Tietosuojavaltuutetun toimisto (Finland) - 6132/151/19
Tietosuojavaltuutetun toimisto (Finland) - 6132/151/19 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 12(5) GDPR Article 15(3) GDPR Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 15.10.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 6132/151/19 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Finnish |
Original Source: | Finnish DPA (in FI) |
Initial Contributor: | Florence D'Ath |
The Finnish DPA found that patients should be provided with a copy of their medical file free of charge under Article 15(3) GDPR, even when such a file includes X-rays and magnetic resonance images which cannot be printed on paper, but need to be burned on a CD/DVD.
English Summary
Facts
A patient in a hospital (the Complainant) made an access request on the basis of Article 15 GDPR in order to obtain a copy of his medical file. The hospital provided him with a file containing only part of his health data. In particular, some X-rays and magnetic resonance images were missing. When the Complainant requested a copy of the missing data, he was charged a fee of 25 EUR by the hospital. The Complainant therefore filed a complaint with the Finnish DPA, asking whether these data should have not been provided to him free of charge on the basis of Article 15(3) GDPR.
The Finnish DPA requested the hospital to provide its opinion on the matter, and in particular on the fee of 25 EUR. The hospital explained that X-rays and magnetic resonance images cannot be printed on paper, but had to be burned on a CD/DVD. According to the hospital, the fee of 25 EUR was reflecting the costs of the CD/DVD, secretarial work, as well as billing and postage. The hospital further referred to an opinion issued by the Finnish DPA in 2008 regarding the possibility to charge a reasonable fee to the data subject based on administrative costs (Opinion n°2546/41/2008).
Holding
The Finnish DPA examined Article 15(3) GDPR, according to which data subjects should normally be provided with a copy of their data free of charge, unless further copies are requested, in which case "the controller may charge a reasonable fee based on administrative costs."
The Finnish DPA appreciated this obligation to provide data subjects with a copy of their personal data free of charge in light of the principle of privacy by design (Article 25(1) GDPR). According to this principle, data protection issues should be taken into account by controllers from the outset when designing information systems . In practice, this presupposes that controllers should design or adapt their processing practices and technical capacity to ensure the respect of the right of data subjects to obtain a copy of their data free of charge under Article 15(3) GDPR.
Given that, in this case, it was the first time that the Complainant requested a copy of his personal data, and that his request was neither unfounded nor excessive (Article 12(5) GDPR), the Finnish DPA concluded that the hospital should not have charged any administrative costs to the Complainant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Exercising the right of the patient to be examined in health care for X-ray and magnetic resonance imaging Decision of the Assistant Supervisor on the right of access Thing The data subject's right to access the images of the imaging study free of charge The complainant 's claims and reasons On 15 August 2019, the complainant informed the Office of the Data Protection Officer that he had made a request to the hospital district for an inspection of all his patient data. However, the X-rays and magnetic resonance images were not provided to him, and they were charged a fee of € 25, which was said to be based on hospital practice. The complainant asks whether the patient should also receive the images free of charge. Statement received from the controller The Office of the Data Protection Supervisor has requested clarification from the controller with a request for clarification dated 24 August 2020 and a request for additional clarification dated 21 September 2020. The registrar has issued a report on 11.9.2020 and an additional report on 2.11.2020. According to the registrar, it is not possible to print the images requested by the complainant on paper and the images can be provided on a CD / DVD instead of on paper. The fee for images is based on the cost of a floppy disk, secretarial work, billing and postage. According to the registrar, in the future, the nationwide Kvarkki XDS archiving will enable X-ray images of imaging examinations to be seen in Omakanta as well. The controller also points out that the practice of charging is based on an opinion issued by the EDPS in 2008 (Dnro 2546/41/2008). Applicable law The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (the Data Protection Regulation) has been applicable since 25 May 2018. The act is a regulation of the law directly applicable in the Member States. The Data Protection Regulation contains a national margin of maneuver, on the basis of which national law can supplement and clarify matters specifically defined in the Regulation. The General Data Protection Regulation is specified in the National Data Protection Act (1050/2018), which has been applied since 1 January 2019. The Data Protection Act repealed the previously valid Personal Data Act (523/1999). The data subject's right of access is enshrined in Article 15 of the General Data Protection Regulation. According to this article, the data subject has the right to receive confirmation from the controller that personal data concerning him or her are being processed or not, and if such personal data are processed, the right to access the personal data and the data listed in the article. Paragraph 3 requires the controller to provide a copy of the personal data processed. If the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. Article 12 (5) of the General Data Protection Regulation provides for the basic free of charge of information and measures based on Article 15 of the General Data Protection Regulation and the grounds for charging. According to this paragraph, all information and measures based on Article 15 of the General Data Protection