APD/GBA (Belgium) - 103/2023

From GDPRhub
APD/GBA - 103/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR
Article 9(1) GDPR
Article 24 GDPR
Article 32 GDPR
Article 458 Code Penal
Type: Complaint
Outcome: Upheld
Started: 03.09.2022
Decided: 26.07.2023
Published: 03.08.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 103/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Autoritée de protection des données (in FR)
Initial Contributor: Enzo Marquet

The Belgian DPA issued a warning to a hospital group for non-compliance of Article 32 GDPR and Article 24 GDPR, as the hospital group had failed to implement the appropriate internal data security measures.

English Summary[edit | edit source]

Facts[edit | edit source]

Following a sexual assualt, the data subject visited and was treated by Centre 'Z'. Centre 'Z' is a part of the hospital group against which the complaint was filed. Several months later, the data subject visited a psychologist employed by the hospital group who manages Centre 'Z'. However, the psychologist did not work at Centre 'Z' and the visit was unrelated to the data subject's sexual assault. During the psychological consultation, the data subject was asked questions relating to her sexual assault, this indicated to her that the psychologist had access to her medical data held by Centre 'Z', despite not working at Centre 'Z'.

The data subject contacted Centre 'Z' regarding their internal data access policy. She was informed that all of the hospital group's employees could access her records, regardless of whether they worked at Centre 'Z' or not. She requested that the Centre restrict access to her data to only staff working at Centre 'Z'. The Centre responded that this was not possible, but did note that the hospital group was in the process of updating its policy on this matter.

Holding[edit | edit source]

The Belgian DPA found that the hospital group's internal data security measures were in violation of Article 32 GDPR and Article 24 GDPR.

These Articles impose a duty upon controllers and processors to implement the "appropriate technical and organisational measures" to ensure compliance with the GDPR, and to ensure a level of security appropriate to the risk of processing. The Belgian DPA interpretted the meaning of "appropriate technical and organisational measures" in a healthcare context to mean that measures should be implemented to "ensure that healthcare providers and other professionals who use [an] information exchange system only have access to data from a patient file which is necessary for their respective services." In reaching this conclusion, the Belgian DPA explicitly affirmed the position taken by the Committee of Ministers of the Council of Europe in Recommendation CM/ Rec (2019) 2 on the protection of health-related data.

As the hospital group allowed all of its employees to access patient data, and not simply those who were treating a particular patient, the DPA found that the hospital group had not implemented the "appropriate technical and organisational measures" for the purposes of Article 32 GDPR and Article 24 GDPR. Given that the hospitasl group was in the process of updating its policies and practices, the Belgian DPA issued a warning.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/9





                                                                         Litigation Chamber


                                                        Decision 103/2023 of July 26, 2023





File number: DOS-2022-03592


Subject: Complaint relating to the accessibility of data concerning the health of a patient at

all hospital staff




The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and

to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter

“ACL”;

Having regard to the internal regulations as approved by the House of Representatives on 20

December 2018 and published in the Belgian Official Gazette on January 15, 2019;


Considering the documents in the file;


Made the following decision regarding:



The complainant: Mrs. X, hereinafter “the complainant”; .

                                                                                                         .
                                                                                                         .
The defendant: Center Hospitalier Y, hereinafter: “the defendant”. Decision 103/2023 – 2/9



I. Facts and procedure


 1. The subject of the complaint concerns access to the complainant's data by members of the

       defendant's staff other than those who took care of the complainant

       during his initial visit to a specialized center of the defendant.


 2. On September 3, 2022 the complainant lodged a complaint with the Protection Authority

       data (APD) against the defendant.

 3. On September 5, 2022, the complaint was declared admissible by the Front Line Service

       (SPL) of the DPA on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the

       Litigation Division pursuant to Article 62, § 1 of the LCA. 2


 4. The complainant stated that following a sexual assault, she was in September/October
                                                                            3
       2021 returned to Center Z, a specialized center of the defendant.

