
HDPA (Greece) - 50 2024

From GDPRhub
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 9 GDPR
Article 13 GDPR
Article 17 GDPR
Article 18 GDPR
Article 21 GDPR
Article 58 GDPR
Type: Complaint
Outcome: Upheld
Started: 12.06.2023
Decided: 08.12.2024
Published: 25.12.2025
Fine: n/a
Parties: n/a
National Case Number/Name: 50_2024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: ao

The DPA ordered a doctor to rephrase his consent form, because the promotion of the doctor's services on social media was not clearly listed as a purpose for the processing of data subjects' pictures. Processing the pictures for that purpose without valid consent was deemed unlawful.

English Summary

Facts

The doctor, here the controller, had posted pictures of his former patient on Instagram without hiding distinguishing features.

Before undergoing treatment with the controller, the data subject had signed a personal data processing form stating that the processing would take place exclusively for medical and scientific purposes. The controller had also assured the patient that her data would only be processed for medical purposes.

The data subject stated that she did not want any of her photos published on the internet or on social media. The controller's office assistant then assured her that no photos would be published without her consent and that the pictures taken immediately before the surgery were for the controller's own records.

After the surgery, the controller again took pictures of the data subject at the post-operative check-up. The data subject alleges that she again expressly stated that she did not want any photos of her to be posted online.

Following this appointment, one set of pictures taken of the data subject was posted on Instagram and Facebook. The data subject's face was not visible, but other identifying features were, and the operation was described in detail. In response, the data subject contacted the office assistant and asked for the photos to be deleted. The photos were subsequently removed from social media. However, a few months later the controller again uploaded the pictures to social media, allegedly by mistake.

The data subject filed a complaint with the Hellenic Data Protection Authority (Αρχή προστασίας δεδομένων προσωπικού χαρακτήρα) on 12 June 2023, alleging that her doctor had processed her personal data unlawfully. The data subject alleged violations of Articles 17, 18 and 21 GDPR.

The controller argued that the consent form which the data subject had signed specifically covered consent to the publication of pictures in which the patient cannot be identified. As the data subject could not be identified and the pictures were removed after she had requested it, the controller maintained that it had lawfully processed her data.

Holding

The DPA analysed the data subject's claims (1) in relation to Article 17 GDPR, Article 18 GDPR and Article 21 GDPR and (2) also conducted an ex-officio investigation into whether the posting of the pictures was lawful.

(1) Erasure, restriction and objection

The DPA found that, following the data subject's erasure request, the controller complied by deleting the pictures from social media and limiting the processing to the retention of the pictures in the medical file. It therefore held that the controller had complied with the erasure request without undue delay. Further, the controller was found to have complied with the data subject's request for restriction of processing, since after the request the processing was limited to retention in the medical file only.

(2) Ex-officio investigation

However, the DPA found that the controller had not met the information requirements under Articles 5(1)(a) and (b) GDPR as well as 13(1)(a), (b) and (c) GDPR. The controller had not informed the data subject that the photos would be used for the promotion of the controller's services on social media. Since the consent form did not state the express purpose of promoting the controller's services, the posting of the pictures violated Article 5(1)(a) GDPR, Article 6(1)(a) GDPR and Article 9 GDPR.

Under Article 58(2)(d) GDPR, the DPA ordered the controller to alter its consent form to clearly describe the purposes of processing. Further, under Article 58(1)(a) GDPR it ordered the controller to keep strict records of any revocation of consent by data subjects.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 18-12-2024
No. Prot.: 3609

DECISION 50/2024 (Department)

Kifissias Ave. 1-3, 11523 Athens, T: 210 6475 600, E: contact@dpa.gr, www.dpa.gr

The Personal Data Protection Authority met, following an invitation by its President, in a Department meeting via videoconference on Wednesday 27.11.2024 at 09:00, in order to examine the case set out in the history below. The Deputy President of the Authority, Georgios Batzalexis, was present, in the absence of the President of the Authority, Konstantinos Menoudakos, together with Grigorios Tsolias, regular member, and Demosthenes Vougioukas, alternate member, as rapporteur, in place of the regular member Konstantinos Lambrinoudakis, who, although legally invited, did not attend due to an impediment. Present, without the right to vote, were Chariklia Latsiou, DN - legal auditor, as assistant rapporteur, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.

