Rb. Midden-Nederland - AWB - 19 608

From GDPRhub
Rb. Midden-Nederland - AWB - 19 _ 608
CourtsNL.png
Court: Rb. Midden-Nederland (Netherlands)
Jurisdiction: Netherlands
Relevant Law:

Article 9 GDPR

Article 17 GDPR

Decided: 10. 01. 2020
Published: 29. 01. 2020
Parties: [Plaintiff]

Autoriteit Persoonsgegevens

[Third party] - de Vereniging Zorgaanbieders voor Zorgcommunicatie (VZVZ)

National Case Number: AWB - 19 608
European Case Law Identifier: ECLI:NL:RBMNE:2020:73
Appeal from: n/a
Language: Dutch
Original Source: de Rechtspraak (in NL)

The Court of First Instance of the Central Netherlands ruled on the appeal against a decision by the Dutch Data Protection Authority regarding processing of special categories of personal data (Article 9 GDPR) by the administrator of the network which grants access to medical data about patients to certain categories of healthcare providers.

English Summary[edit | edit source]

Facts[edit | edit source]

In the letter dated 27 July 2017, the plaintiff requested the defendant to take enforcement action against VZVZ - the administrator of a network to which certain categories of healthcare providers can connect and consult medical data about their patients in each other's systems (LSP). The claims made were as follows:

a. The Personal Data Authority (defendant) must take action against VZVZ for the lack of explicit consent collected by people registered in the LSP;

b. the defendant must review the view of its legal predecessor, the Dutch Data Protection Authority (Cbp), from 2014, that VZVZ has put in place sufficient technical and organisational safeguards to ensure that only personal data of patients who have given their consent for this purpose are processed;

c. the defendant must confirm that VZVZ may not ask for a national identification number (BSN) in combination with a copy of a valid identity document in response to written requests to the effect that someone has been registered with the LSP.

The plaintiff submitted four cases of patients who had been registered with the LSP without their permission. According to the plaintiff, she has thus demonstrated that patients are registered with the LSP without their explicit consent and that the system as such is therefore flawed. According to the plaintiff, the defendant must take enforcement action against VZVZ in order to rectify this.

In addition to this enforcement request, the plaintiff also submitted an enforcement request to the defendant aimed at addressing pharmacists about the unlawful registration of patients with the LSP.

Dispute[edit | edit source]

The plaintiff lodged an appeal against the decision of 24 December 2018 (the contested decision), by which the defendant dismissed the claimant's complaint.

Holding[edit | edit source]

The appeal is unfounded.

The District Court dismissed the plaintiff's argument that the LSP as a system is unlawful. There is no reason to follow plaintiff in her view that healthcare providers are reporting patients in the LSP on a large scale without the required consent. The LSP is acceptable as a system. The plaintiff's reference to her interpretation of the HR ruling and the letter of 4 October 2019 on whether or not future amendments to the legislation and regulations are feasible is not considered relevant by the Court in this respect.

Moreover, the District Court considered that in this argument the plaintiff wrongly assumes that the LSP as a system is inadmissible and that data are therefore processed unlawfully.

Comment[edit | edit source]

Share your comment here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Dutch original for more details.

Ruling
CENTRAL COURT

Sitting place Utrecht

Administrative law

Case number: UTR 19/608
judgment of the multiple chamber of 10 January 2020 in the case between
[plaintiff] , at [place of business] , plaintiff

(Agent: J.M.T. Wijnberg),

and
the Authority Personal data, defendant

(Agent: Mr E.S. van der Deijl and Mr O.S. Nijveld).

The Vereniging Zorgaanbieders voor Zorgcommunicatie (VZVZ) (Association of Healthcare Communication Providers), The Hague, acting as third party, authorised: [authorised 1] and [authorised 2] .
Proceedings

By order of 6 May 2018 (the primary order), the defendant rejected the claimant's request to take enforcement action against VZVZ as manager of the Landelijk Schakelpunt (LSP).

By decision of 24 December 2018 (the contested decision), the defendant dismissed the claimant's objection as unfounded.

The plaintiff lodged an appeal against the contested decision.

