Commissioner (Cyprus) - 11.17.001.009.077: Difference between revisions

From GDPRhub
Diff between the previous revision (minor edit, no edit summary; initial contributor Evangelia Tsimpida) and the current revision (no edit summary; initial contributor im).

Infobox fields that changed (old → new; fields not listed are unchanged):

|Original_Source_Name_1= Office of the Commissioner for Personal Data Protection (trailing whitespace only)
|Original_Source_Link_1=
  old: https://www.dataprotection.gov.cy/DATAPROTECTION/DATAPROTECTION.NSF/F880C7270072D4E0C2258AAE0049CEAB/$file/%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%20%CE%93%CE%B5%CE%A3%CE%A5%2077.pdf
  new: https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/F880C7270072D4E0C2258AAE0049CEAB/$file/%25CE%2591%25CE%25A0%25CE%259F%25CE%25A6%25CE%2591%25CE%25A3%25CE%2597%2520%25CE%2593%25CE%25B5%25CE%25A3%25CE%25A5%252077.pdf?openelement
|Date_Decided= 07.12.2023 → 21.12.2023
|Date_Published= 07.12.2023 → (empty)
|Fine= 1500 → 1,500
|GDPR_Article_1= Article 5(1)(a) GDPR → Article 4(2) GDPR
|GDPR_Article_Link_1= Article 5 GDPR#1a → Article 4 GDPR#2
|GDPR_Article_2= Article 57(1)(f) GDPR → Article 5(1)(a) GDPR
|GDPR_Article_Link_2= Article 57 GDPR#1f → Article 5 GDPR#1a
|GDPR_Article_3= Article 58(2)(i) GDPR → (empty)
|GDPR_Article_Link_3= Article 58 GDPR#2i → (empty)
|GDPR_Article_4= Article 83 GDPR → (empty)
|GDPR_Article_Link_4= Article 83 GDPR → (empty)
|Party_Name_1= Complainant → (empty)
|Party_Name_2= Respondent → (empty)
|Initial_Contributor= Evangelia Tsimpida → im

The summary, Facts and Holding sections were rewritten. Text of the previous revision:

The Cypriot DPA imposed a €1,500 fine on a doctor, as a controller, for unlawfully accessing personal data on the General Health System, in breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].

== English Summary ==

=== Facts ===
A data subject found out that on 09 March 2021 her personal data had been accessed by a doctor, the controller, on the portal of the General Health System (''GHS''), without her consent. The reason given by the controller for accessing the data subject's online GHS account was that the data subject had made an appointment with the controller and granted her consent. The data subject, who was not a patient of the controller, attempted to contact the controller upon discovering the access, without success.

The Health Insurance Agency confirmed that the controller had accessed the data subject's medical data on the GHS without there being a referral or a claim for compensation for services, and without the data subject having registered a visit with the controller.

On 28 April 2021 the data subject filed a complaint with the Cypriot DPA (''Data Protection Commissioner, DPC'').

On 19 July 2022, the controller provided her submissions to the DPC. The controller confirmed that she indeed did not know and had not examined the data subject before, and that her secretary did not have the data subject's details on file either. In order to access the data subject's medical records in the GHS computer system, it was necessary to enter the beneficiary's full name, date of birth and ID number; the controller therefore claimed that she had probably spoken to the data subject on the telephone about a visit. Otherwise, she assumed that there had been an error in her attempt to access another patient's file. However, as a considerable amount of time had elapsed, she could not recall anything specific about the incident.

The data subject replied to the controller's submissions, claiming that she had never contacted the controller by telephone nor given her personal data to the controller's secretary. As soon as she became aware of the unlawful access to her data, she reached out to the controller and contacted her secretary, leaving her full name and telephone number (not her date of birth or her ID number) so that the controller could call her back, but never before that moment.

