IP (Slovenia) - 0611-623/2021/10

From GDPRhub
IP - 0611-623/2021/10
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 5 GDPR
Article 12 GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Act on databases in the field of healthcare (Zakon o zbirkah podatkov s področja zdravstvenega varstva - ZZPPZ)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.05.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 0611-623/2021/10
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: Sara Horvat

The Slovenian DPA held that a private entity offering SARS CoV-2 tests violated Article 13 GDPR by failing to inform data subjects about transferring their data to a third party.

English Summary

Facts

The controller, a private entity, operated as a SARS-CoV-19 test station. The legal basis for the processing of personal data of individuals for the purpose of carrying out SARS-CoV-2 self-testing procedures is Article 6(1)(c) GDPR (the necessity to comply with a legal obligation) and Article 9(2)(h) GDPR, in conjunction with Article 14c of the Act on Databases in the Field of Healthcare (Zakon o zbirkah podatkov s področja zdravstvenega varstva - ZZPPZ).

While a contractual relationship existed between the data subject and the the person ordering the testing, the ZZPPZ establishes the obligation to transfer the data to the Central Register of Patients' Data (CRPP) for the purpose of carrying out the testing for the presence of the SARS-CoV-2 virus. According to Article 14č of the ZZPPZ, the information shall be transferred to the CRPP as soon as it arises or is received in the course of the provision of health care, but at the latest by the end of the working day.

The data subjects were not aware of these data transfers.

Holding

The DPA held that by not informing data subjects of the data transfers, the controller had violated Article 5, Article 12 and Article 13 GDPR. Therefore, the DPA ordered the controller to provide all the information referred to in Article 13(1) and Article 13(2) GDPR in a concise, transparent, comprehensible and easily accessible form and in clear and plain language. This should be done in the usual manner of notification, such as a general notice on a notice board at their premises or before entering the facility where the testing is carried out, or on the controller's website.

The DPA also found that the controller had a legal basis to obtain the name, mobile telephone number and health card number or health insurance card details of each individual who came for a test, as it was required to provide this information to the CRPP. The DPA, however, found that the controller did not have a legal basis for collecting email addresses from all persons tested, but only from those who wanted to be contacted by email or for another purpose under Article 6(1)(a) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

Number: 0611-623 / 2021/10
Date: May 17, 2022

Information Commissioner (hereinafter: IP) by an authorized official, State Supervisor for Personal Data Protection…, pursuant to Articles 2 and 8 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/2205, 51/07 – ZUstS- A (hereinafter: ZInfP), Article 54 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07 - official consolidated text and 177/20, hereinafter: ZVOP-1), Articles 57 and 58 of the EU Regulation ) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation); and Article 32 of the Inspection Supervision Act (Official Gazette of the Republic of Slovenia, No. 43/07 - UPB1 and 40/14, hereinafter: ZIN), in the case of performing inspection supervision against the liable party mati (registration number:…, hereinafter: the liable party) ) over the implementation of the provisions of ZVOP-1 and the General Regulation due to the manner of ensuring the safety of personal data data in the conduct of self-paid testing for the presence of SARS-CoV-2 virus, issues the following


DECISION


1. The liable party: must:

individuals from whom it obtains or has already obtained data for the purpose of conducting self-paid testing for SARS-CoV-2 in a concise, transparent, comprehensible and easily accessible form and in clear and simple language provide all information referred to in Article 13 (1) and (2) General regulations in a way that is the usual way of informing the taxpayer, such as a general (general) notice on the notice board at the taxpayer or before entering the facility where testing is performed or on the taxpayer's website, etc., which will , to whom the personal data relate, have been informed of all the information referred to in Article 13 of the General Regulation which must be provided to individuals in the event that personal data are obtained from the data subject.

2. The liable party must implement the measure referred to in point 1 of the operative part of this Decision within fifteen (15) days of receiving this Decision.

3. The liable party must notify the Information Commissioner in writing of the implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity. The notification must also contain indications and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner they have implemented them.

4. No special costs have been incurred by the Authority in this procedure, and the liable party shall bear its own costs of the inspection procedure.


O b r a z l o ž i t e v

I. Indication of the provisions on which the decision is based:

Personal data means any information relating to an identified or identifiable individual, and an identifiable individual is one that can be identified directly or indirectly, in particular by providing an identifier such as name, identification number, location information, web identifier, or an indication of one or more factors which characterize the physical, physiological, genetic, mental, economic, cultural or social identity of that individual (Article 4 (1) of the General Regulation).

Information on an individual's state of health means personal data relating to an individual's physical or mental health, including the provision of health services, and discloses information on his or her state of health (Article 4 (15) of the General Regulation).

