Commissioner (Cyprus) - 11.17.001.009.048

From GDPRhub
Revision as of 10:27, 31 January 2024 by Co
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 9(2) GDPR
Article 9(2)(h) GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started: 22.03.2021
Decided:
Published: 24.01.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 11.17.001.009.048
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: co

The Cypriot DPA issued a reprimand to a doctor who, acting as controller, accessed a former patient's medical record through the portal of the General Health System without any legal basis under Article 9(2) GDPR, and in particular without the medical-care basis of Article 9(2)(h) GDPR.

English Summary

Facts

A data subject was a patient of a doctor, the controller, in 2018, when they underwent surgery. After the operation, the data subject left a negative review of the doctor online, and in 2020 the controller sued the data subject for defamation. In this context, the data subject noticed, through their own account on the beneficiary portal of the General Health System (GHS), that the controller had accessed their medical record on 17 September and 20 October 2020, without a referral and without their permission. The justifications entered by the controller on the portal were that, on the first date, the provider had created a non-referral visit and had the beneficiary's consent to access the medical record, and that, on the second date, the beneficiary was unconscious and needed emergency treatment. The data subject stated that neither was true. On 22 March 2021, the data subject filed a complaint with the Cypriot Data Protection Commissioner (DPC).

The DPC asked the parties for their submissions and also put questions to the Health Insurance Organisation, which can audit all accesses to the GHS IT system. The Organisation's audit covered May 2020 to April 2021 and confirmed that the controller accessed the data subject's medical record on the two dates and with the two justifications mentioned in the complaint. It also found no relationship between the controller and the data subject in that period: no active referral, no registered visit, no claim submitted by the controller, and no need to provide emergency care to the data subject.

In his submissions, the controller claimed first of all that the data subject had given consent for the 2018 surgery and had never expressly withdrawn it, so that the doctor-patient relationship continued. He then submitted that on 17 September 2020 he received a phone call from the data subject's brother saying that the data subject's health had worsened, and that on 20 October 2020 he received a patient who said the data subject had referred him. On both occasions, he said, he accessed the data subject's record out of genuine interest in their health, and the justifications entered in the portal were only formal. The controller also claimed to have had a phone call with the data subject, but it was not recorded.

The data subject denied all this.

Holding

In December 2023, the Cypriot DPC decided the case. It noted that it was established that the controller had no relationship with the data subject in the relevant period, since the surgery took place in 2018 before the GHS came into operation, the last documented contact was an e-mail of 9 January 2020, and the accesses took place several months later. The controller could therefore not show any relationship that would justify and legitimise his accesses to the data subject's record.

The DPC noted that the processing operations by the controller concerned health data, that is, special categories of personal data under Article 9 GDPR, which can only be lawfully processed if one of the exceptions of Article 9(2) GDPR applies. The legal basis for a doctor's access to a GHS beneficiary's record is Article 9(2)(h) GDPR. The DPC held that this could not apply, since the data subject was not receiving any medical care from the controller at the time; the claims about the brother's phone call and the referred patient did not change this, and the referral of another patient does not continue a doctor-patient relationship. Nor could the controller rely on Article 9(2)(a) GDPR, since the data subject had not given specific consent to such processing: a patient does not expect a doctor who treated them before the GHS existed to process their data within the GHS once no doctor-patient relationship exists, and "perpetual consent" conflicts with the requirement in Article 4(11) GDPR that consent be specific.

Further, when deciding on the sanction, the DPC considered as a mitigating factor that the controller's contract with the GHS had since been terminated, so that he could no longer access the data subject's personal data, and as an aggravating factor that he had accessed the record twice, so that the access could not be considered an accidental occurrence.

In light of the above, the DPC considered that there was a violation of Article 9(2)(h) GDPR and pursuant to Article 58(2)(b) GDPR issued a reprimand to the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

REPUBLIC OF CYPRUS
OFFICE OF THE COMMISSIONER FOR PROTECTION OF PERSONAL DATA
Kypranoros 15, 1061 NICOSIA / PO Box 23378, 1682 NICOSIA. Tel: 22818456, Fax: 22304565
E-mail: commissioner@dataprotection.gov.cy, Website: http://www.dataprotection.gov.cy

File No.: 11.17.001.009.048

DECISION

Complaint regarding access to the account of a beneficiary of the GeSY by a doctor

1. Based on the duties and powers granted to me by article 57(1)(f) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the "Regulation"), I examined a complaint submitted to my Office on March 22, 2021 regarding access to the General Health System (GeSY) account of Mr. XXX (hereinafter the "Complainant") by Dr. XXX (hereinafter the "Defendant"). Based on the investigation, I found a violation of the Regulation by the Defendant and, therefore, issue this Decision.