The Authority took into account the following:

With the complaint dated 12.06.2023 (no. ΑΠΟ Γ/ΕΙΣ/4350/12.06.2023), A informed the Authority that doctor B had processed her personal data (by posting her photos on a social networking site, Instagram, without hiding all her distinguishing features) without a legal basis and beyond the purposes for which she had given consent, although she had the express assurance of the complained doctor that her data would be used only for medical purposes, and submitted a complaint to the Authority for violation of the rights to erasure, restriction of processing and objection under articles 17, 18 and 21 GDPR, respectively.

In particular, A informed the Authority that she first visited the clinic of the complained doctor in September …, in order to be informed about the performance of two operations (…). During this first visit in September …, A signed the personal data processing form, which stated that the processing concerns exclusively medical and scientific purposes.
During this initial visit, the complainant allowed the doctor to photograph the areas to be operated on (…), because her case was medically special (…), with the doctor's explicit assurance that the photographs would be used only for the aforementioned medical-scientific purposes, without revealing her identity. On … the complainant visited the doctor's office for the second time, for a final medical assessment before the surgery scheduled for …. Before performing the surgeries, the doctor marked the areas to be operated on with a marker and took new photographs of these areas for his records. At that time, the complainant, as she claims, reiterated that she did not want any photographs of her to be published on the internet or on social media. According to the complaint, the assistant of the accused, C, assured her that no photographs would be published without her consent and that they were intended for the doctor's records.

On … the complainant returned to the accused's office for the removal of the stitches and the usual post-operative check-up, at which time the accused again took photographs of the operated parts of the body. Then the complainant, as she claims, emphatically stated, for the third time, that she did not want her photographs to be posted on the doctor's social media. However, the next day, namely on …, the complainant found that the photographs relating to one of the two operations (…) had been posted on the official pages (profiles) maintained by the accused on Instagram and Facebook. In the posted photographs, the accused doctor had removed her face; however, “(…) while my other identifiable information, such as … were very evident, accompanied by an accurate description of my operation! …”.

Therefore, the complainant claims that: “Anyone who knew me and remembered any of the above could easily understand that I am depicted in the photographs, that is, identify me and gain knowledge of … my sensitive medical data (…)”. As soon as she saw the photographs, the complainant contacted the doctor's assistant via Viber, complained that the doctor had posted the photographs without her knowledge and consent, and requested their deletion from all of the doctor's social media. Indeed, the doctor complied with her request and the photos were removed from social media. According to the complaint, the doctor's social media pages are particularly popular, with … thousand followers on Instagram and … thousand on Facebook, while the complainant's photos had already garnered … likes on Instagram and … likes and two comments on Facebook in just a few hours. Despite this, A complains that the doctor re-posted her photos from the procedure … on his official Instagram profile a few months later (on …), with a description of her case (e.g. …), which had already garnered … likes, despite her explicit opposition and refusal. Following this, A, with an out-of-court protest - invitation - statement to the surgeon, called on him to: a) “(…) withdraw my photos from social media and delete them from your archive based on art. 17 GDPR, otherwise, alternatively, limit the purpose of processing based on art. 18 GDPR exclusively to medical purposes (…)” and b) “(…) send me a complete copy of my medical file that you keep (after the photos and the contract for processing my personal data (…)”. With the submitted complaint, A complains before the Authority of violation of the rights to deletion, restriction of processing and objection of articles 17, 18 and 21 GDPR, respectively, informing the Authority, in accordance with the above, that the respondent: “responded partially, by deleting my data from the Instagram page.
He has not yet responded in relation to my request for satisfaction of the right to deletion/restriction of processing and the right to object, while in addition, as the doctor's assistant, Ms. C, told me in a relevant communication with us, my personal data have been transferred to a third company, which manages the doctor's social media, without any prior information and consent”.

By document no. ΑΠΑ Γ/ΕΣΕ/1729/06.07.2023, the Authority, during the examination of the complaint, called on the complained doctor to submit full clarifications on the complaints. In response to the above document, the complained doctor, with his response no. ΑΠΑ Γ/ΕΙΣ/6332/11.09.2023, informed the Authority, among other things, that:

1) during the pre-operative stage the complainant received and completed a consent form for the processing of personal data, in which there is a specific field for taking photos and posting them without revealing the patient's identity directly or indirectly. The complainant filled in the relevant field positively and therefore did not exclude the use of her photographs.

2) “The photographs taken were processed in order to prevent the identity of the person depicted from being revealed. Thus, her face was removed, we limited ourselves to publishing it alone … and since in our opinion there was no other element capable of identifying the patient, they were published. Therefore, the complainant unfairly accuses me of allegedly being unaware that she granted us the right to post her photographs, since she signed a relevant consent to take the photographs, without prohibiting their publication by indicating her refusal in the relevant section of the consent application.”

