IP - 07121-1/2021/400

From GDPRhub
IP - 07121-1/2021/400
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 4(15) GDPR
Article 9 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 19.03.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2021/400
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: GDPR plus

The Slovenian DPA decided that it is permissible for an individual to disclose to a third party the blog author's specific health information. Information whose content meets the definition of health data in point 15 of Article 4 GDPR is health information even if it is published by the person himself.

English Summary

Facts

Question: Is it permissible for a person reading the content of a publicly available blog to disclose to a third party the personal information provided about himself by the author of the blog. Namely, a person writes a personal blog (which includes photos of his or her face) that is publicly available and has written down his or her health information about a particular medical condition. The third party to whom the information is shared via private messages online does not know the author of the blog. They are also interested in whether it is still sensitive personal information if it is only published by the patient. They also believe that freedom of expression is at stake.

Holding

Generally, it is permissible for an individual to disclose to a third party the blog author's specific health information that the individual lawfully obtained from the author's publicly available website and that the author freely posted.

Information whose content meets the definition of health data in point 15 of Article 4 of the General Regulation on Data Protection is health information even if it is published by the person himself. It does not matter where the data come from, what the purpose of the publication is, whether the data are correct and complete and whether they are defined in a technically correct way.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.

On 21 February 2021, we received your request from the Information Commissioner (IP) for an opinion on whether it is permissible for a person who reads the content of a publicly accessible blog to disclose to a third party the personal data provided by the author of the blog about himself. . Namely, a person writes a personal blog (this also includes photos of his face), which is accessible to the public and has written down his health information about a certain disease. The third party to whom the information is communicated via private messages online does not know the author of the blog. You are also interested in whether it is still sensitive personal information if it is only published by the patient. You also think that it is about freedom of expression.

On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provides our non-binding opinion on your issue. We further clarify that in the case of IP we are not competent to interpret the right to freedom of expression,however, concrete cases in the field of personal data protection can only be definitively determined in a possible inspection procedure.

Pursuant to point (e) of the second paragraph of Article 9 of the General Data Protection Regulation, it is in principle permissible for a person to disclose to a third party specific health information of a blog author legally obtained on the author's publicly accessible website and published by the author. alone at will.

In the case of information that corresponds in content to the definition of health information from point 15 of Article 4 of the General Data Protection Regulation, it is also information on health status if it is published by the person himself. It does not matter where the data comes from, what the purpose of the publication is, whether the data is correct and complete and whether it is properly professionally defined.

Explanation:

If the further disclosure of personal data involves the processing of personal data in the true sense of the word (see point 2 of Article 4 of the General Data Protection Regulation) and the scope of this Regulation (see Article 2 of the General Data Protection Regulation), in a specific case, the appropriate legal basis for the further dissemination of data (e) may be the second paragraph of Article 9 of the General Data Protection Regulation. This stipulates that the processing (eg disclosure, transmission) of specific categories of personal data - including health data, is permissible if the data subject publishes it himself.

In assessing the admissibility of the further dissemination of such data, it must be taken into account, inter alia, whether the individual did publish the data without restrictions on the purpose of their use and whether the individual did publish the data in a more accessible public place.

Although this is not a narrower area of ​​personal data protection, it may also be important in the further dissemination of information whether it is a fake blog created by “identity theft” and with what content the information is further disseminated (eg whether it is otherwise interpreted data, additional information from other sources, additional comments that may affect the individual's personal rights).

According to point 15 of Article 4 of the General Data Protection Regulation, data on health status are broadly defined and mean data relating to the physical or mental health of an individual, including the provision of health services, and disclose information on his health status. A similarly broad definition is contained in the first paragraph of Article 45 of the Patients' Rights Act (ZPacP). Even if the information does not come directly from the healthcare provider or does not come directly from the classic health documentation, it can still be information about the health condition.

Kind regards,