The defendant submitted a statement of defence.

The hearing took place on 15 October 2019. The plaintiff is represented by her agent and Mr [A] . The defendant and VZVZ were represented by their agents.
Recitals


Introduction

    The articles to which the court refers in this judgment are set out in an annex that accompanies this judgment.

    The LSP is a network to which certain categories of healthcare providers can connect. A patient's Burgerservicenummer (BSN) is registered in the LSP. Through this network healthcare providers can consult medical data about their patients in each other's systems. The LSP is not a database: no medical data is stored in it. These data remain in the files of, for example, the (own) GP and pharmacy. Consultation of medical data in the files of another healthcare provider is only permitted if the patient has given explicit permission for this. The BSN is provided by the care provider to whom a person has granted permission for registration with the LSP.
    The claimant's request for enforcement

    By letter dated 27 July 2017, the plaintiff requested the defendant to take enforcement action against VZVZ as administrator of the LSP. Her request consists of three parts.
    a. The defendant must take action against the way in which VZVZ allows people to be registered in the LSP without having given the required explicit consent;
    b. the defendant must review the view of its legal predecessor, the Dutch Data Protection Authority (Cbp), from 2014, that VZVZ has put in place sufficient technical and organisational safeguards to ensure that only personal data of patients who have given their consent for this purpose are processed;
    c. the respondent must confirm that VZVZ may not ask for a BSN in combination with a copy of a valid identity document in response to written requests to the effect that someone has been registered with the LSP.

    The plaintiff submitted four cases of patients who had been registered with the LSP without their permission. According to the plaintiff, she has thus demonstrated that patients are registered with the LSP without their explicit consent and that the system as such is therefore flawed. According to the plaintiff, the defendant must take enforcement action against VZVZ in order to rectify this.
    Discussion of the claimant's appeal

    In addition to this enforcement request, the plaintiff also submitted an enforcement request to the defendant aimed at addressing pharmacists about the unlawful registration of patients with the LSP.1 The defendant has interpreted the present enforcement request as exclusively aimed at enforcement towards VZVZ as manager of the LSP and as co-responsible for the processing of personal data. It therefore does not focus on the healthcare providers. The District Court also maintains this classification.

6. The processing of personal data in the LSP without the express consent of patients is contrary to Article 9, second paragraph, opening words and under a, of the AVG and Article 22, second paragraph, opening words and under a, of the AVG Implementation Act. If it appears that VZVZ violates these articles, the defendant is entitled to take enforcement action pursuant to Section 58(2)(d) of the AVG. In view of the public interest served by enforcement, the defendant will generally also have to make use of his enforcement power in such a case (the obligation in principle to enforce).

7. The central question is therefore whether VZVZ has acted contrary to the AVG.
The defendant has investigated the four cases brought forward by the claimant in which healthcare providers reported patients to the LSP without the required permission. He has come to the conclusion that three of the four cases brought forward did indeed involve registration without the patient's consent. This is an offence. Nevertheless, the defendant sees no reason to take enforcement action. In the meantime, these wrongful registrations have been reversed at the request of these patients. Furthermore, VZVZ, as administrator of the system, has set up procedures and made information material available in order to ensure that healthcare providers receive correct permission from their patients and, in accordance with this permission, register the BSN with the LSP. According to the defendant, VZVZ supervises this adequately. In a report from 2014, the Cbp has already established that VZVZ has put in place sufficient technical and organisational safeguards to ensure that only personal data of persons who have granted permission for this purpose are processed. The defendant still believes this to be the case and therefore maintains this conclusion. The circumstance that in a number of isolated individual cases the care provider has registered persons with the LSP without legally valid permission, does not mean that the LSP as a system leads to unlawful processing of personal data on a large scale, as the claimant assumes.

