HDPA (Greece) - 3/2024

HDPA - 3/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5 GDPR; Article 24 GDPR; Article 24(2) GDPR; Article 32 GDPR
Type: Complaint
Outcome: Rejected
Started: 15.12.2022
Decided: 15.04.2024
Published: 15.04.2024
Fine: n/a
Parties: Omilos Iatriki Diagnosi
National Case Number/Name: 3/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Evangelia Tsimpida

The DPA dismissed a complaint against a diagnostic centre, finding that the data subject's claims that the controller disclosed medical testing results to a family member without her consent were unsupported by the evidence presented.

English Summary


On 15 December 2022, a data subject filed a complaint with the Hellenic DPA (HDPA) against a diagnostic centre (the controller). The data subject alleged that, after she underwent tests at the controller's facility, an employee communicated the results of her tests to her father by telephone without her consent. Specifically, she alleged that the employee contacted her father by telephone, informed him of the additional tests that the complainant had to undergo and requested that the data subject call immediately to confirm the additional cost. In the data subject's protest, she claimed that the controller apologized and admitted to the incident by saying "what's done is done, now it's not undone."

The controller confirmed that the data subject had undergone examinations at its facility. It claimed that an employee informed her about the data protection policy and that the data subject had completed a form entitled "Declaration of Consent For Sending Results" so that the results would be sent by encrypted electronic mail. The controller alleged that the data subject herself provided her telephone number to the employee, and that the employee called that telephone number in order to inform her of additional required tests. The call was answered by the data subject's father, who responded that the data subject was absent and who was asked to inform her that she needed to contact the diagnostic centre about a personal matter. The controller argued that no health information was disclosed. With regard to the alleged apology, the controller claimed that there was neither an admission of the incident nor an apology, but rather that the situation was handled with courtesy and the data subject was informed of the content of the disputed telephone call.

The data subject responded to the controller's allegations and noted that she never stated the specific telephone number to the controller and that her number is different. In response, the controller clarified that the complainant's father was not a client and that it was therefore impossible that he could have been called in error, and it maintained its allegation that the specific telephone number was verbally stated by the complainant and entered into the controller's system.

On 25 January 2024, the HDPA held a hearing before the President of the Authority, during which the parties presented their allegations and were given a deadline to respond. The data subject stressed that she had never given her father's mobile phone number and that the employee of the controller's facility had disclosed sensitive health data during the call to her father, who, she claimed, was also a client whom the employee had called by mistake. The controller argued that contact details were entered into its system on the basis of patients' verbal declarations and that the complainant's health data had never been disclosed to her father. The controller also mentioned that security measures were taken to ensure the confidentiality of the data, noting that employees were trained in patient confidentiality and that, in any case, registrars do not have access to patients' test results. It also noted future measures under which patient details would be collected by having data subjects directly input their own information into a tablet after their identities are verified.


The HDPA found that the content of the telephone call could not be established with certainty based on the evidence and that a data breach could not be established, given that the employee who called the data subject's father did not have access to the patients' test results and their health data. It also took into consideration the controller's updating of the facility's procedures by having the patients' communication forms signed via a tablet.

Therefore, the HDPA found no violation of the principle of confidentiality pursuant to Article 5(1)(f) and considered the controller to have acted in accordance with Articles 32 and 24(2) GDPR. The HDPA therefore rejected the complaint as unfounded.



English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

The Authority examined a complaint against a company for breaching the confidentiality of the complainant's data by communicating the complainant's test results to her father by telephone. In particular, the complainant stated that she herself did not give her father's mobile phone number to the company complained against. From the examination of the case, the reported violation was not established. Regarding the process of collecting the contact details of the customers of the diagnostic center based on their verbal statement on the day of the visit, the Authority was informed that, in the context of updating the procedures of the company complained against, from now on the details will be collected through signed registration by the data subjects themselves using a tablet. The complaint is therefore dismissed as unfounded.