Commissioner (Cyprus) - 11.17.001.009.077: Difference between revisions

From GDPRhub
mNo edit summary
Tags: Reverted Visual edit
mNo edit summary
 
(12 intermediate revisions by 3 users not shown)
Line 10: Line 10:
|ECLI=
|ECLI=


|Original_Source_Name_1=Office of the Commissioner for Personal Data Protection
|Original_Source_Name_1=Office of the Commissioner for Personal Data Protection  
|Original_Source_Link_1=https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/F880C7270072D4E0C2258AAE0049CEAB/$file/%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%20%CE%93%CE%B5%CE%A3%CE%A5%2048.pdf?openelement
|Original_Source_Link_1=https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/F880C7270072D4E0C2258AAE0049CEAB/$file/%CE%91%CE%A0%CE%9F%CE%A6%CE%91%CE%A3%CE%97%20%CE%93%CE%B5%CE%A3%CE%A5%2077.pdf?openelement
|Original_Source_Language_1=Greek
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Language__Code_1=EL
Line 22: Line 22:
|Outcome=Upheld
|Outcome=Upheld
|Date_Started=28.04.2021
|Date_Started=28.04.2021
|Date_Decided=07.12.2023
|Date_Decided=21.12.2023
|Date_Published=07.12.2023
|Date_Published=
|Year=2023
|Year=2023
|Fine=1500
|Fine=1,500
|Currency=EUR
|Currency=EUR


|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_1=Article 4(2) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_Link_1=Article 4 GDPR#2
|GDPR_Article_2=Article 57(1)(f) GDPR
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_Link_2=Article 57 GDPR#1f
|GDPR_Article_Link_2=Article 5 GDPR#1a
|GDPR_Article_3=Article 58(2)(i) GDPR
|GDPR_Article_3=
|GDPR_Article_Link_3=Article 58 GDPR#2i
|GDPR_Article_Link_3=
|GDPR_Article_4=Article 83 GDPR
|GDPR_Article_4=
|GDPR_Article_Link_4=Article 83 GDPR
|GDPR_Article_Link_4=
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=


|EU_Law_Name_1=
|EU_Law_Name_1=
Line 51: Line 47:
|National_Law_Link_2=
|National_Law_Link_2=


|Party_Name_1=Complainant
|Party_Name_1=
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=Respondent
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=


|Appeal_To_Body=
|Appeal_To_Body=
Line 65: Line 57:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Evangelia Tsimpida
|Initial_Contributor=im
|
|
}}
}}


The Cypriot Commissioner for Personal Data Protection, following a complaint, imposed a fine in the amount of €1,500 on a doctor for acting in violation of [[Article 9 GDPR|Article 9(2)(h) GDPR]] and [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].
The DPA fined a doctor €1,500 for unauthorized access to a data subject’s medical records and for failing to explain her legal basis.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject was a patient of a doctor,  the controller, in 2018, when she underwent surgery. After the operation, the controller filed suit against the datra subject for defamation, as she left a negative review online. In this context, the data subject found out that in September and October 2020, the controller accessed her personal medical data through the portal of the beneficiaries of the General Health System (GHS), without a referral and without her permission. The justification insterted by the controller on the portal for accessing the data subject's GHS account was that the data subject once asked for a visit without a referral and then she was unconscious and needed urgent medical care, and that the controller had her consent.  
The data subject filed a complaint with the DPA for an unauthorized access to her personal data through a General Health System (‘GHS’) portal. The data subject provided a screenshot of a notification showing that on 9 March 2021 a doctor specialised in endocrinology, the controller, accessed their medical records without any referral in force. The notification stated that the data subject provided consent for the access to her records. ´However, the doctor never examined the data subject.  


The data subject, first attempted to contact the controller without success. Then, on 28 April 2021 the data subject filed a complaint with the Cypriot Data Protection Commissioner, DPC. 
The doctor ('controller') replied to the complaint claiming that they did not visit the GHS portal concerning the data subject. As she did not know the data subject, she stated that it was impossible for her to know their personal data such as name, date of birth and ID number needed to access their records. She indicated a possible mistake in entering details in the portal while trying to locate another patient, however, no processing of the patient’s data took place. Further, she stated that there was no malicious intent on her part and she was continued being guided by medical confidentiality.
 
The DPC asked the parties to bring their relevant submissions and also asked the Health Insurance Agency some questions, as it can check all accesses to the GHS. The agency confirmed that the controller accessed medical data of the data subject between 2020 and 2021, a period in which there was no relation between the controller and the data subject: no referral, no visit was registered nor was there a need to provide urgent care to the data subject. 
 
On 19 July 2022, the controller provided its submissions claiming first of all, that the data subject had never withdrawn her consent. Then the controller claimed to have receive two phone calls by data subject's relatives who were concerned about her health conditions and needed the doctor's opinion, who then accessed the medical data of the data subject. The controller also claimed to have had a phone call with the data subject but it was not recorded.
 
she confirmed that she indeed did not know and had not examined the data subject and neither did her secretary have the data subject's details in her file. In order to access the data subject's medical records in the GHS, it was necessary to enter the beneficiary's full name, date of birth and ID number, and therefore the controller claimed that she assumed that she had spoken to the data subject by telephone for a visit and thus gained access to such data. Otherwise, she assumed that it was an accidental error in her attempt to access another patient's file. As a considerable amount of time had elapsed, she could not recall anything specific about the incident. In her explanations, the controller insisted that there was no processing of the data subject's personal data and that the data subject did not suffer any damage as a result of the incident.
 
