APD/GBA (Belgium) - 103/2023
Article 5(2) GDPR
Article 9(1) GDPR
Article 24 GDPR
Article 32 GDPR
Article 458 Code pénal
Autorité de protection des données (in FR)
The Belgian DPA issued a warning to a hospital group for non-compliance with Article 32 GDPR and Article 24 GDPR, as the hospital group had failed to implement appropriate internal data security measures.
English Summary
Facts
Following a sexual assault, the data subject visited and was treated by Centre 'Z'. Centre 'Z' is part of the hospital group against which the complaint was filed. Several months later, the data subject visited a psychologist employed by the hospital group that manages Centre 'Z'. However, the psychologist did not work at Centre 'Z' and the visit was unrelated to the data subject's sexual assault. During the psychological consultation, the data subject was asked questions relating to her sexual assault, which indicated to her that the psychologist had access to her medical data held by Centre 'Z', despite not working there.
The data subject contacted Centre 'Z' regarding their internal data access policy. She was informed that all of the hospital group's employees could access her records, regardless of whether they worked at Centre 'Z' or not. She requested that the Centre restrict access to her data to only staff working at Centre 'Z'. The Centre responded that this was not possible, but did note that the hospital group was in the process of updating its policy on this matter.
Holding
The Belgian DPA found that the hospital group's internal data security measures were in violation of Article 32 GDPR and Article 24 GDPR.
These Articles impose a duty upon controllers and processors to implement "appropriate technical and organisational measures" to ensure compliance with the GDPR, and to ensure a level of security appropriate to the risk of the processing. The Belgian DPA interpreted the meaning of "appropriate technical and organisational measures" in a healthcare context to mean that measures should be implemented to "ensure that healthcare providers and other professionals who use [an] information exchange system only have access to data from a patient file which is necessary for their respective services." In reaching this conclusion, the Belgian DPA explicitly affirmed the position taken by the Committee of Ministers of the Council of Europe in Recommendation CM/Rec(2019)2 on the protection of health-related data.
As the hospital group allowed all of its employees to access patient data, and not only those who were treating a particular patient, the DPA found that the hospital group had not implemented the "appropriate technical and organisational measures" required by Article 32 GDPR and Article 24 GDPR. Given that the hospital group was in the process of updating its policies and practices, the Belgian DPA issued a warning.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.