ANSPDCP (Romania) - Fine to a physician for recording a patient on his personal telephone
| ANSPDCP - N/A | |
|---|---|
 | |
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 5 GDPR Article 6(1) GDPR Article 9(2) GDPR Law 46/2023 regarding patients' law |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 31.08.23 |
| Fine: | 2000 EUR |
| Parties: | n/a |
| National Case Number/Name: | N/A |
| European Case Law Identifier: | N/A |
| Appeal: | n/a |
| Original Language(s): | Romanian |
| Original Source: | Romanian DPA (in RO) |
| Initial Contributor: | Silvia Axinescu |
The Romanian DPA found a physician to have breached Article 5 GDPR, Article 6(1) GDPR and Article 9 GDPR for recording a patient on his personal telephone, without her consent, and posting the video on his Facebook page. The DPA issued a fine of 9919.2 RON (equivalent to €2000).
English Summary
Facts
A physician recorded a patient from the hospital he worked at, on his personal telephone, and subsequently posted the video on his Facebook page. The recording took place without the patient’s consent. The physician deleted the video from his Facebook page on the same day as the one he uploaded it.
Following the submission of a complaint to the DPA, an investigation was initiated.
During its investigation, the DPA found that the physician’s recording and subsequent post on his Facebook account revealed the patient’s personal data, including their physical image, voice, name, surname and health status. The post and this information was seen by a large number of people and was also further disclosed on various websites and media channels.
Holding
The DPA assessed the GDPR infringements alongside domestic legislation on patient rights. Specifically, it took into consideration Article 20 of Law 46/2023, which establishes that a patient may not be photographed or filmed in a medical unit without his or her consent, except in cases where the images are necessary for the diagnosis of treatment and to avoid suspicion of medical fault.
The DPA found a violation of Article 5 GDPR, Article 6(1) GDPR and Article 9 GDPR. Article 5 GDPR establishes the principles of data processing.
Firstly, Article 5(1)(a) GDPR notes that personal data must be processed "lawfully, fairly and in a transparent manner." Article 5 GDPR read in line with Article 6 GDPR, establishes that processing may only be lawful if it is conducted on one of the legal bases outlined in Article 6(1) GDPR. Given that the data processing (the filming and posting) had no legal basis under Article 6 GDPR and was also illegal under domestic law, the Romanian DPA found a violation of Article 5 GDPR and Article 6(1) GDPR.
Secondly, Article 9(2)(a) GDPR establishes that the prohibition against processing sensitive data as outlined in Article 9(1) GDRP is lifted, if the data subject explicitly consents to the processing. Health data is sensitive data under Article 9 GDPR. The physician’s recording revealed the patient’s health status and was filmed without their explicit consent. This amounted to violation of Article 9 GDPR.
As a result of the violations, the physician was fined 9919.2 RON (equivalent to €2000).
The DPA also imposed corrective measures by ordering the physician to ensure compliance with GDPR of his processing operations to ensure that the patients’ personal data was processed with the observance of the GDPR and domestic law governing the processing of patient data in a medical context.
Comment
Unfortunately, the Romanian DPA does not publish its full decisions. This summary is based on a press release. Interestingly, this is another recent case from the Romanian DPA when an individual (i.e. the physician) is qualified as controller in relation to processing activities regarding disclosure of data on the Internet, having thus all correspondent obligations under the GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
31.08.2023 A new fine - natural person operator The National Supervisory Authority for the Processing of Personal Data completed in June 2023 an investigation at a natural person operator and found a violation of the provisions of art. 5, art. 6 para. (1) lit. a) and art. 9 para. (2) lit. a) from Regulation (EU) 2016/679. The operator was fined in the amount of 9919.2 lei, the equivalent of 2000 euros. During the investigation carried out following a complaint, it was found that the sanctioned operator (doctor) filmed, with his personal phone, a patient of the hospital where he works, without her consent and later posted the footage on his Facebook page. The audio-video recording led to the disclosure of the patient's personal data, such as image, voice, name, surname and state of health. The operator deleted the recording from its Facebook page later that day, but not before it was viewed by a large number of people and picked up and disseminated on various websites and media channels. We emphasize that art. 20 of Law no. 46/2003 regarding the patient's rights, with subsequent amendments and additions, states that: "The patient cannot be photographed or filmed in a medical facility without his consent, except in cases where the images are necessary for diagnosis or treatment and to avoid suspicion of medical malpractice .” In addition to the fine, the National Supervisory Authority for the Processing of Personal Data also applied a corrective measure, ordering the operator to ensure compliance with the GDPR of personal data processing operations, so that patients' personal data are processed in strict compliance of the legal provisions regarding the provision of medical services and the protection of personal data, by avoiding the illegal/excessive/unauthorized collection and/or disclosure of their personal data." Legal and Communication Department A.N.S.P.D.C.P.