However, the processing of personal data is any act or series of actions performed in relation to personal data or sets of personal data with or without automated means, such as collecting, recording, editing, structuring, storing, adapting or modifying, retrieving, viewing, use, disclosure through mediation, dissemination or otherwise making available, adapting or combining, restricting, deleting or destroying (Article 4 (2) of the General Regulation).

The processing of personal data also means the disclosure of personal data through the transmission, dissemination or other provision of access to personal data.

The data on the incidence of covid-19 disease is data related to health or data on the health status of an individual (Article 4 (15) of the General Regulation).

The processing of personal data is lawful only if the conditions set out in Article 6 of the General Regulation are met and when it is in accordance with the purpose of the collection of personal data. The controller of personal data must therefore have an appropriate legal basis for the lawful processing of personal data. These are set out in Article 6 (1) of the General Regulation, which stipulates that processing is lawful only if at least one of the following conditions is met:

a) the data subject has consented to the processing of his or her personal data for one or more specified purposes;
b) processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of measures at the request of such data subject before the conclusion of the contract;
c) the processing is necessary to fulfill a legal obligation to which the controller is subject;
d) processing is necessary for the protection of the vital interests of the data subject or of other natural persons;
e) the processing is necessary for the performance of a task in the public interest or in the exercise of public authority conferred on the controller;
f) processing is necessary for legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where he is an individual, to whom the personal data relate, the child.

Point (f) of the first subparagraph shall not apply to processing by public authorities in the performance of their tasks.

The legal basis for the processing of specific types of personal data, such as health data, is set out in Article 9 of the General Regulation, which provides in paragraph 1 that the processing of personal data revealing racial or ethnic origin, political opinion, religion or philosophy is prohibited. belief or union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying an individual, health data or data relating to an individual's sexual life or sexual orientation, and the second paragraph further provides that paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given his or her explicit consent to the processing of that personal data for one or more specified purposes, except where Union law or the law of a Member State provides that the data subject may not derogate from the prohibition referred to in paragraph 1;
(b) processing is necessary for the purposes of fulfilling the obligations and exercising the prerogatives of the controller or data subject in the field of labor law and social security and social security law, where Union law or the law of a Member State or a collective agreement so permits. in accordance with the law of the Member State providing for adequate safeguards for the fundamental rights and interests of the data subject;
(c) processing is necessary for the protection of the vital interests of the data subject or of another data subject where the data subject is physically or legally incapable of giving consent;
(d) processing in the course of its lawful activities is carried out with appropriate safeguards by an institution, association or any other non-profit body for political, philosophical, religious or trade union purposes and provided that the processing concerns only members or former members of the body or persons , who are in regular contact with him regarding his intentions, and that personal data are not transferred outside this body without the consent of the data subjects;
(e) the processing relates to personal data published by the data subject;
(f) processing is necessary for the enforcement, enforcement or defense of legal claims or where
 any courts exercise their jurisdiction;
(g) the processing is necessary for reasons of overriding public interest under Union law or the law of a Member State commensurate with the objective pursued, respects the essence of the right to data protection and provides appropriate and specific measures to protect the fundamental rights and interests of the data subject. relate to personal data;
(h) treatment is necessary for the purposes of preventive or occupational medicine, assessment of the employee's ability to work, medical diagnosis, provision of medical or social care or treatment, or management of health or social care systems and services under Union or Member State law or in accordance with a contract with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health risks or ensuring high standards of quality and safety of healthcare and medicines or medical devices, under Union law or the law of the Member State appropriate and specific measures to protect the rights and freedoms of the data subject, in particular the protection of professional secrecy;
(j) the processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) under Union law or the law of a Member State commensurate with the objective pursued. data protection and provides appropriate and specific measures to protect the fundamental rights and interests of the data subject.

The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 where they are processed or processed by a professional subject to professional secrecy under Union or Member State law or the rules laid down by determined by the competent national authorities or by another person who is also subject to the obligation of professional secrecy in accordance with Union law or the law of a Member State or with rules laid down by the competent national authorities. Member States may maintain or introduce additional conditions, including restrictions, on the processing of genetic, biometric or health data.

Article 5 of the General Regulation sets out the principles relating to the processing of personal data, namely that personal data must be:

(a) processed lawfully, fairly and transparently in relation to the data subject ("legality, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) shall not be considered incompatible with the original purposes ('purpose limitation');
(c) relevant, relevant and limited to what is necessary for the purposes for which they are processed ('minimum amount of data');
(d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that inaccurate personal data are erased or corrected without delay, taking into account the purposes for which they are processed ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for a longer period if they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1), subject to appropriate technical and organizational measures. regulations to protect the rights and freedoms of the data subject ("storage restriction");
(f) be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage by appropriate technical or organizational measures ("integrity and confidentiality").

The operator is responsible for compliance with paragraph 1 and must also be able to demonstrate this compliance ('liability').