8. The District Court is of the opinion that the defendant has investigated the four cases submitted by the plaintiff with sufficient care and that the conclusion he draws is not incorrect either. VZVZ, after having received a report from the four patients, reversed the established violations. There are no indications that new violations will occur that the defendant should prevent by applying enforcement instruments. The VZVZ uses the information it provides to healthcare providers by means of training courses and the procedures it draws up, and the supervision it then carries out, to ensure that wrongful registrations in the LSP are prevented as far as possible. VZVZ has explained in this procedure (and the enforcement procedure against pharmacists2) that it cannot monitor at a micro level, but that it intensively monitors the working methods of the care providers by concluding contracts with the care providers, carrying out regular spot checks and inquiring into the procedures used by the care providers to register. The care provider's own system must state how consent was obtained and what information the patient received. Has a leaflet been provided and if so, which leaflet? In principle, the healthcare provider is responsible for the correct registration of the patient, but VZVZ keeps sufficient supervision to prevent wrongful registrations and subsequent unlawful processing of personal data. The few errors that will nevertheless occur do not make the system as such unlawful and, in view of the efforts already made by VZVZ, the defendant does not need to use enforcement instruments.

9. This does not mean that errors will not occur in the future. The healthcare providers are responsible for the correct registration, but because consent can also be given verbally at the bar or in the consultation room, the system is not watertight. The claimant's efforts in this procedure are aimed at achieving a (virtually) watertight system. This would in fact amount to a system in which a form of written consent is required and the law does not compel this. Important in this respect is that the LSP is governed by Article 15a, first paragraph, of the Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg (Wabvpz) which - in short - stipulates that the care provider can only make the client's data available via the LSP, insofar as it has been established that the client has given explicit permission for this. This consent does not have to be written, but may also be given verbally, as is evident from the considerations of the AVG under 32: 'Consent must be given by means of a clear active act, for example a written statement, also by electronic means, or a verbal statement, which shows that the person concerned freely, specifically, informed and unambiguously consents to the processing of his/her personal data. […]”. The healthcare providers and VZVZ must be able to demonstrate that the consent has actually been granted. This is evident from 42 of the recitals of the AVG: 'if the processing takes place on the basis of the data subject's consent, the data controller must be able to demonstrate that the data subject has given permission for the processing'. VZVZ's working method, as described in recital 8, ensures that the patient is sufficiently aware of what he or she is consenting to and ensures that the notification is in accordance with the GC. VZVZ is not legally obliged to do more than it currently does. There are therefore no grounds for the defendant to take enforcement action. The argument does not succeed.

10. The plaintiff also takes the position that whether or not patients are included in the LSP is not sufficiently verifiable. Anyone who does not wish to be registered with the LSP should in fact regularly check via www.volgjezorg.nl whether he or she has not been wrongly registered after all. If you do not wish to make use of this digital option, you must contact VZVZ with a request for a check accompanied by BSN and a copy of a valid identity document. The plaintiff does not want this because sensitive personal data are provided to VZVZ in this way without proper safeguards and believes that the system should give a notification to a patient when he or she is registered. She also objects to the fact that an unjustified notification is not described as such in the LSP, but that it is stated that the patient would have withdrawn the notification. This is factually incorrect according to the plaintiff and should be changed. Finally, the logging data of these persons is incorrectly retained and is not deleted.

