HDPA (Greece) - 37/2024

| HDPA - 37/2024 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR, Article 6(1) GDPR, Article 6(4) GDPR, Article 9(1) GDPR, Article 9(2) GDPR, Article 12(2) GDPR, Article 13 GDPR, Article 14 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.05.2023 |
| Decided: | 24.07.2024 |
| Published: | 11.10.2024 |
| Fine: | 15,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 37/2024 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (Greece) (in EL) |
| Initial Contributor: | Sofia Papadopoulou |
The DPA fined a doctor €15,000 for sending election advertisements to patients in violation of the principles of lawfulness, fairness, and transparency of data processing.
English Summary
Facts
On 4 May 2023, the data subject received an unsolicited SMS from the controller, whom she did not know personally. Upon investigating, she discovered via Facebook that the controller was a doctor affiliated with a hospital she had visited frequently. The message contained political content promoting the controller’s political rally. A similar complaint was filed by another data subject the following day.
The Greek DPA initiated an inquiry, contacting the hospital for its input on the matter. Subsequently, the DPA invited the controller to address the complaints. In his response, the controller made the following claims:
1. The phone numbers either belonged to individuals within his personal network or were generated using a random number generator.
2. The messages were unrelated to the recipients’ health information.
3. He was unaware of recent legal updates regarding political communication and had acted according to previous regulations.
4. After sending the messages, he uploaded a consent form and privacy notice to his Facebook page.
5. He relied on legitimate interest under Article 6(1)(f) GDPR as the legal basis for processing the data to communicate his political activities.
6. He denied accessing or using patient data from hospital records for his political campaign.
The DPA requested detailed clarifications from the controller, including the total number of SMS recipients, the origin of their phone numbers, how often the consent form had been used, the exact date on which the privacy notice was published, and the measures taken to ensure recipients could exercise their rights under the GDPR.
The controller disclosed that 4,772 individuals received the SMS, claiming that 75% were from his personal network. He further argued that data subjects could exercise their rights via his Facebook page.
The DPA obtained a patient phone list from the hospital for comparison. Among the 4,772 recipients, 3,392 numbers matched those on the hospital’s list. Furthermore, both lists contained 17 phone numbers with identical errors. When confronted, the controller revised his earlier stance, asserting that patients within his personal network were included in his contact list—a detail he had omitted in previous hearings. The DPA requested additional clarifications and invited the controller to another oral hearing to address these findings and inconsistencies.
Holding
The DPA, after having heard the controller, the hospital and the data subjects, held that the controller violated the principles of lawfulness, fairness and transparency (Article 5(1)(a) GDPR, Article 6(1) GDPR and Article 6(4) GDPR) regarding the personal data of his patients, thus also violating Article 9 GDPR. Also, he failed to facilitate the exercise of the data subjects' rights under the GDPR, e.g. according to Article 13 GDPR and Article 14 GDPR. The DPA’s findings were based on the following observations:
1. The controller consistently altered his explanations in response to evidence presented by the DPA, undermining his credibility.
2. He failed to credibly identify the sources of the phone numbers used, making it implausible that such a significant portion of his patients’ contact details were included accidentally or generated randomly.
Given that the violation concerns special categories of personal data (Article 9 GDPR), the level of responsibility of the controller, who is a doctor, combined with his confidentiality obligation, and lastly, the contradictory arguments presented in the hearings, the DPA decided to impose a fine of €15,000 for the violation of the fundamental principles and of those set out in Article 12(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Kifisias Ave. 1-3, 11523 Athens
T: 210 6475 600
E: contact@dpa.gr
www.dpa.gr

Athens, 11-10-2024
No. Prot.: 2754

DECISION 37/2024
(Department)

The Personal Data Protection Authority met, at the invitation of its President, in a regular meeting in the composition of the Department at its headquarters on 24/7/2024 in order to examine the case referred to in the history of the present decision. The meeting was attended by teleconference by Georgios Batzalexis, Deputy President, in place of the President of the Authority, Konstantinos Menoudakos, by Demosthenes Vougioukas in place of regular member Konstantinos Lambrinoudakis, and by Maria Psalla, as rapporteur and in place of regular member Grigorios Tsolias, who, although legally summoned in writing, did not attend due to impediment. Haris Symeonidou and Georgia Panagopoulou, special scientists - auditors, as assistant rapporteurs, and Irini Papageorgopoulou, an employee of the Authority's administrative affairs department, as secretary, attended the meeting by order of the President without voting rights.

The Authority took into account the following:

With her complaint no. prot. C/EIS/3284/04-05-2023 before the Authority, A complained that on 4/5/2023 at 17:56 she received a message (SMS) on her personal mobile phone with the following content: "... (FB: …)", which she attaches to the complaint. As the complainant states, she has never personally met the gentleman in question, she was unaware of his existence, and after connecting to his Facebook account she saw that he is a Curator at the X Hospital Clinic, a hospital which the complainant states she had visited many times as a patient and as a companion of minor patients. For this reason, the complainant complains about the unwanted political communication and the violation of her sensitive personal data, as she claims.

Then, with her complaint no. prot. C/EIS/3322/05-05-2023, B stated that she is suing C for violating her personal data as a patient for the purposes of his political campaign, claiming that the respondent took her details, her phone number and her medical history from Hospital X without her permission or knowledge, and used them to send her the same SMS message mentioned above ("… (fb: …)"). As the complainant states, this message caused her anxiety as it refers to a very painful event in her life, her illness ..., due to which she was hospitalized at Hospital X […], while she regularly visits the hospital to this day, and because of the complained-of message she now "feels threatened" by the fact that anyone can take the data she gives to the hospital for the purpose of her medical treatment and use it as they wish.