=== Holding ===
The Cypriot DPA acknowledged that the controller did not know the data subject and had never examined her. However, the important element was that the doctor could not prove that she had obtained the data subject's personal data in a lawful manner or that she had been authorised to access the GHS portal. The DPC noted that possession of the data subject's data, as well as access to her medical records on the GHS, constituted acts of processing on the part of the controller. Factors such as the absence of malicious intent or the absence of harm do not alter the fact that unlawful processing did take place. Furthermore, the DPC considered it impossible that the controller had accidentally accessed the data subject's medical data, as this requires knowledge of the patient's date of birth and ID number.

Taking the above into account, the DPC found a violation of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], because the data subject's personal data had not been processed lawfully, fairly or in a transparent manner. Taking into consideration the aggravating factor that the controller had accessed data concerning the data subject's health, under [[Article 9 GDPR]], the DPC, pursuant to [[Article 58 GDPR#2i|Article 58(2)(i) GDPR]] and [[Article 83 GDPR]], imposed an administrative fine of €1,500 on the controller.

Text of the current revision: as rendered below.

== Comment ==
(unchanged)

Machine translation excerpt, unchanged between the two revisions:

<pre>
I reviewed a complaint submitted to my Office regarding access to the Complainant's General Health System (GHS) account by a medical practitioner. Specifically, as the Complainant mentioned, she found access to her personal data from the doctor, on the GeSY beneficiary portal, without knowing the doctor, without a referral and without her permission. During the investigation, both the Complainant and the doctor reported to my Office that each did not know the other and that the doctor did not examine the complainant.

I evaluated the doctor's positions regarding the possible ways of obtaining the Complainant's data, which were necessary to access the Complainant's beneficiary portal at the NHS. However, the doctor was unable to prove that she legally obtained the Complainant's personal data and that she was authorized to gain access to the beneficiary portal. Therefore, the Complainant's personal data were not processed lawfully and legitimately in a transparent manner. That is, the principle of "legality, objectivity and transparency", as provided for in Article 5(1)(a) of the Regulation, was not observed. For the violation of this article, I imposed on the doctor an administrative fine of one thousand five hundred euros (€1500).
</pre>

Revision as of 07:50, 2 April 2024

Commissioner - 11.17.001.009.077
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 4(2) GDPR
Article 5(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.04.2021
Decided: 21.12.2023
Published:
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name: 11.17.001.009.077
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: im

The DPA fined a doctor €1,500 for unauthorized access to a data subject's medical records and for failing to prove how she came into possession of the patient's data.

English Summary

Facts

The data subject filed a complaint with the DPA about unauthorized access to her personal data through the General Health System (‘GHS’) portal. She provided a screenshot of a notification showing that on 9 March 2021 a doctor specialised in endocrinology, the controller, had accessed her medical records without any referral in force. The notification stated that the data subject had consented to the access to her records; however, the doctor had never examined her.

The doctor objected to the complaint, claiming that she had not visited the GHS portal in relation to the data subject. As she did not know the data subject, she stated that it was impossible for her to know the personal data (name, date of birth and ID number) needed to access her records. She suggested that she may have made a mistake when entering details in the portal while trying to locate another patient, but maintained that no processing of the patient's data had taken place. Further, she stated that there had been no malicious intent on her part and that she continued to be bound by medical confidentiality.

Holding

The DPA took into consideration the important element that the data subject and the controller did not know each other and that the controller had never examined the data subject.

However, the DPA emphasized that any argument denying that the patient's medical data had been processed must be disregarded. The DPA specified that both possession of the data and access to the patient's file constitute acts of processing under Article 4(2) GDPR.

For that reason, the controller had to prove how the data subject's personal data (name, date of birth and ID number) came into her possession and demonstrate the legal basis for processing them. The controller raised the possibility of an inadvertent error; however, the DPA considered this possibility infinitesimal, if not impossible.

Taking all of the above into account, the DPA decided that the controller had failed to process the data lawfully, fairly and in a transparent manner, as required by Article 5(1)(a) GDPR, and imposed an administrative fine of €1,500.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.