11. The court interprets these arguments of the plaintiff, which are mainly about the way in which patients can check and cancel registration in the LSP, as further substantiation of its view that the LSP as a system is flawed and leads to unlawful processing of personal data against which the defendant must take enforcement action.
11.1 The Court does not follow plaintiff in this position. As VZVZ has explained, only the BSN of a patient is included in the LSP with a view to data minimization and therefore a notification to the patient cannot take place, because more data, such as an e-mail address, is required for this purpose. It is therefore not possible to check retrospectively whether consent has been given without further information from the patient. For this reason, VZVZ has drawn up a working method in which it has made contractual agreements with the healthcare providers, provides information in advance about the importance of the consent, and also randomly checks whether the healthcare providers comply with the agreements made in this regard. As the court ruled in recital 9, this working method is sufficient. In this respect, the court considers it important that the patient is provided with possibilities to check whether and by whom he or she has been registered in the LSP. There is no reason to assume that the way in which this can be done is disproportionately burdensome or incriminating.
11.2 The Respondent has rightly explained that there is a legal basis for the use of the BSN by VZVZ, which can be found in Article 8, second paragraph of the Additional Provisions for the Processing of Personal Data in Health Care. He also refers to Article 4 of this Act and Article 46, first paragraph, of the UAVG. The VZVZ has a basis for examining whether someone is included in the LSP on the basis of the BSN. Moreover, as VZVZ has explained, the check cannot take place in any other way, because there are no other data in the LSP. Furthermore, the court does not consider it unreasonable for VZVZ to ask for a copy of the identity document and it follows the defendant in its conclusion that there is no violation of the GCG on this point either. On the contrary, VZVZ is asking for proof of identity in order to prevent people from being able to request data from third parties just like that.
11.3 Nor does the District Court consider that the fact that it is not stated in the LSP that it is an wrongful registration, but that it is a withdrawal of consent, is a reason to assume a violation of the AVG. There is no legal obligation to state somewhere that consent has never been given. Article 17 of the AVG contains an obligation to delete data. This has been further explained in the considerations of the AVG under 65 and it does not follow from this that when deleting data it must be stated that the notification was unlawful from the outset.
11.4 Finally, the defendant has explained that VZVZ can always retrieve the logging data, so that even after withdrawal of consent, it can be ascertained which data has been made available and which data has been viewed by the BSN. In this way, insight can be provided into the exchange of medical personal data as it has taken place previously. In the statement of defence the defendant explained that pursuant to Articles 3 and 5 of the Electronic Data Processing Decree (Besluit elektronische gegevenswerking door zorgaanbieders) a statutory retention period applies for these logging data in accordance with various NEN standards mentioned in those articles. The possibility to delete data therefore only extends to the deletion of the BSN in the LSP and the reversal of consent. The immediate deletion of logging data is not legally possible.
The plaintiff's arguments do not serve any purpose.

12. The plaintiff referred to the judgment of the Supreme Court (HR) of 1 December 20173 , to which the defendant also referred. According to her, in that judgment the HR ruled that the arrangement of the LSP is acceptable as a system, but only because it is based on the freely given, sufficiently specific consent of the patients concerned. According to the plaintiff, the defendant cannot refer to this judgment to substantiate the view that the LSP is sound, because VZVZ - contrary to what the HR assumed in the judgment - cannot guarantee that notification always takes place on the basis of explicit consent. During the hearing, the plaintiff referred to a letter dated 4 October 2019 from the Minister for Medical Care and Sport to the Senate4 in which it was explained that the entry into force of Section 15(2) of the Wabvpz, which regulates a specified consent for data exchange in healthcare, is not feasible as of 1 July 2020. The plaintiff points out that the HR has also considered in its judgment that such a specified consent is more in line with - in short - the privacy rules and as soon as it is feasible the LSP must provide for it. Because this specified consent will not be forthcoming, the system does not meet the requirements to be set for it, according to the plaintiff.

13. The District Court interprets this argument as part of its argument that the LSP as a system is unlawful. It does not follow the claimant in this respect. As was considered earlier in this judgment, but also follows from the judgment of this court in the proceedings with case number UTR 19/607, there is no reason to follow plaintiff in her view that healthcare providers are reporting patients in the LSP on a large scale without the required permission. The LSP is acceptable as a system. The plaintiff's reference to her interpretation of the HR ruling and the letter of 4 October 2019 on whether or not future amendments to the legislation and regulations are feasible is not considered relevant by the court in this respect. This argument does not serve any purpose either.

13. The plaintiff argues that the contested decision affects the legal position of all healthcare providers, because their administration may fall into the hands of third parties through no fault of their own. This affects their professional secrecy and their legal liability, the plaintiff claims.
Apart from the question whether the plaintiff represents the interests of the healthcare providers in this enforcement procedure, the District Court considered that in this argument the plaintiff wrongly assumes that the LSP as a system is inadmissible and that data are therefore processed unlawfully. As previously considered, this is not the case.
This argument is unsuccessful.

