APD/GBA (Belgium) - 103/2023
From GDPRhub
| APD/GBA - 103/2023 | |
|---|---|
 | |
| Authority: | APD/GBA (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(2) GDPR Article 9(1) GDPR Article 24 GDPR Article 32 GDPR Article 458 Code Penal |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 03.09.2022 |
| Decided: | 26.07.2023 |
| Published: | 03.08.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 103/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Autoritée de protection des données (in FR) |
| Initial Contributor: | Enzo Marquet |
In a prima facie decision, the Belgian DPA warned a medical centre for not having adequate access management under Article 6 juncto Article 24 and Article 5(2).
English Summary
Facts
In the past, the data subject stayed at a specialised care centre (the controller), after being sexually assaulted. 8 months after her stay, she visited a psychologist at the same centre for a consultation about her pregnancy. It became clear during her consultation to her that her data was accessed by staff other than those who were responsible for her initial care. She asked the centre for clarification.
The centre had explained to her that all staff have access to a summary of her medical information, including details on the sexual assault. The centre was in the progress of changing this. However, the data subject said they did not confirm whether this reformation was applicable to already open files. The DPO also informed her that they were analysing the situation and would follow-up with her. This follow-up did not happen.
The data subject submitted a complaint against the centre.
Holding
The Belgian DPA first made the distinction between sensitive personal data linked to the sexual aggression under [Article 9 GDPR#1|Article 9(1)]] and Recital 43 as well as personal data which are not as sensitive such as factual statements about the sexual aggression. The DPA noted that it appears that all staff potentially have access to the files of patients. The DPA concluded that it is not competent to judge whether a psychologist having access to the files is necessary or not in this context.
The DPA stated that it is not competent to sanction a possible violation of professional secrecy under article 458 Criminal Code. The DPA clarified that is is competent to verify the information exchange system set up by the controller and to see if it acts in line with the GDPR, including the required confidentiality.
The DPA found a prima facie violation of the GDPR: a breach of the responsibility to implement security and access measures under Article 6 juncto Article 24 and Article 5(2) to adequately protect personal data of data subjects. Given that the controller is in the process of updating its policies and practices, the DPA issued a warning. The DPA noted that the updated procedure must also apply to existing cases.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/9
Litigation Chamber
Decision 103/2023 of July 26, 2023
File number: DOS-2022-03592
Subject: Complaint relating to the accessibility of data concerning the health of a patient at
all hospital staff
The Litigation Chamber of the Data Protection Authority, made up of Mr. Hielke
Hijmans, chairman;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and
to the free movement of such data, and repealing Directive 95/46/EC (General Regulation on the
data protection), hereinafter “GDPR”;
Having regard to the Law of 3 December 2017 establishing the Data Protection Authority, hereinafter
“ACL”;
Having regard to the internal regulations as approved by the House of Representatives on 20
December 2018 and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents in the file;
Made the following decision regarding:
The complainant: Mrs. X, hereinafter “the complainant”; .
.
.
The defendant: Center Hospitalier Y, hereinafter: “the defendant”. Decision 103/2023 – 2/9
I. Facts and procedure
1. The subject of the complaint concerns access to the complainant's data by members of the
defendant's staff other than those who took care of the complainant
during his initial visit to a specialized center of the defendant.
2. On September 3, 2022 the complainant lodged a complaint with the Protection Authority
data (APD) against the defendant.
3. On September 5, 2022, the complaint was declared admissible by the Front Line Service
(SPL) of the DPA on the basis of Articles 58 and 60 of the LCA and the complaint is transmitted to the
Litigation Division pursuant to Article 62, § 1 of the LCA. 2
4. The complainant stated that following a sexual assault, she was in September/October
3
2021 returned to Center Z, a specialized center of the defendant.
5. The Complainant also specifies that approximately 8 months later, on April 19, 2022, she
went to a psychological consultation with the defendant. This consultation has
took place in the context of her pregnancy and preparation for the upcoming delivery, without
link she exhibits with the sexual violence experienced. The complainant indicates that during this
consultation, the psychologist asked him a number of questions about the assault
sexual activity of which she had been the victim. The complainant indicates that she deduced from this that,
Obviously, the psychologist had had access to the information held by the center Z to
following its passage in September/October 2021 (point 4). The complainant reports having
concerned about this situation and the fact that a large number of people (members of the
defendant’s staff, doctors, etc. thus seemed to be able to access data
very delicate and sensitive about her.