A. Facts of the Case

Positions of the Complainant

2. In the complaint dated March 22, 2021, the following was stated:
2.1. the Complainant was a patient / client of the Defendant around the year 2018, and on June 28, 2018, he underwent surgery performed by the Defendant,
2.2. the Complainant posted an evaluation and/or review of the Defendant through the online platform Google Reviews,
2.3. in August 2020, the Defendant filed a lawsuit in the District Court of Limassol against the Complainant, claiming general and special damages for defamatory publications,
2.4. the Complainant noticed, through his personal account on the beneficiary portal of the General Health System (GeSY), that the Defendant had accessed the Complainant's beneficiary file on:
2.4.1. September 17, 2020, on the grounds "The provider created a non-referral visit and had the beneficiary's consent to access his/her Medical Record", and
2.4.2. October 20, 2020, on the grounds "The beneficiary was unconscious. The provider needed access to the Medical Record to provide emergency treatment",
2.5. the Complainant stated that he had never visited and/or authorized the Defendant, with or without a referral, and that he had never been unconscious and in need of treatment from the Defendant on the specified days.

3. The complaint included:
3.1. a letter to the Supervisory Commissioner (GeSY), copied to my Office, containing an extensive account of the incidents and the positions of the Complainant,
3.2. a screenshot from the GeSY beneficiary portal showing the Defendant's accesses to the Complainant's beneficiary file, as mentioned in paragraph 2.4 hereof.

4. On March 31, 2021, the documents referred to in paragraph 3 hereof were sent again, with a copy to my Office, through a letter from the Supervisory Commissioner (GeSY) to the Health Insurance Organization.

Positions of the Health Insurance Organization

5. On April 21, May 17 and June 28, 2021 and on February 9, 2022, I sent letters to the Health Insurance Organization (hereinafter the "Organization") regarding the complaint, asking to be informed about it and asking clarifying questions.

6. The Organization, in its letters to my Office dated May 24 and September 14, 2021 and February 8, February 17 and March 1, 2022, stated, among other things, the following:
6.1. beneficiaries have the possibility, through the Beneficiary Portal, to check providers' accesses to their medical file as well as the relevant justifications. If they find contradictions, errors, omissions or inaccuracies, they can submit a complaint, which the Organization undertakes to investigate and handle accordingly,
6.2. the Organization carried out an audit of the GeSY IT System. The results of that audit for the period between May 2020 and April 2021 confirm the claim of the Complainant / beneficiary that the Defendant / provider, with provider number DDXX, accessed the Complainant's medical data on the dates and with the justifications mentioned in paragraph 2.4 hereof,
6.3. an additional check carried out by the Organization did not show, within the GeSY, any relationship between the Complainant and the Defendant during the period in question. Specifically, on the access dates there was no active referral, no relevant visit was registered, and no relevant claim was submitted by the Defendant. Also, the Defendant's accesses during the material time appeared to have taken place without the Complainant having visited the Defendant to receive health care services and/or without the Defendant having received the necessary authorizations and/or the consent of the Complainant for access and/or without any need to provide emergency treatment,
6.4. the last access by the Defendant took place XXX days before the termination of his contract with the GeSY, which was terminated on XXX,
6.5. from the moment the provider gained access to the Complainant's medical file, he was able to process the Complainant's personal data (e.g. viewing, copying, downloading),
6.6. XXX,
6.7. XXX:
6.7.1. XXX,
6.7.2. XXX,
6.8. the allegations put forward by the doctor, through his lawyers, about perpetual consent and/or that the Complainant never expressly withdrew his consent were not accepted by the Organization. As stated, according to the Regulation, the legal basis for the processing of a beneficiary's personal data by a provider is primarily the performance of the contract for the provision of health care services and, since health data are concerned, their processing is prohibited unless one of the exceptions of article 9 of the Regulation applies; in this case, the processing is lawful if it is necessary for the purposes of medical diagnosis or the provision of health care or treatment pursuant to a contract,
6.9. XXX.

7. The Organization submitted to my Office:
7.1. a table with the results of the audit, showing which health care service providers contracted with the Organization had accessed the Complainant's electronic file between May 2020 and April 2021,
7.2. the personal data protection policy of the GeSY web portal.

