APD/GBA (Belgium) - 127/2022
APD/GBA - 127/2022 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(f) GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 24 GDPR Article 25 GDPR Article 32 GDPR Article 35(1) GDPR Article 35(3) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 04.10.2019 |
Decided: | 19.08.2022 |
Published: | |
Fine: | 20,000 EUR |
Parties: | n/a |
National Case Number/Name: | 127/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Dutch |
Original Source: | APD/GBA (Belgium) (in NL) |
Initial Contributor: | Koen |
The Belgian DPA fined a laboratory €20,000 for violating Articles 5(1)(f), 12, 13, 14, 24, 25, 32, 35(1), and 35(3) GDPR due to its lack of security and privacy policy on its website and its nonexistent data protection impact assessment.
English Summary
Facts
The data subject had dealt with a medical laboratory (the controller) on several occasions. He underwent a medical analysis multiple times. After hearing that his doctor had remote access to the results, the data subject found out that the website of the laboratory contained a link to a page for access to medical data under the name ‘Cyberplab’, which used an unsafe http-protocol.
The data subject filed a complaint at the Belgian DPA against the controller. After receiving the complaint, the DPA initiated an investigation into the matter. The site was unencrypted with the http-protocol at the time of the first report of the investigation of the DPA. However, after the DPA had made contact with the controller, the controller added TLS 1.2 to the website, a basic protocol which is used for websites since 1999. Because of this, the site used the https-protocol.
The controller challenged most findings of the investigation. The controller stated that it thought that it was the processor instead of the controller. The controller also stated that her processing operation was small before the pandemic but had since then grown into a large processing operation. Before the pandemic, it claimed to have 50 operations a day, but didn’t provide any statistics how much operations were undertaken each day during – and after the pandemic. The controller also stated that the GDPR doesn’t contain any provision that this information should be provided on a website at all. The controller also stated that, given the small number of processing before the COVID crisis, a posting of the information in its physical sites was sufficient during that time.
Holding
Firstly, the Belgian DPA held that the laboratory was a controller pursuant to Article 4(7) GDPR because it determined both the purposes and means of processing.
Secondly, the DPA also held that the controller had inadequately secured the health data in its possession. More precisely, the DPA held that the controller violated the principle of integrity and confidentiality (Article 5(1)(f) GDPR and 32 GDPR). In particular, the controller had not implemented secure and encrypted login and communication protocols which, in turn, made it possible for an attacker to perform ‘man in the middle attacks’. For the same reasons, the DPA also held that the processor did not take appropriate technical and organizational measures under Article 24 GDPR and 25 GDPR. However, the DPA considered that in this case, the violations of Article 5(1)(f) GDPR and 32 GDPR were sufficient in order to sanction the website's lack of security.
Furthermore, the DPA held that the controller violated Articles 35(1) and 35(3) by not conducting a data protection impact assessment. In determining whether the controller was obliged to do so, the DPA considered that the central issue was whether the processing at hand was large scale or not. The DPA considered the number of data subject, the volume of data, the length in time of processing operation and the geographical scale of the processing to be the relevant factors for this question. Since an external service provider stated in its report that the processing in question was large scale and concerned special categories of data, the DPA held that the controller should have conducted a data protection impact assessment before the processing had started.
Finally, the DPA held that the controller had also violated Articles 12, 13, and 14 GDPR, mainly due to a lack of a privacy policy on its website until the DPA contacted the controller. The DPA held that providing this information at the physical test sites was insufficient. Moreover, the DPA found no evidence that the controller had provided any GDPR-information at the physical locations. It is clear from the decision that the DPA held that the information should also be available on a website, despite any availability at physical locations.