6. The complainant further states that the same day, she orally contacted center Z which
indicated that all of the defendant's medical personnel could access the
summary of her consultation at center Z (hereafter understood according to the complainant in detail
of the sexual assault of which she had been the victim). The complainant says that she requested that only
the center has access to said information. She reports that she was told that it was
then not possible but that a procedure was in progress to make this type of data
less accessible and that in the long term, only the data relating to the exemption from one or the other
medicine, for example, would be accessible and no longer the entire file. There
1Under article 61 LCA, the Litigation Chamber informs the parties by this decision, of the fact that the complaint has been
declared admissible.
2 Pursuant to Article 95, § 2 LCA, by this decision, the Litigation Division informs the parties of the fact that following
this complaint, the file was forwarded to him.
3[……]: reference to the website of the defendant's specialized center Z. Decision 103/2023 – 3/9
complainant adds that she was not told whether this new regime would apply to
folders already open (such as his) or not.
7. The complainant produced in support of her complaint the email which she then received, two months later,
either June 20, 2022, written to the Data Protection Officer (DPO) of the defendant
under which it relates the foregoing (points 5 and 6) and raises the question of the time limit in
which the new regime will apply and whether it will cover cases such as his. Of
Generally speaking, the complainant expresses that she feels that this broad accessibility
“(…) goes against my rights to privacy, precisely when it affects matters
sensitive data such as the description of a sexual assault”.
8. By way of correction, the complainant on the same day (June 20, 2022) informed center Z of the
approach she had made to the DPO of the defendant, sending him a copy of the
email sent. She also checked with the Z center that the comments she made
told the DPO following the conversation she had had with the center reflected the
reality. This e-mail is also produced in the file.
9. On June 21, 2022, a member of the Z center confirmed to the complainant that the report of
the situation she had exposed was indeed faithful to reality. It has moreover been
clarified to the complainant on the one hand that the modification of the Center Z files should be
carried out in the course of 2022 at the latest within 6 months, the process
requiring time and investment and on the other hand that it would be, if necessary
informed of new useful information concerning it. This email is on file.
10. On the other hand, the DPO of the defendant indicated by return email of June 20 to the complainant
that a meeting was scheduled in the coming weeks with Center Z to analyze its
situation and that following this meeting, a letter would be sent to him concerning access to
her data related to the sexual assault of which she was the victim. Specifically, the DPO
writes the following to the complainant: “A meeting is scheduled for this … with … [centre Z] in order to
to analyze your situation. Following this meeting, a letter will be sent to you concerning
4
access to your data related to the assault (blocking access to the details of the facts)”.
11. When filing a complaint with the DPA on September 3, 2022, the complainant indicated that she did not
to have received follow-up from (the DPO) of the defendant.
II. Motivation
12. The Litigation Chamber concludes that the data relating to the sexual assault whose
complainantreports having been victimshave personal data concerning him
within the meaning of Article 4.1. of the GDPR. Some of them are, in all likelihood,
4It is the Litigation Chamber which underlines. Decision 103/2023 – 4/9
relating to his health within the meaning of Article 9.1. of the GDPR and recital 43 thereof.
more factual data, linked to the description of the acts of aggression for example, are not
potentially not sensitive within the meaning of Article 9.1. of the GDPR. The Litigation Chamber
is nonetheless of the opinion that these data are, in the context of sexual violence of which
the complainant was the victim of "highly personal data" in the sense that
5
gives the European Data Protection Board (EDPB) to this notion. Most
Great vigilance regarding compliance with the GDPR must be required in their regard.
13. The Litigation Chamber notes that it also appears from the complaint and the exhibits
produced by the complainant that there is indeed "processing" of data within the meaning of Article 4.2. of
GDPR, the complainant's personal data being retained and accessible
electronically.
6
14. On the basis of the confidentiality policy of the defendant, the Litigation Chamber
considers, prima facie, that the defendant is the presumed controller of the
processing of the complainant's data, including those carried out by Center Z .
15. Any data controller is required to comply with Article 24 of the GDPR which implies that
taking into account the nature, scope, context and purposes of the processing as well as
risks, of varying likelihood and severity, to the rights and freedoms of
natural persons, the data controller implements measures
appropriate technical and organizational measures to ensure and be able to
demonstrate that the processing is carried out in accordance with the GDPR. All responsible for
processing must also be able to demonstrate this (article 5.2. of the GDPR).
