HDPA (Greece) - 27/2023: Difference between revisions

Revision as of 09:59, 6 November 2023

HDPA - 27/2023

Authority:	HDPA (Greece)
Jurisdiction:	Greece
Relevant Law:	Article 5(1)(a) GDPR Article 5(1)(e) GDPR Article 206 Law 4820/2021
Type:	Complaint
Outcome:	Partly Upheld
Started:	12.01.2022
Decided:	13.07.2023
Published:	13.07.2023
Fine:	n/a
Parties:	"A" Athens Medical Association (AMA)
National Case Number/Name:	27/2023
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Greek
Original Source:	DPA (in EL)
Initial Contributor:	Evangelia Tsimpida

Following a complaint, the Greek DPA examined the lawfulness of the collection by the Athens Medical Association of the vaccination certificates against the covid-19 coronavirus of its member doctors.

English Summary

Facts

On 12 January 2022, a doctor and member of the Board of the Athens Medical Association (AMA) submitted a complaint to the Hellenic DPA (HDPA) against the Athens Medical Association. The complaint alleged the illegal collection of the AMA members' Covid-19 vaccination certificates. The AMA had requested its members who manage private practices to electronically send their Covid-19 vaccination certificates and upload them to an electronic platform created by the Athens Medical Association.

In their complaint to the HDPA, the data subject requested the HDPA to prohibit the AMA from collecting members' Covid-19 vaccination certificates or, in any event, if the collection was deemed lawful, to order the AMA carry out their processing in compliance with the Personal Data Protection Regulation.

In response to the complaint, the HDPA contacted the AMA and requested more information from them about their vaccination certificate collection. The AMA replied that the collection of the certificates was carried out under Articles 6(1)(e) and 9(1)(i) GDPR, in line with Article 206 of Law No. 4820/2021 which prescribed the mandatory vaccination of staff employed in health care. The AMA stated that the purpose of the processing was to allow it to fulfil its duties in inspecting the compliance of health care institutions and professionals under its responsibility.

Holding

The HDPA held that the processing carried out by the AMA was lawful for the purposes of Articles 5(1)(a) , 6(1)(e) and 9(1)(i) GDPR, but that the AMA had retained the certificates beyond the retention period prescribed by Article 5(1)(e) GDPR.

Firstly, in relation to Articles 5(1)(a) , 6(1)(e) and 9(1)(i) GDPR the HDPA took into account Article 206 of Law No. 4820/2021. It held that Article 206 of Law No. 4820/2021 fulfilled the requirements of Article 6(3)(b) GDPR, as it provided for the overriding public interest of protecting public health workers against the Covid-19 virus.

Secondly, in relation to the transparency requirements under Article 5(1)(a) GDPR, the HDPA held that the platform used by the AMA for uploading the certificates was lawful as it informed the AMA members of the purpose of collection and the legal bases relied upon for the processing (Articles 6(1)(e) and 9(1)(i) GDPR).

Thirdly, in relation to Article 5(1)(e) GDPR, the HDPA found that the AMA no longer had any reason to retain its members' Covid-19 vaccination certificates, as the period of retention necessary for the purposes of processing had expired.

As a result, the HDPA held that the collection of the Covid-19 vaccination certificates was permissible, in the then exceptional circumstances, for the protection of public health and in the context of the fulfilment of the AMA's legal responsibilities. However, it noted the expiry of the retention period, and ordered the AMA to erase any data retained relating to the vaccination certificates.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority, on the occasion of a submitted complaint, examined, within the framework of its ex officio competence, the legality of the collection by the Athens Medical Association of the vaccination certificates against the covid-19 coronavirus of its doctors - members, as scientific managers of PPH institutions, as applicable of the provisions of article 206 of Law 4820/2021 and the relevant regulations of the under no. D1a/GP.oc. 52796 (Government Gazette Β΄3959/27.08.2021) KYA and ruled that for the proposed purpose of processing, i.e. to assist in the exercise of the authority of the Association of compliance of PPH institutions with the special health provision of article 206 of Law 4820/2021, for the sake of service overriding and compelling public interest related to the protection of public health, there is no reason to retain the disputed personal data.

