HDPA (Greece) - 36/2022

From GDPRhub

Revision as of 14:03, 31 August 2022

HDPA - 36/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 15 GDPR
Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 31.05.2021
Decided: 03.08.2022
Published: 18.08.2022
Fine: 30,000 EUR
Parties: AXIOYU PYLIS CENTRE I.A
National Case Number/Name: 36/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Jette

The Greek DPA fined a medical diagnostics centre €30,000 for violating the principle of integrity and confidentiality by losing images of a data subject's mammogram due to insufficient technical and organisational measures. The DPA reprimanded the diagnostics centre for the data breach and ordered it to communicate the breach to the affected data subjects.

English Summary

Facts

A patient (data subject) of the diagnostic centre Pyle Axiou I.A.E. (controller) requested copies of her medical records relating to a mammogram carried out in the past. The controller replied that it could not provide her with the images from the mammogram, as the machine could only store them for 3 months. The data subject then submitted a complaint to the DPA for violation of her right of access. She stressed that the images of the mammogram in particular were important in view of her age and state of health.

After a letter from the DPA, the controller suddenly remembered that it had also stored the images on a hard drive in its storage. However, it could not recover the images.

During a hearing, the controller argued:

  1. it had exhausted all possibilities to recover the images (but without success);
  2. the most important medical record, the report on the images, had been provided to the data subject;
  3. it had informed the data subject in good time of the unavailability of the images;
  4. it submitted its views on the issues of its compliance with its obligations under Articles 32-34 GDPR.

The data subject argued during the hearing that, in addition to the violation of the right of access, the controller also violated her right to information. She was never informed by the controller of the definitive loss of the images.

Holding

The DPA found that the retention period for the images was ten years from the data subject's last visit. The DPA further noted that the images were unavailable at the time the right was exercised. The DPA therefore held that the data subject's right of access (Article 15 GDPR) was not violated as it was impossible to provide the images, even though they were unlawfully deleted.

However, the DPA found that the loss of availability of the images constituted a violation of the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR. The DPA held that this violation was the result of insufficient technical and organisational measures to ensure the appropriate level of security pursuant to Article 32 GDPR.

The DPA imposed an administrative fine of €30,000 on the controller.

The DPA further reprimanded the controller, as it had notified the DPA too late about the data breach, in violation of Article 33 GDPR. The DPA also ordered the controller to communicate the data breach to the affected data subjects pursuant to Article 34 GDPR.

Comment

The specific views of the controller on its compliance issues (the fourth item listed under Facts) were not included in the decision.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.


1-3 Kifisias Ave., 11523 Athens
T: 210 6475 600 • E: contact@dpa.gr • www.dpa.gr
Athens, 03-08-2022
Prot. No.: 1963
DECISION 36/2022
(Department)
The Personal Data Protection Authority met, at the invitation of the President, in a Department meeting held via video conference on Wednesday 08.06.2022 at 10:00, in order to examine the case referred to in the history of the present decision. Present were George Batzalexis, Deputy President of the Authority, and the regular members of the Authority Konstantinos Lambrinoudakis and Grigorios Tsolias, as rapporteur. Present, without voting rights, were Chariklia Latsiu, DN - legal auditor, as assistant rapporteur, and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary.
The Authority took into account the following:
By her complaint dated 31.05.2021 (prot. no. APD C/EIS/3559/31.05.2021), A informed the Authority that on 08.02.2021 she had submitted to the PRIVATE Polyclinic and diagnostic centre Pylis Axios I.A.E. a request asking to receive copies of the images included in the Centre's medical file relating to the digital mammogram carried out on ...01.2018, in addition to its report. The Centre, with its reply of 09.02.2021, informed A that: "there is no ability to reprint images from the machine on which you had the examination in January 2018. The particular machine had the ability to store files for 3 months, and that is why we replaced it". Following this, A complained to the Authority that her right of access to personal data concerning her had been violated, and specifically that she had not been given copies of the imaging tests of the digital mammogram carried out on ...01.2018, underlining in addition that this is an important gynaecological examination which serves, due to her age and state of health, as a reference test.
The Authority, in examining the above complaint, with its document under prot. no. APD C/EXE/1496/15.06.2021 called on the PRIVATE POLYCLINIC AND DIAGNOSTIC CENTRE PYLIS AXIOS I.A.E. (hereinafter the diagnostic centre) to submit specific clarifications on the complaint. Subsequently, the diagnostic centre, by its request dated 01.07.2021 (prot. no. APD G/EIS/4330/01.07.2021), asked for the submission of its views to be postponed to another day. Following this, the Authority, with its document under prot. no. APD C/EXE/1717/15.07.2021, accepted the postponement request and called on the diagnostic centre: "(...) if the disputed digital mammogram of ...01.2018 is found in the meantime, to proceed without delay to provide a copy of it to the complainant, in satisfaction of her right of access to personal data".
In response to the above documents of the Authority, the diagnostic centre, with its document dated 31.07.2021 (prot. no. APD C/EIS/5068/02.08.2021), informed the Authority, among other things, that: "(...) The machine with which the complainant's digital mammogram of ...01.2018 was performed indeed, as we answered the complainant herself, does not have the ability to reprint images. The generated images were stored locally in the specific machine for a period of approximately three (3) months from the date of their processing and at the same time were stored on hard disk systems, which were kept in a warehouse within the diagnostic centre. We searched for the hard disk system on which the image of the complainant's digital mammogram is stored and we identified it. It is a NAS hard disk system, which contains images from CT scans, MRI scans, mammograms and X-rays carried out during the period from March 2017 to March 2018 at our diagnostic centre (...)". In addition, the diagnostic centre informed the Authority that it had approached the companies Northwind Data Recovery and Stellar in order, as it claims, to exhaust all the possibilities offered by technology to recover the files contained in the company's hard disk system in the best possible form and quality.
Subsequently, the Authority, with its documents under prot. no. G/EXE/263/02.02.2022 and C/EXE/264/02.02.2022, called A and the diagnostic centre, respectively, to appear at a meeting of the Department of the Authority on Wednesday 09.02.2022 in order to discuss the aforementioned complaint. In addition, with the above document under prot. no. C/EXE/264/02.02.2022, the Authority informed the diagnostic centre that, in the context of the examination of the complaint, it was also examining ex officio, in relation to the lack of availability of the complainant's personal data, the centre's general compliance with its obligations to ensure the security of processing, to notify the Authority of any personal data breach and to communicate any personal data breach to the data subject, under Articles 32-34 GDPR respectively, in the context of its obligation to comply with the principle of accountability under Article 5(2) GDPR. At this meeting, at which there appeared before the Authority A, Stefanos Topalis as her attorney, and Dimitrios Ganakis, Managing Director of the diagnostic centre, the Authority accepted the request to postpone the examination of the case submitted by the authorised attorney and legal advisor of the diagnostic centre, Angelos Georgiadis, by his application dated 08.02.2022 (prot. no. APD C/EIS/1933/08.02.2022), and set a new meeting date of 02.03.2022 at 10:00. At the new meeting there appeared before the Authority A and Stefanos Topalis as attorney-in-fact of the complainant (AM..), as well as Angelos Georgiadis, attorney of the diagnostic centre (AM..), while B, the diagnostic centre's Data Protection Officer, was also present.
At this meeting, those present, after presenting their views, were given a deadline to submit written pleadings. Following this, the diagnostic centre, in its memorandum dated 17.03.2022 (prot. no. APD C/EIS/4475/21.03.2022), argued, among other things, that: a) it had exhausted every possibility