Along with the notification of a data breach incident no. prot. C/EIS/3383/08-05-2023 and its supplementary documents, Hospital X notified the Authority in accordance with Article 33 GDPR of the following facts: "On 05/05/2023, the Hospital received a letter from the affected data subject, with which she informed the Hospital that on 04/05/2023 she received a political communication message [with the following content: "… (FB: …"]) from a doctor - candidate for Member of Parliament, who has not worked at the Hospital since ... . In this way, the Hospital was informed of the fact that the doctor - former employee of the Hospital, either upon his departure or at an earlier time, extracted personal data from the Hospital's systems (to which he legally had access for the purposes of performing his medical duties) and used them for other, incompatible purposes. The Hospital is not able to know exactly when the incident of violation took place, i.e. the extraction of the Hospital's patient personal data without a legal reason, given that the particular doctor had access to the patient records of his department (…) throughout his employment at the Hospital, for purposes exclusively related to the provision of medical services. Also, the Hospital cannot accurately determine the end time of the incident and for this reason the date of the doctor's departure from the Hospital has been filled in as the end time of the incident, i.e. on ...".

Following the above, and as appears from the relevant supplementary documents of the Hospital (G/EIS/4452/14-06-2023), an out-of-court statement - invitation - protest and reservation was sent on its behalf on 08/05/2023, with which the Hospital informed the respondent of the above and invited him to immediately inform the Hospital whether he has received a copy of, or has recorded on his own, the Hospital's patient data record, when and how, what data he has received and for which patients, and to return it promptly, in order for the Hospital to consider any additional actions required in the context of its compliance with personal data protection legislation. With the 19/5/2023 out-of-court statement - response to the Hospital, the respondent replied that he never made use of the Hospital's medical record for any reason, that the numbers of the recipients of his election campaign came exclusively from his personal patient record and from publicly accessible online databases of mobile phone numbers, that the text of the message was unfortunate and left room for misunderstandings, but that there is no personalized targeting of or reference to a patient, since the same message was sent to others who are not patients, and the content of the above extrajudicial statement was generally denied as unfounded.
In the context of the investigation of the above facts, the Authority, with document G/EXE/1244/16-05-2023, communicated the above complaints to the respondent and invited him to present his views on the complaints, providing full documentation and clarifying in particular a) which personal data are processed for political communication purposes, what the source of these data is and what the legal basis for their processing is, and b) in what way he informs the data subjects of the above-mentioned processing of their data, in accordance with the principle of transparency of the processing (article 5 par. 1 a' GDPR). It is noted that the Authority's letter was initially sent by post, to the address at which the above extrajudicial letter from the Hospital had been served, and was returned undelivered. For this reason, the same letter was sent again via e-mail, after the Authority was informed of the respondent's e-mail address by the Hospital, with document G/EIS/4631/21-06-2023.

With his response to the Authority no. prot. C/EIS/5784/08-08-2023, the respondent answered the following:

- That the allegations of the complainants of illegal collection and processing of their data for the purpose of political communication are unfounded, because, in the context of his election campaign as a parliamentary candidate ..., he sent mass SMS, including the disputed message sent on 4/5/2023, to people of his circle, to people who are members of ..., to his patients (his personal friends, acquaintances, colleagues and persons who have participated in the past in events and actions that he has organized), to recipients resulting from the use of a telephone number generator (www.ekepis.gr) and to numbers from publicly accessible directories, while for this purpose a third-party SMS sending company was used, with the editing done by himself.

- That the content of the message ("...") has nothing to do with the medical history of its recipients, which it was not possible for him to know, according to the Code of Medical Ethics (Law 3418/2005), and that the wording of the message was aimed at highlighting his status as ... of the NHS, who knows the pathologies from the inside and can deal with them.

- That due to his increased workload (…) and due to the limited budget he could allocate to his pre-election campaign, the respondent did not, as he claims, have the opportunity to learn about the latest developments in terms of political communication, the new Guidelines 1/2023 of the Authority and the transparency obligations in every political communication, or to hire a consultant to guide him.

- That he carried out the communication in question bearing in mind "the previous regime", and that he brought his personal Facebook page to the attention of the recipients, so that they could submit any request for access and/or deletion and/or objection.

- That a few days after sending the message he was informed by the [party] about the minimum transparency requirements that any unsolicited political communication must meet, and that immediately afterwards he proceeded with the required changes, despite the costs involved (due to the number of characters, each SMS now cost as much as 3), and specifically with the following compliance actions: a) the creation of a consent form, accompanied by a relevant information note on the processing of personal data (for future processing), b) cleaning from the list of recipients all the numbers he had procured from the generator and from publicly accessible directories, and c) drafting an information note, which he posted on his Facebook page.

