AKI - 2.1.-3/20/4479
|AKI - 2.1.-3/20/4479|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 6 GDPR
|Parties:||Mustamäe Apteek OÜ|
|National Case Number/Name:||2.1.-3/20/4479|
|European Case Law Identifier:||n/a|
|Original Source:||AKI (in ET)|
The DPA dismissed the challenge against a precept requiring the e-pharmacy to implement a proper technical and organizational measures to ensure the security of the processing. The precept was issued after a discovery that a platform displayed other person's unpurchased prescriptions.
At the end of November 2020, the DPA discovered that after loging to Apotheka e-pharmacy(apotheka.ee) it is possible to get acquainted with the personal identification code of any other person by entering the code given on prescriptions. Additionally, all the other person's unpurchased prescriptions were immediately displayed. AKI assessed the risk to data subjects very high, which is why it exceptionally used § 40 (3) of the Administrative Procedure Act (HMS)1 that grants the right to issue an administrative act without hearing the objections of the participant in the proceeding.
According to the appellant, the DPA violated the principle of definition when issuing a precept without setting a clear deadline. Moreover, the DPA infringed procedural requirements by failing to hear the e-pharmacy. The appellant also believed the DPA had a misconception as to what would happen when entering a personal identification code.
Did the DPA violate procedural requirements when issuing the precept?
According to DPA, the resolution was short and clear: to suspend the processing of personal data in question by e-pharmacies. As the DPA argued, no one would imagine a situation where you could enter the Internet bank account with another person's personal identification number and both view his bank statement and make some transfers. If such an activity were to take place, no one would be surprised if the DPA stopped it from day one. At the same time, the bank account balance is not a special type of personal data, unlike prescription data.
According to the DPA, the above-described process is fully automated. Even if the appellant claims that a pharmacist was needed to manually display the prescription information, this does not change the fact that the prescription information was displayed only on the basis of the personal identification code without any further checks.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
CONTEST DECISION personal data protection case no. 2.1.-3/20/4479 Decision-maker Maris Juha, Head of Supervision of the Data Protection Inspectorate Time and place of making the decision 17.12.2020 Tallinn Time of filing the challenge 07.12.2020 The contested administrative act or the Data Protection Inspectorate 30.11.2020. a precept action in personal data protection case no. 2.1.-4/20/1662 Challenge submitted by MustamäeApteek OÜ e-mail address: email@example.com I RESOLUTION Pursuant to clause 85 4) of the Administrative Procedure Act (HMS), I decide to dismiss the challenge. REFERENCE REFERENCE The appellant may challenge this decision within 30 days by submitting an appeal to an administrative court in accordance with the Code of Administrative Court Procedure. FACTUAL CIRCUMSTANCES 3.1. At the end of November 2020, the Data Protection Inspectorate (AKI) discovered that Apotheka e-pharmacy (apotheka.ee) it is possible to get acquainted with any other person's personal code recipes. To do this, you had to log in with the e-pharmacy ID card and enter the personal identification code of another person, after which all the other person's unpurchased recipes were immediately displayed. The information displayed read: prescription time of prescription, name of prescriber, prescription period, active substance (s) and reference the disease (or group of diseases) in which the medicine is used (eg anti-asthma medicines; anti-acne preparations; other medicines that affect the nervous system; cardiovascular system; urogenital system and sex hormones). The latter field is not the recipe itself in the data set. In this process, no identification was made as to whether to display another person's data the logged-in user has a legal basis (eg legal or authorized right of representation). AKI then found that there are still some e-pharmacies in Estonia and inspected the same fact in them as well. A similar process took place in the other two e-pharmacies. 3.2. The data displayed are obviously of the health data type for the data subject personal data the processing of which is prohibited unless there is at least one protection of personal data the basis listed in Article 9 of the General Regulation (CCIP). As regards the unlawful processing of such data 1The opponent refers to this as the ATC group name. Regulation of the Minister of Social Affairs “Prescribing and conditions and procedure for dispensing from pharmacies and the form of the prescription ”§ 4 lists the prescription data fields. Ka when checking from the patient portal, the digital prescription does not have such a field. Tatari tn 39/10134 Tallinn / 627 4135 / firstname.lastname@example.org / www.aki.ee Registry code 70004235 The country obviously has a significantly higher obligation to protect persons. AKI assessed the risk to data subjects very high, which is why it exceptionally used § 40 (3) of the Administrative Procedure Act (HMS) 1 granted the right to issue an administrative act without hearing the objections of the participant in the proceeding. November 30 In 2020, AKI issued a precept to OÜ Mustamäe Apteek, Veerenni Apteek OÜ and OÜ PharmaMint prescribes the suspension of e-pharmacies based on personal identification prescriptions displaying the list to other persons, in so far as there is no legal basis for such publication. The term for compliance with the precept was 01.12.2020. 