KamR Stockholm - 4058-22

From GDPRhub
Court: KamR Stockholm (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(a) GDPR, Article 5(1)(f) GDPR, Article 6 GDPR, Article 9(1) GDPR, Article 32(1) GDPR
Decided: 12.02.2024
Published:
Parties: Medhelp Sjukvårdsrådgivning AB
National Case Number/Name: 4058-22
European Case Law Identifier:
Appeal from: FiS (Sweden) 21287-21
Appeal to: Unknown
Original Language(s): Swedish
Original Source: Kammarrätten i Stockholm (in Swedish)
Initial Contributor: Inkg

The Swedish Administrative Court of Appeal confirmed fines totalling 11,300,000 SEK (about € 1M) against the healthcare provider Medhelp for GDPR breaches: disclosing personal data to a Thai company and exposing sensitive personal data on the internet without adequate security.

English Summary

Facts

The Swedish DPA (IMY) fined Medhelp (the controller) a total of SEK 12 million (€ 1,200,000) for several breaches of the GDPR. Three Swedish regions had contracted the controller to answer the medical advice phone line '1177' and give medical advice to callers.

The DPA found that the Controller breached GDPR on the following points:

a) Medhelp was fined for unlawfully disclosing personal data to MediCall, a Thai company, and for allowing MediCall to process that personal data, in violation of Article 5(1)(a), Article 6 and Article 9(1) GDPR.

b) Medhelp, for an unknown period, exposed personal data in the form of audio files containing recorded phone calls to 1177 on the internet, without protection against unauthorized disclosure and unauthorized access, in breach of Article 5(1)(f) and Article 32(1) GDPR.

c) Apart from an automated message stating that calls were being recorded for patient safety and quality purposes, Medhelp did not properly inform callers about how their personal data would be processed when it was collected during phone calls to 1177, in violation of Article 5(1)(a) and Article 13 GDPR.

Medhelp appealed the DPA's decision to the Administrative Court in Stockholm. That court overturned point (a) of the decision and remanded the issue to IMY for further processing, amended the decision for points (b) to (d) so as to reduce the sanction fee to 8,800,000 SEK, and dismissed the appeal in other respects.

The Administrative Court annulled point (a) of IMY's decision because, in its view, both MediCall and Medhelp were healthcare providers responsible for the personal data under Swedish law, and MediCall's personnel were therefore also subject to the confidentiality obligations in Chapter 6 of the Patient Safety Act. That court ruled that Medhelp was legally permitted to disclose personal data to MediCall for processing in relation to the healthcare services MediCall provided on behalf of Medhelp. Consequently, the court found that Medhelp did not violate the GDPR merely by transferring personal data to MediCall and allowing that company to process it. The court then determined that the fact that MediCall was located in Thailand raised the question of whether the transfer of personal data to MediCall met the requirements of Chapter V GDPR. Since IMY had not examined this issue, the case was referred back to the authority for further processing.

IMY appealed the Administrative Court's decision to the Administrative Court of Appeal in Stockholm.

Holding

The Administrative Court of Appeal:

1. Overturned the Administrative Court's ruling regarding the remand.

2. Revoked the Administrative Court's decisions concerning decision point (d) as well as the associated penalty fee and injunction.

3. Granted IMY's appeal regarding decision point (a) and confirmed the agency's decision in this regard.

4. Dismissed Medhelp Sjukvårdsrådgivning AB's appeal concerning decision points (b) and (c) as well as the associated penalty fees and injunction.

5. Confirmed the total penalty fee at 11,300,000 SEK.

Detailed summary:

As a starting point, the Appeal Court noted that the concept of data controller should be broadly interpreted for the effectiveness of the data protection regulation.

1. The primary issue in the case was whether the Administrative Court could remand part of the case to IMY for further examination.