16. The data controller is also subject to the security obligation provided for in
GDPR Article 32.
17. Article 32 of the GDPR specifies the following: “1. Taking into account the state of the
knowledge, the costs of implementation and the nature of the scope, context and
purposes of the processing as well as the risks, the degree of probability and severity of which varies,
for the rights and freedoms of natural persons, the controller and the data processor
contractor shall implement the appropriate technical and organizational measures in order to
guaranteeahighlevelofsecurityappropriatetotherisk,includingamongother thingsasrequired
: (...) b) the means to guarantee the confidentiality, integrity, availability and
ongoing resilience of processing systems and services. (…)”. 7
5 Article 29 Group, Guidelines on Data Protection Impact Assessment (DPIA) and Data Protection
how to determine whether the processing is “likely to create a high risk” for the purposes of Regulation (EU) 2016/679,
WP 248. At its inaugural meeting the European Data Protection Board endorsed these guidelines:
https://ec.europa.eu/newsroom/article29/items/611236
6
[ …………………….. ]: reference to the defendant's privacy policy available on its website.
7Emphasis added by the Litigation Chamber. Decision 103/2023 – 5/9
18. Confidentiality is the property of information that can only be accessed by
authorized persons, entities or processes and may only be disclosed to
persons,entitiesorauthorizedprocesses.Thisabilitytograntselectiveaccess
information must be ensured throughout the life of this information, in particular
during their collection, storage, processing and
communications. In practice, the only persons authorized to access the data to be
personal character are persons whose function or professional activities
8
justify this access.
19. It therefore follows from Article 32 of the GDPR read in conjunction with Article 24 of the GDPR that the
defendant was and remains required to implement all technical measures
and organizational measures to ensure that healthcare providers and other
professionals who use its information exchange system only have access to the
only data from the patient file necessary for their respective services and this, in
compliance with all of the applicable legal framework including, but not exclusively, the
GDPR.
9 10
20. In its recommendation CM/Rec(2019)2 , the Committee of Ministers of the Council of Europe
recommends in the same way the following: “the exchange and sharing of data relating to
health between health professionals should be limited to information strictly
necessary for the coordination or continuity of care, prevention or medical follow-up
social and social of the person. Each health professional cannot, in this case,
transmit or receive only data that falls within the scope of its missions, in
depending on his authorisations. Appropriate measures should be taken in order to guarantee
data security. The use of an electronic medical record and messaging
electronically capable of enabling the sharing and exchange of health-related data
should respect these principles.
21. In general, access to data hosted on a server such as that of a hospital
must take into account several determining criteria and conditions such as the identity
and the quality of the access requester, the type of data concerned, the degree of
confidentiality of these, the purpose of the request and the duration of the access. The server should
8
See. in this regard, the information security note of the APD
https://www.autoriteprotectiondonnees.be/publications/note-relative-a-la-securite-des-donnees-a-caractere-personnel.pdf
9https://search.coe.int/cm/pages/result_details.aspx?ObjectId=090000168093b26b. The Litigation Chamber considers that
the content of this note (drafted at a time when the GDPR was not yet in force) remains relevant with regard to the
safety principles it sets out.
10 The Council of Europe’s data protection reference framework is certainly not the GDPR but rather the
Convention 108 (Convention for the protection of individuals with regard to automatic processing of personal data
staff (ETS No. 108): https://rm.coe.int/1680078b39 ) and soon, once in force, Convention 108+ (Protocol
amendment to the Convention for the protection of individuals with regard to automatic processing of personal data
personal character – ETS 223: https://www.coe.int/fr/web/conventions/full-list?module=treaty-detail&treatynum=223).
These texts nevertheless contain comparable principles in terms of data protection and security.
those of the GDPR and are so many sources of inspiration as to the measures to be put in place by a data controller
in a situation such as that of the complaint. Decision 103/2023 – 6/9
integrate these different factors so that access is filtered and reserved for
those who are authorized to do so in compliance with the GDPR and other standards to which
first-time buyers are respectively required . 11
22. The Litigation Chamber notes in this regard that the complainant titled the subject of the emails
that it produces in addition to the complaint form filed as follows: “secret
professional shared in the context of sexual violence “.
23. The Litigation Chamber is certainly not competent to sanction a possible
violation of Article 458 of the Criminal Code (professional secrecy) as such or for
assess compliance with the conditions of shared professional secrecy. She is, however
to verify that the information exchange system set up by the defendant
guarantees access to patients' personal data in compliance with the principle of
security as recalled above, including confidentiality to which respect for secrecy
professional participates without being confused with him.