3.3. On 1 December 2020, MustamäeApteek OÜ announced compliance with the precept. 3.4. On December 7, 2020, Mustamäe Apteek OÜ filed a challenge against the precept. Challenger calls for the injunction to be revoked. REASONS FOR THE IV CHALLENGE AND ANSWERS BY AKI 4.1. Appellant: AKI violated the principle of definition when issuing a precept by ordering stopped displaying recipes without setting a stop time. According to the appellant, no he also understood whether he had to stop selling medicines. According to the appellant, this is not the case the precept is enforceable. The appellant's claim that the injunction was not enforceable is devoid of purpose because the appellant's representative sent December 1AKI-lease confirmation: "Appearance of the list of prescriptions valid for another person by the pharmacist and the dispensing of these prescription drugs in Apotheka e-pharmacy has been deactivated. " According to AKI, the resolution was short and clear: to suspend a person in e-pharmacies on the basis of personal identification code display a list of valid recipes to other people. No resolution or injunction the recitals never mention a ban on the sale of medicinal products. AKI would not receive such a ban either somehow give. 4.2. Appellant: AKI infringed procedural requirements by failing to hear. AKI also stated in the precept that it exercised the right granted by clause 40 (3) 1) of the HMS. IKÜMist considers a number of provisions requiring the processing of data to be suspended for the duration of the dispute. It is the right to issue an order to suspend data processing is set out separately in Article 58 (2) of the CCIP in point f. According to AKI, in this case the risk to data subjects was so great that the primary as a measure, the publication of data in this way had to be suspended as a matter of urgency. AKI, becoming aware from such easy access to such sensitive data, there is no way that this situation will continue accepted even during the proceedings. Also illegal disclosure of one person's health data may have irreversible consequences for humans. The sight cannot be removed from another person's head delete or nullify. Later possibility through court in time-consuming proceedings receiving compensation for non-pecuniary damage of a few hundred euros does not compensate for the damage done. In the proceedings of the Inspectorate there are constant complaints that acquaintances, relatives, ex-spouses, in court disputing parties, neighbors, employers and co-workers, etc. obtain and disseminate health information. Obtained health data is often used in labor disputes and custody of a child disputes. No one would imagine a situation where you could enter there by logging in to the Internet bank another person's personal identification number and view both his bank statement and make some transfers. If if such an activity were to take place, no one would be surprised if the AKI stopped it from day one. At the same time, the bank account balance is not a special type of personal data, unlike prescription data. 4.3. Challenger: AKI has a misconception as to what would happen when entering a personal identification code display recipe data automatically. According to the appellant, the data is displayed by the pharmacist 2 (7) and not always the active substance is displayed, but sometimes only the name of the ATC. The Inspectorate identified the following process in the Apotheka e-pharmacy: After logging in, the e-pharmacy communication window offered the options "View my recipes", "Look at another person's recipes." Selecting "View other person's recipes" showed: "Auto-reply. Choose a person whose recipes you want to watch. To see another person's recipes, type their person in the chat window personal identification code. " After entering the personal identification code, the following appeared: “Automatic answer. Do you want to view XXX XXX recipes? ” After selecting "Yes", the following appeared in the chat window: "Automatic answer: The pharmacist is currently busy. I will connect as soon as possible .. ”“ Pharmacist Jaanika Treimann. Hi, I am Jaanika Treimann. XXX XXX has the following digital recipes. Choose which you want to continue with the recipe. " Below this was a list of recipes. Each recipe had a "Select" button. Exactly the same process (in exactly the same order, with the same wording) took place in another in a test performed on a person. According to the Inspectorate, the above-described process is fully automated, ie not required human activities. Even if the challenger claims that a pharmacist was needed to display the prescription information manual operation, this does not change the fact that the prescription information was displayed only on the basis of the personal identification code without any further checks. 