 5. The Complainant also specifies that approximately 8 months later, on April 19, 2022, she

       went to a psychological consultation with the defendant. This consultation has

       took place in the context of her pregnancy and preparation for the upcoming delivery, without

       link she exhibits with the sexual violence experienced. The complainant indicates that during this

       consultation, the psychologist asked him a number of questions about the assault

       sexual activity of which she had been the victim. The complainant indicates that she deduced from this that,

       Obviously, the psychologist had had access to the information held by the center Z to

       following its passage in September/October 2021 (point 4). The complainant reports having

       concerned about this situation and the fact that a large number of people (members of the

       defendant’s staff, doctors, etc. thus seemed to be able to access data

       very delicate and sensitive about her.


 6. The complainant further states that the same day, she orally contacted center Z which

       indicated that all of the defendant's medical personnel could access the

       summary of her consultation at center Z (hereafter understood according to the complainant in detail

       of the sexual assault of which she had been the victim). The complainant says that she requested that only

       the center has access to said information. She reports that she was told that it was

       then not possible but that a procedure was in progress to make this type of data

       less accessible and that in the long term, only the data relating to the exemption from one or the other

       medicine, for example, would be accessible and no longer the entire file. There







1Under article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been
declared admissible.
2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following

this complaint, the file was forwarded to him.
3[……]: reference to the website of the defendant's specialized center Z. Decision 103/2023 – 3/9


       complainant adds that she was not told whether this new regime would apply to

       folders already open (such as his) or not.


 7. The complainant produced in support of her complaint the email which she then received, two months later,

       either June 20, 2022, written to the Data Protection Officer (DPO) of the defendant
       under which it relates the foregoing (points 5 and 6) and raises the question of the time limit in

       which the new regime will apply and whether it will cover cases such as his. Of

       Generally speaking, the complainant expresses that she feels that this broad accessibility

       “(…) goes against my rights to privacy, precisely when it affects matters

       sensitive data such as the description of a sexual assault”.

 8. By way of correction, the complainant on the same day (June 20, 2022) informed center Z of the

       approach she had made to the DPO of the defendant, sending him a copy of the

       email sent. She also checked with the Z center that the comments she made

       told the DPO following the conversation she had had with the center reflected the

       reality. This e-mail is also produced in the file.

 9. On June 21, 2022, a member of the Z center confirmed to the complainant that the report of

       the situation she had exposed was indeed faithful to reality. It has moreover been

       clarified to the complainant on the one hand that the modification of the Center Z files should be

       carried out in the course of 2022 at the latest within 6 months, the process

       requiring time and investment and on the other hand that it would be, if necessary

       informed of new useful information concerning it. This email is on file.

 10. On the other hand, the DPO of the defendant indicated by return email of June 20 to the complainant

       that a meeting was scheduled in the coming weeks with Center Z to analyze its

       situation and that following this meeting, a letter would be sent to him concerning access to

       her data related to the sexual assault of which she was the victim. Specifically, the DPO

       writes the following to the complainant: “A meeting is scheduled for this … with … [centre Z] in order to

       to analyze your situation. Following this meeting, a letter will be sent to you concerning
                                                                                             4
       access to your data related to the assault (blocking access to the details of the facts)”.

 11. When filing a complaint with the DPA on September 3, 2022, the complainant indicated that she did not

       to have received follow-up from (the DPO) of the defendant.



II. Motivation


 12. The Litigation Chamber concludes that the data relating to the sexual assault whose

       complainantreports having been victimshave personal data concerning him

       within the meaning of Article 4.1. of the GDPR. Some of them are, in all likelihood,



4It is the Litigation Chamber which underlines. Decision 103/2023 – 4/9



       relating to his health within the meaning of Article 9.1. of the GDPR and recital 43 thereof.

       more factual data, linked to the description of the acts of aggression for example, are not

       potentially not sensitive within the meaning of Article 9.1. of the GDPR. The Litigation Chamber

       is nonetheless of the opinion that these data are, in the context of sexual violence of which

       the complainant was the victim of "highly personal data" in the sense that
                                                                                              5
       gives the European Data Protection Board (EDPB) to this notion. Most
       Great vigilance regarding compliance with the GDPR must be required in their regard.


 13. The Litigation Chamber notes that it also appears from the complaint and the exhibits

       produced by the complainant that there is indeed "processing" of data within the meaning of Article 4.2. of

       GDPR, the complainant's personal data being retained and accessible

       electronically.

                                                                           6
 14. On the basis of the confidentiality policy of the defendant, the Litigation Chamber

       considers, prima facie, that the defendant is the presumed controller of the

       processing of the complainant's data, including those carried out by Center Z .

