APD/GBA (Belgium) - 127/2022
| APD/GBA - 127/2022 | |
|---|---|
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(f) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24 GDPR, Article 25 GDPR, Article 32 GDPR, Article 35(1) GDPR, Article 35(3) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 04.10.2019 |
| Decided: | 19.08.2022 |
| Published: | |
| Fine: | 20,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 127/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Dutch |
| Original Source: | APD/GBA (Belgium) (in NL) |
| Initial Contributor: | Koen |
The Belgian DPA fined a laboratory €20,000 for violating Articles 5(1)(f), 12, 13, 14, 24, 25, 32, 35(1), and 35(3) GDPR due to its lack of a secure website, lack of a data protection impact assessment, and lack of a privacy policy on its website.
English Summary
Facts
The data subject had dealt with a laboratory (the controller) on several occasions, undergoing medical analyses multiple times. After hearing that his doctor had remote access to the results, the data subject found out that the laboratory's website contained a link to a page for access to medical data under the name ‘Cyberlab’, which used the unencrypted http protocol. The data subject filed a complaint with the Belgian DPA against the controller. After receiving the complaint, the DPA initiated an investigation into the matter. At the time of the first report of the DPA's investigation, the site was still served unencrypted over http. However, after the DPA had made contact with the controller, the controller added TLS 1.2 to the website, a basic protocol which has been used for websites since 1999; as a result, the site used the https protocol. The controller challenged most findings of the investigation. The controller stated that it thought it was the processor rather than the controller. It also stated that its processing operation was small before the pandemic but had since grown into a large processing operation. Before the pandemic, it claimed to have carried out 50 operations a day, but did not provide any statistics on how many operations were undertaken each day during and after the pandemic. It also stated that the GDPR does not contain any provision requiring this information to be provided on a website at all, and that, given the small number of processing operations before the COVID crisis, posting the information at its physical sites was sufficient during that time.
Holding
The laboratory is the controller
The DPA held that the laboratory was a controller pursuant to Article 4(7) GDPR because it determined both the purposes and means of processing.
Inadequately secured health data: Violation of the principle of integrity and confidentiality (Article 5(1)(f) and 32 GDPR), the responsibilities of the controller (Article 24 GDPR) and data protection by design and default (Article 25 GDPR)
The DPA held that the controller violated the principle of integrity and confidentiality (Articles 5(1)(f) and 32 GDPR). The controller did not provide adequate protection on the website where doctors had unencrypted remote access to the results of their patients' medical analyses. In its first report during the investigation, the DPA concluded that the ‘Cyberlab’ website was not sufficiently protected because of the use of the http protocol, which should have been https to prevent so-called ‘man in the middle’ attacks. With http, logins and passwords are not encrypted and can be intercepted in transit. After the DPA had made contact, the controller implemented TLS 1.2 on the website. According to the DPA, the use of TLS is generally recommended for websites, but should especially be used by sites that process medical data. The controller did not provide this protection until the DPA made contact during the investigation. The DPA also held that the controller did not take appropriate technical and organisational measures by enabling doctors to access the results of their patients remotely without encryption, and hence violated Articles 24 and 25 GDPR. The DPA held that in this case, Articles 5(1)(f) and 32 GDPR were sufficient in order to sanction the lack of security on the website.
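The defect sanctioned here is a login page that submits credentials over plain http. As an added example (not code from the GDPRhub page, the DPA or the laboratory), the following offline check parses page HTML and flags every form with a password field whose resolved action URL is not https; the sample page and hostname are constructed.

```python
"""Offline check for login forms that would send credentials in the clear.

Added example, not part of the GDPRhub page or of the decision: it flags
every form with a password field whose resolved action URL is not https,
which is exactly what exposes a login and password to interception.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects [action, has_password_field] for each <form> in the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_credential_forms(page_url, html):
    """Return action URLs of password forms not submitted over https (resolved against page_url)."""
    parser = _FormCollector()
    parser.feed(html)
    return [
        urljoin(page_url, action)
        for action, has_password in parser.forms
        if has_password and urlsplit(urljoin(page_url, action)).scheme != "https"
    ]


# Constructed sample page (hypothetical hostname): a results portal with a relative login action.
SAMPLE_HTML = (
    '<form action="/login" method="post"><input name="user"><input type="password" name="pw"></form>'
    '<form action="https://portal.example.test/search"><input name="q"></form>'
)
```

Because the action is resolved against the page URL, the same relative form is reported as insecure when the page is reached over http and as fine when it is reached over https.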
No data protection impact assessment undertaken by the controller (Article 35(1) and 35(3) of the GDPR)
The DPA held that the controller violated Articles 35(1) and 35(3) GDPR by not conducting a data protection impact assessment. In determining whether the controller was obliged to do so, the DPA considered that the central issue was whether the processing at hand was large scale or not. The DPA considered the number of data subjects, the volume of data, the duration of the processing operation and the geographical scale of the processing to be the relevant factors for this question. Since an external service provider stated in its report that the processing in question was large scale and concerned special categories of data, and since the controller failed to assess according to objective criteria whether its processing was large scale or not, the DPA held that the controller should have conducted a data protection impact assessment before the processing started.
Lack of information regarding data processing (Articles 12 to 14 GDPR)
The DPA held that the controller had also violated Articles 12, 13 and 14 GDPR, mainly due to the lack of a privacy policy on its website until the DPA contacted the controller. The DPA held that providing this information at the physical test sites was insufficient, and that the controller did not provide any evidence that any GDPR information was in fact available at the physical locations. It is clear from the decision that the DPA held that the information should also be available on a website, regardless of any availability at physical locations.
After taking into account several aggravating and mitigating factors, the DPA fined the controller €20,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Decision of the Court of First Instance of 19 August 2022
File number: DOS-2019-05244
Subject: Complaint against a medical analysis laboratory for violating the principles of integrity, confidentiality and transparency

The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Christophe Boeraeve and Mr Frank De Smet, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "the AVG";
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG";
Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;
Having regard to the documents in the file;
has taken the following decision on:
Complainant: X, hereinafter "the complainant"
Defendant: Medical Analysis Laboratory, represented by Sébastien Popijn, hereinafter "the defendant"

Decision on the merits 127/2022 - 2/17

I. Facts and procedure

1. On 4 October 2019, the complainant filed a complaint against the respondent with the Data Protection Authority.

2. The complainant suspects that the Medical Analysis Laboratory (hereafter: Medical Analysis Laboratory) did not carry out a data protection impact assessment, did not inform individuals correctly and processed special categories of data, in this case health-related data, through an unsecured website. The complainant states that he had several dealings with the Medical Analysis Laboratory in the context of medical analyses. He was told that his doctor had electronic access to his analysis results. However, he notes that the website of the medical analysis laboratory contains a page for accessing medical analysis data under the name "Cyberlab" in an unsecured HTTP protocol.

3. On 29 October 2019, the complaint was declared admissible by the Honours Department under Sections 58 and 60 of the WOG and was referred to the Dispute Resolution Chamber under Section 62(1) of the WOG.

4. On 27 November 2019, the Disputes Chamber decides to request an investigation by the Inspectorate under sections 63, 2° and 94, 1° of the CPC.

5. On 29 November 2019, pursuant to Article 96 § 1 of the WOG, the Dispute Resolution Chamber's request for an investigation is forwarded to the Inspectorate, together with the complaint and the inventory of documents.

6. On September 8, 2021, the investigation of the Inspectorate is concluded, the report is added to the file and the latter is transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the WOG). The report contains a number of findings relating to the subject matter of the complaint and reaches the following findings:
   1. The defendant may be considered a data controller
   2. Insufficiently secure health data in violation of Articles 5.1(f), 24, 25 and 32 of the AVG.
   3. No data protection impact assessment in breach of Articles 35.1 and 35.3 of the AVG.
   4. Lack of information regarding data processing in violation of Articles 12 to 14 of the AVG.

7. On 21 September 2021, the Disputes Chamber decides under Article 95, §1, 1° and Article 98 of the CPC that the case can be heard on the merits.

8. On 21 September 2021, the parties concerned will be notified by registered letter of the provisions of Article 95 §2 and Article 98 of the CPC. They are also notified of the deadlines for submitting their defences, in accordance with Article 99 of the CPC. The deadline for receipt of the defendant's defences of reply is set at 2 November 2021, that for the complainant's defences of reply at 23 November 2021 and finally that for the defendant's defences of reply at 14 December 2021.

9. On 27 September 2021, the defendant requested a copy of the file (art. 95, §2, 3° of the CPC), which was sent to her on 6 October 2021.

10. On 2 November 2021, the Dispute Resolution Chamber received the respondent's defences.

11. On 7 November 2021, the Disputes Chamber receives the complainant's defences to the reply.

12. On 9 December 2021, the Dispute Resolution Chamber received the respondent's defences.

13. On 25 July 2022, the Disputes Chamber notified the defendant of its intention to proceed with the imposition of an administrative fine, as well as its amount in order to give the defendant an opportunity to defend itself, before the sanction is effectively imposed.

14. On 15 August 2022, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine and the amount thereof.

II. Reason

II.1. Responsibility for processing

15. In its investigation report, the Inspectorate (hereinafter ID) determines that the defendant can be considered a data controller. That position is initially disputed by the defendant, but eventually accepted in its summary conclusions, following the complainant's defences to its reply.

16. The Disputes Chamber decides that the defendant can be considered a data controller as it determines the purposes and means of processing.

17. It recalls, however, that in accordance with the principle of responsibility under Article 24 of the AVG, the defendant itself must be able to determine its responsibilities and obligations under the AVG. Moreover, the Disputes Chamber adds that the changes in the defendant's position during the course of the proceedings led to an apparent confusion in its defence, since it initially argued, for example, that it was not obliged to carry out an EIO because it is only a processor[1] (and processors are not obliged to carry out an EIO) and then stated that the failure to carry out an EIO was due to the fact that the processing activities did not initially meet the criteria under which it was required to carry out an EIO.[2] These views are clearly incompatible.

II.2. Interest of the complainant

18. The file shows that the complainant's doctor had several medical analyses performed for his patient by the defendant. Thus, the defendant processes or has processed the complainant's personal data. The complainant therefore has an interest in appearing in this file.

II.3. Finding 1: Inadequately secured health data (AVG Articles 5.1(f), 24, 25 and 32)

19. The investigation report shows that the defendant has a website. The homepage of this website contains another page of the medical analysis laboratory under the heading "Consult results", which links to the "Cyberlab", the defendant's online results server, where doctors can consult the results and histories of their patients' analyses in real time.

20. In its first technology investigation report of 14 January 2021 (hereinafter: the first technology report), the ID found that this website does not contain encryption (the collected login and password are sent unencrypted), as it uses an "http" protocol instead of an encrypted "https" protocol.

21. In this regard, ID notes that "Cyberlab's access site is thus not secure and is susceptible to man-in-the-middle attacks. The login and password collected are transmitted unencrypted [...]".

22. Following the answers provided by the respondent during the course of the investigation, a follow-up report to the technological investigation report will be issued on July 6, 2021

[1] Defendants' defences, p. 9
[2] Summary conclusion of the defendant, p. 7