Article 12 (1) of the General Regulation stipulates that the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and the communications referred to in Articles 15 to 22 and 34 relating to the processing. concise, transparent, comprehensible and easily accessible form and clear and simple language, in particular for all information specifically aimed at the child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, the information may be provided orally, provided that the identity of the data subject is proved by other means.

Article 13 (1) of the General Regulation provides that where personal data concerning a data subject are obtained from that data subject, the controller shall provide the data subject with all of the following information when obtaining the personal data:

(a) the identity and contact details of the controller and his representative, if any;
(b) the contact details of the data protection officer, if any;
(c) the purposes for which the personal data are processed, as well as the legal basis for their processing;
(d) where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or a third party;
(e) users or categories of users of personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization, and the existence or absence of a Commission decision on adequacy or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49 (1), or appropriate safeguards and means to obtain a copy thereof or where available.

In addition to the information referred to in Article 13 (1) of the General Regulation, the controller shall, in accordance with Article 13 (2), provide the data subject with the following information necessary to ensure fair and transparent processing:

(a) the retention period of personal data or, where this is not possible, the criteria used to determine that period;
(b) the existence of a right to request access from the controller to personal data and the rectification or erasure of personal data or restrictions on processing in relation to the data subject, or the existence of a right to object to the processing and a right to data portability;
(c) where the processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time without prejudice to the lawfulness of the processing with its consent until its revocation;
(d) the right to lodge a complaint with the supervisory authority;
(e) whether the provision of data is a legal or contractual obligation or an obligation necessary for the conclusion of the contract, and whether the data subject must provide personal data and what are the possible consequences if such data are not provided; , in
(f) the existence of automated decision-making, including the profiling referred to in Article 22 (1) and (4), and, at least in such cases, meaningful information on the reasons therefor, as well as the importance and intended consequences of such processing for the individual data.

Pursuant to Article 13 (4), paragraphs 1, 2 and 3 shall not apply where and to the extent that the data subject already has information.

II. IP findings and reasons for ordering an inspection measure:

During the inspection procedure, the liable party was reminded that he had to tell the truth in the procedure before the IP. Following the explanations received from the taxpayer, in view of the established facts in the subject control procedure, IP finds that the taxpayer adequately ensured the security of personal data when conducting self-paid testing for the presence of SARS-CoV-2 virus.

The legal basis for the processing of personal data of individuals for the purpose of conducting self-paid testing for SARS-CoV-2 virus is Article 6 (1) (c) of the General Regulation - processing is necessary to fulfill the legal obligation of the controller and point (h) Article 9 (2) of the General Decree in connection with Article 14č of the Health Care Databases Act (Official Gazette of the Republic of Slovenia, No. 65/00, as amended, hereinafter: ZZPPZ). A contractual relationship is established between the liable party and the individual or client of the test to whom the liable party issues an invoice for the provided health service, but the ZZPPZ stipulates the obligation to provide data to the Central Register of Patient Data (hereinafter). : CRPP). In accordance with the fifth paragraph of Article 14c of the ZZPPZ, the data is transmitted to the CRPP as soon as it is generated or received during the provision of health care, but no later than the end of the working day.

The National Institute of Public Health has prepared instructions for testing providers Reporting the results of COVID-19 tests to the Central Register of Patient Data (CRPP), Methodological and technical instructions for users, which are published on the NIJZ website. The following information must be entered (page 15):

 ZZZS number of the insured person or EMŠO (in the case of a foreign insured person TZO or ZZZS number starting with 7), if the person does not have ZZZS number or EMŠO, the local identifier determined by the information system of the test provider is used;
 date of birth of the patient (can be filled in automatically from the source ZZZS or CRPP / RPPE),
 name and surname of the patient (can be filled in automatically from the source ZZZS or CRPP / RPPE),
 address and country of residence in the case of an alien,
 mobile number of the patient, if the patient provides it (optionally without a number only for justified cases, eg caregivers in social welfare institutions. NIJZ draws special attention to the importance of entering the correct number),
 indicator informing the patient through the national system: 1 - informing the patient, 2 - informing the patient
the entry point itself, 3 - the patient does not allow notification by SMS,
 test indication,
 date of sampling,
 presence of symptoms (in case of DA, the start date is also indicated),
 epidemiological history (close contact with an infected person in the last 14 days),
 type (type) of test.

All healthcare providers must submit the results to the CRPP. The taxpayer explained that the data collected from individuals for the purpose of conducting self-paid testing for the presence of SARS-CoV-2 virus using the PCR form (name, surname, e-mail address and mobile phone number) is stored for up to… hours, then cut and that with a special device it scans the card or the contents of the health insurance for entering data into the information system…, and then the data is transmitted to ... Data obtained by the taxpayer by scanning or on the basis of PCR form .