 15. Any data controller is required to comply with Article 24 of the GDPR which implies that

       taking into account the nature, scope, context and purposes of the processing as well as

       risks, of varying likelihood and severity, to the rights and freedoms of

       natural persons, the data controller implements measures

       appropriate technical and organizational measures to ensure and be able to

       demonstrate that the processing is carried out in accordance with the GDPR. All responsible for

       processing must also be able to demonstrate this (article 5.2. of the GDPR).


 16. The data controller is also subject to the security obligation provided for in

       GDPR Article 32.

 17. Article 32 of the GDPR specifies the following: “1. Taking into account the state of the

       knowledge, the costs of implementation and the nature of the scope, context and

       purposes of the processing as well as the risks, the degree of probability and severity of which varies,

       for the rights and freedoms of natural persons, the controller and the data processor

       contractor shall implement the appropriate technical and organizational measures in order to

       guaranteeahighlevelofsecurityappropriatetotherisk,includingamongother thingsasrequired

       : (...) b) the means to guarantee the confidentiality, integrity, availability and

       ongoing resilience of processing systems and services. (…)”. 7





5 Article 29 Group, Guidelines on Data Protection Impact Assessment (DPIA) and Data Protection
how to determine whether the processing is “likely to create a high risk” for the purposes of Regulation (EU) 2016/679,
WP 248. At its inaugural meeting the European Data Protection Board endorsed these guidelines:
https://ec.europa.eu/newsroom/article29/items/611236
6
 [ …………………….. ]: reference to the defendant's privacy policy available on its website.
7Emphasis added by the Litigation Chamber. Decision 103/2023 – 5/9


 18. Confidentiality is the property of information that can only be accessed by

       authorized persons, entities or processes and may only be disclosed to

       persons,entitiesorauthorizedprocesses.Thisabilitytograntselectiveaccess

       information must be ensured throughout the life of this information, in particular

       during their collection, storage, processing and


       communications. In practice, the only persons authorized to access the data to be

       personal character are persons whose function or professional activities
                             8
       justify this access.

 19. It therefore follows from Article 32 of the GDPR read in conjunction with Article 24 of the GDPR that the


       defendant was and remains required to implement all technical measures

       and organizational measures to ensure that healthcare providers and other

       professionals who use its information exchange system only have access to the

       only data from the patient file necessary for their respective services and this, in

       compliance with all of the applicable legal framework including, but not exclusively, the

       GDPR.

                                                     9 10
 20. In its recommendation CM/Rec(2019)2 , the Committee of Ministers of the Council of Europe

       recommends in the same way the following: “the exchange and sharing of data relating to

       health between health professionals should be limited to information strictly

       necessary for the coordination or continuity of care, prevention or medical follow-up

       social and social of the person. Each health professional cannot, in this case,

       transmit or receive only data that falls within the scope of its missions, in

       depending on his authorisations. Appropriate measures should be taken in order to guarantee

       data security. The use of an electronic medical record and messaging

       electronically capable of enabling the sharing and exchange of health-related data

       should respect these principles.


 21. In general, access to data hosted on a server such as that of a hospital

       must take into account several determining criteria and conditions such as the identity

       and the quality of the access requester, the type of data concerned, the degree of

       confidentiality of these, the purpose of the request and the duration of the access. The server should



8
     See. in this regard, the information security note of the APD
https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-securite-des-donnees-a-caractere-personnel.pdf
9https://search.coe.int/cm/pages/result_details.aspx?ObjectId=090000168093b26b. The Litigation Chamber considers that
the content of this note (drafted at a time when the GDPR was not yet in force) remains relevant with regard to the
safety principles it sets out.

10 The Council of Europe’s data protection reference framework is certainly not the GDPR but rather the
Convention 108 (Convention for the protection of individuals with regard to automatic processing of personal data
staff (ETS No. 108): https://rm.coe.int/1680078b39 ) and soon, once in force, Convention 108+ (Protocol
amendment to the Convention for the protection of individuals with regard to automatic processing of personal data
personal character – ETS 223: https://www.coe.int/fr/web/conventions/full-list?module=treaty-detail&treatynum=223).