@@ Line 76: / Line 76: @@
 In their complaint to the HDPA, the data subject requested the HDPA to prohibit the AMA from collecting members' Covid-19 vaccination certificates or, in any event, if the collection was deemed lawful, to order the AMA carry out their processing in compliance with the Personal Data Protection Regulation.
-In response to the complaint, the HDPA contacted the AMA and requested more information from them about their vaccination certificate collection.
+In response to the complaint, the HDPA contacted the AMA and requested more information from them about their vaccination certificate collection. The AMA replied that the collection of the certificates was carried out under [[Article 6 GDPR|Articles 6(1)(e)]] and [[Article 9 GDPR|9(1)(i) GDPR]], in line with Article 206 of Law No. 4820/2021 which prescribed the mandatory vaccination of staff employed in health care. The AMA stated that the purpose of the processing was to allow it to fulfil its duties in inspecting the compliance of health care institutions and professionals under its responsibility.
-The AMA replied that the collection of the certificates was carried out under Article 5(1)(e) GDPR, in line with Article 206 of Law No. 4820/2021 which prescribed the mandatory vaccination of staff employed in health care.
+=== Holding ===
+The HDPA held that the processing carried out by the AMA was lawful for the purposes of [[Article 5 GDPR|Articles 5(1)(a)]] , [[Article 6 GDPR|6(1)(e)]] and [[Article 9 GDPR|9(1)(i) GDPR]], but that the AMA had retained the certificates beyond the retention period prescribed by [[Article 5 GDPR|Article 5(1)(e) GDPR]].
-in the context of the implementation of the mandatory vaccination of staff employed in primary health care facilities under article 206 of Greek Law No. 4820/2021. The purpose of the processing is to assist the exercise of the competence of the AMA, through the competent committees during on-site inspections in the primary health care institutions of its area of responsibility. Further, the Athens Medical Association considered as an alternative electronic demonstration of vaccination certificates the uploading, verification and immediate deletion of the certificates through its electronic platform as it is a more appropriate and reasonable option in terms of the purpose of processing. The DPA met and after taking into account the claims of “A” and AMA as well as the submitted pleadings, issued a decision.
+Firstly, in relation to [[Article 5 GDPR|Articles 5(1)(a)]] , [[Article 6 GDPR|6(1)(e)]] and [[Article 9 GDPR|9(1)(i) GDPR]] the HDPA took into account Article 206 of Law No. 4820/2021. It held that Article 206 of Law No. 4820/2021 fulfilled the requirements of Article 6(3)(b) GDPR, as it provided for the overriding public interest of protecting public health workers against the Covid-19 virus.
-=== Holding ===
+Secondly, in relation to the transparency requirements under Article 5(1)(a) GDPR, the HDPA held that the platform used by the AMA for uploading the certificates was lawful as it informed the AMA members of the purpose of collection and the legal bases relied upon for the processing ([[Article 6 GDPR|Articles 6(1)(e)]] and [[Article 9 GDPR|9(1)(i) GDPR]]).
-The DPA assessed the above facts and considered that the posting of the covid-19 vaccination certificates on the electronic platform of AMA constituted automated data processing and therefore the processing by AMA, which is the controller, should be lawful under Article 5 (1) GDPR.
+Thirdly, in relation to [[Article 5 GDPR|Article 5(1)(e) GDPR]], the HDPA found that the AMA no longer had any reason to retain its members' Covid-19 vaccination certificates, as the period of retention necessary for the purposes of processing had expired.
-The DPA took into account the provisions of Article 206 of Greek Law No. 4820/2021, which provided for the specific health provision of the compulsory vaccination of health workers in order to serve an overriding public interest objective of protecting public health against the covid-19 coronavirus, as well as the voluntary nature of the uploading of the certificates on the AMA platform, who informed its members of the purpose of collection and the legal basis of the processing.
+As a result, the HDPA held that the collection of the Covid-19 vaccination certificates was permissible, in the then exceptional circumstances, for the protection of public health and in the context of the fulfilment of the AMA's legal responsibilities. However, it noted the expiry of the retention period, and ordered the AMA to erase any data retained relating to the vaccination certificates.
-The DPA, in its decision No 27/2023 that issued on 13.07.2023, held that the collection of the covid-19 coronavirus vaccination certificates of the medical doctors members of AMA was permissible in the then exceptional circumstances for the protection of public health and in the context of the execution of the legal responsibilities of the Association, but that there was no longer any reason to retain those certificates as the period of retention necessary for the purposes of processing had expired (Article 5 (1) (e) GDPR).
 == Comment ==