24. The Litigation Chamber recalls here that on several occasions the European Court of Human Rights
rights insisted on the importance of respecting professional secrecy not
only for the privacy of patients but also more generally for the right to
12
health .
11See.also by way of example, the Rules approved by the Management Committee of the eHealth platform on September 10
2019 and the Information Security Committee on April 7, 2020 as well as the deliberation of the Information Security Committee
(Deliberation 19/166 of October 1, 2019, amended on July 6, 2021) – circles of trust:
https://www.ehealth.fgov.be/ehealthplatform/file/view/AW0kmXp0gwvToiwBkkgH?filename=R%C3%A8glement%20COT
%20-%2005032021%20-%20v2.pdf
12From the Niemietz v. Germany of 16 December 1992, it could thus be deduced that the European Court of Human Rights
the man (Runner.D.H.) had, albeit implicitly, highlighted a dual function of professional secrecy (in this case
of the lawyer): (1) the confidentiality of the relationship between professionals subject to professional secrecy (the lawyer) and his client
protects the subjective rights deduced from article 8 (privacy) but (2) also guarantees the proper functioning
justice (social foundation). In Z. v. Finland, the Eur. D.H. addresses, for the first time, at least
12
directly, the issue of medical secrecy.
medical by the Court. It indicates that it will take into account the fundamental role played by the protection of personal data.
personal character – medical information not being the least – for the exercise of the right to respect for life
private and family life guaranteed by Article 8 of the European Convention on Human Rights (ECHR). Respect for
confidentiality of health information is an essential principle of the legal system of all
Contracting PartiestotheECHR.Itiscapitalnotonlytoprotecttheprivacyofpatientsbutalsoto
preserve their confidence in the medical profession and health services in general . The Court is innovative
terminological by requiring, for any possible justification for the breach of professional secrecy, the defense “of an aspect
of the public interest” (§96) and declaring that it will exercise “the most rigorous control” (§96) in this matter.
In other words, professional secrecy is intended to protect the confidentiality of the exchange between the patient and the
health care professional subject to secrecy to whom it is addressed - by not disclosing its contents to third parties not
authorized – not only in the interest of the confidant but also in that of society as a whole. Decision 103/2023 – 7/9
25. As the Commission for the Protection of Privacy (CPVP) stated in its note
relating to security (see note 6), “Security is certainly first and foremost a matter of
direction” in that the development and implementation of an effective security process
requires the full awareness of management and the various managers, including
the data controller, of the essential role that security plays within the entity
concerned as well as their total adherence to the security objectives sought and their
active cooperation.
26. Still as underlined in the said note, “Security is then everyone’s business”: everyone
the members of the organization, whoever they are, are all part, at one time or another, of
the security chain and therefore risk becoming its weakest link one day.
aware and empowered of their own role in this chain, and must be prepared,
sensitized and trained accordingly. This awareness must be put in place by the
data controller with the assistance of its data protection officer
(DPO).
27. With regard to the present case, the Litigation Division notes that it seems to emerge from
exchanges of e-mails produced by the complainant that all the staff of the
defendant potentially has access to the personal data concerning him, at all
less those which she mentions in relation to the sexual assault of which she was the victim. He
is not for the Litigation Chamber to conclude that the access operated by the
psychologist to the complainant's data (point 4) was or was necessary for her services
professionals. On the other hand, if the defendant did not have a policy
access to medical records data that is GDPR compliant and more
particularly to the principle of security read in combination with the principle of accountability,
the defendant would be guilty of violation of these provisions.
28. Given what emerges from the exhibits produced by the complainant that the
defendant seems to be engaged in a process of adapting its access policy,
the Litigation Division considers that issuing a warning to it is the measure
corrective action most appropriate to the case in point. The implementation of this access policy
compliance with the GDPR should, according to the Litigation Chamber, also apply to
files already opened with the defendant and this, as quickly as possible, agreeing
account of the high sensitivity of the complainant's data.
