ANSPDCP (Romania) - 31.01.2023

From GDPRhub
ANSPDCP - Press Release 31/01/2023
LogoRO.jpg
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 6(1)(a) GDPR
Article 9(2)(a) GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 31.01.2023
Fine: 1,000 RON
Parties: n/a
National Case Number/Name: Press Release 31/01/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: Romanian DPA (in RO)
Initial Contributor: n/a

The Romanian DPA fined a dental practice and a dentist 4,919 lei (approx. €1000) each. The dentist had published a patient's personal data in a medical blog without explicit consent. The dental practice had failed to inform the DPA within 72 hours of being informed of the data breach contrary to the requirements of Article 33 GDPR.

English Summary

Facts

Based on a data subject's complaint, the Romanian DPA started investigations into a dental practice and a collaborating dentist (the controllers). The data subject had alleged that they had disclosed his health data online without his consent.

During the investigations the DPA was able to confirm the data subject's allegations. It found that the controllers disclosed medical information concerning the data subject's orthodontic treatment, consisting of a set of photographs and radiographs that could be correlated with the person's name, by in a published article on a specialized blog. The personal data had been published for scientific and commercial purposes.

In contradiction to Article 33 GDPR, despite the fact that the dental practice was informed by the data subject about the unauthorized disclosure of his personal health data, the controller did not notify DPA within 72 hours of the security breach.

At the same time, the DPA found that the collaborating dentist published personal data regarding the state of health of the data subject in an article posted in a personal blog, without obtaining the express consent of to the data subject and without informing the data subject.

Holding

The DPA held that both controller's violated the GDPR.

The dental practise violated the GDPR by not informing the DPA of the data breach within 72 hours and, thereby, violated Article 33 GDPR.

The dentist who was collaborating with the dental practise, violated Articles 6(1), and 9(2)(a) GDPR by publishing the data subject's health data without consent. Moreover, by failing to inform the data subject about the publication the dentist also violated Articles 12, 13, and 14 GDPR.

The DPA fined each of them respectively 4,919 lei (approx. €1000). Additionally, both controllers were ordered to implement corrective measures to come into compliance with the GDPR.

The dental practice applied the corrective measure by implementing technical and organizational security measures appropriate to the specifics of the processing and identified risks and training authorized persons and other persons who process data under its authority.

The dentist implemented corrective measures by ensuring that the processing of patients' personal data is conducted in strict compliance with the legal provisions regarding the laws on medical services and data protection. Additionally, in the case of the use of patient's personal data for other purposes, the dentist would comply with all the legal conditions on processing personal data. Depending on the purposes of the processing and the categories of hte processed personal data, the dentist was ordered to apply the necessary measures and anonymization or pseudonymization data, where appropriate.

Comment

Unfortunately, the Romanian DPA does not publish full decisions. The summary had to be based on a press release.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

31.01.2023

Penalty for GDPR violation



The National Supervisory Authority completed in December 2022 two investigations at a dental practice and at a dentist, collaborator of the dental practice, both operators of personal data.

Thus, it was found that:

the operator Dent Estet Clinic SA violated the provisions of art. 33 of Regulation (EU) 2016/679 and the contravention sanction of a fine of 4,919.2 lei (the equivalent of 1000 EURO) and a corrective measure was applied to him; the dentist operator, collaborator of Dent Estet Clinic SA, violated the provisions of art. 6 para. (1) lit. a) and of art. 9 para. (2) lit. a) from Regulation (EU) 2016/679 in conjunction with art. 12-14 of the same normative act and the contraventional sanction of a fine of 4,919.2 lei (the equivalent of 1000 EURO) and a corrective measure was applied to him.

The investigations were started as a result of a complaint sent by a targeted person who complained that the operators of Dent Estet Clinic SA and the collaborating doctor disclosed his health data online.

During the investigations carried out, it was found that the operators disclosed medical information regarding the petitioner's orthodontic treatment to the Authority, consisting of a set of photographs and radiographs that could be correlated with the person's name, by publishing an article on a specialized blog. This information has been published for both scientific and commercial purposes.

It was found that the operator Dent Estet Clinic SA, although he was informed by the petitioner himself about the unauthorized disclosure of his personal data regarding his state of health, did not notify the National Supervisory Authority, within no more than 72 hours from the date on which he aware of the security breach, thus violating art. 33 of Regulation (EU) 2016/679.

The operator Dent Estet Clinic SA was also applied the corrective measure to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, by implementing technical and organizational security measures appropriate to the specifics of the processing and identified risks, throughout the data processing cycle, in terms of the appropriate training of authorized persons and other persons who process data under its authority and compliance with the conditions of legality of the processing and full information of the persons concerned.

At the same time, the National Supervisory Authority found that the collaborating dentist operator processed, including through use and disclosure, the personal data regarding the state of health of the person concerned, in an article posted on the personal blog, without presenting evidence of obtaining the express consent of to the person involved and without his prior information, thus violating the provisions of art. 6 para. (1) lit. a) and art. 9 para. (2) lit. a) from Regulation (EU) 2016/679, combined with the provisions of art. 12-14 of the same normative act.

The dental operator was also given the corrective measure to ensure compliance with Regulation (EU) 2016/679 of personal data processing operations, so that the processing of patients' personal data is processed in strict compliance with the legal provisions regarding the provision of medical services and personal data protection. Also, in the case of the use of their personal data for other purposes, it was decided to comply with all the conditions of legality of the processing and information of the persons concerned, depending on the purposes of the processing and the categories of processed data, taking the necessary measures to anonymization or pseudonymization of data, where appropriate.



Legal and Communication Department

A.N.S.P.D.C.P.