HDPA (Greece) - 36/2022
HDPA - 36/2022
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(f) GDPR; Article 15 GDPR; Article 32 GDPR; Article 33 GDPR; Article 34 GDPR
Parties: AXIOYU PYLIS CENTRE I.A
National Case Number/Name: 36/2022
European Case Law Identifier: n/a
Original Source: HDPA (in EL)
The Greek DPA fined a medical diagnostics centre €30,000 for violating the principle of integrity and confidentiality by losing images of a data subject's mammogram due to insufficient technical and organisational measures. The DPA reprimanded the diagnostics centre for the data breach and ordered it to communicate the breach to the affected data subjects.
English Summary
Facts
A patient (data subject) of diagnostic centre Pyle Axiou I.A.E. (controller) requested copies of her medical records in relation to a mammogram carried out in the past. The controller replied that it could not provide her with the images from the mammogram, as the machine can only store them for 3 months. The data subject then submitted a complaint with the DPA for violation of her right of access. She stressed that in particular the images of the mammogram were important in view of her age and state of health.
After a letter from the DPA, the controller suddenly remembered that it also stored the images on a hard drive in its storage. However, it could not recover the images.
During a hearing, the controller argued:
- it exhausted all possibilities to recover the images (but without success);
- the most important medical record was provided to the data subject: the report on the images;
- it informed the data subject in good time of the unavailability of the images;
- it submitted its views on the issues of its compliance with its obligations under Articles 32-34 GDPR.
The data subject argued during the hearing that, in addition to the violation of the right of access, the controller also violated her right to information. She was never informed by the controller of the definitive loss of the images.
Holding
The DPA found that the retention period for the images was ten years from the data subject's last visit. The DPA further noted that the images were unavailable at the time the right was exercised. The DPA therefore held that the data subject's right of access (Article 15 GDPR) was not violated as it was impossible to provide the images, even though they were unlawfully deleted.
However, the DPA found that the loss of availability of the images constituted a violation of the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR. The DPA concluded that the above-mentioned violation was a result of insufficient technical and organisational measures to ensure the appropriate level of security pursuant to Article 32 GDPR.
The DPA imposed an administrative fine on the controller.
The DPA further reprimanded the controller, as it notified the DPA too late about the data breach, in violation of Article 33 GDPR. The DPA also ordered the controller to communicate the data breach to the affected data subjects pursuant to Article 34 GDPR.
Comment
The specific views of the controller on its compliance issues (no 5 under Facts) were not included in the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
1-3 Kifisias Ave., 11523 Athens T: 210 6475 600 • E: email@example.com • www.dpa.gr

Athens, 03-08-2022
Prot. No.: 1963

DECISION 36/2022 (Department)

The Personal Data Protection Authority met, at the invitation of its President, in a Department meeting via video conference on Wednesday 08.06.2022 at 10:00, in order to examine the case referred to in the history of the present decision. Present were George Batzalexis, Deputy President of the Authority, and the regular members of the Authority Konstantinos Lambrinoudakis and Grigorios Tsolias, as rapporteur. Also present, without the right to vote, were Chariklia Latsiu, DN - legal auditor, as assistant rapporteur, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.

The Authority took into account the following:

With her complaint of 31.05.2021 (prot. no. APD C/EIS/3559/31.05.2021), A informed the Authority that she had submitted to the PRIVATE Polyclinic and diagnostic center Pylis Axios I.A.E. a request dated 08.02.2021, with which she asked to receive copies of the images that are included in the medical file of the Center and relate to the digital mammogram carried out on ...01.2018, in addition to its conclusion. The Center, with its reply of 09.02.2021, informed A that: "there is no ability to reprint images from the machine on which you had the examination in January 2018. The particular machine had a 3-month file storage capability and that is why we replaced it". Following this, A complained to the Authority that her right of access to personal data concerning her was violated, and specifically that she was not given copies of the images of the digital mammogram carried out on ...01.2018, underlining, in addition, that this is an important gynecological examination which serves, due to age and health status, as a reference test.

The Authority, in examining the above complaint, called on the PRIVATE POLYCLINICAL AND DIAGNOSTIC VALUE GATE CENTER I.A.E. (hereinafter diagnostic center), with document prot. no. APD C/EXE/1496/15.06.2021, to submit specific clarifications on the matters complained of. Next, the diagnostic center, with its request of 01.07.2021 (prot. no. APD G/EIS/4330/01.07.2021), asked that the submission of its views be postponed to a different day. Following this, the Authority, with document prot. no. APD C/EXE/1717/15.07.2021, accepted the request for postponement and called on the diagnostic center: "(...) if the disputed digital mammography of ...01.2018 is found in the meantime, to proceed without delay to grant a copy of it to the complainant, in satisfaction of the right of access to personal data".

In response to the above documents of the Authority, the diagnostic center, with its document of 31.07.2021 (prot. no. APD C/EIS/5068/02.08.2021), informed the Authority, among other things, that: "(...) The machine with which the complainant's digital mammogram examination was carried out on ...01.2018 indeed, as we answered the complainant herself, does not have the possibility of reprinting images. The generated images were stored locally on the specific machine for a period of approximately three (3) months from the date of their processing and at the same time they were stored on hard disk systems, which were kept in a warehouse within the diagnostic center. We searched for the hard disk system where the image of the complainant's digital mammogram is stored and we identified it. It is a NAS hard disk system, which contains images from axial CT scans, MRI scans, mammograms and X-rays that took place during the period from March 2017 to March 2018 at our diagnostic center (...)".

In addition, the diagnostic center informed the Authority that it has approached the companies Northwind Data Recovery and Stellar in order, as it claims, to exhaust all the possibilities that technology offers to recover the files contained in the company's hard disk system in the best possible form and quality.

Subsequently, the Authority, with documents prot. nos. G/EXE/263/02.02.2022 and C/EXE/264/02.02.2022, called A and the diagnostic center, respectively, to appear at a meeting of the Department of the Authority on Wednesday 09.02.2022, in order to discuss the aforementioned complaint. In addition, with the above document prot. no. C/EXE/264/02.02.2022, the Authority informed the diagnostic center that, in the context of examining the complaint, it is being checked ex officio, in relation to the lack of availability of the complainant's personal data, for its general compliance with the obligations to observe the security of processing, to notify or not any personal data breach, and to communicate or not any personal data breach, under articles 32-34 GDPR respectively, in the context of the obligation to comply with the principle of accountability under Article 5(2) GDPR.

At this meeting, at which A, Stefanos Topalis as her attorney, and Dimitrios Ganakis, Managing Director of the diagnostic center, appeared before the Authority, the Authority accepted the request to postpone the examination of the case, submitted by the attorney and legal advisor of the diagnostic center, Angelo Georgiadis, with his application of 08.02.2022 (prot. no. APD C/EIS/1933/08.02.2022), and set a new meeting date of 02a.03.2022 at 10:00.

During the new meeting, A and Stefanos Topalis, as attorney of the complainant (AM..), as well as Angelos Georgiadis, attorney of the diagnostic center (AM..), appeared before the Authority, while B, the Data Protection Officer of the diagnostic center, was also present. During this meeting, those present, after developing their views, were given a deadline to submit written pleadings. Following this, the diagnostic center, with its memorandum of 17.03.2022 (prot. no. APD C/EIS/4475/21.03.2022), argued, among other things, that: a) it exhausted every possibility