Positions of the Defendant

8. On May 30, 2022, I sent a letter to the Defendant, requesting answers to specific questions.

9. On June 17, 2022, I received from the Defendant's lawyer a letter dated June 16, 2022, with the following positions:
9.1. the Defendant, after written consent, operated on the Complainant on June 28, 2018,
9.2. the patient-doctor relationship continued during the Complainant's recovery and was not interrupted up to the date of the Defendant's reply to my Office, while the Complainant never expressly withdrew any of his consent,
9.3. it is confirmed that the Defendant accessed the Complainant's medical record on September 17, 2020, on the grounds "The provider created a non-referral visit and had the beneficiary's consent to access his/her Medical Record", and on October 20, 2020, on the grounds "The beneficiary was unconscious. The provider needed access to the Medical Record to provide emergency treatment",
9.4. on September 17, 2020, the Defendant received a phone call from the Complainant's brother, who reported to the Defendant that the Complainant's health condition had worsened and that he was planning an operation at a medical center abroad. The Defendant, out of genuine interest in the Complainant, connected to the system to find out about his health,
9.5. on October 20, 2020, the Defendant received a patient who reported that the Complainant had referred him to the Defendant. The Defendant, out of genuine interest in the Complainant and since he had had no further communication with his brother, connected to the system to be informed about the progress of the Complainant's health,
9.6. the reasons entered in the system were entered for formal purposes, as there was no precise category for the reason the Defendant wanted access to the Complainant's medical record,
9.7. the Defendant considered that the doctor-patient relationship continued, especially after the Complainant's initiative to refer another patient to him,
9.8. the access to the medical file lasted a few minutes, without the Defendant taking any other action and without the Complainant's details and/or his medical file being processed and/or falsified in any way,
9.9. the Complainant's lawyers sent the Defendant a letter dated July 7, 2020, in response to the Defendant's letter dated June 3, 2020 demanding that the Complainant cease defaming the Defendant, while the Complainant filed a lawsuit for alleged medical negligence against the Defendant on October 29, 2021. This fact, combined with the time that passed between the date of the letter of the Complainant's lawyers and the Defendant's access to the Complainant's file, shows that it is not true that the Defendant's motives were improper or that the accesses were intended to prepare him for a possible lawsuit against him. Also, as stated, none of the data in the medical file could be of any use to the Defendant in the event of legal proceedings.

Positions of the Complainant

10. On July 18, 2022, I sent a letter to the Complainant, forwarding the Defendant's positions and asking clarifying questions.

11. The Complainant's lawyer, in a letter dated August 8, 2022, reported the following to my Office:
11.1. apart from the fact that the Defendant operated on the Complainant on June 28, 2018, the remaining claims of the Defendant, forwarded to the Complainant through the letter of my Office dated July 18, 2022, are not accepted,
11.2. the last provision of services by the Defendant to the Complainant was on the date of the operation,
11.3. the Complainant's brother never contacted the Defendant on the said date,
11.4. the Complainant never referred another patient to the Defendant.

Positions of the Defendant

12. On October 10, 2022, I sent a letter to the Defendant, presenting the positions of the Complainant and asking clarifying questions.

13. The Defendant's lawyer, in a letter dated November 10, 2022, reported the following to my Office:
13.1. the last provision of services by the Defendant to the Complainant was not on June 28, 2018, the date the operation was performed, as approximately five scheduled post-operative visits by the Complainant to the Defendant's practice followed. During the Complainant's visit on August 4, 2018, the Complainant was accompanied by his brother, so that the brother could undergo a neurosurgical examination,
13.2. further, there is recorded electronic communication from the Complainant in the Defendant's e-mail concerning documents for sick leave and other documents related to the surgery he underwent. In particular, the last electronic message from the Complainant to the Defendant was on January 9, 2020,
13.3. there was also, as stated, a telephone conversation with the Complainant, which, however, is not recorded.

14. On February 21, 2023, I sent the Defendant a prima facie Decision, having found a prima facie violation of Article 9(2)(h) of the Regulation, because the processing operations he carried out, i.e. the accesses to the Complainant's beneficiary file, were not based on the relevant legal basis.
14.1. Also, before taking a Decision regarding the possible imposition of an administrative fine, the Defendant was invited to submit the reasons and circumstances that should be taken into account in the context and for the purposes of imposing an administrative sanction pursuant to Article 58(2) of the Regulation.