13. Finally, as a separate part of her enforcement request, the plaintiff requested the defendant to return to the aforementioned conclusion in the report from 2014. The defendant rightly concluded that this cannot be an independent part of the enforcement request. When discussing the other parts of the enforcement request, the defendant took this conclusion into account and concluded that it would not return to it. The defendant maintains the position that VZVZ has put in place sufficient technical and organisational safeguards to ensure that only personal data of patients who have given permission to do so are processed. He is allowed to do so. The defendant has discussed this correctly. This argument is unsuccessful.
Conclusion

13. The appeal is unfounded. There are no grounds for an order as to costs.
Decision

The court declares the appeal unfounded.

This ruling was made by V.E. van der Does, chairman, and P.J.M. Mol and M.E.J. Sprakel, members, in the presence of M.E.C. Bakker, registrar. The decision was publicly pronounced on 10 January 2020.

registrar chairman

Copy sent to parties on:
Legal remedy

An appeal may be lodged with the Administrative Jurisdiction Division of the Council of State against this decision within six weeks of the date on which it was sent.

ANNEX

General Data Protection Regulation

Article 9

Processing of special categories of personal data

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the unique identification of a person, or data concerning health, or data relating to a person's sexual behaviour or sexual orientation are prohibited.

(a) the data subject has given his or her explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject;

[…].

Article 17
Right to erasure of data ('right to oblivion')

1. The data subject shall have the right to obtain from the data controller the erasure of personal data relating to him without unreasonable delay and the data controller shall be obliged to erase personal data without unreasonable delay where one of the following applies:

[…]
(b) the data subject withdraws the consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing;
[…]
(d) personal data have been unlawfully processed;
[…]

Implementing Act General Data Protection Regulation

Article 22. Prohibition of processing of special categories of personal data and general Regulation exceptions

1. According to Article 9(1) of the Regulation, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the unique identification of a person, or data concerning health, or data concerning a person's sexual behaviour or orientation shall be prohibited.

2 In accordance with Article 9(2)(a), (c), (d), (e) and (f) of the Regulation, the prohibition to process special categories of personal data shall not apply if:

a. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;

[…]

Article 46. Processing national identification number

1. A number prescribed by law for the identification of a person shall only be used in the processing of personal data for the implementation of the relevant law or for purposes laid down by law.

[…]


Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg (Act on additional provisions for the processing of personal data in the healthcare sector)

Article 4

A healthcare provider uses a client's citizen service number to ensure that the personal data to be processed in the context of the provision of care relates to that client.

Article 8

1. The care provider will include the client's citizen service number in its records when recording personal data relating to the provision of care.

2 If, in accordance with the provisions of Article 15a, the healthcare provider makes the client's data available via an electronic exchange system, the legal entity that manages and maintains that electronic exchange system is authorised to process that client's citizen service number to the extent that this is necessary to perform its task as manager.

Article 15a

1. The healthcare provider will only make the client's data available via an electronic exchange system, insofar as the healthcare provider has established that the client has given explicit permission for this.

[…]

3 The healthcare provider only makes the client's data available via an electronic exchange system, insofar as the privacy of a person other than the client is not harmed when another healthcare provider consults these data.

Article 15c

1. The healthcare provider shall provide the customer with information on his rights when exchanging data electronically, on how to exercise his rights and on the functioning of the electronic exchange system used for data exchange. If new categories of healthcare providers join the electronic exchange system, or the functioning of the electronic exchange system is otherwise substantially changed, the healthcare provider shall inform the customer about this change and about the possibility to amend or withdraw the consent given, as referred to in Article 15a.

[…]

Electronic Data Processing by Care Providers Decree

Article 3

1. The person responsible for an electronic exchange system shall, in accordance with the provisions of NEN 7510 and NEN 7512, ensure safe and careful use of that electronic exchange system.

[…]

Article 5

1. The healthcare provider as responsible for a healthcare information system and the person responsible for an electronic exchange system ensure that the logging of the system complies with the provisions of NEN 7513. […]

1 This application resulted in the appeal with number UTR 19/607 and was also heard by this court on 15 October 2019.

2 This concerns the aforementioned appeal with number UTR 19/607, which was also heard by this court on 15 October 2019.

3 ECLI:NL:HR:2017:3053

4 Parliamentary Papers I, 2018/2019, 27 529, no. K