3) “After a while, the complainant contacted the practice and asked my assistant to take down the photographs that had been posted, as she did not wish this. Indeed, as she herself admits (…) immediately and despite her previous consent to use/publish the photos, I requested that they be removed from all media, as was done. I must point out that we took down all the patient's photos, although we found the request excessive, as no element in the photos could identify her (…)”.

4) “(…) Approximately four months later, we uploaded, by mistake and without linking the photos to the complainant's previous stance, a similar photo of her, in which, however, there was neither the complainant's … nor the …. This was not done in order to displease the complainant, since there was no intention to re-upload her own photos after her statement, but because, after her previously mentioned dissatisfaction with the publication of the photos, I have requested that all patient photos always be edited and all information that could possibly identify a patient be removed. Thus, in full respect of the complainant's wishes, there was no intention on my part to publish her photos, and the second posting was done entirely by mistake. Moreover, I have a very large photographic archive of similar interventions, as well as the consent of the patients, so that there is no need to use the specific photos”.

The accused doctor concluded: 5) “To summarize, when the photos were first posted, we had the complainant's consent and it was impossible to identify her from the photos. We immediately removed the photos, satisfying her wish, although we judged it to be excessive; by mistake and without the intention of uploading her own photos, we re-posted her photos; and with the service of the extrajudicial document, we satisfied everything she requested with it. Thus, all of Ms. A's requests were satisfied”.

Subsequently, the complainant A, having taken note of the above response of the respondent, with her supplementary application no.
ΑΠΟ Γ/ΕΙΣ/6790/27.09.2023, asks: “(…) Also, it is surprising how, while he had proceeded (as he claims) to such exceptional anonymization during the second – by mistake – posting, he was able, upon receiving my extrajudicial statement, to immediately realize which photos concern me and delete them from his page on the same day? In addition, why did I have to proceed with extrajudicial service and an additional complaint to the Authority, and did he not take the measures that he should have implemented from the beginning following the first exercise of the right to object, nor to avoid the second – by mistake – publication?”.

Furthermore, keeping to the subject of the complaint, she claims, among other things, that: “(…) 1) the consent given to the respondent was insufficient (given that the consent concerned exclusively use for medical purposes) for him to use my data in the manner and for the purpose for which he used them (posting on the internet for advertising and promotional purposes), 2) despite my explicit opposition, he posted them twice, having proceeded to processing to which I did not consent and while my identification was possible, 3) he transmitted my sensitive data (my photographs and a description of the medical procedures) to third parties (to the third company mentioned by Ms. C) without my consent, 4) he did not inform me of the identity of these third-party recipients, 5) he did not confirm the deletion of my data from his file, nor did he tell me that he would limit the purpose of its processing based on Article 18 GDPR exclusively and solely to medical purposes, and therefore [the respondent] has committed the relevant violations under the Regulation and the law.”

Finally, the complained doctor, having taken note of the above supplementary application of the complainant, with his response no. ΑΠΔ Γ/ΕΙΣ/7312/17.10.2023 to the Authority, focuses on the status of the complainant, as …, noting that for this reason “she is not entitled to report on her alleged failure to be informed”, and argues, refuting the allegations, that: “the element of identification is judged absolutely objectively and obviously any intelligent person would come to the conclusion that the identification of the complainant is impossible, especially when it comes to the specific person, who resides permanently …, and for this reason even the infinitesimal chance of her being identified is completely weakened”. Finally, the respondent claims that he never transferred the complainant's data to a third company, and that he has satisfied the complainant's requests, with the exception of the complainant's (alternative) request for the deletion of her entire medical file, as by law he must retain it for a specific period of time.