15. In a letter from the Defendant's lawyer to my Office dated April 12, 2023, the following is stated:
15.1. he disagrees with the conclusion of my prima facie Decision dated February 21, 2023, as he considers that there was perpetual consent from the Complainant, which was never expressly withdrawn. It is also stated that the Complainant is "abusively using you as a vehicle to achieve his own ends",
15.2. the contents of the letters dated June 16, 2022 and November 12, 2022 are repeated. I note that the Defendant's lawyer evidently refers to his letter dated June 16, 2022, which was submitted to my Office on June 17, 2022, and to his letter dated November 10, 2022, respectively,
15.3. the Defendant's prior record, the individual incidents and the totality of the facts, such as the absence of any processing, do not justify, as stated, "the imposition of any fine but (probably) only a reprimand",
15.4. further, the single incident and/or its duration, the surrounding facts and the honest motives of the Defendant, as stated, "underline the fact that there is no issue to be 'corrected' and no question of any repetition",
15.5. XXX,
15.6. in view of the above, any penalty beyond a reprimand is considered disproportionate and unfair, and would not serve any deterrent purpose or the purposes and true meaning of the Regulation.

B. Legal Aspect

16. According to article 4 of the Regulation, personal data means "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

17. Data concerning health, as provided for in the same article of the Regulation, are "personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status".

18. A controller is defined in article 4 of the Regulation as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law".

19. Consent is defined in article 4 of the Regulation as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

20. With reference to the processing of special categories of personal data, article 9 of the Regulation provides the following:
"1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2. Paragraph 1 shall not apply in the following cases:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject,
b) the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject,
c) the processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,
d) the processing is carried out, with appropriate safeguards, in the course of the legitimate activities of a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects,
e) the processing relates to personal data which are manifestly made public by the data subject,
f) the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity,
g) the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject,
h) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3,
i) the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, or
j) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health."

21. Pursuant to article 57(1)(f) of the Regulation, the Commissioner for Personal Data Protection has the duty to "handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary".

22. Regarding the lodging of a complaint with the supervisory authority, article 77 of the Regulation provides that: "Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation."

23. Pursuant to article 58(2) of the Regulation, the Commissioner for Personal Data Protection has the following corrective powers:
"a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation,
b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation,
c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation,
d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period,
e) to order the controller to communicate a personal data breach to the data subject,
f) to impose a temporary or definitive limitation including a ban on processing,
g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16 [...] Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met,
i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case,
j) to order the suspension of data flows to a recipient in a third country or to an international organisation."

24. Regarding the general conditions for imposing administrative fines, article 83(2) of the Regulation provides the following:
"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them,
b) the intentional or negligent character of the infringement,
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects,
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32,
e) any relevant previous infringements by the controller or processor,
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement,
g) the categories of personal data affected by the infringement,
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement,
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures,
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43,
b) the obligations of the certification body pursuant to Articles 42 and 43,
c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9,
b) the data subjects' rights pursuant to Articles 12 to 22,
c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49,
d) any obligations pursuant to Member State law adopted under Chapter IX,
e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)."

25. Regulation 16(2) of the General Health System (Specialist Doctors) Regulations of 2019 provides that: "The specialist doctor, for the purposes of providing health care services, has access to the file of the beneficiary in accordance with the provisions of the Law and the provisions of the Regulations, internal regulations and Decisions issued pursuant thereto."
25.1. Regarding the Information System of the Organization, article 32C of the General Health System Law of 2001, Law 89(I)/2001, provides the following:
"(1) Health care service providers have an obligation to use the IT system for the issuance of referrals and prescriptions, the submission of claims for remuneration, the management of the list of beneficiaries and any other actions and/or processes specified in this Law and in the Regulations, internal regulations and Decisions issued pursuant thereto: Provided that the actions and/or processes mentioned in subsection (1) are performed only through the IT system, unless the Organization determines otherwise.
(2) For the purposes of this Law as well as of any civil or criminal procedure, the Organization provides the person who has the right to use the IT system with security codes, which have the same effect as the handwritten signature any documents would bear if they were submitted without the use of the IT system.
(3) For the use of the IT system, the Organization issues a terms and conditions document setting out the terms and conditions that must be observed by any person using the IT system.
(4) The user of the IT system undertakes to fully comply with the security rules as described in the terms and conditions of the IT system, as well as with the provisions of the Processing of Personal Data (Protection of the Individual) Law.
(5) Beneficiaries have the right to use the IT system, provided that they comply with the provisions of subsections (2), (3) and (4): Provided that the generality of the provisions of articles 54, 54A and 54B is not affected."