These texts nevertheless contain comparable principles in terms of data protection and security.
those of the GDPR and are so many sources of inspiration as to the measures to be put in place by a data controller
in a situation such as that of the complaint. Decision 103/2023 – 6/9



        integrate these different factors so that access is filtered and reserved for

        those who are authorized to do so in compliance with the GDPR and other standards to which

        first-time buyers are respectively required . 11


 22. The Litigation Chamber notes in this regard that the complainant titled the subject of the emails

        that it produces in addition to the complaint form filed as follows: “secret

        professional shared in the context of sexual violence “.


 23. The Litigation Chamber is certainly not competent to sanction a possible

        violation of Article 458 of the Criminal Code (professional secrecy) as such or for


        assess compliance with the conditions of shared professional secrecy. She is, however

        to verify that the information exchange system set up by the defendant

        guarantees access to patients' personal data in compliance with the principle of

        security as recalled above, including confidentiality to which respect for secrecy

        professional participates without being confused with him.


 24. The Litigation Chamber recalls here that on several occasions the European Court of Human Rights

        rights insisted on the importance of respecting professional secrecy not


        only for the privacy of patients but also more generally for the right to
                 12
        health .







11See.also by way of example, the Rules approved by the Management Committee of the eHealth platform on September 10

2019 and the Information Security Committee on April 7, 2020 as well as the deliberation of the Information Security Committee
(Deliberation 19/166 of October 1, 2019, amended on July 6, 2021) – circles of trust:
https://www.ehealth.fgov.be/ehealthplatform/file/view/AW0kmXp0gwvToiwBkkgH?filename=R%C3%A8glement%20COT
%20-%2005032021%20-%20v2.pdf

 12From the Niemietz v. Germany of 16 December 1992, it could thus be deduced that the European Court of Human Rights

 the man (Runner.D.H.) had, albeit implicitly, highlighted a dual function of professional secrecy (in this case
 of the lawyer): (1) the confidentiality of the relationship between professionals subject to professional secrecy (the lawyer) and his client

 protects the subjective rights deduced from article 8 (privacy) but (2) also guarantees the proper functioning

 justice (social foundation). In Z. v. Finland, the Eur. D.H. addresses, for the first time, at least
             12
 directly, the issue of medical secrecy.
 medical by the Court. It indicates that it will take into account the fundamental role played by the protection of personal data.

 personal character – medical information not being the least – for the exercise of the right to respect for life

 private and family life guaranteed by Article 8 of the European Convention on Human Rights (ECHR). Respect for

 confidentiality of health information is an essential principle of the legal system of all
 Contracting PartiestotheECHR.Itiscapitalnotonlytoprotecttheprivacyofpatientsbutalsoto

 preserve their confidence in the medical profession and health services in general . The Court is innovative

 terminological by requiring, for any possible justification for the breach of professional secrecy, the defense “of an aspect

 of the public interest” (§96) and declaring that it will exercise “the most rigorous control” (§96) in this matter.
 In other words, professional secrecy is intended to protect the confidentiality of the exchange between the patient and the

 health care professional subject to secrecy to whom it is addressed - by not disclosing its contents to third parties not

 authorized – not only in the interest of the confidant but also in that of society as a whole. Decision 103/2023 – 7/9


25. As the Commission for the Protection of Privacy (CPVP) stated in its note

      relating to security (see note 6), “Security is certainly first and foremost a matter of

      direction” in that the development and implementation of an effective security process

      requires the full awareness of management and the various managers, including
      the data controller, of the essential role that security plays within the entity

      concerned as well as their total adherence to the security objectives sought and their

      active cooperation.


26. Still as underlined in the said note, “Security is then everyone’s business”: everyone
      the members of the organization, whoever they are, are all part, at one time or another, of

      the security chain and therefore risk becoming its weakest link one day.

      aware and empowered of their own role in this chain, and must be prepared,

      sensitized and trained accordingly. This awareness must be put in place by the

      data controller with the assistance of its data protection officer

      (DPO).

27. With regard to the present case, the Litigation Division notes that it seems to emerge from

      exchanges of e-mails produced by the complainant that all the staff of the

      defendant potentially has access to the personal data concerning him, at all

      less those which she mentions in relation to the sexual assault of which she was the victim. He
      is not for the Litigation Chamber to conclude that the access operated by the

      psychologist to the complainant's data (point 4) was or was necessary for her services

      professionals. On the other hand, if the defendant did not have a policy

      access to medical records data that is GDPR compliant and more

      particularly to the principle of security read in combination with the principle of accountability,

      the defendant would be guilty of violation of these provisions.