Subsequently, by documents no. G/ΕΣΕ/2652/02.10.2024 and G/ΕΣΕ/2653/02.10.2024, the Authority summoned A and B, respectively, to appear at a meeting of the Department of the Authority on Wednesday 16.10.2024 in order to discuss the aforementioned complaint, as well as, ex officio, the taking of photographs of the complainant and the related information provided through the form "information & declaration of consent regarding personal data", with regard to the general compliance of the complained doctor with the requirements of the principles of article 5 par. 1 GDPR. B and A attended this meeting, A being represented by attorney Nicoleta Mylona (AM DSA …). During this meeting, the participants, after presenting their views, were given a deadline of 30.11.2024 to submit written submissions. Following this, A, through her attorney, submitted the memorandum dated 30.10.2024 (and with no.
ΑΠΟ Γ/ΕΙΣ/8328/30.10.2024), by which, inter alia, in order to strengthen her claim that her posted photos fall within the concept of personal data, she presents a decision of the Lithuanian data protection authority (VDAI), in which the latter accepted that the posting of photos of part of a complainant's body, without revealing his face, constitutes processing of personal data on account of the other elements of the posting (in that case, the length and colour of the patient's hair, as well as the location of his tattoo). Accordingly, B submitted a memorandum dated 04.11.2024 (and with no. APD C/EIS/8487/05.11.2024), due to personal impediment.

The Authority, after examining the elements of the file, after hearing the rapporteur and the clarifications from the assistant rapporteur, who attended without the right to vote, and following a thorough discussion,

DECIDED IN ACCORDANCE WITH THE LAW

1. Whereas, from the provisions of articles 51 and 55 of the General Data Protection Regulation (Regulation 2016/679, hereinafter GDPR) and article 9 of law 4624/2019 (Government Gazette A' 137) it follows that the Authority has the competence to supervise the implementation of the provisions of the GDPR, of this law and of other regulations concerning the protection of individuals from the processing of personal data. In particular, from the provisions of articles 57 par. 1 letter f GDPR and 13 par. 1 letter g of Law 4624/2019 it follows that the Authority has jurisdiction to deal with the complaint of A for violation of the rights to erasure, restriction of processing and objection of articles 17, 18 and 21 GDPR, respectively, by doctor B when posting photos of part of her body on the social networking site of the complained doctor (Instagram) after the withdrawal of the consent that she had initially provided (second posting), to the extent that it is established that processing of data of an identifiable person took place by the data controller, so that the Authority's jurisdiction under articles 2 par. 1 GDPR and 2 of law 4624/2019 to exercise the above competence is established. In addition, from the provisions of articles 57 par. 1 letters a' and h' GDPR and 13 par. 1 letter h of Law 4624/2019, it follows that the Authority has the competence ex officio to check, in the context of the alleged violation of rights, the compliance of the complained doctor with the requirements of the principles of article 5 par. 1 GDPR in relation to the processing of the complainant's personal data and the relevant information that he is obliged to provide at the stage of data collection through the form "information & declaration of consent regarding personal data", on the basis of his obligation arising from the principle of accountability of article 5 par. 2 GDPR.

2. Whereas, article 5 GDPR establishes the principles governing the processing of personal data.
Specifically, paragraph 1 states that personal data, inter alia: “(a) are processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’), (b) are collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (…), (c) are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) (…) (e) are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’) (…)”.

3. Whereas, in accordance with Article 5(2) GDPR, the controller is responsible for and must be able to demonstrate its compliance with the principles of processing established in Article 5(1). As the Authority has held,[1] the GDPR has introduced a new compliance model, the central point of which is the principle of accountability, under which the controller is obliged to design, implement and generally take the necessary measures and policies in order for the processing of data to be in accordance with the relevant legislative provisions. Furthermore, the controller bears the further duty of demonstrating its own and immediate compliance with the principles of Article 5(1) GDPR.

[1] See Authority decision 26/2019, paragraph 8, available on its website.

4. Whereas, in accordance with Article 8(1) of the Charter of Fundamental Rights of the European Union, Article 9A of the Constitution and Recital 4 GDPR, the right to the protection of personal data is not absolute, but must be considered in relation to its function in society and balanced against other fundamental rights, in accordance with the principle of proportionality. The GDPR respects all fundamental rights and observes the freedoms and principles recognised in the Charter, in particular respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

5. Whereas, in accordance with the provisions of articles 2 par. 1 GDPR and 2 of law 4624/2019, the rules on the protection of personal data apply “to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”. In this case, a crucial condition for establishing the Authority's competence is the finding that the disputed posted photographs of the complainant can be directly or indirectly attributed to a specific identified or identifiable natural person and consequently constitute personal data of the complainant (article 4 item 1 GDPR). Recital 26 GDPR explains the definition of this concept: “The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.” Furthermore, Opinion 4/2007 of the Article 29 Data Protection Working Party on the concept of personal data explains, with regard to the means of identifying a person, that a merely hypothetical possibility of singling out an individual is not enough for the person to be considered identifiable; if, taking into account all the means likely reasonably to be used either by the controller or by any other person, that possibility does not exist or is negligible, the person should not be considered identifiable and the information should not be considered personal data. When applying the criterion “all the means likely reasonably to be used either by the controller or by any other person”, all relevant factors should be taken into account. The cost of conducting identification is one factor, but not the only one.
The overall purpose pursued, the way in which the processing is structured, the advantage expected by the controller, the interests of the individuals at stake, as well as the risk of organisational dysfunctions (e.g. breaches of confidentiality duties) and technical failures should be taken into account. On the other hand, the test is dynamic in nature, which means that the state of the art in technology at the time of the processing and its possible development during the period of processing of the data must be taken into account.