4.4. Challenger: A similar process takes place in a regular pharmacy, with the difference that in a physical pharmacy, the buyer can get a more detailed overview of his own and another person's prescriptions, because in a physical pharmacy the whole list of medicinal products is dispensed to the purchaser on the basis of the active substance, or on a product-by-product basis. The Inspectorate was not yet aware that it is possible for a third party to obtain printouts of recipe lists. If really a physical pharmacy is also possible to get only saying another person's personal code is a printout of a list of prescriptions, it is also an offense. One an offense cannot be a justification for another. It does not matter whether the active substance, the name of the medicinal product, the diagnosis v or ATC name. All refer to a state of health. Also examples of ATC names referred to above it is known that the data subject has a disease belonging to such a group of diseases. Pole it is not at all important whether these data can be used to make an accurate diagnosis of a person. Ka more general information or references to a person's state of health are a special type of personal data (see also IKÜM art. 4 p. 15 definition of health data). 4.5. Challenger: AKI's position, as if any person in an e-pharmacy could inherit any knowing a person's prescription data is incorrect, because the person needs to make an inquiry first log in to the e-pharmacy (identify yourself) and all activities are logged. Article 9 of the IIA does not provide a basis for the release of a specific type of personal data, as the requester identifies end. Identification is indeed a prerequisite for further talk of access personal data of another person. Also the data subject's person in order to give him or her about himself must first be identified. As indicated in the injunction, there must be a legal basis for issuing prescription data and 2 The first name and surname of the person who was displayed but which has been omitted from the present appeal decision. 3 (7) if it exists, the chief processor (ie the issuer of data, which is an e-pharmacy) must be convinced before releasing the data. In other words - another person who logged in to the e-pharmacy before When displaying prescriptions, the e-pharmacy must identify that person representing the data subject or is entitled to receive the data on another basis arising from law. It is this identification did not take place in e-pharmacies. No one researched on the basis of a third party data subject's prescriptions and how he substantiates his claims. Logging is a measure so that the actions taken can be verified a posteriori. 4.6. Challenger: AKI did not take into account that making changes to e-channels requires information technology development, which is generally not possible within a 1-day period. Just considering that the reorganization of the e-pharmacy system took time, the inspection took place first as a measure necessary to simply suspend data processing. To this end, each processor must always be prepared be. For example, in the event of an attack or security incident, the data processor must also be prepared respond with hours. The Inspectorate assessed that the suspension of data processing required by the precept is possible within 24 hours. All the more so as it is a large and experienced corporation with there are also corresponding economic opportunities to hire helpers. Similarly, the data controller must be prepared to suspend data processing at any time if the data subject so requests (see Art 17 (1), Article 21 (1)) or if a data protection breach occurs. 4.7. Challenger: AKI breached the requirements of discretion and should have been taken into account in the deliberations pandemic situation of the coronavirus and restricted access to patients in isolation patients or their families are not allowed to go to the pharmacy. It is true that the discovery of the disputed fact came at a bad time. However, the appellant proceeds here misconception that the Inspectorate had banned the sale of medicines. It continues to be a) the data subject himself / herself can order medicines from the e-pharmacy can provide assistance to relatives if needed); b) the inspection did not restrict in any way the e-pharmacy the sale of medicinal products to third parties (provided that the pharmacy has been inspected by a third party right of representation); (c) medicinal products can still be purchased from a physical pharmacy. 3 4.8. Challenger: The pharmacy can rely on prescription data, including § 5 (6) of the Regulation, from a patient the correctness of the consent requested by the doctor when prescribing and the Pharmacy does not have to further efforts to re-verify the validity of the patient's consent. If the recipe is marked as "open" in the prescription center, ie the prescription is marked as the buyer The "unspecified purchaser" is entitled to interpret such a note in the data protection rules consent given by the donor and publish the details of such prescription to the patient instead of the person buying the medicines. The system for buying a prescription for a person was really created years ago, according to which you should When prescribing a prescription to a patient, the physician will determine the purchaser (the person designated third party, unspecified). And you can buy a recipe by name authorized third party to designate only the patient portal (can prescribe prescriptions and persons authorized to purchase prescription medicines). It is not possible to mark a recipe on the recipe itself persons authorized to purchase. Unfortunately, this system has not materialized in practice. Doctors or patients are not aware that this is possible at all when prescribing. People don't be unaware of the possibility of authorizing a patient portal. Allegedly, the default is the prescription center 3See the following footnote 4 Regulation of the Minister of Social Affairs “Conditions and Procedure for Prescribing Medicines and Dispensing from Pharmacies and prescription form "§ 5 (6): In the case of an electronic prescription, the person to whom the prescription is issued shall determine written, the purchaser of the medicinal product as follows: 1) the person himself; 2) a named third party; 3) unspecified buyer. 