Based on the above, IP found that the taxpayer had a legal basis to obtain from each individual who came to the test, name and surname, mobile phone number and health card number or data from the health insurance card, because this information had to intervene in the CRPP. IP also found that the taxpayer did not have a legal basis for collecting e-mail addresses from all tested persons, but only from those who wanted to communicate the test results to them by e-mail or contact them for another purpose (legal basis for consent ( Article 6 (1) (a) of the General Regulation - the data subject has consented to the processing of his or her personal data for one or more specific purposes).

The purposes of personal data processing were achieved when the data subject entered personal data in the CRPP and when the tested individuals were informed about the test results. It should be emphasized that the taxpayer no longer keeps or disposes of personal data of individuals after… hours, nor does he have the possibility to access the personal data of the individual after the testing procedure or the completion of the latter.

In the information on the processing of personal data, the data subject must clarify which personal data he collects on the basis of contract and law and which on the basis of consent and the purpose of their collection, the retention period and all other information under Article 13 of the General Regulation.

With regard to the above, the taxpayer will have to inform or supplement the content of the form guaranteeing the right to information in accordance with Article 13 of the General Regulation in such a way that the information will be granulated or broken down for personal data processing or data required by Article 13 of the General Regulation. , be included in that PCR form in such a way that all the information in accordance with Article 13 of the General Regulation, as described above, is visible.

The taxpayer may also be assisted by the form "Model notification to individuals regarding the processing of personal data (Article 13 of the General Regulation)", which can be found on the IP website: https://www.ip-rs.si/obrazci/varstvo-osebnih -data /.

The data subject must inform individuals about the rights to information in accordance with Article 13 of the General Regulation before collecting personal data (acquisition, access, transmission or any other processing of personal data), giving such notice by publishing it on the PCR form before entering the facility or on the debtor's website.

This means that the taxpayer must indicate as a legal basis for the collection of all data except the electronic address, Article 6 (1) (c) of the General Regulation - processing is necessary to fulfill the legal obligation applicable to the controller and point (h) of Article 9 2) General regulations in connection with Article 14č of the ZZPPZ.

However, in the case of the processing of an individual's e-mail address, the consent of the individual is required (Article 6 (1) (a) of the General Regulation - the data subject has consented to the processing of his personal data for one or more specified purposes). voluntary, specific, informed and unambiguous.

III. Conclusion:

Point (d) of Article 58 (2) of the General Regulation provides that the supervisory authority shall order the controller or processor to comply with the provisions of the processing, if applicable, in a specified manner and within a specified time limit.

In view of the explained reasons, due to the identified irregularities, pursuant to Articles 2 and 8 of the ZInfP, point 1 of the first paragraph of Article 54 of ZVOP-1, the first paragraph of Article 32 of the ZIN and point (d) of Article 58 (2) of the General Regulation, to eliminate the identified irregularities and to harmonize the acts of personal data processing with the provisions of Articles 5, 12 and 13 of the General Regulation, as follows from point 1 of the operative part of this Decision.

The fifth paragraph of Article 29 of the ZIN stipulates that if the inspector has ordered the elimination of irregularities and deficiencies and set a deadline for the obligor to eliminate them, he must immediately inform the inspector of the rectified irregularities. In accordance with the above, the liable party must notify the IP in writing of all implemented measures referred to in point 1 of the operative part of this decision no later than five (5) days after the elimination of the irregularity. The notification must also contain indications and evidence that the liable party has implemented the measures referred to in point 1 of the operative part of this decision and in what manner he has implemented them.

The ruling on the costs of the procedure is based on the provision of the first paragraph of Article 31 of the ZIN, according to which the costs of the inspection procedure, which were necessary to establish the facts proving that the taxpayer violated a law or other regulation, the taxpayer suffers. The liable party did not notify the costs of the procedure during the procedure, but no special costs of the procedure were incurred by the body.

This decision is issued ex officio and on the basis of Article 22 of the Administrative Fees Act Uradni list RS, no. 106/10 - official consolidated text, 14/15 - ZUUJFO, 84/15 - ZZelP-J, 32/16, 30/18 - ZKZaš and 189/20 - ZFRO) tax free.

LEGAL REMEDY:
This decision is final in the administrative procedure. In accordance with the provision of Article 55 of ZVOP-1, no appeal is allowed against it, but it is permissible to initiate an administrative dispute. An administrative dispute shall be initiated by filing a lawsuit with the Administrative Court, Fajfarjeva 33, 1000 Ljubljana, within thirty (30) days of its service. The action shall be brought directly in writing before that court or shall be sent to it by post. It is considered to have been filed in time if it is submitted by registered mail by the last day of the claim deadline. In addition to the contested decision, the original, transcript or copy must be accompanied by one copy or copy of the lawsuit and attachments for the defendant, if someone is affected by the administrative act, but also for him.




…




Serve:
…