The Appeal Court emphasized the principle against *reformatio in pejus*, i.e. the protection of individuals from being placed in a worse position by appealing a decision that significantly affects them. If a court finds that a supervisory decision lacks justification or legal grounds, it should repeal or annul it, but it cannot refer a case back for investigation of issues the supervisory authority had not previously considered. Because IMY had not initially examined the question of Medhelp's data transfer to a third country, the Administrative Court could not refer that matter back for further review. The decision to refer the case back for further processing was therefore annulled.

2. MediCall's processing of personal data (decision point a)

The Administrative Court had revoked decision point (a) because, in its view, both MediCall and Medhelp were care providers responsible for personal data, so that MediCall's healthcare personnel were also covered by the confidentiality requirement in Chapter 6 of the Patient Safety Act (2010:659), PSL. Under Swedish law, a care provider is responsible (as data controller) for the processing of personal data that the provider carries out.

According to the Court of Appeal, the fact that a third-country company provides healthcare advice in Swedish, directed at individuals in Sweden, does not mean that the company's healthcare activities are covered by Swedish healthcare legislation. MediCall is not a healthcare provider within the meaning of the Healthcare Act (2017:30), HSL.

IMY noted that, for private care providers, it is the Swedish healthcare legislation, i.e. the HSL together with the PDL and the PSL, that provides the legal basis making data processing lawful under Articles 6 and 9 GDPR. That legislation is territorially limited and cannot be read to cover healthcare provided by a Thai company.

The Court of Appeal therefore agreed with IMY that MediCall cannot be considered a healthcare provider or a controller responsible for personal data. The fact that professionals with Swedish nursing qualifications worked at the Thai company did not lead to a different assessment.

Medhelp's processing, by forwarding calls and giving MediCall access to personal data, largely of a sensitive nature, thus lacked the legal support under Swedish law that the GDPR requires, thereby violating Article 9 GDPR. In addition, the Appeal Court found that allowing such a third party in a third country to carry out part of the assignment is so serious a violation of the GDPR that the fundamental principle of lawfulness, fairness and transparency can also be considered violated.

By engaging MediCall as a subcontractor for healthcare advice, Medhelp enabled data processing in violation of the GDPR. Neither the existing contractual arrangement nor the regions' approval of this setup led to a different assessment. The Court of Appeal found that the 3 million SEK (250 000 €) fine constituted an effective, proportionate and dissuasive measure for this violation.

3. Exposure of personal data without protection against unauthorized access (decision point b)

The exposed files contained recorded calls to 1177 that had been answered by MediCall. Since Medhelp was found to be the responsible healthcare provider and thus the data controller, the Appeal Court explained that it is Medhelp that is responsible for maintaining an appropriate level of security for the personal data processed. Because sensitive personal data was concerned, the Appeal Court added, Medhelp had a particularly large responsibility to ensure good IT security.

The Appeal Court therefore endorsed the Administrative Court's assessment that Medhelp had failed in its duty to take appropriate technical and organizational measures to ensure an appropriate level of security for the personal data, in violation of Article 32 and Article 5(1)(f) GDPR. The Appeal Court accordingly rejected Medhelp's appeal and upheld the Administrative Court's decision on this point.

Comment

See the summary of Swedish DPA's decision here: https://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2019-3375


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

The Court of Appeal decides that Medhelp must pay a penalty fee for forwarding calls to 1177.

The Court of Appeal has concluded that the processing of personal data by forwarding calls to a Thai healthcare company is not supported in Swedish law. Medhelp must pay a penalty fee for this violation of the data protection regulation.

The Court of Appeal also states that there were deficiencies in the processing of the personal data, which was largely sensitive personal data, as well as in the information to the data subjects. The Court of Appeal determines the sanction fee to just over SEK 11 million.

"There has been no support in Swedish law for the forwarding of calls to 1177 to a Thai company. Medhelp has therefore been charged with an additional penalty fee," says the court's president, Court of Appeals Councilor Ingela Fridström.