DSB (Austria) - 2020-0.111.488: Difference between revisions

From GDPRhub
 
(One intermediate revision by one other user not shown)
Line 58: Line 58:
}}
}}


A medical doctor was fined EUR 600 by the Austrian Data Protection Authority after publishing information on his/her patients (including health data) on his/her Facebook page.
The Austrian DPA (DSB) fined a medical doctor €600 for publishing information on their patients (including health data) on the doctor's Facebook page.


==English Summary==
==English Summary==

Latest revision as of 13:50, 12 May 2023

DSB - 2020-0.111.488
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(15) GDPR
Article 5(1)(a) GDPR
Article 9(1) GDPR
Article 9(2) GDPR
Article 83(5)(a) GDPR
§ 47(1) VStG (Verwaltungsstrafgesetz - Admininstraitive Penal Act)
Type: Other
Outcome: n/a
Started:
Decided: 19.10.2020
Published: 27.11.2020
Fine: 600 EUR
Parties: Dr. P*** K*** (medical doctor)
National Case Number/Name: 2020-0.111.488
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.111.488
Appeal: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: Marco Blocher

The Austrian DPA (DSB) fined a medical doctor €600 for publishing information on their patients (including health data) on the doctor's Facebook page.

English Summary

Facts

Between February and June 2020, a medical doctor published information on his/her patients on his/her personal Facebook page. The information included special categories of personal data (health data under Article 4(15 GDPR) and consisted of the patients' names and social security numbers, excerpts from patient letters, medical records/protocols, medical diagnoses, medication data, data on hospital admissions and discharges and names of of other doctors treating the patients.

Holding

The Austrian Data Protection Authority (Datenschutzbehörde - DSB) held that the doctor had violated Article 5(1)(a) GDPR and Article 9(1) and (2) GDPR as the patients had not given their ecplicit consent to the online publication of their data under Article 9(2)(a) GDPR and there was no other legal basis for the processing under Article 9(2) GDPR.

Consequently, the DSB issued a fine of EUR 600 under Article 83(5)(a) GDPR

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Decisive authority
Data protection authority


Decision date
October 19, 2020


Business number
2020-0.111.488


Appeal at the BVwG / VwGH / VfGH
This penal order is final.




text
GZ: 2020-0.111.488 from October 19, 2020 (case number: DSB-D550.279)
[Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation his. Obvious spelling, grammar, and punctuation errors have been corrected.]
Penal order
Accused: Dr. P *** K ***, [ZIP] [City], [Street, HNr.]
As the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 on the protection of natural persons when processing personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter : "GDPR"), OJ No. L 119 of 04.05.2016 S1, the following administrative offense (s) committed:

In any case, from **. February 2020 until anyway **. June 2020 on your personal Facebook page at (https://www.facebook.com/***) Excerpts from patient letters, findings and other medical records / protocols published. The published data include in detail i.a. Patient names, findings data, medical diagnoses, medication data, admission and discharge data from hospitals, social security numbers of patients and the names of the treating doctors.

As a result, you have processed personal data - including health data within the meaning of Art. 4 Z 15 GDPR - contrary to the prohibition of Art. 9 Para. 1 GDPR. This is because
a) the express consent of all data subjects is not available, and
b) the processing cannot otherwise be based on any of the exceptions finally standardized by Art. 9 Para. 2 GDPR.

You have thereby violated the following legal provision (s):

Art. 5 para. 1 lit. a, Art. 9 Paragraph 1 and Paragraph 2 in conjunction with Art. 83 Paragraph 5 lit. a of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation), ABl. No. L 119 of 4.5.2016, p. 1 (GDPR)



Because of these administrative offense (s) you will be subject to the following penalty:


Fine of euros
if this is irrecoverable, a substitute imprisonment of
according to


€ 600.00
36 hours
Art. 83 para. 5 lit. a GDPR in conjunction with Sections 16 and 47 of the Administrative Penal Act 1991 - VStG







Any other sayings (e.g. about expiry):




Furthermore, you have to pay according to § 64 Abs. 3 of the Administrative Penal Act 1991 - VStG:

Euros to replace cash outlays for

The total amount to be paid (penalty / cash outlay) is therefore
600.00
Euro
Payment term:
If you do not raise an objection, this sanction is immediately enforceable. In this case, the total amount is to be paid into the account BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, according to the data protection authority, within two weeks after it becomes legally binding. The transaction number and the completion date should be given as the intended use.
If no payment is made within this period, the total amount can be dunned. In this case, a flat fee of five euros has to be paid. If, however, no payment is made, the outstanding amount will be enforced and, in the event that it is uncollectible, the corresponding imprisonment penalty will be enforced.
Legal remedies:
You have the right to object to this penalty order.
The objection must be submitted to us in writing or orally within two weeks after delivery of this penalty order. In the appeal, you can present the evidence useful for your defense.
If you raise an objection in good time, we will initiate the due process; In this case, the objection is considered a justification within the meaning of Section 40 of the Administrative Penal Act 1991 - VStG.
With the objection, the entire penal order becomes invalid. However, this does not apply if you expressly only challenge the extent of the penalty imposed or the decision on the costs in the objection.
No higher penalty may be imposed in the penal decision issued on the basis of the objection than in this penal order.
In the criminal verdict issued on the basis of the objection, the punished person is required to contribute to the costs of the criminal proceedings in the amount of 10% of the penalty, but at least in the amount of 10 euros.
The objection can be transmitted in any technically possible form, but only by email if no special forms of transmission are provided for electronic communication.
Technical requirements or organizational restrictions for electronic traffic are published on the following website:

Please note that the sender bears the risks associated with each type of transmission (e.g. loss of transmission, loss of the document).


European Case Law Identifier
ECLI: AT: DSB: 2020: 2020.0.111.488