HDPA (Greece) - 36/2022
| HDPA - 36/2022 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(f) GDPR, Article 15 GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 31.05.2021 |
| Decided: | 03.08.2022 |
| Published: | 18.08.2022 |
| Fine: | 30,000 EUR |
| Parties: | AXIOYU PYLIS CENTRE I.A |
| National Case Number/Name: | 36/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Jette |
The Greek DPA fined a medical diagnostics centre €30,000 for not taking appropriate technical and organisational measures.
English Summary
Facts
A patient (data subject) of diagnostic centre Pyle Axiou I.A.E. (controller) requested copies of her medical records in relation to a mammogram carried out in the past. The controller replied that it could not provide her with the images from the mammogram, as the machine can only store them for 3 months. The data subject then submitted a complaint with the DPA for violation of her right of access. She stressed that in particular the images of the mammogram were important in view of her age and state of health.
After a letter from the DPA, the controller suddenly remembered that it also stored the images on a hard drive in its storage. However, it could not recover the images.
During a hearing, the controller argued: a) it had exhausted all possibilities for recovery of the disputed imaging examination, which could not be recovered; b) according to medical science, the critical document is the conclusion of the imaging examination, which was provided to the complainant, and not the imaging test itself; c) it has informed the complainant in writing in good time of the unavailability of the imaging test; d) in any event, the complainant has been fully and comprehensively informed in the context of the submission of the imaging test of ... (General Number ... and case number ...) against the complainant before the Magistrates' Court of [district] X, and (e) he has submitted his views on the issues of his compliance with his obligations under Articles 32-34 of the GDPR. Similarly, A, in her memorandum of 15.03.2022 (and no. AID C/EIS/4423/16.03.2022), argued, inter alia, that in addition to the violation of the right of access through the failure to provide the requested imaging examination, there was also a violation of the right to information, as she was never informed by the diagnostic centre of the definitive loss of availability.
Holding
The Authority rejects as unfounded the patient's complaint for violation of the right of access by the diagnostic center complained against, due to the fact that the personal data in question had become illegally unavailable at the time the right was exercised. Furthermore, the Authority, in the context of examining the above complaint: a) finds that the loss of availability of the imaging test in question constitutes a violation of the principle of article 5 par. 1 item f GDPR, due to the failure to take appropriate technical and organizational measures to ensure the appropriate level of security according to article 32 GDPR, and imposes an administrative fine on the diagnostic center; b) finds that the notification of a personal data breach to the Authority was made late, in violation of article 33 GDPR, and addresses a reprimand according to article 58 par. 2 item b) GDPR to the diagnostic center; and c) gives an order, pursuant to article 58 par. 2 item e' GDPR, to the diagnostic center to announce the breach of personal data to the affected data subjects, in accordance with the provisions of article 34 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
1-3 Kifisias Ave., 11523 Athens T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr

Athens, 03-08-2022 Prot. No.: 1963

DECISION 36/2022 (Department)

The Personal Data Protection Authority met, at the invitation of its President, in a Department meeting via video conference on Wednesday 08.06.2022 at 10:00, in order to examine the case referred to in the history of the present decision. Present were George Batzalexis, Deputy President of the Authority, and the regular members of the Authority Konstantinos Lambrinoudakis and Grigorios Tsolias, as rapporteur. Present, without the right to vote, were Chariklia Latsiu, DN - legal auditor, as assistant rapporteur, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.

The Authority took into account the following:

With her complaint of 31.05.2021 (prot. no. APD C/EIS/3559/31.05.2021), A informed the Authority that she had submitted to the diagnostic center PRIVATE Polyclinic and diagnostic center Pylis Axios I.A.E. a request dated 08.02.2021, with which she asked to receive copies of the images that are included in the medical file of the Center and relate to the digital mammogram carried out on ...01.2018, in addition to its conclusion. The Center, with its reply of 09.02.2021, informed A that: "there is no ability to reprint images from the machine on which you had the examination in January 2018. The particular machine had a file storage capacity of 3 months and that is why we replaced it".