- That the legal basis of the processing was his legitimate interest (according to article 6 par. 1 f GDPR) to communicate his political activity, his positions and ideas as a candidate for parliament, especially due to his professional background in the National Health System, in the context of the parliamentary elections of 21/5/2023 and 25/6/2023, which derives from his constitutional rights to participate in the political life of the country, to express himself freely, to organize meetings and to communicate about them, and that for the sole purpose of being able to inform the voters of ... about his actions, he keeps a record of the recipients of electronic communications with information that he collects from various sources over a number of years, given that he is generally socially active (having been a member of the Board of Medical Associations ... and ...). Regarding the weighing of his interest in question against the rights of the recipients of the communication, the respondent notes that the sending of written messages "gives the possibility to exercise the above constitutional rights more easily, more effectively and to a larger portion of citizens, achieving, by extension, greater representativeness in the electoral body of the regional unit of ... . At the same time, refraining from making communications through these means and for this purpose damages the core of the pursued interest and right, which goes back to my participation in political life. Therefore, in the manner in which the intended purpose was carried out in this case - judged in combination with the type of data used, which was limited to the communication data of the subjects without processing identification data - the rights of the affected persons, recipients of the communication, were not unduly affected regarding the protection of their personal data. Following the above, it follows that the processing in question is necessary and suitable for the intended purpose".

- With regard to the proportionality of the processing based on its impact on the rights of individuals, the respondent claims that only the contact details (phone numbers) were used for the said processing, without processing other identification data (e.g. first and last name) of the recipients, and that the rights and freedoms of the subjects are not disturbed by the political communication carried out because, in the context of the specific processing, the purpose in question is defined, explicit and legal, and serves the exercise of fundamental constitutional rights.

- That the allegation that he collected the data of the complainants from the file of Hospital X is unfounded and offensive, that he used a number generator, and that the association of the database of the recipients of his communication with the hospital's patient register, in addition to being excessive and disproportionate processing, would not be technically possible for him, since such a possibility is not provided by the Hospital's systems.

- With reference to the first complaint above, the respondent states that a number generator was used and therefore it was not possible to know the details of the recipient, refuting as untrue and offensive the claim that he collected the telephone number of the complainant from the patient register of the ... clinic of Hospital X.

- With reference to the second complaint above, the respondent claims that it is vague, unsubstantiated and unfounded, stressing that the complainant does not mention the number on which she received the message, that she did not address him before submitting the complaint as recommended by the Authority on its website, and that in any case he did not need to obtain the complainant's prior consent, given that the processing in this case was based on the legal basis of overriding legitimate interest.
Following the above, the Authority, with its document G/EXE/2275/08-09-2023, requested the respondent to provide the following clarifications and the relevant evidence: 1) to provide complete and accurate information (evidence of dispatch, invoices, recipient lists, etc.) from which the total number of subjects who received each of the communications via SMS mentioned on p. 9 of his memorandum, in the context of his election campaign, can be derived, specifying how many recipient phone numbers correspond to each of the 4 sources to which the respondent refers on p. 10 of his memorandum; 2) to determine when and in what way the consent form provided as Related 3 was used on his part, stating in particular how many subjects have given him their consent in this way and providing, as indicative documentation, signed forms that he keeps; 3) to explain at what time and at which electronic address the information to the subjects, which the respondent presented as Related 4, was posted; and 4) with reference to his claim that the second complainant did not submit any request to him before submitting the complaint, the Authority invited the respondent to document the possibility for the subjects to exercise their rights under the GDPR towards him, as data controller, at the time of submitting the complaint, specifying at what point exactly he provided his contact details either to the recipients of the messages or publicly to the general public.

Following the sending of the Authority's reminder document G/EXE/2851/13-11-2023, the respondent, with his response document G/EIS/8274/21-11-2023, provided the Authority with printouts of detailed reports of the Your SMS platform, which show the number of SMS that each message required based on the characters, the number of recipients who received the communication and the corresponding cost. As can be seen from these data, the sending of the critical SMS message (with content … (FB: …), hereinafter referred to as "1st communication") was made on 4/5/2023 at 05:55 to 4,772 recipients, each message corresponded to 3 SMS and its cost amounted to 28,632 credits. In addition, the respondent clarified that of the 4,772 recipients, 75% belong to his personal friends, acquaintances and people in his immediate work circle, and in general persons who have participated in the past in events and actions that he has organized, 15% to recipients for which a telephone number generator was used and 10% to numbers obtained from publicly accessible directories. Furthermore, from the submitted documents, the following information emerges regarding the other communications via SMS carried out by the respondent in the context of his election campaign: 2nd communication: … 3rd communication: … 4th communication: … 5th communication: …

The respondent noted that he drew up the consent form a few days after the communication in question was sent, that the form was available in a separate area along with other candidates' cards and leaflets during the pre-election events of ... in ... as well as at his own pre-election events, while he attaches indicatively completed forms. With regard to the information notice, the complained doctor states that it was posted on his Facebook page on 08/08/2023, while maintaining that the information notes in question were also available on the consent forms he had available at his events ... and his speeches, without, however, providing any evidence to substantiate the claim in question. Finally, regarding the possibility of exercising rights, the respondent states the following: "Since the platform I worked with to send the bulk SMS did not provide the option of automatic unsubscribe for users, I made known to the recipients of my communication, as I also mention on page 10 of my Memorandum, my personal Facebook page (Ref. 3), which is public, i.e. open to everyone, and on which there was the possibility of communication with one click, through the relevant application of the platform in question. In other words, it was possible for anyone to submit a question or any request such as e.g. access and/or erasure and/or objection. However, the manner of exercising said requests was not binding. Anyone who wished could - even verbally - submit any request (which was not done) and it would be processed directly," emphasizing again that the second complainant did not attempt to submit any request, which demonstrates the abusive nature of the complaint.

