Datainspektionen - DI-2019-3839

From GDPRhub
Revision as of 11:53, 14 December 2020 by Mh
Authority: Datainspektionen (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 32(1) GDPR; Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 02.12.2020
Published: 02.12.2020
Fine: 4000000 SEK
Parties: Styrelsen för Karolinska Universitetssjukhuset
National Case Number/Name: DI-2019-3839
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Swedish
Original Source: Datainspektionen (in SV)
Initial Contributor: Charlotte Godhe

The Swedish DPA (Datainspektionen) held that access to medical records must be restricted according to what each individual care worker needs in order to perform their job. The DPA therefore fined the Karolinska University Hospital approximately € for a breach of Article 32 GDPR.

English Summary

Facts

The Karolinska University Hospital granted healthcare personnel access to patient records according to their role, i.e. whether they were doctors or nurses, rather than according to their individual need. As a result, the system gave staff access to almost all medical records regardless of whether that access was necessary for their work.

Dispute

Had the Karolinska University Hospital taken the organisational measures required under Article 32 GDPR to limit access to personal data in the medical record system?

Holding

The DPA held that the Karolinska University Hospital had not restricted access to patient records based on what each member of the healthcare personnel needed in order to perform their work. The hospital had thus not taken appropriate organisational measures under Articles 5(1) and 32 GDPR to limit access to personal data. The hospital had therefore also failed to ensure appropriate security for personal data under Article 5(2) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.