HDPA (Greece) - 3/2024
HDPA - 3/2024 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5 GDPR Article 24 GDPR Article 24(2) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 15.12.2022 |
Decided: | 15.04.2024 |
Published: | 15.04.2024 |
Fine: | n/a |
Parties: | Omilos Iatriki Diagnosi Complianant |
National Case Number/Name: | 3/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Greek |
Original Source: | Hellenic DPA (in EL) |
Initial Contributor: | Evangelia Tsimpida |
The Hellenic DPA proceeded to investigate a complaint against a diagnostic centre for breach of confidentiality of the complainant's personal data due to her allegation of a telephone disclosure of health data to her father. The Authority rejected the complaint as unfounded
English Summary
Facts
On 15.12.2022 the complainant proceeded to file a complaint against a Diagnostic centre. The complainant alleged that after conducting tests at the diagnostic centre, an employee of the diagnostic centre communicated the results of her tests to the complainant's father by telephone without her consent. Specifically, she alleged that an employee of the diagnostic center contacted her father by telephone, informed him of the additional tests that the complainant had to undergo and requested that the complainant call immediately to confirm the additional cost. In the complainant's protest, she claimed that the diagnostic center apologized and admitted the incident by saying "what's done is done, now it's not undone."
On 28.03.2023, the respondent diagnostic centre replied to the Authority as follows: it confirmed that the complainant had undergone examinations at the diagnostic centre, where the secretariat informed her about the data protection policy of the complainant and completed the form E3 entitled "DECLARATION OF CONSENT FOR SENDING RESULTS" for sending the results by electronic mail using the encryption method. Furthermore, according to the diagnostic center's allegations, the complainant herself provided her telephone number to the secretariat, which was registered in the system, and the secretariat called that telephone number in order to inform her of additional required tests. This call was answered by the complainant's father, who responded that the complainant was absent and who was asked to inform her that she needed to contact the diagnostic center for her personal matter and no health information was disclosed. Furthermore, with regard to the center's apology, the respondent claimed that there was no admission of the incident and apology, but rather the situation was handled with courtesy and the complainant was informed of the content of the disputed telephone call.
On 28.04.2023, the complainant responded to the allegations of the respondent and noted that she never stated the specific telephone number to the diagnostic centre and that her number is different and she stands by the allegations of her complaint. In response, the respondent clarifies that the complainant's father is not a client of the diagnostic centre and therefore it is impossible that he could have been called in error, insisting on the allegation that the specific telephone number was verbally stated by the complainant and entered into the diagnostic centre's system. At the same time, it submits that the complaint is unproven, unfounded and constitutes an attempt by the complainant to obtain a pecuniary advantage, which has submitted an extrajudicial statement to the company proposing an out-of-court settlement of the incident in return for compensation.
Holding
On 25.01.2024, the Hellenic DPA summoned the complainant and the respondent to a hearing before the President of the Authority as a single representative body. During the hearing, they presented their allegations and were given a deadline to respond. The complainant reiterated her allegations, stressing in particular that she had never given her father's mobile phone number herself and that the secretariat of the diagnostic centre had disclosed sensitive health data during the call to her father, who, according to her, was a client of the diagnostic centre and that the call to him had been made by mistake by the secretariat. The respondent argued that the contact details were updated with the patients' verbal declaration to the registry and that the complainant's health data had never been disclosed to her father, as the registrars did not have access to the test results in any case. Furthermore, they expressed the view that the complaint in question had been lodged as a mean of enriching in relation to the out-of-court settlement she was seeking. With regard to the security measures taken by the diagnostic centre, the respondent informed that it had already been decided to rely on the procedures followed by the centre, in which the patients themselves record their communication details on a tablet during their visit.
The Authority, having examined all the information in the file and the allegations made by the complainant and the respondent, considered that the content of the telephone call could not be established with certainty and that no leakage of personal data could be established, given that, as the evidence showed, the diagnostic center's secretariat did not have access to the patients' test results and their health data. It also assessed the updating of the diagnostic centre's procedures by having the patients' communication forms signed by the diagnostic centre via a tablet.
Therefore, it is not established that the respondent has violated the principle of confidentiality of the complainant's data, while it is clear that the Diagnostic center has acted in accordance with the provisions of Articles 32 and 24(2) GDPR. The Authority therefore rejected the complaint as unfounded.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority examined a complaint against a company for breaching the confidentiality of the complainant's data, by communicating the complainant's test results to her father by telephone. In particular, the complainant stated that she herself did not give her father's mobile phone number to the complained company. From the examination of the case, the reported violation was not established. Regarding the process of collecting the contact details of the customers of the diagnostic center based on their verbal statement on the day of the visit, the Authority was informed that, in the context of updating the procedures of the complained company, from now on the collection will be done with their signed registration by the data subjects using a tablet. The complaint is therefore dismissed as unfounded.