AKI (Estonia) - 2.1.-3/20/4479

From GDPRhub
Revision as of 10:31, 13 December 2023 by Ar (talk | contribs) (Ar moved page AKI - 2.1.-3/20/4479 to AKI (Estonia) - 2.1.-3/20/4479)
AKI - 2.1.-3/20/4479
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 5(1)(c) GDPR
Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Fine: None
Parties: Mustamäe Apteek OÜ
National Case Number/Name: 2.1.-3/20/4479
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Estonian
Original Source: AKI (in ET)
Initial Contributor: n/a

The DPA dismissed the challenge against a precept requiring the e-pharmacy to implement proper technical and organizational measures to ensure the security of the processing. The precept was issued after the discovery that the platform displayed other persons' unpurchased prescriptions.

English Summary


At the end of November 2020, the DPA discovered that, after logging in to the Apotheka e-pharmacy (apotheka.ee), it was possible to view the prescriptions of any other person by entering that person's personal identification code. All of the other person's unpurchased prescriptions were immediately displayed. AKI assessed the risk to data subjects as very high, which is why it exceptionally used § 40 (3) 1) of the Administrative Procedure Act (HMS), which grants the right to issue an administrative act without hearing the objections of the participant in the proceeding.

According to the appellant, the DPA violated the principle of definition when issuing a precept without setting a clear deadline. Moreover, the DPA infringed procedural requirements by failing to hear the e-pharmacy. The appellant also believed the DPA had a misconception as to what would happen when entering a personal identification code.


Did the DPA violate procedural requirements when issuing the precept?


According to the DPA, the resolution was short and clear: to suspend the processing of the personal data in question by e-pharmacies. As the DPA argued, no one would imagine a situation where you could enter an Internet bank account with another person's personal identification number and both view his bank statement and make some transfers. If such an activity were to take place, no one would be surprised if the DPA stopped it from day one. At the same time, the bank account balance is not a special type of personal data, unlike prescription data.

According to the DPA, the above-described process is fully automated. Even if the appellant claims that a pharmacist was needed to manually display the prescription information, this does not change the fact that the prescription information was displayed only on the basis of the personal identification code without any further checks.
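
An added example, not code from the decision or from any e-pharmacy: the lookup that trusts a login plus an entered personal identification code, next to one that requires a recorded basis for the specific prescription and returns only minimised fields. All identifiers, records, stores and the choice of minimised fields are constructed assumptions.

```python
# Constructed sample data; every identifier and value here is illustrative.
PRESCRIPTIONS = {
    "SUBJ-A": [
        {"rx_id": "RX-1", "prescribed": "2020-11-20", "prescriber": "Dr. Example",
         "valid_until": "2021-01-20", "active_substance": "substance-x",
         "atc_group": "anti-asthma medicines", "purchased": False},
        {"rx_id": "RX-2", "prescribed": "2020-11-25", "prescriber": "Dr. Example",
         "valid_until": "2021-02-25", "active_substance": "substance-y",
         "atc_group": "cardiovascular system", "purchased": False},
    ],
}

# Assumed stores: authorizations the data subject recorded per prescription
# (patient-portal style) and legal representation (population-register style).
AUTHORIZATIONS = {("SUBJ-A", "SUBJ-C"): {"RX-1"}}  # (subject, representative) -> rx ids
LEGAL_REPRESENTATIVES = set()                      # {(subject, representative)}
AUDIT_LOG = []

# Assumption: a representative needs only enough to buy out one prescription,
# so health-revealing fields (active substance, ATC group) are withheld.
REPRESENTATIVE_FIELDS = ("rx_id", "valid_until")


class AccessDenied(Exception):
    """Raised when no basis for disclosure could be established."""


def list_prescriptions_flawed(logged_in_id, subject_id):
    """Behaviour the decision describes: any authenticated user who enters
    someone's personal identification code gets the full unpurchased list."""
    return [p for p in PRESCRIPTIONS.get(subject_id, []) if not p["purchased"]]


def legal_basis(requester_id, subject_id, rx_id):
    """Return the basis for disclosure, or None. Login alone is never a basis."""
    if requester_id == subject_id:
        return "self"
    if rx_id in AUTHORIZATIONS.get((subject_id, requester_id), set()):
        return "authorized"
    if (subject_id, requester_id) in LEGAL_REPRESENTATIVES:
        return "legal_representative"
    return None


def get_prescription(requester_id, subject_id, rx_id):
    """Disclose one named prescription, only with a basis, only minimised fields."""
    basis = legal_basis(requester_id, subject_id, rx_id)
    # Logging supports after-the-fact review; it does not replace the check.
    AUDIT_LOG.append({"requester": requester_id, "subject": subject_id,
                      "rx_id": rx_id, "basis": basis})
    if basis is None:
        raise AccessDenied("no consent, authorization or right of representation")
    rx = next((p for p in PRESCRIPTIONS.get(subject_id, [])
               if p["rx_id"] == rx_id and not p["purchased"]), None)
    if rx is None:
        # Same error as above so the response does not confirm what exists.
        raise AccessDenied("no consent, authorization or right of representation")
    if basis == "self":
        return dict(rx)
    return {field: rx[field] for field in REPRESENTATIVE_FIELDS}


if __name__ == "__main__":
    print(list_prescriptions_flawed("SUBJ-B", "SUBJ-A"))  # full list, no basis
    print(get_prescription("SUBJ-C", "SUBJ-A", "RX-1"))   # minimised record
    try:
        get_prescription("SUBJ-B", "SUBJ-A", "RX-1")
    except AccessDenied as exc:
        print("denied:", exc)
```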



English Machine Translation of the Decision

The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.

                                      CONTEST DECISION
                        personal data protection case no. 2.1.-3/20/4479

 Decision-maker Maris Juha, Head of Supervision of the Data Protection Inspectorate

 Time and place of making the decision 17.12.2020 Tallinn

 Time of filing the challenge 07.12.2020

 Contested administrative act or action: Data Protection Inspectorate precept of 30.11.2020 in personal data protection case no. 2.1.-4/20/1662

 Challenge submitted by Mustamäe Apteek OÜ
                                 e-mail address: jyrgen.janese@apotheker.ee

Pursuant to clause 85 4) of the Administrative Procedure Act (HMS), I decide to dismiss the challenge.

The appellant may challenge this decision within 30 days by submitting
an appeal to an administrative court in accordance with the Code of Administrative Court Procedure.


3.1. At the end of November 2020, the Data Protection Inspectorate (AKI) discovered that in the Apotheka e-pharmacy (apotheka.ee) it was possible to view any other person's prescriptions on the basis of that person's personal identification code. To do this, you had to log in to the e-pharmacy with an ID card and enter the personal identification code of another person, after which all of the other person's unpurchased prescriptions were immediately displayed. The information displayed was: time of prescription, name of prescriber, prescription period, active substance(s) and a reference to the disease (or group of diseases) for which the medicine is used (e.g. anti-asthma medicines; anti-acne preparations; other medicines that affect the nervous system; cardiovascular system; urogenital system and sex hormones). The latter field is not in the prescription data set itself. In this process, no check was made as to whether the logged-in user has a legal basis (e.g. a legal or authorized right of representation) for being shown another person's data.

AKI then established that there are some other e-pharmacies in Estonia and checked the same fact in them as well. A similar process took place in the other two e-pharmacies.

3.2. The data displayed are obviously the data subject's health data, i.e. a special type of personal data, the processing of which is prohibited unless at least one of the bases listed in Article 9 of the General Data Protection Regulation (IKÜM) applies. As regards the unlawful processing of such data, the state obviously has a significantly higher obligation to protect persons. AKI assessed the risk to data subjects as very high, which is why it exceptionally used the right granted by § 40 (3) 1) of the Administrative Procedure Act (HMS) to issue an administrative act without hearing the objections of the participant in the proceeding. On 30 November 2020, AKI issued a precept to OÜ Mustamäe Apteek, Veerenni Apteek OÜ and OÜ PharmaMint requiring them to suspend the display, in e-pharmacies, of the list of prescriptions based on a personal identification code to other persons, in so far as there is no legal basis for such disclosure. The term for compliance with the precept was 01.12.2020.

1 The opponent refers to this as the ATC group name. § 4 of the Regulation of the Minister of Social Affairs "Conditions and Procedure for Prescribing Medicines and Dispensing from Pharmacies and Prescription Form" lists the prescription data fields. When checking from the patient portal, the digital prescription also does not have such a field.

Tatari tn 39/10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / Registry code 70004235

3.3. On 1 December 2020, Mustamäe Apteek OÜ announced compliance with the precept.

3.4. On 7 December 2020, Mustamäe Apteek OÜ filed a challenge against the precept. The challenger calls for the precept to be revoked.


4.1. Appellant: AKI violated the principle of definition when issuing the precept by ordering the display of prescriptions to be stopped without setting a stop time. According to the appellant, it was also not clear whether it had to stop selling medicines. According to the appellant, such a precept is not enforceable.

The appellant's claim that the precept was not enforceable is devoid of purpose, because on 1 December the appellant's representative sent AKI a confirmation: "The display by the pharmacist of the list of prescriptions valid for another person and the dispensing of these prescription drugs in the Apotheka e-pharmacy has been deactivated."

According to AKI, the resolution was short and clear: to suspend, in e-pharmacies, the display to other persons of the list of a person's valid prescriptions on the basis of a personal identification code. Neither the resolution nor the recitals of the precept mention a ban on the sale of medicinal products. AKI could not issue such a ban in any way either.

4.2. Appellant: AKI infringed procedural requirements by failing to hear it.

AKI also stated in the precept that it exercised the right granted by clause 40 (3) 1) of the HMS. The IKÜM contains a number of provisions requiring the processing of data to be suspended for the duration of a dispute. The right to issue an order to suspend data processing is set out separately in Article 58 (2) (f) of the IKÜM. According to AKI, in this case the risk to data subjects was so great that, as a primary measure, the disclosure of data in this way had to be suspended as a matter of urgency. Having become aware of such easy access to such sensitive data, AKI could in no way accept this situation continuing even during the proceedings. Moreover, the unlawful disclosure of a person's health data may have irreversible consequences for that person. What has been seen cannot be deleted or nullified from another person's head. The later possibility of receiving compensation for non-pecuniary damage of a few hundred euros through time-consuming court proceedings does not compensate for the damage done. In the proceedings of the Inspectorate there are constant complaints that acquaintances, relatives, ex-spouses, parties to court disputes, neighbors, employers, co-workers, etc. obtain and disseminate health information. Obtained health data is often used in labor disputes and custody of a child

No one would imagine a situation where, having logged in to an Internet bank, you could enter another person's personal identification number there and both view his bank statement and make some transfers. If such an activity were to take place, no one would be surprised if AKI stopped it from day one. At the same time, the bank account balance is not a special type of personal data, unlike prescription data.

4.3. Challenger: AKI has a misconception that entering a personal identification code would display prescription data automatically. According to the appellant, the data is displayed by the pharmacist, and the active substance is not always displayed, but sometimes only the ATC name.

The Inspectorate identified the following process in the Apotheka e-pharmacy:

- After logging in, the e-pharmacy chat window offered the options "View my prescriptions" and "View another person's prescriptions".
- Selecting "View another person's prescriptions" showed: "Automatic answer. Choose the person whose prescriptions you want to view. To see another person's prescriptions, type their personal identification code in the chat window."
- After entering the personal identification code, the following appeared: "Automatic answer. Do you want to view XXX XXX's prescriptions?"
- After selecting "Yes", the following appeared in the chat window: "Automatic answer: The pharmacist is currently busy. I will connect as soon as possible." "Pharmacist Jaanika Treimann. Hi, I am Jaanika Treimann. XXX XXX has the following digital prescriptions. Choose which prescription you want to continue with."
- Below this was a list of prescriptions. Each prescription had a "Select" button.

Exactly the same process (in exactly the same order, with the same wording) took place in a test performed on another person.

According to the Inspectorate, the above-described process is fully automated, i.e. it does not require human activity. Even if the challenger claims that manual operation by a pharmacist was needed to display the prescription information, this does not change the fact that the prescription information was displayed only on the basis of the personal identification code without any further checks.

4.4. Challenger: A similar process takes place in a regular pharmacy, with the difference that in a physical pharmacy the buyer can get a more detailed overview of his own and another person's prescriptions, because in a physical pharmacy the whole list of medicinal products is given to the purchaser on an active-substance or product-by-product basis.

The Inspectorate was not previously aware that it is possible for a third party to obtain printouts of prescription lists. If in a physical pharmacy it is really also possible to get a printout of a list of prescriptions just by saying another person's personal identification code, that is also an offense. One offense cannot be a justification for another.

It does not matter whether what is displayed is the active substance, the name of the medicinal product, the diagnosis or the ATC name. All refer to a state of health. From the examples of ATC names referred to above it is also evident that the data subject has a disease belonging to such a group of diseases. It is not at all important whether these data can be used to make an accurate diagnosis of a person. More general information or references to a person's state of health are also a special type of personal data (see also the definition of health data in IKÜM art. 4 p. 15).

4.5. Challenger: AKI's position that any person could get to know any person's prescription data in an e-pharmacy is incorrect, because to make an inquiry the person must first log in to the e-pharmacy (identify himself) and all activities are logged.

Article 9 of the IKÜM does not provide, as a basis for releasing a special type of personal data, that the requester identifies himself. Identification is indeed a prerequisite for talking further about access to another person's personal data. The data subject, too, must first be identified in order to be given data about himself.

As indicated in the precept, there must be a legal basis for issuing prescription data and, if it exists, the controller (i.e. the issuer of the data, which is the e-pharmacy) must be convinced of it before releasing the data. In other words, before displaying prescriptions to another person who has logged in to the e-pharmacy, the e-pharmacy must establish that that person represents the data subject or is entitled to receive the data on another basis arising from law. It is this check that did not take place in e-pharmacies. No one examined on what basis a third party requested the data subject's prescriptions and how he substantiated his claims.

2 The first name and surname of the person who was displayed but which has been omitted from the present appeal decision.

Logging is a measure so that the actions taken can be verified a posteriori.

4.6. Challenger: AKI did not take into account that making changes to e-channels requires information technology development, which is generally not possible within a 1-day period.

Precisely because the reorganization of the e-pharmacy system takes time, the Inspectorate required, as a first measure, simply the suspension of the data processing. Every processor must always be prepared for this. For example, in the event of an attack or security incident, the data processor must also be prepared to respond within hours. The Inspectorate assessed that the suspension of data processing required by the precept is possible within 24 hours, all the more so as this is a large and experienced corporation which also has the corresponding economic means to hire helpers. Similarly, the data controller must be prepared to suspend data processing at any time if the data subject so requests (see Article 17 (1), Article 21 (1)) or if a data protection breach occurs.

4.7. Challenger: AKI breached the requirements of discretion and should have taken into account in its deliberations the coronavirus pandemic situation and the restricted access of patients in isolation, as patients or their families are not allowed to go to the pharmacy.

It is true that the discovery of the disputed fact came at a bad time. However, the appellant proceeds here from the misconception that the Inspectorate had banned the sale of medicines. It continues to be the case that a) the data subject himself/herself can order medicines from the e-pharmacy (assistance can be provided to relatives if needed); b) the Inspectorate did not restrict in any way the sale of medicinal products by the e-pharmacy to third parties (provided that the pharmacy has checked the third party's right of representation); c) medicinal products can still be purchased from a physical pharmacy.

4.8. Challenger: With regard to prescription data, the pharmacy can rely, including under § 5 (6) of the Regulation, on the correctness of the consent requested from the patient by the doctor when prescribing, and the pharmacy does not have to make further efforts to re-verify the validity of the patient's consent. If the prescription is marked as "open" in the prescription center, i.e. the purchaser of the prescription is marked as "unspecified purchaser", the pharmacy is entitled to interpret such a note as consent given within the meaning of the data protection rules and to disclose the details of such a prescription to the person buying the medicines instead of the patient.

A system for determining the purchaser of a prescription was indeed created years ago, according to which, when writing a prescription for a patient, the physician determines the purchaser (the person himself, a designated third party, unspecified). A third party authorized by name to buy out a prescription can be designated only in the patient portal (persons authorized to buy out prescriptions and prescription medicines can be designated there). It is not possible to mark the persons authorized to purchase on the prescription itself. Unfortunately, this system has not materialized in practice. Doctors and patients are not aware that this is possible at all when prescribing. People are also unaware of the possibility of giving an authorization in the patient portal. Allegedly, the default prescription type specified in the prescription center settings is "unspecified person". Only a very small part of prescriptions are written differently.

3 See the following footnote
 Regulation of the Minister of Social Affairs "Conditions and Procedure for Prescribing Medicines and Dispensing from Pharmacies and prescription form" § 5 (6): In the case of an electronic prescription, the person to whom the prescription is issued shall determine written, the purchaser of the medicinal product as follows: 1) the person himself; 2) a named third party; 3) unspecified

Thus, the patient's actual will when the prescription is written is in no way realized: no one has found it out or recorded it. So there is no way to say that the patient has given his or her informed consent, in accordance with Article 9 (2) (a) and Article 7 of the IKÜM, to the disclosure of his or her special type of personal data to third parties.

The Inspectorate agrees that if the patient has designated, in the patient portal, an authorized person for a prescription issued with the option "named third party" or "unspecified", the (e-)pharmacy can rely on the authorizations displayed to the pharmacy from the patient portal via the prescription center and display/sell the medicine, if it has identified the authorized person. In this case, the person himself has really expressed his will.

For minors and persons with limited legal capacity, it would also be sufficient to check the legal right of representation (incl. in the case of children also the right of custody) (e.g. from the population register

If there is no authorized person in the patient portal, the purchaser should prove the right of representation in another way. The Inspectorate does not agree with the appellant that, by the choice of an unspecified purchaser on a prescription, the data subject has consented to the receipt of a special type of personal data by (or granted a right of representation to) unspecified persons. Even if the choice "Identifiable buyer" is made when writing the prescription, the data subject still decides for himself with which third party he agrees (usually orally) that the medicine will be bought out. The Inspectorate does not agree that in this case the (e-)pharmacy could trust anyone who claims to have the right of representation. I point out that in the e-pharmacy sales process described above, the person was never even asked whether he had a right of representation. In any case, a person's statement that he or she has a right of representation does not replace the Article 9 (2) (a) and (c) consent of the data subject in accordance with Article 7.

Article 7 (1) of the IKÜM provides that where processing is based on consent, the controller (i.e. the issuer of the data, the pharmacy) must be able to prove that the data subject has consented to the processing of personal data. So, before issuing personal data to a third party (displaying, printing out, reading aloud), the (e-)pharmacy should make sure that the third party has the consent, authorization or legal right of representation of the data subject.

The draft amendment to the law introducing distance selling also refers to the obligation to effectively ensure that the person is entitled to order the medicine from the e-pharmacy. With regard to paper prescriptions, reference is made to the problem that prescription data may fall into the hands of unauthorized persons and the prescription may be bought out by an unauthorized person.

Article 5 (1) (a) and (f) of the IKÜM require the processing of personal data to ensure that the processing (including disclosure) is lawful (i.e. there is a legal basis under Articles 6 and 9) and that personal data are protected against unauthorized or unlawful processing by appropriate technical or organizational measures (security of processing is further regulated by Article 32 of the IKÜM). Paragraph 2 states that the controller is responsible for compliance with these requirements and must be able to demonstrate it. § 33 (6) of the Medicinal Products Act prohibits pharmacies from disclosing information related to the prescribing of medicinal products, except in cases prescribed by law. So the (e-)pharmacy is fully responsible for issuing the personal data of the data subject (incl. special type of personal data) to a third party who did not have the consent or right of representation of the data subject.

5 Act on Amendments to the Medicinal Products Act and Related Acts 332 (13) of the RavS Act and supplementing § 31 with subsections 8-10

In other words, if in an e-pharmacy it has been possible to view the data of a third party on the basis of a personal identification code without the knowledge of the data subject, this is entirely the responsibility of the e-pharmacy operator.

However, it cannot be inferred from this that an (e-)pharmacy could, at its discretion, implement a system which obviously provides an opportunity for abuse. Under the IKÜM and the Personal Data Protection Act, the Data Protection Inspectorate has the competence to supervise data processors and to assess whether the measures they are implementing are adequate.

After inspecting the process of the Apotheka (and two other) e-pharmacies, the Inspectorate concluded that it does not protect data subjects from abuse.

True, the complainant proposed a change in the process: "the pharmacist first asks the buyer for the patient publication of prescriptions further over which prescription the purchaser wishes to sell and only then publishes unpurchased recipes to the purchaser."

I note, first of all, that it follows from the minimisation principle of Article 5 (1) (c) of the IKÜM that there is no need to display all unpurchased prescriptions. The buyer should first actually state which prescription he wishes to buy out. And even in this case it is questionable whether and which data should be displayed to the buyer at all. For example, if the data subject has authorized a neighbor to buy out from a pharmacy a prescription written for him today, the buyer should not be shown any ATC name at all, not to mention the diagnosis.

The mere fact that all unpurchased prescriptions were displayed in the e-pharmacy on the basis of a personal identification code was a violation of the minimisation requirement of Article 5 (1) of the IKÜM.

Secondly, we replied to the complainant that, in addition to the personal identification code, the obligation to enter a pharmacy would not reduce the risk of a person experimenting with common medicines, or with a previously known medicinal product, in order to find out whether the data subject continues to use it.

I explain that, in accordance with Article 35 of the IKÜM, the operator of both a physical pharmacy and an e-pharmacy is obliged to carry out an impact assessment and document it in writing. The pharmacy clearly processes different types of personal data of more than 5000 persons. The impact assessment must show the controller's (the Apotheka e-pharmacy operator's) analysis of the risks related to its activities and the measures to mitigate them. A process containing such sensitive data should be multi-layered, and pharmacists (if they process data on behalf of the controller) must have detailed instructions given by the pharmacist (controller). The latter is also required by Article 32 (4) of the IKÜM.

4.9. Finally, I shall also consider the appellant's allegations that the bases for processing personal data for the different types of pharmacy services are Article 9 (2) (i) and Article 9 (4) of the IKÜM and the processing of personal data for the performance of a mandate-type contract between the person purchasing the medicinal product and the patient.

A mandate-type contract concluded between the person purchasing the medicinal product and the patient does indeed, under Article 6 (1) (b) of the IKÜM, give the parties to the contract the right to process personal data (not a special type of personal data). It does not give the pharmacy or any other third party the right to process the data (disclosure, including display, is also processing).

In the case of Article 9 (2) (i) of the IKÜM, attention must be drawn to the reference contained therein: on the basis of the law of a Member State. This means that national law must provide for the specific processing. The pharmacy has not been granted an abstract right to process the data of all persons in the public interest.

6 Explanations on the mandatory nature of the impact assessment have been issued by the Inspectorate in chapter 5 of the General Instructions of the Personal Data Processor. https://www.aki.ee/sites/default/files/dokumendid/isikuandmete_tootleja_uldjuhend.pdf

The pharmacy acquires the right to process personal data at the moment when the person wishes to make a purchase (and not even then in the case of cash purchases of over-the-counter medicines). Article 9 (4) of the IKÜM is not an independent basis but gives Member States the possibility to impose additional conditions on the processing of health data.


On the basis of the above, I consider that the precept of the Inspectorate was lawful and justified and that there is no reason for its cancellation. I therefore dismiss the appeal.

If an (e-)pharmacy wishes to obtain approval from AKI for its further plans, it should submit a proper impact assessment under the IKÜM and a detailed description of the process, covering physical, information technology as well as organizational measures. However, I emphasize once again that so far AKI has only issued a precept to stop displaying to other persons, in the e-pharmacy, the list of prescriptions valid on the basis of the personal identification code. AKI has not prohibited other distance selling processes, or sales at all, by any administrative act. No one is prohibiting any e-pharmacy right now from developing additions to its system and putting them into service if they allow the requirements of the IKÜM to be met. The responsibility for compliance lies with the controller. However, the Inspectorate has the right to examine and evaluate the chosen solutions in the course of proceedings under the IKÜM.

However, I note that, looking at the misconceptions about data protection with which Mustamäe Apteek OÜ has filed its challenge, I am seriously concerned about all data processing under the Apotheka brand. I am surprised that a large group can operate in such a sensitive field without the relevant data protection expertise and knowledge. With that in mind, I definitely consider it necessary to check the data processing of pharmacies operating under the Apotheka brand more extensively.

with respect

/signed digitally/
Pille Lehis
Director - General