Following the above, the Authority, with its summons C/EXE/528/12-02-2024, invited the respondent to a hearing before the Department of the Authority on 21/2/2024, in order to present his views on the case. During the meeting of 21/2/2024, the respondent, through his attorney, Stergios Konstantinos (AM DSA ...), requested the postponement of the case due to illness. The request was granted and the case was adjourned to 6/3/2024. During the meeting of 6/3/2024, the respondent was present with his above attorney. He stressed that the complainants' personal data did not come from Hospital X, reiterated the claim that the wording of the message was due to an "unfortunate choice" following advice he received to emphasize his experience in the public health system, and that he was not addressing the recipient personally but any recipient of the message who, in his estimation, had a high chance of ... actually being in the NHS. The respondent claimed that he was not aware of the legality conditions of political communication, that he did all the relevant management himself, without the use of a processor (beyond the yoursms service), and attributed to this the fact that he used a phone number generator and public lists, noting that he then proceeded to take actions to improve the practices he follows, i.e. he created a consent form, cleared his database of numbers that came from the above two sources, and clarified that the two numbers of the complainants had come from the random number generator ekepis.gr.

The Authority granted a deadline for the submission of a memorandum until 22/3/2024, and he was requested to provide with the memorandum data to substantiate the claim regarding the use of a generator in relation to the two numbers of the complainants, as well as information regarding the sending costs of the message in question. Subsequently, the Authority, with document G/EXE/878/14-03-2024, requested the respondent to provide, in addition to his memorandum, the complete list of the 4,772 recipients of the message (SMS) sent on 4/5/2023, indicating specifically which numbers belong to which category among those mentioned in the form of percentages in his document C/EIS/8274/21-11-2023. With his memorandum G/EIS/2764/26-03-2024, the respondent first stated that the total cost for the specific sending of messages amounts to 363.62 euros; at the same time he provided the entire list of recipients of the message as extracted from the yoursms.gr platform, while regarding the distribution of numbers by source of origin, he repeated the percentages (15% from a telephone number generator and 10% from publicly accessible directories), stating that he has not kept records regarding the exact origin of each number and therefore cannot proceed to categorize them based on origin. Regarding the source of the complainants' numbers, the respondent claimed that they came from the ekepis platform, while he provided a screenshot from the said platform, which contains all possible numbers starting with the same digits and in which the numbers of the complainants are included.
The memorandum also explains that, in the context of proving that the data did not originate from the file of Hospital X, a request was submitted on behalf of the respondent for access to the hospital's logs regarding the extraction of files, to which the DPO of the hospital replied that it does not have the requested records. Thus, objectively, as the respondent claims, he cannot otherwise prove the non-extraction of patient contact information from the hospital database. Finally, with the memorandum, he points out that the complainants did not document the alleged processing in terms of the origin of their data from the hospital, arguing that they bear the burden of proof so that the Authority is able to make a safe decision, while he himself provides complete counter-evidence, invoking the provision of article 145 par. 1 of the Civil Code but also those generally applicable to proof before the Administration when issuing administrative acts (according to article 17 par. 3 of the Civil Code), "in the absence of a specific legislative provision", as he states.

Subsequently, and taking into account the absence of documentation of the origin of the recipients of the 4/5/2023 SMS message by the respondent in accordance with the principle of accountability (art. 5 par. 2 GDPR), the Authority sent Hospital X document C/EXE/967/27-03-2024, with which it requested, following the notification of an incident of violation, by 8/4/2024: a) to report the total number of patients who submitted a complaint to the Hospital regarding the receipt of a pre-election message (SMS) from doctor C, providing relevant documentation, b) to clarify whether additional information has emerged in relation to the relevant notification of a personal data breach incident and, in case of an affirmative answer, to provide the data in question, and c) to provide the Authority with the complete list of mobile phone numbers of patients ... from May 2018 until May 2023.

With its response document C/EIS/3530/16-04-2024, the Hospital presented to the Authority two complaints from patients (D and E) who had received the campaign message in question and had complained to the Hospital about the possible leak of their data in May 2023. Regarding the investigation of the incident, the Hospital informed the Authority that an investigation was carried out on the matter in order to collect data, and a conclusion was filed under no. prot. ... according to which "there are serious indications that the doctor acted with negligence in violation of the rules of medical ethics, medical confidentiality and the obligation of confidentiality". Subsequently, following act no. ... of the Hospital's Board of Directors, it was decided to refer the case to the Central Disciplinary Council of ESY Doctors (K.P.S.), which issued an acquittal decision, without calling for an apology from the doctor. The Hospital provides an extract from the meeting of the Central Disciplinary Council of ESY Doctors, according to which "the Council, after examining all the documents of the disciplinary file and taking into account mainly what was presented by the advocate and the accused doctor [...] unanimously decides the discharge without calling for an apology" of doctor C, for the disciplinary offenses attributed to him with act no. ... of the Board of the Hospital. In addition, the Hospital provided the Authority with an Excel file consisting of 6,707 mobile phone numbers, ... in the last 5 years.

From the comparison of the two mobile phone files presented to the Authority in accordance with the above, it appears that of the 4,772 numbers that received the respondent's message of 4/5/2023, 3,392 are included in the mobile phone file of patients ... at Hospital X in the last 5 years. It should be noted that in both lists 17 numbers were found that contain the same error, i.e. they consist of either fewer or more than 10 digits.
At the same time, with his letter G/EIS/3237/08-04-2024, the Ombudsman forwarded to the Authority the report no. prot. ... by F, who stated that she received the respondent's pre-election message of 4/5/2023, while he was at Hospital X in the year 2022. In continuation of the above, with the summons C/ΕΜΕ/1170/16-04-2024, the Authority again invited the respondent to a hearing before the Department of the Authority, on Wednesday 24/04/2024, notifying him at the same time of the above new information that had come to its knowledge.