After taking into account several aggravating and mitigating factors, the DPA fined the controller €20,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
1/17 Decision of the Court of First Instance of 19 August 2022 File number: DOS-2019-05244 Subject: Complaint against a medical analysis laboratory for violating the principles of integrity, confidentiality and transparency The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Christophe Boeraeve and Mr Frank De Smet, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "the AVG"; Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG"; Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents in the file; has taken the following decision on: Complainant X, hereinafter "the complainant Defendant: Medical Analysis Laboratory, represented by Sébastien Popijn, hereinafter "the defendant" Decision on the merits 127/2022 - 2/17 I. Facts and procedure 1. On 4 October 2019, the complainant filed a complaint against the respondent with the Data Protection Authority. 2. The complainant suspects that the Medical Analysis Laboratory (hereafter: Medical Analysis Laboratory) did not carry out a data protection impact assessment, did not inform individuals correctly and processed special categories of data, in this case health- related data, through an unsecured website. The complainant states that he had several dealings with the Medical Analysis Laboratory in the context of medical analyses. He was told that his doctor had electronic access to his analysis results. However, he notes that the website of the medical analysis laboratory contains a page for accessing medical analysis data under the name "Cyberlab" in an unsecured HTTP protocol. 3. On 29 October 2019, the complaint was declared admissible by the Honours Department under Sections 58 and 60 of the WOG and was referred to the Dispute Resolution Chamber under Section 62(1) of the WOG. 4. On 27 November 2019, the Disputes Chamber decides to request an investigation by the Inspectorate under sections 63, 2° and 94, 1° of the CPC. 5. On 29 November 2019, pursuant to Article 96 § 1 of the WOG, the Dispute Resolution Chamber's request for an investigation is forwarded to the Inspectorate, together with the complaint and the inventory of documents. 6. On September 8, 2021, the investigation of the Inspectorate is concluded, the report is added to the file and the latter is transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the WOG). The report contains a number of findings relating to the subject matter of the complaint and reaches the following findings: 1. The defendant may be considered a data controller 2. Insufficiently secure health data in violation of Articles 5.1(f), 24, 25 and 32 of the AVG. 3. No data protection impact assessment in breach of Articles 35.1 and 35.3 of the AVG. 4. Lack of information regarding data processing in violation of Articles 12 to 14 of the AVG. Decision on the merits 127/2022 - 3/17 7. On 21 September 2021, the Disputes Chamber decides under Article 95, §1, 1° and Article 98 of the CPC that the case can be heard on the merits. 8. On 21 September 2021, the parties concerned will be notified by registered letter of the provisions of Article 95 §2 and Article 98 of the CPC. They are also notified of the deadlines for submitting their defences, in accordance with Article 99 of the CPC. The deadline for receipt of the defendant's defences of reply is set at 2 November 2021, that for the complainant's defences of reply at 23 November 2021 and finally that for the defendant's defences of reply at 14 December 2021. 9. On 27 September 2021, the defendant requested a copy of the file (art. 95, §2, 3° of the CPC), which was sent to her on 6 October 2021. 10. On 2 November 2021, the Dispute Resolution Chamber received the respondent's defences. 11. On 7 November 2021, the Disputes Chamber receives the complainant's defences to the reply. 12. On 9 December 2021, the Dispute Resolution Chamber received the respondent's defences. 13. On 25 July 2022, the Disputes Chamber notified the defendant of its intention to proceed with the imposition of an administrative fine, as well as its amount in order to give the defendant an opportunity to defend itself, before the sanction is effectively imposed. 14. On 15 August 2022, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine and the amount thereof. II. Reason II.1. Responsibility for processing 15. In its investigation report, the Inspectorate (hereinafter ID) determines that the defendant can be considered a data controller. That position is initially disputed by the defendant, but eventually accepted in its summary conclusions, following the complainant's defences to its reply. 16. The Disputes Chamber decides that the defendant can be considered a data controller as it determines the purposes and means of processing. Decision on the merits 127/2022 - 4/17 17. It recalls, however, that in accordance with the principle of responsibility under Article 24 of the AVG, the defendant itself must be able to determine its responsibilities and obligations under the AVG. Moreover, the Disputes Chamber adds that the changes in the defendant's position during the course of the proceedings led to an apparent confusion in its defence, since it initially argued, for example, that it was not obliged to carry out an EIO because it is only a processor1 (and processors are not obliged to carry out an EIO) and then stated that the failure to carry out an EIO was due to the fact that the processing activities did not initially meet the criteria under which it was required to carry out an EIO. 2 These views are clearly incompatible. II.2. Interest of the complainant. 18. The file shows that the complainant's doctor had several medical analyses performed for his patient by the defendant. Thus, the defendant processes or has processed the complainant's personal data. The complainant therefore has an interest in appearing in this file. II.3. Finding 1: Inadequately secured health data (AVG Articles 5.1(f), 24, 25 and 32) 19. The investigation report shows that the defendant has a website. The homepage of this website contains another page of the medical analysis laboratory under the heading "Consult results", which links to the "Cyberlab", the defendant's online results server, where doctors can consult the results and histories of their patients' analyses in real time. 20. In its first technology investigation report of 14 January 2021 (hereinafter: the first technology report), the ID found that this website does not contain encryption (the collected login and password are sent unencrypted), as it uses an "http" protocol instead of an encrypted "https" protocol. 21. In this regard, ID notes that "Cyberlab's access site is thus not secure and is susceptible to man-in-the-middle attacks. The login and password collected are transmitted unencrypted [...]". 22. Following the answers provided by the respondent during the course of the investigation, a follow-up report to the technological investigation report will be issued on July 6, 2021 1 Defendants' defences, p. 9 2 Summary conclusion of the defendant, p. 7