HmbBfDI (Hamburg) - Bußgeldverfahren bzgl. Covid-Testcenter
| HmbBfDI - Bußgeldverfahren bzgl. Covid-Testcenter | |
|---|---|
| Authority: | HmbBfDI (Hamburg) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 6(1)(c) GDPR; Article 17 GDPR; Article 32(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 2,700 EUR |
| Parties: | n/a |
| National Case Number/Name: | Bußgeldverfahren bzgl. Covid-Testcenter |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | 31. Tätigkeitsbericht Datenschutz 2021 des Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit (in DE) |
| Initial Contributor: | CBMPN |
During the COVID-19 pandemic, multiple test centers were established, but not all complied with minimum data protection standards. The Hamburg DPA identified several violations, some of which led to fines.
English Summary
Facts
Various violations were identified:
1. Improper Disposal of Test Results
In a medical practice offering COVID-19 tests, employees disposed of positive and negative antigen test results in a garbage bag next to a public glass recycling container. The documents contained sensitive health data under Article 9 GDPR and were accessible to unauthorized third parties. Despite acknowledging the increased burden on medical practices during the pandemic, the Hamburg DPA deemed this handling of health data unacceptable. A fine of €1,000 was imposed, which the practice accepted.
2. Refusal to Grant Data Deletion Requests
A dedicated COVID-19 test center consistently ignored individuals’ requests for data deletion, violating Article 17 GDPR.
Even after the Hamburg DPA intervened and initiated administrative proceedings, the test center refused to comply.
Due to the systematic nature of the violation, the Hamburg DPA imposed a fine of €1,000, which the test center accepted.
3. Unsecured Online Access to Test Results
Another test center provided test results via unencrypted email containing a direct URL to a PDF file. The URL structure included the tested person’s last name, making it easy to access other individuals' results by modifying the URL.
This was a clear violation of Article 32(1) GDPR, as the test center failed to implement appropriate security measures.
The Hamburg DPA imposed a fine of €2,700.
4. Unlawful Storage of ID Card Copies
A fourth test center scanned and stored both the front and back of tested individuals' ID cards on an external hard drive. This exceeded the legal requirements for documentation under the German Coronavirus Testing Regulation.
There was no legal basis under Article 6(1)(c) GDPR for storing complete ID card copies, and the practice posed a significant security risk.
The test center did not cooperate with the Hamburg DPA to address the issue, leading to a fine of approximately €1,400.
Holding
Various COVID-19 test centers committed GDPR violations, including improper data disposal, failure to respect deletion rights, inadequate security measures, and unlawful data retention.
The Hamburg DPA imposed fines ranging from €1,000 to €2,700, depending on the severity of the violations.
While some entities accepted the fines, others displayed a lack of cooperation, which influenced the penalties imposed.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Fine proceedings regarding Covid test centers
During the pandemic situation, a large number of so-called corona test centers were set up and operated. Not all test centers met minimum data protection standards. In a few cases, the violations had reached a level that made it necessary to conduct administrative offense proceedings. The test centers were of a different nature.
Some were doctor's offices that also offered tests in addition to regular patient care. In one such practice, employees had placed written evidence of positive and negative Covid-19 antigen rapid test results from patients in a garbage bag next to a public waste glass container. There was no protection against third parties becoming aware of them. The HmbBfDI did take into account that numerous doctor's offices had closed or were at least only open to a limited extent during the rampant pandemic. The tense situation also resulted in a significant additional burden on the practice affected here. Due to the fact that health data within the meaning of Art. 9 GDPR was handled carelessly and a large number of people were affected, the HmbBfDI could not refrain from conducting administrative offence proceedings. A fine of €1,000 was imposed, which was also accepted by the practice.
In another case, the HmbBfDI had complaints about a pure test center that consistently refused to exercise the right to delete the data of people tested. Now, not every violation of a data subject's right automatically leads to the imposition of a fine, even if health data within the meaning of Art. 9 GDPR is affected. In this case, however, the approach seemed to have a method. Even when the HmbBfDI contacted the company and initiated administrative proceedings, nothing changed in the behavior of the test center. The inquiries and requests were consistently ignored. The HmbBfDI has therefore imposed a fine of €1,000. The company has accepted this fine.
Those responsible who process large amounts of personal data and thereby disregard the rights of those affected must expect the HmbBfDI to initiate administrative offence proceedings in the future.
In another case, a third test centre had made the test results available for retrieval via URL. Tested persons were sent a URL via unencrypted email under which the test result could be retrieved without any further security measures. In at least 189 cases, the retrieval link was structured in such a way that the path led to the download of a PDF file and the file name corresponded to the last name of the person being tested. With knowledge of the directory path, it was therefore possible to view third-party test results. The last name simply had to be replaced with any other last name. This was obviously a violation of the obligation to properly secure personal (health) data through appropriate technical and organizational measures in accordance with Art. 32 Para. 1 GDPR. The HmbBfDI punished this violation with a fine of €2,700.
The last of the cases described here concerned a test center that wanted to protect itself against inquiries from the Association of Statutory Health Insurance Physicians. For this purpose, the front and back of identity cards of tested persons were scanned and saved on an external hard drive. However, for documentation purposes, only the personal data listed in Section 7 Para. 5 No. 5 and Sections 2 to 4b of the Coronavirus Testing Ordinance would have been saved. For the remaining storage, there was no legal obligation within the meaning of Art. 6 Paragraph 1 Subparagraph 1 Letter c) of GDPR and it was therefore inadmissible, which the test center could and should have known by simply reading the law. The storage of complete identity cards is not only excessive, but also poses considerable risks for those affected. If these storages fall into the wrong hands, there are hardly any limits to the possibilities for misuse.
In addition, there was no constructive cooperation between the company and the HmbBfDI with the aim of eliminating the data protection-violating conditions. The HmbBfDI has therefore imposed a fine of around €1,400.
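The third case (summary item 3 and the corresponding passage of the decision above) turns on result links whose only variable part is the tested person's last name. The Python below is an added illustration, not code from the report or from the test center: it contrasts that name-keyed lookup with an issuer of random, expiring capability tokens of the kind Article 32(1) GDPR expects for health data. The result store, result ids and URL paths are constructed for the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample store keyed by an internal result id (not data from the report).
RESULTS = {
    "r-1001": {"last_name": "Mueller", "result": "negative"},
    "r-1002": {"last_name": "Schmidt", "result": "positive"},
}

def resolve_by_name(path: str) -> Optional[dict]:
    """Pattern described in the decision: the PDF name is the last name, so anyone
    who knows the directory path can reach other people's results."""
    prefix, suffix = "/results/", ".pdf"
    if not (path.startswith(prefix) and path.endswith(suffix)):
        return None
    name = path[len(prefix):-len(suffix)]
    return next((r for r in RESULTS.values() if r["last_name"] == name), None)

class LinkIssuer:
    """Hardened alternative: one high-entropy, expiring token per result; the URL
    carries no identity and cannot be derived from anything the recipient knows."""

    def __init__(self, ttl_seconds: int = 72 * 3600):
        self.ttl = ttl_seconds
        self._links: Dict[str, Tuple[str, float]] = {}  # token -> (result_id, expiry)

    def issue(self, result_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
        self._links[token] = (result_id, now + self.ttl)
        return f"/results/{token}"

    def resolve(self, path: str, now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        prefix = "/results/"
        token = path[len(prefix):] if path.startswith(prefix) else ""
        if not token.isascii():
            return None
        # Constant-time comparison so response timing does not leak partial matches.
        match = next((t for t in self._links if hmac.compare_digest(t, token)), None)
        if match is None:
            return None
        result_id, expires_at = self._links[match]
        if now > expires_at:
            del self._links[match]  # expired links are dropped, not served
            return None
        return RESULTS.get(result_id)
```

In a real deployment the token table would live in the database alongside the result, and the link would still be delivered over a channel that does not expose it in plaintext, which the unencrypted e-mail in the case did not provide.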