Garante per la protezione dei dati personali (Italy) - 9863050
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 4 GDPR, Article 5 GDPR, Article 9 GDPR, Article 32 GDPR|
|Parties:||Azienda Ospedaliera Bianchi Melacrino Morelli|
|National Case Number/Name:||9863050|
|European Case Law Identifier:||n/a|
|Original Source:||Garante per la protezione dei dati personali (in IT)|
X received a third party's medical report from an Italian hospital. During the Covid-19 period, counter operators had sent reports by e-mail, contrary to the instruction to deliver them only in person. The Italian DPA declared the processing unlawful and ordered payment of €7,000.
English Summary
Facts
X complained of having received, from the Bianchi Melacrino Morelli Hospital (hereinafter the "Company"), a report relating to a third party, a patient of the same Company. The Grande Ospedale Metropolitano “Bianchi - Melacrino - Morelli” (G.O.M.) had formalized precise instructions on the procedures to be followed for delivering medical reports, which were to be handed over only brevi manu (in person).
Counter operators resorted to sending reports by e-mail during the Covid-19 period, not systematically, but only at the express request of those directly involved. The DPA considers that this assessment, made by the individual operators on their own initiative, appeared not to be without common sense, also considering the particular role of this hospital within the regional hospital network. Counter operators, who in the period of maximum pandemic emergency have sometimes contravened the rigid and formal company procedures aimed at protecting confidentiality, committing that they acted pursuing the most urgent and important public interest, i.e. the one connected to the containment of the pandemic and the continuity of the provision of fundamental and irreplaceable health services at the reference hospital for the whole province of Reggio Calabria.
Considering that the Company has provided suitable assurances, declaring: that it has immediately suspended "the sending of reports online"; that it has sent a request “to the unauthorized third party (…) to destroy the data subject's documentation, not to use the data, and in any case (…) not to disclose to third parties the health records received by mistake (…)”; that it has started a "cycle of extraordinary training activities to inform all UU.OO directors of the incident"; and that it has reiterated "the ban on sending health documentation by e-mail and (...) (highlighted) the need to fully apply the company security measures (...)", the conditions for the adoption of the corrective measures pursuant to Article 58(2) GDPR.
The Garante declares the unlawfulness of the processing of personal data carried out by the Bianchi Melacrino Morelli Hospital for the violation of Articles 5, 9 and 32 GDPR and of Article 75 of the Code. The Garante orders payment of the sum of €7,000 (seven thousand euros) as an administrative fine for the violations indicated in this provision.
Holding
"Health-related data" deserve greater protection since the context of their processing could create significant risks for fundamental rights and freedoms (Recital 51). The regulation on the protection of personal data provides that information on the state of health can only be communicated to the data subject and can be communicated to third parties only on the basis of a suitable legal prerequisite.
The data controller is required to implement "adequate technical and organizational measures to guarantee a level of security appropriate to the risk", taking into account, among other things, "the nature, object, context and purpose of the processing, as well as the risk of varying probability and severity for the rights and freedoms of natural persons" (Article 32 of the Regulation).
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.