During the meeting of 24/4/2024, the respondent was present with his above attorney. Responding to the latest evidence, the respondent argued that the fact that a large percentage of the recipients of his campaign message of 4/5/2023 were also patients of Hospital X does not prove that he obtained their mobile phone numbers from the Hospital's record, but that the same patients belonged to the "personal friends and acquaintances" category, which he named from the beginning as the source of the recipients of his message, noting that by mistake he had omitted to clarify to the Authority that these also included "his personal patients", i.e. patients whom he himself had treated during his 36 years of employment, among them patients from Hospital X. The respondent clarified that he has been working at Hospital X since 2018 and, as ..., ... a very large number of patients, which in some cases could reach ... per day. Answering a relevant question from a member of the Authority, the respondent clarified that by patients he had treated, he does not mean only those ... but also those who needed his help possibly at a later stage, e.g. requesting an opinion or other document from the Hospital. As he claimed, he considers these to be "his own patients", as he personally treated them.

In particular, as the doctor states in his memorandum, "in the context of facilitating communication with the patients of the hospital, he created a physical file, an agenda with the names and contact details of the patients, with whom he communicated ... in order to answer their questions"; as he declared to the Authority, this agenda has now been destroyed. During the hearing, the complained doctor reiterated that as far as the complainants were concerned, their numbers came from the ekepis generator, as did several other recipients' numbers. He used the generator in order to utilize the full SMS package he had purchased for his election campaign, as this allowed him to send to more recipients than he had available in his agenda. In response to a question about how he knows that a certain number came from the generator or from his phonebook, since he keeps no documentation, he said that he "remembers all" of his acquaintances and patients, so those recipients who are not among those he remembers came from the generator. With regard to the 17 common incorrect numbers found on both lists (his and the Hospital's), the respondent argued that this was explained by the fact that in several cases he collected the patient details himself and then gave them to the Registry of the Hospital to record them in the Hospital's electronic records, stating that the daily practice in patient management is far from the theoretical process. During the meeting, a deadline was granted for filing a memorandum until 14/6/2024, which, with the Authority's document G/EXE/1643/13-06-2024, was extended until 1/7/2024, given that new information about the case was to be brought to the attention of the respondent.
In this context, following the Authority's communication with Hospital X, the Hospital's document C/EIS/5292/18-06-2024 describes the procedure for declaring and registering patient demographic data in the Hospital's system and clarifies that these data are declared only by the patients in person at the Outpatient Clinics Secretariat, and that no intervention in or modification of their record details by a third party is allowed. In addition, with the Hospital's document G/EIS/5410/21-06-2024, the Sworn Administrative Examination (EDE) Report with confidential protocol no. ... was submitted. From this report it follows that the doctor's main claim in the context of the EDE was that the telephone numbers of the recipients of his message came from a random number generator, and that the content of the message was aimed at demonstrating his professional status ... and was not related to the status of citizens ... . The explanations provided by the doctor in the context of the EDE were not considered convincing; taking into account the doctor's ability to access the program containing the patient data and the ease of copying data from that program, which at the time of the events did not record a detailed history of actions per user, the EDE concludes that "there are serious indications that he acted negligently in violation of the rules of medical ethics, medical confidentiality and the obligation of confidentiality". With the Authority's transmission document G/EXE/1755/26-06-2024, the above documents were communicated to the doctor so that he could take notice of them in view of submitting a memorandum by 1/7/2024.

With his memorandum G/EIS/5613/02-07-2024, the doctor states the following:
- That for the medical records of the patients ... in Hospital X, the controller is the Hospital itself. Physicians are not given a digital or physical copy of the patients' medical records, nor remote access. Access to a patient's record is only possible from the Hospital's computers. Moreover, it was not possible to extract the information from the Hospital's information system, or even if it was, the doctor was not aware of this possibility and had received no training in it.
- That in the context of facilitating communication with the patients of the Hospital, he created a physical file, an agenda with the names and contact details of the patients with whom he communicated ... in order to answer their questions, according to the standard practice followed by all doctors so as to be able to manage whatever comes up for patients and to feel safe about their health.
- That the legal basis for keeping the record was the legitimate interest of the patients in the immediate management of and response to any questions or concerns ..., and that it was also necessary for the purposes of preventive or occupational medicine (Article 6 par. 1 f) GDPR and Article 9 par. 2 GDPR).
- That he always kept the agenda in question on his person and did not leave it exposed in common areas such as the office he shares with colleagues.
- With reference to the EDE Report, he claims that this document was forwarded with confidential protocol no. ... to the Central Disciplinary Council of Doctors of the E.S.Y. (submitted as Exhibit 1), with the question of whether or not he should be placed on suspension. In the context of the examination of this issue, the doctor states that he was called to a hearing on ... before the Central Disciplinary Council of Doctors of the National Health Service (submitted as Exhibit 2) and that, after presenting, explaining and proving both the facts and the reasons why document no. prot. C/EIS/5410/21-06-2024 was based on unsupported and unfounded conclusions, the Disciplinary Council fully discharged him, both on the facts and due to material violations by the hospital during the conduct of the EDE (submitted as Exhibit 3).
- With regard to the wording of the communication, the doctor submits as Exhibit 4 a sworn statement by the communications consultant Z, who had undertaken his communication strategy and confirms that he had proposed the wording in question purely for communication purposes, without knowing the identity of the recipients of the message.