C. Rationale

26. XXX.

27. XXX.

28. In the case under investigation, there is the Defendant's admission that he accessed the Complainant's beneficiary file on the dates and with the justifications mentioned in paragraph 2.4 hereof.

29. These accesses by the Defendant were carried out to serve a purpose or purposes determined by him; therefore, for the specific processing operations, he is considered a controller, with all the obligations that the Regulation entails.

30. Even if, as the Defendant stated, his access to the Complainant's file lasted a few minutes and he took no other action, without any processing and/or falsification of the Complainant's information and/or medical file, the Defendant's accesses to the Complainant's beneficiary file constitute acts of processing. This conclusion holds even if the Defendant did not view, copy or download the Complainant's data, i.e. acts he had the opportunity to perform, as noted by the Organization. Moreover, the fact that the Defendant did not submit a claim to the Organization does not negate this conclusion.

31. The surgery which the Complainant underwent took place before the implementation of the GeSY. It appears, therefore, that the doctor-patient relationship at the time of the surgery, specifically between the Defendant and the Complainant, was not governed by the GeSY.

32. The Complainant stated that the last provision of services he received from the Defendant was on the day of the operation. However, the Defendant stated that approximately five visits to the doctor's office followed post-surgery, referring to a visit by the Complainant on August 4, 2018, without, however, specifying the Complainant's last visit. I therefore have before me conflicting views regarding the Complainant's last visit to the Defendant.

33. In any case, however, as the Organization reported to my Office, its check covering a period that includes the dates of the Defendant's accesses to the Complainant's beneficiary file showed no relationship between the Defendant and the Complainant.

34. As stated by the Defendant, there was an unrecorded telephone conversation with the Complainant, without specifying when it took place, and the Complainant's last electronic message to the Defendant was on January 9, 2020. Considering that the accesses made by the Defendant took place some months later, it was not proven that there was any relationship between the Complainant and the Defendant which would justify and legitimize the Defendant's accesses to the Complainant's beneficiary file.

35. Taking into account that the Complainant's beneficiary file concerns and includes health-related data, that is, special categories of personal data, the processing of such data is prohibited unless one of the cases of article 9(2) of the Regulation applies.

36. Regarding a doctor's access to the medical record of a GeSY beneficiary, the legal basis is Article 9(2)(h) of the Regulation. In particular, processing is not prohibited when "the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3".

37. Considering that there was a previous relationship between the Complainant and the Defendant and that the Defendant had the information required to access the Complainant's beneficiary file, the accesses to the Complainant's file would have been justified for the purposes of Article 9(2)(h) of the Regulation if they had been in accordance with the relevant regulations of the Organization.

38. Even if it were true that the Complainant's brother contacted the Defendant by phone and reported on the progress of the Complainant's health, and that the Defendant, out of genuine interest in the Complainant, connected to the system to be informed about the progress of his health, the Defendant's access to the Complainant's beneficiary file cannot be brought under any case of article 9(2) of the Regulation, since during the relevant time the Complainant did not receive services from the Defendant.

39. The above conclusion also applies in the event that the Complainant actually referred another patient to the Defendant. In no case, however, can the position be accepted that the doctor-patient relationship continues to exist when the patient refers another patient to a doctor, a view taken by the Defendant, as reported to my Office.

40. The legal basis for access to the beneficiary file cannot be Article 9(2)(a) of the Regulation, that is, the explicit consent of the Complainant. After all, no patient expects that a doctor who provided him with health services in the past, before the implementation of the GeSY, will process his data within the GeSY without a doctor-patient relationship existing at the given moment.

