Garante per la protezione dei dati personali (Italy) - 9954220
| Garante per la protezione dei dati personali - 9954220 | |
|---|---|
 | |
| Authority: | Garante per la protezione dei dati personali (Italy) |
| Jurisdiction: | Italy |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(1)(c) GDPR Article 5(1)(f) GDPR Article 9(2)(i) GDPR Article 17-bis of Decree-Law no. 18/2020 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 40,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | 9954220 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Italian |
| Original Source: | Garante per la Protezione dei Dati Personali (in IT) |
| Initial Contributor: | ar |
The Italian DPA fined a controller, a health care provider, €40,000, as some of its employees were able to access other colleagues’ health files without consent while also breaching some of the principles of data processing pursuant to Article 5(1) GDPR.
English Summary
Facts
The data subject was employed by the controller - Lodi Territorial Social Health Authority.
The data subject submitted a complaint to the Italian DPA complaining of repeated access to her health file by some colleagues between 2019 and 2020.
From the documents provided, it appeared that the colleagues of the data subject had accessed her files to decide which doctors they could rely on to treat the patients. They believed that the quickest method was to know the result of the COVID-19 test present in the health files of all the employees. The controller also stated to not keep track of the various accesses to the health files of the employees.
Thus, the Italian DPA requested clarifications on the matter from the controller.
The controller explained that the accesses in question were carried out to perform institutional tasks of public interest in the field of public health referred to in Article 9 GDPR, in compliance with Article 17-bis of Decree-Law no. 18/2020, and that it could be said that the controller had received implicit consent.
Holding
In light of the submissions presented by the controller, the DPA noted that the usage of the data subject’s health file had been unlawful since it was carried out for purposes other than those of treatment pursued through the health file, breaching the principles of lawfulness and purpose limitation under Article 5(1)(a) GDPR and Article 5(1)(b) GDPR. In addition to breaching the principle of lawfulness, such processing was also found to be breaching the principles of transparency, fairness and data minimisation since those responsible for organising hospital shifts and verifying the quality of the care provided, although health professionals, should have only access to their colleagues’ files, without having to know the related clinical and diagnostic details. Thus, breaching Article 5(1)(a) GDPR and Article 5(1)(c) GDPR.
Moreover, the DPA noted that it did not appear that the controller considered what could constitute risky conduct relating to the data processing operations, such as the number of accesses carried out. Hence, the controller violated the principles of integrity and confidentiality of personal data under Article 5(1)(f) GDPR, as well as Article 32 GDPR, for not implementing appropriate measures to ensure security levels appropriate to the risk.
Pursuant to Article 9(2)(i) GDPR, the DPA noted that Article 17-bis of Decree-Law no. 18/2020 did not allow for derogation from the rules on data protection. The DPA stated that the law provides for simplifications of data processing operations only when the processing is indispensable to carry out activities connected with the health emergency while still complying with the principles set out in Article 5 GDPR and protecting the rights and freedoms of the data subjects.
Furthermore, in the present case, the DPA affirmed that it could not be held that the data subject's consent was implicit since a positive and specific expression of consent is required, which does not appear to have been obtained.
Due to these violations, the DPA issued a fine to the controller of €40,000 pursuant to Article 83(4) GDPR and Article 83(5) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