The Authority, after examining the elements of the file, hearing the rapporteur and the clarifications of the assistant rapporteurs, and after thorough discussion,

DECIDED IN ACCORDANCE WITH THE LAW

1. From the provisions of Articles 51 and 55 GDPR and Article 9 of Law 4624/2019 (Government Gazette A' 137) it follows that the Authority has the competence to supervise the application of the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter GDPR), of that law and of other regulations concerning the protection of individuals from the processing of personal data. According to the above findings and the provisions of Article 57 par. 1 f) GDPR and Article 13 par. 1 g) of Law 4624/2019, it follows that the Authority has the competence to deal with the complaints of A and B for unlawful processing of their personal data and to exercise, accordingly, the powers granted to it by Article 58 GDPR and Article 15 of Law 4624/2019.

2. Article 5 par. 1 GDPR sets out the principles that must govern any processing. According to Article 5 par. 1 a) GDPR, "1. Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')".
Furthermore, according to the principle of accountability, expressly laid down in the second paragraph of the same article and a cornerstone of the GDPR, the controller "shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')". This principle entails the controller's obligation to be able to prove compliance with the principles of Article 5 par. 1. With regard to the burden of proof before the Authority, this principle is a more specific provision of the personal data protection legislation and therefore prevails over the general rules on the burden of proof of the Code of Administrative Procedure.

3. According to Article 6 par. 1 GDPR, "1. Processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child".
Recital 47 GDPR further clarifies: "The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing." Furthermore, according to Article 9 GDPR, as a rule "1. Processing of personal data [...] concerning health [...] shall be prohibited", unless one of the exceptions to the prohibition provided for in par. 2 of the same article applies. When the legal basis for the processing is consent, it must be given in accordance with the definition in Article 4 (11) GDPR ("any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her") and must meet the conditions for valid consent of Article 7 GDPR.

4. According to Article 6 par. 4 GDPR, "Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing; b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller; c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; d) the possible consequences of the intended further processing for data subjects; e) the existence of appropriate safeguards, which may include encryption or pseudonymisation". Recital 50 GDPR points out that "In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations".

5. With regard to the transparency of the processing, Article 12 par. 1 GDPR provides that: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means." The mandatory information to be provided is laid down in Article 13 GDPR for the case where the data are collected from the data subject and in Article 14 GDPR for the case where the data have not been obtained from the data subject.
In particular, this information includes at least "a) the identity and the contact details of the controller and, where applicable, of the controller's representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing; d) the categories of personal data concerned; e) the recipients or categories of recipients of the personal data; f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and related information; g) the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period; h) information on the rights of the data subject under Articles 15-22 GDPR". In addition, according to par. 3 of the same article, "Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2". Where the data have not been obtained from the data subject, in accordance with Article 14 par. 2 f) GDPR, the data subject must also be informed of "the source from which the personal data originate, and if applicable, whether it came from publicly accessible sources". The information is provided either at the time the data are collected, when they are obtained from the data subject (Article 13 GDPR), or within the period set out in Article 14 par. 3 GDPR where the data have not been obtained from the data subject, and in particular, if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject (Article 14 par. 3 b) GDPR).
It is also noted that according to Article 12 par. 2 GDPR, the controller must "facilitate the exercise of data subject rights under Articles 15 to 22".

6. With regard to political communication, following decisions no. 1343-5/2022 of the Council of State, by which it was held that the activity of political communication, since it does not have the purpose of commercial promotion, does not fall under Law 3471/2006, the Authority reviewed, within its competence, the issues of lawfulness arising in relation to political communication, in order to determine the framework for the lawful processing of personal data for this purpose under the provisions of the GDPR, and with Decision 9/2023 (available at https://www.dpa.gr/sites/default/files/2023-04/9_2023%20-%20anonym_0.pdf) decided to issue Guidelines 1/2023 on the processing of personal data for the purpose of communication of a political nature. The aforementioned Guidelines (hereinafter "CG 1/2023") clarify, among other things, the following: "The processing of personal data for the purpose of political communication may be based either on the prior consent of the data subjects (Article 6 par. 1 a) GDPR) or on an overriding legitimate interest, to be assessed in each case (Article 6 par. 1 f) GDPR). It is clarified in this regard that, when the personal data were initially lawfully collected for another purpose and their further use for the purpose of political communication is not based on the consent of the data subject, the processing is lawful if the controller documents that the processing for the purpose of political communication is compatible with the purpose for which the personal data were initially collected, under the conditions of Article 6 par. 4 GDPR. Indicative cases for the application of the above lawfulness conditions are included in that text in par. 2.1.2".