6. Whereas, in this case, the two photographs of the complainant in question (before and after …), which were posted on the social networking site of the accused surgeon (Instagram), in which part of her body is depicted, entitled “…” and on which the references “…” have been placed, do not in principle constitute information that can easily be attributed by third parties[3] (readers/viewers of the specific social networking site) to the complainant. Specifically, the photographs in question, which depict part of the complainant's body without any other identifying element on them from which the complainant's identity could be ascertained, even indirectly (e.g. first name, date of the procedure performed), do not in principle constitute data of an identifiable person within the meaning of Article 4(1) GDPR. Nor, moreover, do the posted photographs show any other particular characteristic element or feature, such as the tattoo on the complainant's body in the decision of the Lithuanian counterpart authority that was presented by the complainant and the witness, from which her identity could be ascertained by third parties. The complainant therefore unfoundedly claims that her identity could be verified by “(…) other identifiable information about me, such as … which was very evident, accompanied by a precise description of my intervention! Anyone who knew me and remembered any of the above could easily understand that I am depicted in the photographs, that is, identify me and obtain knowledge of … my sensitive medical data”, as, firstly, the other identifying information invoked by the complainant (namely …) does not concern the second post in question, on which the alleged violation of rights is based, but the first post, which, as it turned out, the complained doctor had deleted. Moreover, secondly, it appears that the other identifying elements invoked by the complainant are not capable, on their own or in combination with the other elements placed on the posted photographs (name of the doctor, method of intervention used), of easily leading to the broad disclosure of her identity by third parties.[4] In any case, the fact that the complainant can recognise herself in the photograph in question does not make her identifiable by third parties, nor has this been proven. The accused doctor rightly argues in this regard:[5] “[The complainant] invoked …, evidence by which it is obviously impossible to identify someone, … . If we assumed that she had …, perhaps an issue of identification would arise (although exaggeratedly). … .” Nor, however, does the complainant prove before the Authority in an indisputable manner her claim that: “anyone who knew me and remembered any of the above could easily understand that I am depicted in the photographs, that is, identify me and obtain knowledge of … my sensitive medical data (…)”, so that her claim regarding the identification of the posted photographs by third parties could be accepted.

However, from the entire case file, and taking into account the above conceptual explanations from recital 26 GDPR and Opinion 4/2007, in particular in relation to the use of means of verifying the identity of a person by the controller himself, it follows that the disputed photographs of the complainant, which were posted on the social networking site of the complained doctor (Instagram), come from his medical file, in which it is necessary, primarily for reasons of medical documentation, to determine and verify the identity of the complainant throughout the period of its legal retention pursuant to article 14 par. 4 letter a of Law 3418/2005 (Government Gazette A 287), i.e. for at least ten years. Moreover, it is of decisive importance in this case that the posting of the photographs on which the alleged infringement of rights is based was carried out on a social networking medium of the same complained surgeon, who in any case, as the controller of the file he keeps due to the provision of medical care to the complainant (the primary purpose of the initial collection of the photographs), has the ability to determine and verify the identity of his client/patient, even in the anonymised/pseudonymised (for the general online public) information he posted.[6] This finding is also reinforced by the statement of the accused doctor that “(…) while investigating the applications, we realised that we had indeed inadvertently re-uploaded the photos, without linking them to the specific patient, and we immediately (on the same day) withdrew them again (…) however, processed them according to our established practice, so as to eliminate even the slightest possibility of patient identification”, as well as that “(…) the identification of the complainant's photo, which had to be deleted at her request, was obviously done by comparing the uploaded photos with the original files that I keep in the patients' medical files (…)”.