41. Therefore, the Defendant's claim that the Complainant never expressly withdrew any consent and that there was perpetual consent has no validity whatsoever. The term "perpetual consent" is, after all, in conflict with the definition of consent contained in Article 4 of the Regulation, since consent must be "specific".
42. Furthermore, as stated by the Defendant, none of the data in the medical file could be of any use to the Defendant in the event of legal proceedings. Even if this position is valid, it does not negate the fact that the processing operations carried out by the Defendant should be based on a legal basis as provided for in Article 9(2) of the Regulation. 43. The Defendant's lawyer refers to the absence of processing. I remind you that access to the beneficiary patient file, which requires the use / registration of the identity card number and date of birth, constitutes processing of personal data. 44. As far as the complaint under investigation is concerned, the previous life of the Defendant, invoked by his lawyer, cannot be taken as a mitigating factor, which I do not examine, but in no way do I dispute. 45. In addition, even if the sincere and honest motives referred to by the Defendant's lawyer are valid, they cannot legitimately frame the processing operations carried out by the Defendant. They also cannot be a mitigating factor, since while the Defendant states that he obtained access out of genuine interest, after telephone communication by the Complainant's brother and after a referral from another patient, the Complainant denies the above facts. 46. The doctor's access to the Complainant's beneficiary file cannot be considered as an isolated incident, since the Defendant had access to the file in question twice. I acknowledge the fact that no similar complaint had been submitted before, nor subsequently, against the Defendant, a fact which, in no way, diminishes the violation of the Complainant's personal data. Therefore, the above cannot be taken as a mitigating factor. 47. Nor can the duration of the incident, invoked by the Defendant's lawyer, be taken as a mitigating factor, let alone when more than a month elapsed between the Defendant's accesses. 48. The Defendant's lawyer refers to surrounding events. 
The surrounding events have not created, in the incident under investigation, suitable conditions for the actions carried out by the Defendant to be surrounded by legality. Therefore, the surrounding events cannot be taken as a mitigating factor. 49. As the Defendant's lawyer states, there is no question of any repetition. Even if this is the case, it does not negate the violation committed by the Defendant. Nor is his position that there is no issue to be "corrected" since, in any event, the Complainant's data was breached. However, I consider as a 15 mitigating factor the fact that the Defendant is no longer contracted with the GeSY and, therefore, the Defendant's access to the account of any beneficiary of the GeSY cannot be repeated. 50. Also, in measuring the penalty, I take as a mitigating factor the fact that XXX. 51. The statement by the Defendant's lawyer that the Complainant "abusively uses you as a vehicle to achieve his own goals", is an insult to my Office and to the institution that I myself am mandated to serve. I clearly point out that I am impartially evaluating the evidence presented to my Office and regarding the processing of personal data arising from the complaint under investigation. I will not examine, and it does not concern me, whether, behind this particular complaint, other purposes are hidden. 52. I also consider the term "abusive" to be inappropriate, since pursuant to Article 77 of the Regulation, a data subject has the right to submit a complaint to a Supervisory Authority, which complaint is handled by the Supervisory Authority pursuant to Article 57(1)(f) of the Regulation. D. Conclusion 53. Taking into account all the above facts, as they have been stated, and based on the powers granted to me by virtue of article 57(1)(f) of the Regulation, I find that there is a violation by the Defendant of the article 9(2)(h) of Regulation (EU) 2016/679, because the processing operations it carried out, i.e. 
the accesses to the Complainant's beneficiary file, lacked legality, since they were not based on the relevant legal basis. 54. Based on the provisions of article 83 of the Regulation, regarding the conditions for imposing administrative fines, insofar as they are applied in this particular case, when measuring the administrative fine, I took into account the following aggravating factors (a) – (b) and mitigating factors ( c) – (g) factors: (a) the Defendant gaining access to a file, which includes sensitive data, (b) the fact that the Defendant managed to access the Complainant's beneficiary file twice, (c) the fact that the Professor is no longer contracted with the NHS, (d) the incident concerned a data subject, (e) XXX, (f) the Professor's cooperation with my Office in the context of the investigation of complaint, (g) the non-existence of my previous Decision against the Defendant. 16 55. Having taken into account and taken into account: (a) the applicable legislative basis regarding the administrative sanctions provided for in the provisions of article 58(2) and article 83 of the Regulation, (b) all the circumstances and factors that the Complainant and o As they put before me based on all existing correspondence, (c) the above mitigating and aggravating factors, I consider that, under the circumstances, the imposition of an administrative fine is not justified. 56. Nevertheless, having regard to the aforementioned facts, the legal aspect on which this Decision is based and the analysis as explained above, and exercising the powers granted to me by Article 58(2)(b) of the Regulation, I have decided against my judgment and in compliance with the above provisions, to address to Dr. XXX Reprimand for the violation of Article 9(2)(h) of Regulation (EU) 2016/679. Irini Loizidou Nikolaidou Commissioner for Personal Data Protection December 5, 2023