In addition, CG 1/2023 recalls that "in the case of data collection for use for the purpose of political communication on the legal basis of overriding legitimate interest (Article 6 par. 1 f) GDPR), in accordance with the principle of accountability under Article 5 par. 2 GDPR, the controller must be able to adequately document the balancing test, which he must have carried out before the start of the processing and on the basis of which he assessed that his interests do not prevail over the interests or the fundamental rights and freedoms of the data subjects - recipients of the political communication". As indicative examples of cases in which personal data may not be used for the purpose of political communication, CG 1/2023 lists the following:
- if the candidate has collected e-mail addresses and/or telephone numbers from the internet using a web crawler;
- if the candidate has purchased from a third party a list of citizens' contact details, even if there is consent for their use for the purpose of marketing products/services;
- if the candidate has collected professional contact details from directories or public registers posted online for transparency purposes or for professional communication;
- if a candidate who held a public position has collected citizens' data that they provided in the context of their dealings with his service.
Regarding the information of data subjects in accordance with Articles 13 and 14 GDPR, CG 1/2023 points out that the information must be concise, transparent, intelligible, easily accessible and formulated in clear and plain language, in accordance with Article 12 par. 1 GDPR.
Finally, especially for electronic communication, the following is noted: "Accordingly, in every electronic communication for the purpose of political communication it is required: to state clearly the identity of the sender or of the person on whose behalf the message is sent; to clarify the source from which the contact details of the data subject were collected, if this is not the data subject himself (Article 14 par. 2 f)); to refer to the full information text in accordance with Articles 13 or 14 GDPR; and to indicate the way in which the recipient of the message can exercise his rights, including requesting the termination of the communication (right to object)".

7. In the present case, from the information in the file and from what emerged during the hearing, it is established that the complained doctor did not submit any documentation regarding the origin of the 4,772 phone numbers of the recipients of the SMS message in question, for which the complaints under examination were filed, with the content "… (FB: …)". The doctor made contradictory claims as to the source of the numbers, both to the Authority during the examination of the case and to the Hospital in the context of the EDE. In particular, in the context of the EDE the doctor claimed that all the numbers came from a random number generator, while during his examination by the Authority he initially claimed that 75% of the recipients of his message were his personal acquaintances and friends; and after his list of recipients was compared with the list of ... at the Hospital for the years 2018-2023, and it was established that the two lists were more than 70% identical, the doctor argued that his "personal friends and acquaintances" also include "his" patients, meaning the patients of the Hospital whom he himself "treated" in a broad sense, i.e. not only … but whom he "served" as a physician in any way.
It is noted that the doctor provided absolutely no evidence as to the origin of the numbers or their alleged share per source. Also, the allegation that the doctor collected the patient details himself and then gave them to the Hospital Secretariat (as an explanation for the presence of the same 17 incorrect numbers in both lists) contradicts the procedure for declaring and registering patient demographic data described by the Hospital, according to which these data are declared only by the patients in person at the Hospital's reception, and no third party is allowed to intervene in or modify the details of their record. With the above contradictory claims, which constantly changed and adapted to the stage of the investigation in order to respond each time to the latest information available to the Authority, the complained controller failed to document, in accordance with the principle of accountability, the lawful collection and processing of the data (mobile phone numbers) of the recipients of his campaign message. At the same time, from the data in the case file, and taking into account in particular: a) the fact that the doctor's list of recipients and the list of Hospital X are 70% identical, a particularly high percentage that cannot statistically be attributed to coincidence; b) the fact that both lists contain the same 17 incorrect numbers, i.e. numbers consisting of a number of digits other than 10, and it is unlikely that exactly the same entry error was repeated twice, let alone that this "random" repetition of the same error occurred coincidentally in 17 cases; and c) the fact that the procedure invoked by the physician for collecting and entering patient data into the Hospital's system, i.e. the patient giving his details to the doctor and the doctor then passing them to the Secretariat, is not confirmed by the Hospital, it is a reasonable conclusion that the doctor obtained the patients' contact data from the Hospital's records, to which he had access, either acting alone (see the reference in the EDE that, according to the testimony of the head of the organisation and IT department, exporting data to Excel is not complicated) or with the help of a third party. However, even if, despite the absence of any evidence, the version ultimately put forward by the complained doctor were accepted, namely, as he reported to the Authority at the 2nd hearing, that from 2018, when he started working at Hospital X, he systematically collected data of the Hospital's patients and kept them for years in his personal "agenda", that processing took place without a clear and defined purpose, without a legal basis and without informing the data subjects, in violation of the principles of lawfulness, fairness, transparency and purpose limitation (Article 5 par. 1 a) and b) GDPR). As these data in this case also include health information about the subjects (that they are patients, and of a specific category of diseases), they constitute special category data, for which an exception from the prohibition on processing under Article 9 par. 2 GDPR would also be required. Regarding the complained doctor's claim that the legal basis for keeping the patients' data in his own file was their legitimate interest in the immediate management of and response to any queries or concerns ... and that the processing was necessary for the purposes of preventive or occupational medicine (Article 6 par. 1 f) GDPR and Article 9 par. 2 h) GDPR), it is pointed out that, as the doctor himself states at the very beginning of his memorandum G/EIS/5613/02-07-2024, "for the medical record of the patients (…) the Hospital itself is the controller", and not the doctor in question. Furthermore, the use of a random number generator for the purpose of sending a political communication message is not a lawful practice, nor was it lawful under the previous regime invoked by the doctor (Guidelines 1/2019 of the Authority), while the sending of messages to recipients whose details have been drawn from publicly accessible directories does not meet the conditions for applying the legal basis of Article 6 par. 1 f) GDPR, so as to be based on the doctor's overriding legitimate interest. It is noted that from the doctor's responses it does not appear that a sufficient balancing had been carried out between his legitimate interest in promoting his candidacy and the rights and freedoms of the recipients of the communication affected by the processing, since at no point did he state that he took the affected rights into account. Such processing of patient data could in no way be reasonably expected by the data subjects, given that public hospital patients cannot be considered personal patients of the physician in such a way that there is a "relevant and appropriate relationship between the data subject and the controller" (Recital 47 GDPR) and that the overriding legitimate interest of the latter can be established in relation to the rights and freedoms of the data subjects. Moreover, since the purpose of collecting the data was, according to the doctor's statement, to serve the data subjects as patients, their use for the purpose of sending a political communication message constitutes a further purpose of processing, which in no case can be considered compatible with the original purpose under Article 6 par. 4 GDPR, taking into account the nature of the (medical) data and the legitimate expectations of any patient visiting a public hospital, who cannot reasonably expect that their telephone number will be used in the election campaign of the doctor who … served them in any way. In addition, in the context of the sending of the campaign message in question, it emerged that the transparency obligations of the doctor as controller under Articles 13 and 14 GDPR were not fulfilled. From the information available to the Authority, it appears that the only action taken by the doctor to fulfil the obligation of transparency was the posting of a text entitled "INFORMATION NOTE FOR THE PROTECTION OF PERSONAL DATA" among the photos of his Facebook page on 19/5/2023, i.e. after the message in question was sent. This information refers only to the processing of data on the legal basis of consent and not on the legal basis of overriding legitimate interest. It is noted that the messages sent made no reference to any information text, nor was any other information provided. Exceptionally, in the last two sendings (4th and 5th communication) the following information is provided in relation to the source of the data: "THE SOURCE OF YOUR PHONE NUMBER IS THE RANDOM 10-DIGIT NUMBER GENERATOR ekepis.gr". Based on the above, it follows that the complained doctor collected and processed patient data of Hospital X for the purpose of political communication, in violation of the principle of lawfulness, fairness and transparency of the processing. In addition to the above, the examination of the facts of the case reveals a violation of Article 12 par. 2 GDPR, i.e. of the controller's obligation to facilitate the data subjects in the exercise of their rights. In particular, the doctor claims that in the 1st communication he referred the recipients to his Facebook page for this purpose (with the note "(FB: ...)" at the end of the message).
However, it is not clear that this reference concerns the way of exercising rights under the GDPR, while it is obvious that a recipient without a Facebook account would not have been able to contact the doctor in this way. Furthermore, in the other communications (2nd - 5th) he did not provide any information on how recipients could exercise their rights to object or to erasure of their data.