Following this, A complained to the Authority that her right of access to personal data concerning her was violated, and specifically that she was not given copies of the imaging tests of the digital mammogram carried out on ...01.2018, underlining, in addition, that this is an important gynecological examination, which serves, due to age and health status, as a reference test.

The Authority, during the examination of the above complaint, called under no.
prot. APD C/EXE/1496/15.06.2021 document the PRIVATE POLYCLINICAL AND DIAGNOSTIC VALUE GATE CENTER I.A.E. (hereinafter diagnostic center) to submit specific clarifications on the matters complained of.

Next, the diagnostic center, with its request of 01.07.2021 (prot. no. APD G/EIS/4330/01.07.2021), requested that its request to postpone the submission of opinions to a different day be accepted. Following this, the Authority, with document prot. no. APD C/EXE/1717/15.07.2021, accepted the request to postpone the opinions and called on the diagnostic center: "(...) if the disputed digital mammography of ...01.2018 is found in the meantime, to proceed without delay to grant a copy of it to the complainant, in satisfaction of the right of access to personal data".

In response to the above documents of the Authority, the diagnostic center, with its document of 31.07.2021 (prot. no. APD C/EIS/5068/02.08.2021), informed the Authority, among other things, that: "(...) The machine with which the complainant's digital mammogram examination was performed on ...01.2018 indeed, as we answered the complainant herself, does not have the possibility of reprinting images. The generated images were stored locally on the specific machine for a period of approximately three (3) months from the date of their processing and at the same time they were stored on hard disk systems, which were kept in a warehouse within the diagnostic center. We searched for the hard disk system where the image of the complainant's digital mammogram is stored and we identified it. It is a NAS hard disk system, which contains images from CT scans, MRI scans, mammograms and X-rays that took place during the period from March 2017 to March 2018 at our diagnostic center (...)".
In addition, the diagnostic center informed the Authority that it has approached the companies Northwind Data Recovery and Stellar in order, as it claims, to exhaust all the possibilities that technology offers to recover the files contained in the company's hard disk system in the best possible form and quality.

Subsequently, the Authority, with documents prot. no. G/EX E/263/02.02.2022 and C/EXE/264/02.02.2022, called A and the diagnostic center, respectively, to appear at a meeting of the Department of the Authority on Wednesday 09.02.2022, in order to discuss the aforementioned complaint. In addition, with the above document prot. no. C/EXE/264/02.02.2022, the Authority informed the diagnostic center that, in the context of the examination of the complaint, it is also being checked ex officio, in relation to the lack of availability of the complainant's personal data, and for its general compliance with the obligation to observe the security of processing, the obligation to notify or not any personal data breach, and the obligation to communicate or not any personal data breach, under articles 32-34 GDPR, respectively, in the context of the obligation to comply with the principle of accountability of article 5 par. 2 GDPR.

At this meeting, at which A, Stefanos Topalis as attorney, and Dimitrios Ganakis, Managing Director of the diagnostic center, appeared before the Authority, the Authority accepted the request to postpone the examination of the case, submitted by the authorized attorney and legal advisor of the diagnostic center, Angelo Georgiadis, with his application dated 08.02.2022 (prot. no. APD C/EIS/1933/08.02.2022), and set a new meeting date of 02a.03.2022 at 10:00.
During the new meeting, A and Stefanos Topalis, as attorney-in-fact of the complainant (AM..), as well as Angelos Georgiadis, attorney of the diagnostic center (AM..), appeared before the Authority, while B, the Data Protection Officer of the diagnostic center, was also present. During this meeting, those present, after setting out their opinions, were given a deadline to submit written pleadings. Following this, the diagnostic center, with its memorandum of 17.03.2022 (prot. no. APD C/EIS/4475/21.03.2022), argued, among other things, that: a) it exhausted every possibility