4 (7) the prescription type specified in the settings as the “unspecified person”. Only a very small part prescriptions are written differently. Thus, the patient's actual will to prescribe the prescriber is in no way realized - no one has found out or fixed it. So there is no way to say that the patient has given his or her informed consent in accordance with Article 9 (2) (a) and Article 7 of the ICCPR to disclose your specific personal data to third parties. The Inspectorate agrees that if the patient has assigned an authorized prescription to the patient portal issued with the option "named third party" or "unspecified", can be (e-) pharmacy to rely on the credentials displayed to the pharmacy from the patient portal via the prescription center display / sell the medicine if it has identified an authorized person. In this case, the person is himself really expressed their will. It would also be sufficient for minors and persons with limited legal capacity to be realized control of the legal right of representation (incl. in the case of children also the right of custody) (eg from the population register inquiries). If there is no authorized person on the patient portal, the purchaser should prove otherwise right of representation. The Supervision Authority does not agree with the appellant that the choice of an unspecified buyer in the case of a prescription, the data subject has consented to the receipt of a specific type of personal data (or right of representation) to unspecified persons. Even if a choice is made when writing the recipe "Identifiable buyer", the (data-sharing) data subject still decides for himself who The data subject is (usually orally) a third party. agreed with the person to buy the medicine. The Inspectorate does not agree that in this case it could (e-) The pharmacy will entrust anyone who claims to have the right of representation. I point out that in the e-pharmacy sales process described above, the person was never even asked if the person had right of representation. However, a person 's statement that he or she has a right of representation does not replace Article 9 (2) (a) and (c) consent of the data subject in accordance with Article 7. Article 7 (1) of the ECHR provides that where processing is based on consent, the controller the issuer of the data, ie the pharmacy) must be able to prove that the data subject has processing of personal data. So, the (e-) pharmacy should pre-prescribe personal information issuing to a third party (displaying, printing out, reading aloud) to make sure that the third party has the consent, authorization or legal right of representation of the data subject. The draft amendment to the law introducing distance selling also refers to the obligation to effectively ensure that the person is entitled to order the medicine from the e-pharmacy. Reference is made to paper recipes the problem that prescription data may fall into the hands of unauthorized persons and the prescription may be purchased by an unauthorized person. Article 5 (1) (a) and (f) of the IIA require the processing of personal data to ensure that the processing of personal data the processing (including extradition) is lawful (i.e. there is a legal basis under Articles 6 and 9); and personal data shall be protected against unauthorized or unlawful processing by appropriate means technical or organizational measures (security of processing is further regulated by the ICRM art 32). Paragraph 2 states that it is responsible and able to comply with these requirements certified by the controller. § 33 (6) of the Medicinal Products Act prohibits pharmacies from publishing prescriptions information related to the prescribing of medicinal products, except in cases prescribed by law. So the (e-) pharmacy is fully responsible for issuing the personal data of the data subject (incl. special type personal data) to a third party who did not have the consent or right of representation of the data subject. 