8. Therefore, the Authority finds the following violations on the part of the complained doctor, as controller: a) violation of the basic principle of lawfulness, fairness and transparency of the processing (Article 5 par. 1 a) in conjunction with Articles 6 par. 1, 6 par. 4, 9 par. 1 and 2, 13 and 14 GDPR) and b) violation of the obligation to facilitate data subjects in the exercise of their rights (Article 12 par. 2 GDPR).

9. Based on the above, the Authority considers that there is a case for exercising its corrective powers under Article 58 par. 2 GDPR in relation to the violations found and that, based on the circumstances established, an effective, proportionate and dissuasive administrative fine should be imposed pursuant to Article 58 par. 2 i) GDPR, in accordance with Article 83 GDPR, both to restore compliance and to punish the unlawful conduct. Furthermore, the Authority took into account the criteria for determining the fine set out in Article 83 par. 2 GDPR, paragraphs 4 a) and 5 b) of the same article which apply in this case, the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 issued on 03-10-2017 by the Article 29 Working Party (WP 253), and the facts of the case under consideration, and in particular the following criteria and special circumstances:
- that the violations found fall under Article 83 par. 5 GDPR, specifically under point a) of that paragraph concerning the basic principles of processing and point b) concerning the rights of data subjects;
- that, taking into account the nature of the violation, which concerns the special category of health data, the number of affected data subjects (at least 3,392 patients of the Hospital and in any case a total of 4,772 data subjects without a legal basis) and the duration of the infringement (the unlawful collection and storage of data by the doctor appears to have been taking place at least since 2018), the severity of the violation is judged to be medium;
- the high degree of responsibility of the doctor, who, as a health professional, must maintain medical confidentiality;
- that the violation appears to be attributable to at least gross negligence on the part of the accused physician.
The following aggravating factors are taken into account:
- The presentation of contradictory allegations that varied according to the information the Authority had at its disposal, from which an attempt to mislead the Authority and a lack of cooperation during the investigation can be deduced.
- As noted, the doctor has a special obligation to observe professional confidentiality (within the meaning of Article 9 par. 3 GDPR). Therefore, the allegation that he "did not have the means to obtain proper legal advice" before using the data for the purpose of political communication and that he was "victimised" by the advice of his communications consultants is considered aggravating in this case, because ignorance of the relevant data protection provisions by a professional who is obliged to maintain medical confidentiality cannot be accepted.
- The doctor's repeated claim that he does not bear the burden of proof, despite the principle of accountability, which demonstrates not only ignorance but also an absence of willingness to comply with the GDPR.
In addition, it is taken into account that according to Recital 150 GDPR, "Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine".

FOR THESE REASONS

THE AUTHORITY

Imposes on C, as controller, pursuant to Article 58 par. 2 i) GDPR:
a) an administrative fine of twelve thousand euros (€12,000) for the established violation of the basic principle of lawfulness, fairness and transparency of the processing (Article 5 par. 1 a) in conjunction with Articles 6 par. 1, 6 par. 4, 9 par. 1 and 2, 13 and 14 GDPR), and
b) an administrative fine of three thousand euros (€3,000) for the established violation of the obligation to facilitate data subjects in the exercise of their rights (Article 12 par. 2 GDPR).

The President: Georgios Batzalexis
The Secretary: Irini Papageorgopoulou