Therefore, the accused doctor unfoundedly claims that the second (from …) posting of the disputed photographs, on which the alleged violation of the complainant's rights is based, was done by mistake, as he himself admits that he could easily, as the controller, identify the photographs he posted (in relation to the information he himself provided about them - the medical method applied …) from the medical file and, in combination with the other information included in the medical file of the specific patient,[7] attribute them to the complainant; nor was the additional processing (deletion of … and other data) in relation to the first posting capable of excluding the possibility of the complainant's identity being determined by the accused doctor himself, as the controller. In light of the above, the Authority finds, in this case, that the disputed posted photographs of part of the complainant's body, on which the complaint under consideration regarding the violation of her rights is based, constitute personal data of the complainant, given that they can readily be attributed in each case by the complained doctor, as data controller, to the person of the complainant for the determination and verification of her identity, and therefore the Authority has the competence to handle the submitted complaint, pursuant to articles 2 par. 1 GDPR and 2 of law 4624/2019.

[3] According to the definition in Article 4(10) GDPR, ‘third party’ means “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data”.
[4] Cf. Opinion 4/2007 of 20.06.2007, ibid., example 12, p. 19.
[5] Response no. prot. ΑΠΟ Γ/ΕΙΣ/6332/11.09.2023 to the Authority.
[6] See the relevant decision of the Dutch court, which ruled that when pseudonymous data can be attributed to a specific natural person through the use of additional information, they constitute personal data under the GDPR, available at https://gdprhub.eu/index.php?title=Rb._Midden-Nederland_-_C/16/536914_/_HA_RK_22-78
[7] Article 14 par. 2 of Law 3418/2005 specifically provides, as minimum content of the medical file: “Medical records must contain the patient's name, surname, gender, age, profession, address, dates of the visit, as well as any other essential element related to the provision of care to the patient, such as, indicatively and depending on the specialty, his health complaints and the reason for the visit, the primary and secondary diagnosis or the treatment followed.”

7. Furthermore, within the framework of the principle of accountability under Article 5(2) GDPR, it emerged that the complained doctor based the further processing of the disputed photographs (extraction from the medical file and posting on a social networking site) on the complainant's specific consent, as is apparent from the relevant form "Information & Declaration of Consent regarding Personal Data", which contained the passage "(4) if you provide your consent, the doctor will use your personal data for the following purposes: (…) posting your photographs on the internet, taking care not to reveal your identity directly or indirectly", which the complainant completed with a positive statement (YES).
Following the first (early January …) complaint by the complainant regarding the first posting of her anonymized/pseudonymized photos, from which she, as the data subject, could automatically conclude that part of her body was depicted, the complained doctor, in compliance with the principle of accountability of Article 5(2) GDPR, was obliged, on the basis of the complainant’s revocation of her positive declaration of will, to proceed with the removal of the disputed photos, pursuant to Article 7(2) GDPR, and to “lock”/restrict the photos in the medical file for the initial/primary purpose of processing, namely the provision of medical care to the complainant. It is noted that, according to the EDPB Guidelines 5/2020 on consent under Regulation 2016/679, each controller must ensure that the data subject can withdraw consent as easily as it was given, and at any time, without it being specified that the granting and withdrawal of consent must always be carried out through the same act.[8] Consequently, the second (from …) posting of the complainant's photographs on the social networking site of the accused surgeon, which he himself, with the means of verification at his disposal, could attribute to the complainant's person, as explained in the preceding paragraph of this decision, was done without a legal basis, given that the complainant had withdrawn the positive declaration of will that she had provided for their posting.

In any case, the complained doctor must keep an up-to-date record of the positive declarations of intent and any revocations for the distinct purpose of processing “posting your photos online with care so that your identity is not directly or indirectly revealed”, taking into account recital 42 GDPR and the explanations provided in the aforementioned Guidelines 5/2020 of the EDPB; and the allegation of the complained doctor that “(…) the same photos were inadvertently posted again, but edited according to our now established practice, in order to eliminate even the slightest case of patient identification (…)” is irrelevant in view of the revocation by the complainant of the relevant declaration for the distinct purpose of “posting your photos online with care so that your identity is not directly or indirectly revealed”. Moreover, as specified in the EDPB Guidelines 5/2020, in cases where the data subject withdraws consent and the controller wishes to continue processing the personal data on another lawful basis, the controller cannot automatically switch from consent (which has been withdrawn) to that other lawful basis.[9] Any change in the lawful basis of the processing must be communicated to the data subject in accordance with the information requirements set out in Articles 13 and 14 and the general principle of transparency.[10] Following the above, the Authority finds that the posting of the disputed photographs, on which the alleged violation of her rights under examination is based, constitutes distinct processing (i.e., extraction from a file of an identifiable person and posting with the adoption of pseudonymization/anonymization measures) with respect to third parties, which was carried out without the consent of the complainant, or alternatively despite the revocation of her relevant statement, in violation of the principle of lawfulness of processing of Article 5 par. 1 letter a GDPR, in application of the provisions of Articles 6 par. 1 letter a and 9 par. 2 letter a GDPR.