29. In conclusion, the Litigation Chamber considers that on the basis of the aforementioned facts, there
reason to conclude that the defendant may have committed a violation of the provisions of the
GDPR, which justifies that in this case, the Litigation Chamber proceeds to take a
decision in accordance with Article 95, § 1, 4° of the LCA, i.e. more specifically the adoption
of a warning decision. Decision 103/2023 – 8/9
30. This decision is a prima facie decision taken by the Litigation Chamber
pursuant to Article 95 of the LCA on the basis of the complaint submitted by the complainant,
within the framework of the “procedure prior to the substantive decision” 13 . It is not a
decision on the merits of the Litigation Chamber within the meaning of Article 100 of the LCA.
31. Pursuant to article 95 § 2, 3° of the LCA as well as article 47 of the order
inside the DPA, a copy of the file may be requested by the parties. If one of
parties wishes to make use of the possibility of consulting this file, it is required to
contact the secretariat of the Litigation Chamber, preferably via the address
litigationchamber@apd-gba.be.
32. The purpose of this prima facie decision is to inform the defendant, presumed
responsible for the processing, of the fact that it may have committed a breach of the provisions
of the GDPR, in order to enable it to still comply with the aforementioned provisions.
33. If, however, the defendant should not agree with the content of this
prima facie decision and had to believe that it can put forward arguments of fact and/or
legal issues which could lead to another decision, it may address to the Chamber
Litigation a request for processing on the merits of the case via the address
litigationchamber@apd-gba.be, within 30 days of notification of the
this decision. If necessary, the execution of this decision will be suspended.
during the aforementioned period.
34. In the event of further processing of the case on the merits, pursuant to Articles 98, 2° and 3°
juncto article 99 of the LCA, the Litigation Chamber will invite the parties to introduce their
conclusions and to attach to the file all the documents they deem useful. If applicable,
this decision will be permanently suspended.
35. In the interests of transparency, the Litigation Chamber finally emphasizes that a
dealing with the case on the merits may lead to the imposition of the measures mentioned in
section 100 of the ACL .4
13Section 3, Subsection 2 of the ACL (sections 94 to 97 inclusive).
14 st
Art. 100. § 1. The litigation chamber has the power to
1° dismiss the complaint without follow-up;
2° order the dismissal;
3° pronouncing the suspension of the pronouncement;
4° to propose a transaction;
5° issue warnings and reprimands;
6° order to comply with requests from the data subject to exercise his or her rights;
7° order that the person concerned be informed of the security problem;
8° order the freezing, limitation or temporary or permanent prohibition of processing;
9° order compliance of the processing;
10° order the rectification, restriction or erasure of the data and the notification thereof to the recipients of the
data ;
11° order the withdrawal of accreditation from certification bodies;
12° to issue periodic penalty payments;
13° to issue administrative fines;
14° order the suspension of cross-border data flows to another State or an international body; Decision 103/2023 – 9/9
III. Publication of the decision
36. Given the importance of transparency regarding the decision-making process of the Chamber
Litigation, this decision is published on the website of the APD. However, it is not
it is not necessary for this purpose that the identification data of the parties be directly
mentioned.
FOR THESE REASONS,
the Litigation Chamber of the Data Protection Authority decides, subject to
the introduction of a request by the defendant for treatment on the merits in accordance with
to articles 98 e.s. of the ACL:
- pursuant to Article 58.2.c) of the GDPR and Article 95, § 1, 4° of the LCA, to send
a warning to the defendant.
In accordance with Article 108, § 1 of the LCA, an appeal against this decision may be lodged,
within thirty days of its notification, to the Court of Markets (court
d'appel de Bruxelles), with the Data Protection Authority (DPA) as a party
defendant.
Such an appeal may be introduced by means of an interlocutory request which must contain the
information listed in article 1034ter of the Judicial Code. The interlocutory motion must be
filed with the registry of the Court of Markets in accordance with article 1034quinquies of the C. jud. , or 16
via the e-Deposit information system of the Ministry of Justice (article 32ter of the C. jud.).
(Sé). Hielke H IJMANS
President of the Litigation Chamber
15° forward the file to the public prosecutor's office in Brussels, who informs it of the follow-up given to the file;
16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority.
15The application contains on pain of nullity:
(1) indication of the day, month and year;
2° the surname, first name, domicile of the applicant, as well as, where applicable, his qualities and his national register number or
Business Number;
3° the surname, first name, domicile and, where applicable, the capacity of the person to be summoned;
(4) the object and summary statement of the means of the request;
(5) the indication of the judge who is seized of the application;
6° the signature of the applicant or his lawyer.
16
The request, accompanied by its appendix, is sent, in as many copies as there are parties involved, by letter
recommended to the court clerk or filed with the court office.