Regulation are free of charge. If the data subject's requests are manifestly unfounded or unreasonable, in particular if repeated, the controller may either charge a reasonable fee, taking into account the administrative costs of providing the information or messages or taking the requested action, or may refuse to perform the requested action. In such cases, the controller shall demonstrate that the request is manifestly unfounded or unreasonable. Built-in and default data protection is provided for in Article 25 of the General Data Protection Regulation. The main obligation of this article is to take appropriate measures and necessary safeguards to ensure the implementation of the rights and freedoms of data subjects in a built-in and default manner. Legal issue The Assistant Data Protection Supervisor assesses and decides on the complainant's case on the basis of the above-mentioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). This concerns the data subject's right of access (right of inspection). It is necessary to assess whether the information requested by the complainant should be provided to him free of charge under Article 15 of the General Data Protection Regulation (Articles 12 (5), 15 (1) and 15 (3) of the General Data Protection Regulation). Decision of the Assistant Supervisor Decision The controller has not complied with Articles 12 (5), 15 (1) and 15 (3) of the General Data Protection Regulation, and the controller's procedure for charging a fee for copies of X-ray and magnetic images has therefore not complied with the General Data Protection Regulation. The controller shall be instructed in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the data subject's request for the exercise of the data subject's rights under the General Data Protection Regulation. The controller is instructed in accordance with Article 58 (2) (d) of the General Data Protection Regulation to bring the processing operations in line with the provisions of the General Data Protection Regulation. Reasoning In the present case, the complainant has requested copies of X-ray and magnetic images from the controller under Article 15 of the General Data Protection Regulation. As the requested material could in practice only be provided on disc, the controller has charged a fee of EUR 25 and relied on the previous opinion of the EDPS. It should be noted that the general data protection regulation has been applied on 25 May 2018. The previous statement of the Data Protection Supervisor dates from the time of the repealed Personal Data Act. According to recital 63 of the General Data Protection Regulation, the data subject's right of access to personal data includes the data subject's right of access to his or her own health data, such as health files containing The registered right of inspection can in principle be considered to cover, for example, patient documents, which according to section 2 of the Patients Act (785/1992) are documents used or prepared in the organization and implementation of patient care or technical records containing patient health or other personal information. In its opinion practice, the European Data Protection Board has taken a position on the provision of non-printable personal data to the data subject under Article 15 of the General Data Protection Regulation, for example with regard to the situation where the data subject has been videotaped. In this case, if the data controller provides this information to the data subject as a video recording, the data subject has the right to receive this recording free of charge. In addition, for example, the opinion of the EU Data Protection Working Party on the right of transfer of personal data states that under Article 20 of the General Data Protection Regulation, a data subject requesting data may be provided on CD or DVD and no fee will be charged unless conditions are met. The premise that the controller could systematically disregard the request for verification directly on the grounds of, for example, technical difficulties or systematically charge a fee on the grounds that it is difficult or costly to produce a copy could in practice easily lead to the data subject's rights not being exercised. With regard to technical challenges, attention can be drawn to Article 25 of the General Data Protection Regulation (built-in and default data protection), which states that data protection regulatory issues must be taken into account in the design of information systems from the outset. In practice, this presupposes that the controller has brought its technical capacity to such a level that the regulation of the Regulation, including the right of inspection under Article 15 of the Regulation, can also be implemented in practice. In addition, it should be noted that the fee charged by the controller is based on the costs of mailing personal data, floppy disk, invoicing and secretarial work. However, it is not possible to charge a fee to the data subject for the work, materials or postage related to the execution of a data subject's request, and the fee must be based on the reasons set out in Articles 15 (3) and 12 (5) of the General Data Protection Regulation. According to Article 15 (3) of the General Data Protection Regulation, if the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. According to Article 12 (5) of the General Data Protection Regulation, where the data subject's requests are manifestly unfounded or unreasonable, in particular if repeated, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or messages or taking the requested action. requested action. In the light of the above, the EDPS considers that the obligation of the controller to provide the data subject with a copy of the personal data processed free of charge also covers X-ray and magnetic resonance images on healthcare on CD / DVD. Applicable law Mentioned in the explanatory memorandum. Appeal According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Administrative Procedure Act (586/1996). The appeal is made to the administrative court. Service The decision is notified by post in accordance with section 60 of the Administrative Procedure Act (434/2003) against an acknowledgment of receipt.