[8] Guidelines 5/2020 of the EDPB of 04.05.2020, para. 113, p. 28, available at https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_el.pdf
[9] Guidelines 5/2020, ibid., para. 108, p. 27.
[10] Guidelines 5/2020, ibid., para. 120, p. 30.

8. Whereas, with regard to the right to erasure (“right to be forgotten”), Article 17 GDPR provides that: “1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies: (…) (b) the data subject withdraws consent on which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal basis for the processing, (…) (d) the personal data have been processed unlawfully, (…) 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for the exercise of the right to freedom of expression and the right to information, (b) for compliance with a legal obligation to which processing is subject under Union or Member State law, or (…) (d) for archiving purposes in the public interest, for scientific research purposes or for historical research or for statistical purposes in accordance with Article 89 paragraph 1, in so far as the right referred to in paragraph 1 is likely to render impossible or substantially impede the achievement of the purposes of the said processing (…)”.

9. Since, in relation to the alleged violation of the right to erasure under Article 17 GDPR, it emerged from the entire case file that the accused doctor, as data controller, immediately satisfied, as the complainant acknowledges, the complainant’s request to remove the disputed photographs after service of the extrajudicial protest – invitation – statement of …, pursuant to Article 17 paragraph 2 letter b GDPR, in accordance with the requirements of Article 12 paragraph 3 GDPR, and regardless of the finding of unlawful posting as above.

10. Whereas, as regards the right to restriction of processing, Article 18 GDPR provides, inter alia, that: “1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: … (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead (…)”.

11. Whereas, in relation to the alleged violation of the right to restriction of processing under Article 18 GDPR, taking into account the provisions of Article 14 par. 1-4 of Law 3418/2005, it emerged that the accused doctor, as the data controller, by removing the disputed photographs from the social networking site he maintains after service of the complainant's extrajudicial protest – invitation – statement of …, limited (“locked”) the disputed photographs in his medical file for the primary, initial purpose of providing medical care, for the fulfilment of which he is in any event obliged to keep them for at least ten years from her last visit (Article 14 par. 4 item a of Law 3418/2005), in compliance with the provisions of Article 18 par. 1 item b GDPR and in accordance with the requirements of Article 12 par. 3 GDPR, and regardless of the finding of unlawful posting as above.
In light of this and the foregoing considerations, the complainant's claim that the complained doctor has not completely deleted the information in question from the file, nor has he stated to her that he will limit the purpose of processing exclusively to medical purposes, must be rejected as legally unfounded.

12. Whereas, with regard to the right to object, Article 21 GDPR states that: “1. The data subject shall have the right to object, at any time and on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims”.

13. Because, in relation to the alleged violation of the complainant's right to object under Article 21 GDPR, taking into account the considerations set out above (especially point 7) of this decision, it emerged that the complainant, by means of the extrajudicial protest – invitation – statement, requested (again) the removal of the disputed photos from the social networking site of the complained doctor (Instagram), and the latter satisfied the relevant request and removed the disputed photos, for which, however, as demonstrated above, he had not secured the complainant's valid consent on which he had based (in application of the principle of accountability, Article 5(2) GDPR) their posting, and limited their processing (registration and storage) in his medical file to the primary purpose of processing, as he is obliged by law (Article 14 par. 4 letter a of Law 3418/2005).

After this, it is established that the complained doctor, as data controller, satisfied the relevant request of the complainant in compliance with the provisions of Article 21 GDPR and in accordance with the requirements of Article 12 par. 3 GDPR, and regardless of the finding of unlawful posting as above.

14. Because, finally, in relation to the complainant's late complaint regarding the violation of the right to information on the recipients of the data under Article 13 par. 1 letter e GDPR, and in particular the claim that "he never informed me of the third-party recipients of my data, namely the third company, which manages the doctor's social networking tools, without any prior information and consent from me", from the entire case file, taking into account the response of the complained doctor of … (with prot. no. ΑΠΟ Γ/ΕΙΣ/7312/17.10.2023), it was not proven at all that processing took place at a recipient of the data.