5 Act on Amendments to the Medicinal Products Act and Related Acts 332 (13) of the RavS Act and supplementing § 31 with subsections 8-10 5 (7) In other words - if an e-pharmacy has been able to view the data of a third party on the basis of a personal identification code without the knowledge of the data subject, this is entirely the responsibility of the e-pharmacy operator. However, it cannot be inferred from this that a (e-) pharmacy could, at its discretion, implement a system which obviously provides an opportunity for abuse. The Data Protection Inspectorate has IKÜM and the competence under the Personal Data Protection Act to supervise data processors; and assess whether the measures they are implementing are adequate. After inspecting the process of Apotheka (and two other) e-pharmacies, the Inspectorate concluded that it does not protect data subjects from abuse. True, the complainant proposed a change in the process: “the pharmacist first asks the buyer for the patient publication of prescriptions further over which prescription the purchaser wishes to sell and only then publishes unpurchased recipes to the purchaser. " I note, first of all, that Article 5 (1) (c) of the IGC follows from the principle of minimum there is no need to display all unpurchased recipes. The buyer should first really state which recipe he wishes to implement. And even in this case it is questionable whether and which ones data should be displayed to the buyer at all. For example, if the data subject has authorized a neighbor from a pharmacy buy out a prescription written for him today, the buyer should not be shown any ATC at all name, not to mention the diagnosis. The mere fact that all unpurchased prescriptions were displayed in the e-pharmacy on the basis of personal identification code was IKÜM violation of the minimum requirement of Article 5 (1). Secondly, we replied to the complainant that, in addition to the personal identification code, the the obligation to enter a pharmacy would not reduce the risk of a person experimenting with common medicines; or with a previously known medicinal product in order to know whether the data subject continues to use it. I explain that the operator of both a physical pharmacy and an e-pharmacy is obliged to review in accordance with Article 35 of the IKÜM carry out and document the impact assessment in writing. The pharmacy clearly processes different types 6 personal data of more than 5000 persons. The impact assessment must show the data controller (Apotheka e-pharmacy operator) analysis of the risks related to their activities and their mitigation measures. The process containing such sensitive data should be multi-layered intended for pharmacists (if they process data on behalf of the controller) have detailed instructions given by the pharmacist (controller). The latter also requires Article 32 (4) of the ICCPR. 4.9. Finally, I shall also consider the appellant's allegations that there are different types of pharmacy services bases for processing personal data Article 9 (2) (i), Article 9 (4) and processing of personal data by the for the performance of a mandate-type contract between a person and a patient. An order type agreement concluded between the person purchasing the medicinal product and the patient provides Article 6 (1) of the IKÜM 1 (b) does indeed give the parties to the contract the right to process personal data (not a specific type of data) personal data). It does not give the pharmacy or any other third party the right to the data processing (output, including display, is also processing). In the case of Article 9 (2) (i) of the ICCPR, attention must be drawn to the reference contained therein - on the basis of the law of a Member State. This means that national law must provide for specific processing. The pharmacy has not been granted an abstract right to process the data of all persons in the public interest. 6Explanations on the mandatory nature of the impact assessment have been issued by the Inspectorate in the General Instructions of the Personal Data Processor 5. chapter. https://www.aki.ee/sites/default/files/dokumendid/isikuandmete_tootleja_uldjuhend.pdf The pharmacy acquires the right to process personal data at the moment when the person wishes to make a purchase (and not even in the case of cash purchases of over-the-counter medicines). Article 9 (4) of the ICCPR is not an independent basis but gives Member States the possibility to impose additional conditions processing of health data. V. CONCLUSION On the basis of the above, I consider that the precept of the Inspectorate was lawful and justified and not reason for its cancellation. I therefore dismiss the appeal. If a (e-) pharmacy wishes to obtain approval from AKI for further plans, it should submit an IKÜM a proper impact assessment and a detailed description of the process, covering both physical, information technology as well as organizational measures. However, I emphasize once again that AKI is still there made only a precept to display the list of prescriptions valid on the basis of the personal identification code in the e-pharmacy to other persons. AKI has not prohibited other distance selling processes by any administrative act or no sales at all. No one is banning any e-pharmacy right now from developing their own system additions and put it into service if it allows the requirements of the ICC to be met. The responsibility for compliance lies with the controller. However, the Inspectorate is right examine and evaluate the solutions chosen in the course of the procedures under the IIA. However, I note that looking at what misconceptions about data protection Mustamäe Apteek OÜ I have challenged, I am seriously concerned about all data processing under the Apotheka brand after. I am surprised that a large group can operate without such a sensitive profession relevant data protection expertise and knowledge. With that in mind, I definitely consider it necessary to control the data processing of pharmacies operating under the Apotheka brand more extensively. with respect /signed digitally/ Pille Lehis Director - General 7 (7)