ANSPDCP (Romania) - Fine to a physician for recording a patient on his personal telephone: Difference between revisions

Revision as of 13:50, 12 September 2023

ANSPDCP - N/A

Authority:	ANSPDCP (Romania)
Jurisdiction:	Romania
Relevant Law:	Article 5 GDPR Article 6(1) GDPR Article 9(2) GDPR Law 46/2023 regarding patients' law
Type:	Investigation
Outcome:	Violation Found
Started:
Decided:
Published:
Fine:	2000 EUR
Parties:	n/a
National Case Number/Name:	N/A
European Case Law Identifier:	N/A
Appeal:	n/a
Original Language(s):	Romanian
Original Source:	Romanian DPA (in RO)
Initial Contributor:	Silvia Axinescu

A physician was fined 9919.2 RON (equivalent to €2000) for recording a patient on his personal telephone, without her consent, and posting the video on his Facebook page. The Romanian DPA found a violation of Article 5 GDPR, Article 6(1) GDPR and Article 9(2)(a) GDPR.

English Summary

Facts

A physician recorded a patient from the hospital he worked at with his personal telephone and posted the video on his Facebook page. The recording took place without the patient’s consent.

The physician deleted the video from his Facebook page on the same day as the one he uploaded it. Nonetheless, the post was seen by a large number of people and was also further disclosed on various websites and media channels.

Following the submission of a complaint with the DPA, an investigation was initiated.

Holding

During its investigation, the DPA assessed that the physician’s recording and its post on his Facebook account revealed patient’s personal data including image, voice, name, surname and health status. These data were disclosed in both the physician’s Facebook page, but also with other websites and channels.

The DPA also assessed the patient rights legal framework in this case. Specifically, it took into consideration Article 20 Law 46/2023 mentioning that the patient may not be photographed or filmed in a medical unit without his consent, except for the cases where images are necessary for diagnosis of treatment and to avoid suspicion of medical fault. The DPA found a violation of Article 5, Article 6 (para 1) and Article 9 (para 2) (a) GDPR and imposed a fine of 9919.2 lei (equivalent to EUR 2000). The DPA also imposed a corrective measure by ordering the physician to ensure compliance with GDPR of his personal data processing operations, so that the patients’ personal data are processed with the observance of specific framework governing medical services and protection of patients’ personal data and to avoid illegal/excessive/unauthorized collection and/or disclosure of patients’ personal data.

Comment

Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Interestingly, this is another recent case from the Romanian DPA when an individual (i.e. the physician) is qualified as controller in relation to processing activities regarding disclosure of data on the Internet, having thus all correspondent obligations under the GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

31.08.2023

A new fine - natural person operator

The National Supervisory Authority for the Processing of Personal Data completed in June 2023 an investigation at a natural person operator and found a violation of the provisions of art. 5, art. 6 para. (1) lit. a) and art. 9 para. (2) lit. a) from Regulation (EU) 2016/679.

The operator was fined in the amount of 9919.2 lei, the equivalent of 2000 euros.

During the investigation carried out following a complaint, it was found that the sanctioned operator (doctor) filmed, with his personal phone, a patient of the hospital where he works, without her consent and later posted the footage on his Facebook page. The audio-video recording led to the disclosure of the patient's personal data, such as image, voice, name, surname and state of health.

The operator deleted the recording from its Facebook page later that day, but not before it was viewed by a large number of people and picked up and disseminated on various websites and media channels.

We emphasize that art. 20 of Law no. 46/2003 regarding the patient's rights, with subsequent amendments and additions, states that: "The patient cannot be photographed or filmed in a medical facility without his consent, except in cases where the images are necessary for diagnosis or treatment and to avoid suspicion of medical malpractice .”

In addition to the fine, the National Supervisory Authority for the Processing of Personal Data also applied a corrective measure, ordering the operator to ensure compliance with the GDPR of personal data processing operations, so that patients' personal data are processed in strict compliance of the legal provisions regarding the provision of medical services and the protection of personal data, by avoiding the illegal/excessive/unauthorized collection and/or disclosure of their personal data."

Legal and Communication Department

A.N.S.P.D.C.P.

@@ Line 65: / Line 65: @@
 }}
-A physician was sanctioned with a fine of 9919.2 lei (equivalent to EUR 2000) following the recording, with his personal phone, of a patient, without her consent, and posting the video on his Facebook page. The Romanian DPA found a violation of Article 5, Article 6 (1) and Article 9 (para 2) (a) GDPR.
+A physician was fined 9919.2 RON (equivalent to €2000) for recording a patient on his personal telephone, without her consent, and posting the video on his Facebook page. The Romanian DPA found a violation of [[Article 5 GDPR]], [[Article 6 GDPR|Article 6(1) GDPR]] and [[Article 9 GDPR|Article 9(2)(a) GDPR]].
 == English Summary ==
 === Facts ===
-A physician recorded, with his personal phone, a patient of the hospital where he works and posted the video on his Facebook page. The recording was performed without the patient’s consent.
+A physician recorded a patient from the hospital he worked at with his personal telephone and posted the video on his Facebook page. The recording took place without the patient’s consent.
-Although the physician deleted the video from his Facebook page in the same day he uploaded it, the post was still seen by a large number of people and was also further disclosed on various websites and media channels.
-The investigation was initiated following the submission of a complaint with the DPA.
+The physician deleted the video from his Facebook page on the same day as the one he uploaded it. Nonetheless, the post was seen by a large number of people and was also further disclosed on various websites and media channels.
+Following the submission of a complaint with the DPA, an investigation was initiated.
 === Holding ===
 During its investigation, the DPA assessed that the physician’s recording and its post on his Facebook account revealed patient’s personal data including image, voice, name, surname and health status. These data were disclosed in both the physician’s Facebook page, but also with other websites and channels.
 The DPA also assessed the patient rights legal framework in this case. Specifically, it took into consideration Article 20 Law 46/2023 mentioning that the patient may not be photographed or filmed in a medical unit without his consent, except for the cases where images are necessary for diagnosis of treatment and to avoid suspicion of medical fault.
 The DPA found a violation of Article 5, Article 6 (para 1) and Article 9 (para 2) (a) GDPR and imposed a fine of 9919.2 lei (equivalent to EUR 2000). The DPA also imposed a corrective measure by ordering the physician to ensure compliance with GDPR of his personal data processing operations, so that the patients’ personal data are processed with the observance of specific framework governing medical services and protection of patients’ personal data and to avoid illegal/excessive/unauthorized collection and/or disclosure of patients’ personal data.