APD/GBA - 41/2020
| APD/GBA - 41/2020 | |
|---|---|
| Relevant Law: | Article 12 GDPR; Article 13 GDPR; Article 14 GDPR; Article 15 GDPR |
| National Case Number/Name: | 41/2020 |
| European Case Law Identifier: | n/a |
| Original Source: | Decision by the Litigation Chamber (in FR) |
The APD/GBA (the Belgian DPA) found that a hospital that requested an audit by an external expert was the controller for the audit-related processing activity, based on Article 4(7) GDPR. The APD/GBA ordered the hospital to provide access to parts of an audit report based on the right of access, rejecting (for lack of evidence) the exceptions invoked by the hospital (confidentiality, IP rights, personal data of others).
English Summary
Facts
In the light of deficiencies regarding the radiology service in a hospital, the hospital asked an external expert to carry out an audit in order to find explanations and possible solutions. After the audit, the hospital decided to dismiss the head of the radiology service, a doctor, for severe misconduct.
The doctor in question requested access to the audit report and specifically to sections that related to her individually. The hospital refused to grant access, arguing that (i) the hospital was not the controller (but rather the external expert), (ii) the report was confidential, (iii) the report was protected by copyright and (iv) the report contained personal data of others.
In reaction to this refusal, the doctor filed a complaint with the APD/GBA.
Dispute
If an external expert examines personal data at the request of an organisation, who is the controller?
What are the limits to a data subject’s right to obtain a copy of personal data relating to him or her?
Holding
- The defendant was the controller. Based on Article 4(7) GDPR, the APD/GBA stated that "in the present case, by giving mandate to doctor Z [the auditor], even in his capacity as independent expert, to carry out an evaluation of the radiology service of the hospital, the defendant [the hospital] determined the purposes and means of the processing."
- As controller, the defendant was responsible for, and had to be able to demonstrate, compliance with the principles set out in Article 5(1) GDPR. The defendant also had to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing complied with the GDPR, with the APD/GBA explicitly referring to the obligation under Article 12 GDPR to facilitate the exercise by data subjects of their rights.
- On Article 15(3) GDPR and the rejection by the hospital of access to the audit report, the APD/GBA examined the justification provided and rejected the hospital's arguments:
  - On confidentiality, the APD/GBA stated that the defendant failed to demonstrate that the report was indeed confidential, let alone that it was covered by professional secrecy (Article 14(5)(d) GDPR).
  - On copyright:
    - The author of the report did not appear to object to communication beyond the initial recipients,
    - The balance of interests in the present case did not appear to prevent the sharing of a copy of the document, and
    - Even if that were the case, nothing would have prevented mere consultation of the document.
  - On the data regarding other persons, the hospital could have redacted the personal data concerning those other persons.
- On Article 12(4) GDPR: the defendant was found in breach of Article 12(4) GDPR for not mentioning the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.
- Infringement of Articles 13 and 14 GDPR: the APD/GBA found that the defendant did not provide any information concerning the collection and processing of personal data in the context of the preparation of the audit report (collected here both directly from the plaintiff and from third parties). Based on Articles 12, 13 and 14 GDPR, the APD/GBA stressed the importance of providing such information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The APD/GBA found that the information provided in this case by the defendant contained vague statements without sufficient granularity, which did not allow the plaintiff to identify the kinds of personal data processed, the processing activities, the purpose of the processing, etc.
- Concerns regarding Article 15 GDPR:
  - First, the hospital required requests to be made by appointment and did not provide the possibility to submit a request by e-mail or any other means of communication. The APD/GBA stated that it was excessive to require discussions systematically. According to the APD/GBA, this requirement could be viewed as "intimidating" and as hindering the freedom of data subjects to exercise their rights.
  - Next, the APD/GBA "invited" the hospital to examine whether a copy of the data subject's ID was truly "systematically necessary" to identify them and whether any alternative means could be used.
- Outcome: no fine, because the APD/GBA was prohibited from imposing a fine due to the "nature" of the hospital (an implicit reference to Article 221(2) of the Belgian Data Protection Act of 30 July 2018, according to which governmental bodies cannot be fined, except for public law entities that offer goods or services on a market), but a reprimand and an order to (i) provide access to an additional document and (ii) make its processing compliant within a period of 3 months.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.