28. Given what emerges from the exhibits produced by the complainant that the

      defendant seems to be engaged in a process of adapting its access policy,

      the Litigation Division considers that issuing a warning to it is the measure

      corrective action most appropriate to the case in point. The implementation of this access policy
      compliance with the GDPR should, according to the Litigation Chamber, also apply to

      files already opened with the defendant and this, as quickly as possible, agreeing

      account of the high sensitivity of the complainant's data.

29. In conclusion, the Litigation Chamber considers that on the basis of the aforementioned facts, there

      reason to conclude that the defendant may have committed a violation of the provisions of the

      GDPR, which justifies that in this case, the Litigation Chamber proceeds to take a

      decision in accordance with Article 95, § 1, 4° of the LCA, i.e. more specifically the adoption

      of a warning decision. Decision 103/2023 – 8/9


 30. This decision is a prima facie decision taken by the Litigation Chamber

       pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant,

       within the framework of the “procedure prior to the substantive decision” 13 . It is not a

       decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.


 31. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order

       inside the DPA, a copy of the file may be requested by the parties. If one of

       parties wishes to make use of the possibility of consulting this file, it is required to

       contact the secretariat of the Litigation Chamber, preferably via the address

       litigationchamber@apd-gba.be.


 32. The purpose of this prima facie decision is to inform the defendant, presumed

       responsible for the processing, of the fact that it may have committed a breach of the provisions

       of the GDPR, in order to enable it to still comply with the aforementioned provisions.

 33. If, however, the defendant should not agree with the content of this

       prima facie decision and had to believe that it can put forward arguments of fact and/or

       legal issues which could lead to another decision, it may address to the Chamber

       Litigation a request for processing on the merits of the case via the address

       litigationchamber@apd-gba.be, within 30 days of notification of the


       this decision. If necessary, the execution of this decision will be suspended.

       during the aforementioned period.

 34. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°

       juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their

       conclusions and to attach to the file all the documents they deem useful. If applicable,

       this decision will be permanently suspended.


 35. In the interests of transparency, the Litigation Chamber finally emphasizes that a

       dealing with the case on the merits may lead to the imposition of the measures mentioned in

       section 100 of the ACL .4




13Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive).
14 st
  Art. 100. § 1. The litigation chamber has the power to
 1° dismiss the complaint without follow-up;
 2° order the dismissal;
 3° pronouncing the suspension of the pronouncement;
 4° to propose a transaction;
 5° issue warnings and reprimands;
 6° order to comply with requests from the data subject to exercise his or her rights;
 7° order that the person concerned be informed of the security problem;
 8° order the freezing, limitation or temporary or permanent prohibition of processing;
 9° order compliance of the processing;
 10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the

     data ;
 11° order the withdrawal of accreditation from certification bodies;
 12° to issue periodic penalty payments;
 13° to issue administrative fines;
 14° order the suspension of cross-border data flows to another State or an international body; Decision 103/2023 – 9/9


III. Publication of the decision


 36. Given the importance of transparency regarding the decision-making process of the Chamber

       Litigation, this decision is published on the website of the APD. However, it is not

       it is not necessary for this purpose that the identification data of the parties be directly

       mentioned.






    FOR THESE REASONS,

    the Litigation Chamber of the Data Protection Authority decides, subject to

    the introduction of a request by the defendant for treatment on the merits in accordance with

    to articles 98 e.s. of the ACL:


        - pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 4° of the LCA, to send

            a warning to the defendant.





In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,

within thirty days of its notification, to the Court of Markets (court

d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party

defendant.


Such an appeal may be introduced by means of an interlocutory request which must contain the

information listed in article 1034ter of the Judicial Code. The interlocutory motion must be

filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 16

via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).




(Sé). Hielke H IJMANS

President of the Litigation Chamber








 15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
15The application contains on pain of nullity:

 (1) indication of the day, month and year;
 2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
     Business Number;
 3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
 (4) the object and summary statement of the means of the request;
 (5) the indication of the judge who is seized of the application;
 6° the signature of the applicant or his lawyer.
16
  The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.