On the next day, the data subject replied to the controller's submissions claiming that she never contacted the controller by telephone nor did she give her personal data to the controller's secretary. As soon as she became aware of the breach, she sought the controller and contacted her secretary, leaving her full name and telephone number (not her date of birth or her ID number) so that the controller could call her, but she was unable to contact the controller.


=== Holding ===
=== Holding ===
The Cypriot DPC assessed the above facts, underlining the fact that, as is evident from both sides, the controller did not have any relationship with the data subject in the relevant period of time between 2020 and 2021 and could not prove that she obtained the data subject's personal data in a lawful manner or that she was authorised to access the GHS portal.   
The DPA took into the consideration the important element that both data subject and the controller did not know each other and that the controller never examined the data subject.  
 
The DPC noted that the processing operations by the controller included special categories of personal data under Article 9 GDPR, which can only be lawful if one of the exceptions of Article 9(2) apply. With respect to Article 9(2)(h) GDPR, the DPC held that this could not apply since the data subject was not receiving any medical care by the controller. Also, the controller could not rely on Article 9(2)(a) GDPR as a legal basis since the data subject did not give her specific consent to such processing.  


Further, the DPC considered that factors such as the absence of malicious intent or the absence of harm could not affect the fact that the processing was indeed unlawful, nor could this be considered an accidental occurrence.  
The DPA specified that the possession of the data as well as the access to the patient’s file constitute acts of processing under [[Article 4 GDPR#2|Article 4(2) GDPR]]. For that reason, the controller had to prove how the data subject’s personal data such as name, date of birth and ID number came into her possession and demonstrate the legal basis for its processing. The controller indicated the possibility of an error. However, the DPA considers this argument extremely unlikely, if not impossible.  


Taking the above into account, the DPC considered that there was a violation of [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]] and [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], because the data subject's personal data were not processed lawfully and fairly in a transparent manner and pursuant to [[Article 58 GDPR|Article 58(2)(i) GDPR]] and [[Article 83 GDPR]] imposed an administrative fine in the amount of €1,500 on the controller.
Taking into account all of the above, the DPA decided that the controller failed to process the data lawfully, fairly and in a transparent manner in accordance with [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. The DPA imposed an administrative fine of €1,500.


== Comment ==
== Comment ==
Line 105: Line 87:


<pre>
<pre>
I reviewed a complaint submitted to my Office regarding access to the Complainant's General Health System (GHS) account by a medical practitioner. Specifically, as the Complainant mentioned, she found access to her personal data from the doctor, on the GeSY beneficiary portal, without knowing the doctor, without a referral and without her permission. During the investigation, both the Complainant and the doctor reported to my Office that each did not know the other and that the doctor did not examine the complainant.


I evaluated the doctor's positions regarding the possible ways of obtaining the Complainant's data, which were necessary to access the Complainant's beneficiary portal at the NHS. However, the doctor was unable to prove that she legally obtained the Complainant's personal data and that she was authorized to gain access to the beneficiary portal. Therefore, the Complainant's personal data were not processed lawfully and legitimately in a transparent manner. That is, the principle of "legality, objectivity and transparency", as provided for in Article 5(1)(a) of the Regulation, was not observed. For the violation of this article, I imposed on the doctor an administrative fine of one thousand five hundred euros (€1500).
</pre>
</pre>

Latest revision as of 12:06, 3 April 2024

Commissioner - 11.17.001.009.077
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 4(2) GDPR
Article 5(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.04.2021
Decided: 21.12.2023
Published:
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name: 11.17.001.009.077
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Office of the Commissioner for Personal Data Protection (in EL)
Initial Contributor: im

The DPA fined a doctor €1,500 for unauthorized access to a data subject’s medical records and for failing to explain her legal basis.

English Summary

Facts

The data subject filed a complaint with the DPA for an unauthorized access to her personal data through a General Health System (‘GHS’) portal. The data subject provided a screenshot of a notification showing that on 9 March 2021 a doctor specialised in endocrinology, the controller, accessed their medical records without any referral in force. The notification stated that the data subject provided consent for the access to her records. ´However, the doctor never examined the data subject.

The doctor ('controller') replied to the complaint claiming that they did not visit the GHS portal concerning the data subject. As she did not know the data subject, she stated that it was impossible for her to know their personal data such as name, date of birth and ID number needed to access their records. She indicated a possible mistake in entering details in the portal while trying to locate another patient, however, no processing of the patient’s data took place. Further, she stated that there was no malicious intent on her part and she was continued being guided by medical confidentiality.

Holding

The DPA took into the consideration the important element that both data subject and the controller did not know each other and that the controller never examined the data subject.

The DPA specified that the possession of the data as well as the access to the patient’s file constitute acts of processing under Article 4(2) GDPR. For that reason, the controller had to prove how the data subject’s personal data such as name, date of birth and ID number came into her possession and demonstrate the legal basis for its processing. The controller indicated the possibility of an error. However, the DPA considers this argument extremely unlikely, if not impossible.

Taking into account all of the above, the DPA decided that the controller failed to process the data lawfully, fairly and in a transparent manner in accordance with Article 5(1)(a) GDPR. The DPA imposed an administrative fine of €1,500.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.