15. However, on the occasion of the complaint under consideration regarding the violation of the complainant's rights, it is established, in relation to the compliance of the complained doctor with the requirements of the principles of Article 5 par.
1 GDPR regarding the information on the processing of personal data, that through the form “information & declaration of consent regarding personal data” the complained doctor provided (via a pre-printed form) the following information to the complainant: “If you provide your consent, the doctor will use your personal data for the following purposes: (…) posting your photos on the internet, taking care that your identity is not directly or indirectly revealed.” Taking into account recitals 39 and 42 GDPR and the Guidelines on transparency under Regulation 2016/679 of the Article 29 Working Party,[11] it follows that the information provided ("posting your photos online") does not specify, under conditions of transparency (Article 5(1)(a) GDPR), a specific purpose of processing at the stage of data collection, pursuant to Articles 5(1)(b) and 13(1)(c) GDPR. Furthermore, the information about "posting on the internet" cannot be interpreted as specifying the purpose of processing; rather, it describes the means, and indeed after the adoption of anonymization techniques, of achieving the purpose of processing, which, as emerged from the complaint submitted to the Authority, was the promotion of the doctor's work on the social networking media he maintains on Facebook and Instagram, for the purpose of informing the public (scientific and general) and attracting customers. Accordingly, the Authority finds that the information provided did not meet the requirements on transparent information for the specific purpose of processing as above, in accordance with the provisions of Articles 5 par. 1 items a and b and 13 par. 1 item c GDPR.

[11] WP260 rev.01 of 11.04.2018, 29 and 36, available at https://www.dpa.gr/sites/default/files/2020-05/wp260rev01_el.pdf

16. The Authority, in relation to the established violations of the provisions of Article 5 par. 1 item a GDPR, in application of the provisions of Articles 6 par. 1 item a and 9 par. 2 item a GDPR, regarding the posting of the complainant's personal data despite the withdrawal of her relevant consent, as well as of the provisions of Articles 5 par. 1 items a and b and 13 par. 1 letter c GDPR regarding the non-transparent information about the purpose of posting the photos at the data collection stage, considers that there are grounds to exercise its corrective and advisory powers under Article 58 par. 2 and 3 GDPR. In particular, with regard to the first violation, the Authority, taking into account, pursuant to recital 148 GDPR, the unintentional nature of the violation, due in particular to the error of the complained doctor as to the possibility of determining the identity of the complainant through the posting of part of her body on Instagram, as well as the fact that he immediately proceeded to remove the disputed photos, issues an order, pursuant to Article 58 par. 2 letter d GDPR, to the complained doctor, as controller, to keep up-to-date records of the relevant declarations of will, as well as any revocations thereof, for individual processing operations, so as to comply with the principle of accountability of Article 5 par. 2 GDPR and to observe the lawfulness of the processing. As for the second violation, the Authority, also taking into account recital 148 GDPR, on the one hand issues an order, pursuant to Article 58 par. 2 item d GDPR, to the complained doctor, as the controller, to reform the relevant section in the “information & consent form regarding personal data” that he uses and with which he informs his clients - patients about the distinct processing that he carries out through the posting of their photos, in such a way that the purpose of the processing sought is clearly stated, in the manner described (posting on the internet). On the other hand, the Authority invites, pursuant to Article 58 par. 3 item b GDPR, the Panhellenic Medical Association to inform the local Medical Associations of the country, so that their member doctors may reform the information & consent form regarding personal data, to the extent that a section corresponding to that in the complaint under examination is included, specifying the purpose of the processing sought through the posting of patients' photos on the internet.

FOR THESE REASONS

The Authority,

a) instructs, pursuant to Article 58 par. 2 letter d GDPR, the complained doctor, as data controller, to keep up-to-date records of the relevant consents, as well as any revocations thereof, for individual processing operations in the context of providing medical care to his patients,

b) instructs, pursuant to Article 58 par. 2 letter d GDPR, the complained doctor, as data controller, to reformulate the relevant section in the “information & declaration of consent form regarding personal data” that he uses and with which he informs his clients - patients about the distinct processing that he carries out through the posting of their photos, in a way that clearly states the purpose of the processing sought in the manner described,

c) invites, pursuant to Article 58 par. 3 letter b GDPR, the Panhellenic Medical Association to inform the local Medical Associations of the country, so that their member doctors may reform the information & declaration of consent form regarding personal data, to the extent that a section corresponding to that in the complaint under consideration is included, specifying the purpose of processing sought through the posting of patients' photographs on the internet.

The Deputy President
Georgios Batzalexis

The Secretary
Irini Papageorgopoulou