Tietosuojavaltuutetun toimisto (Finland) - 6629/163/21
Tietosuojavaltuutetun toimisto - 6629/163/21 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 12(2) GDPR Article 15 GDPR Article 58(2)(b) GDPR Article 58(2)(d) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 12.08.2021 |
Decided: | 27.09.2023 |
Published: | 03.01.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 6629/163/21 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Finnish |
Original Source: | Finlex (in FI) |
Initial Contributor: | fred |
The Finnish DPA ordered a healthcare provider to facilitate the exercise of the right of access and inform data subjects of the possibility of obtaining a copy of their personal data, such as copies of their MRI scans, free of charge pursuant to Article 15 GDPR.
English Summary
Facts
The Finnish DPA was notified that a healthcare provider (the controller) charged a fee for handing over copies of magnetic resonance images (MRI) when data subjects requested access to their personal data in accordance with Article 15 GDPR.
The DPA had asked the controller to explain how it facilitated the exercise of data subject rights under Article 15 GDPR in situations where a data subject would request their MRIs without explicitly referring to their right under the GDPR.
In response to the request, the controller clarified that it provided the MRIs free of charge when a patient made an access request in accordance with Article 15 GDPR. The controller also stated that it provided patients with medical records once a year free of charge when they invoked the right of access under the GDPR. However, the controller considered that when a patient requested a recording of their MRI examination directly from the MRI scanning, the right of access was not invoked, and the recording was chargeable.
The controller also stated that in its price list, it was mentioned that the provision of material related to the right of access would be free of charge if the request was made using an access request form or from the controller's registry office and that in other cases, a fee was charged for the request. It added that when the patient requested access to their personal data, the controller did not separately ask whether it was a request regarding the right of access under the GDPR.
Holding
On the basis of the information provided by the controller, the DPA stated that data subjects do not need to know how to invoke a specific provision of the GDPR in order to obtain their personal data free of charge under the right of access. Instead, the controller has an obligation to facilitate the exercise of the right of access and to inform the data subjects of the possibility of obtaining a copy of their personal data free of charge pursuant to Article 15 GDPR.
The DPA considered that the data subject cannot, therefore, be required to familiarise themselves with, for example, the price list in order to be able to submit an access request. Also, by default, the controller may not charge a fee for the provision of MRIs to the data subject directly from the MRI scanning.
On the basis of the information gathered, the DPA held that the controller had violated Article 12(2) GDPR by not facilitating the exercise of the right of access under Article 15 GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to bring its processing operations into compliance with the aforementioned provisions of the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
The decision of the Deputy Data Protection Commissioner in a case concerning the right to access information Thing The registrant's right to access the magnetic images concerning him/her free of charge A matter brought to the attention of the Office of the Data Protection Commissioner On August 12, 2021, the Office of the Data Protection Commissioner was informed of an observation that the data controller would charge a fee for handing over copies of magnetic images when the data subject requests information pursuant to the right in accordance with Article 15 of the General Data Protection Regulation. Statement received from the registrar The Office of the Data Protection Commissioner has requested an explanation from the data controller with clarification requests dated 21 September 2022 and 4 November 2022. The registrar has given a written statement on the matter on 14.10.2022 and 2.12.2022. In the report issued on 14 October 2022, the controller states that when the customer requests magnetic images, based on Article 15 of the General Data Protection Regulation, no payment is requested for the images. According to the registrar, patient information ordered through the archive is given to the patient once a year free of charge if the patient invokes the right of inspection. According to the registrar, if the patient orders, for example, a CD recording of MRI examinations directly from the imaging, then the right of inspection is not invoked and the recording is paid for. On November 4, 2022, the controller has been asked for an explanation of how it has taken into account the obligation according to Article 12, paragraph 2 of the General Data Protection Regulation to facilitate the exercise of the data subject's rights according to Article 15. The controller has been asked to explain how this obligation has been taken into account in situations where the patient requests magnetic images taken of himself without reference to Article 15 of the General Data Protection Regulation. The registrar states in the report issued on 2 December 2022 that the registrar's price list mentions that the delivery of material related to the right of revision is free via the information request form or from the registry office. According to the registrar, otherwise a fee will be charged for the order. The registrar states that when the patient makes the order directly, it is not specifically asked whether it is an order related to the right of inspection. Applicable legislation The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) applies to the processing of personal data. The general data protection regulation is specified in the national data protection act (1050/2018). The right to access information is regulated in Article 15 of the General Data Protection Regulation. The procedure to be followed in exercising the right is stipulated in Article 12 of the General Data Protection Regulation. According to Article 15 of the General Data Protection Regulation, the data subject has the right to receive confirmation from the controller as to whether personal data concerning him or her is being processed, and if this personal data is processed, the right to access the personal data and to receive other information on the processing of personal data listed in more detail in Article 15, paragraph 1 of the General Data Protection Regulation. According to paragraph 3 of the article, the controller must provide a copy of the personal data being processed. If the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be submitted in a commonly used electronic format, unless the data subject requests otherwise. Article 12 paragraph 5 of the General Data Protection Regulation provides for the basic free-of-charge of information and measures based on Article 15 of the General Data Protection Regulation, as well as the grounds for charging a fee. According to the article, all information and measures based on Article 15 of the General Data Protection Regulation are free of charge. If the data subject's requests are manifestly unfounded or unreasonable, especially if they are presented repeatedly, the data controller may either charge a reasonable fee, taking into account the administrative costs arising from the delivery of information or messages or the implementation of the requested action, or the data controller may refuse to perform the requested action. In these cases, the controller must demonstrate the obvious groundlessness or unreasonableness of the request. According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. A legal issue The Deputy Data Protection Commissioner evaluates and decides the case based on the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The matter has to be resolved 1. Has the data controller charged a fee for providing copies of magnetic images to the data subject pursuant to Article 15 of the General Data Protection Regulation, as stipulated in Article 12(5) and Article 15(3) of the General Data Protection Regulation 2. Has the data controller facilitated the exercise of the right pursuant to Article 15 of the General Data Protection Regulation in accordance with Article 12(2) of the General Data Protection Regulation 3. Should the deputy data protection officer use the remedial powers provided for in Article 58, Paragraph 2 of the General Data Protection Regulation due to the questions presented above. Decision and reasons of the Deputy Data Protection Commissioner Collection of a fee when copies of magnetic images are requested pursuant to Article 15 of the General Data Protection Regulation The procedure of the registrar for collecting the fee when the request has been submitted specifically under Article 15 of the General Data Protection Regulation has been in accordance with Article 12(5) and Article 15(3) of the General Data Protection Regulation. Therefore, in this respect, the deputy data protection officer does not need to use the remedial powers provided for in Article 58, paragraph 2 of the General Data Protection Regulation. Making it easier to use the right of inspection The data controller has not complied with Article 12, paragraph 2 of the General Data Protection Regulation in its operations, because the data controller has not facilitated the exercise of the registered person's right of inspection in accordance with Article 15 of the General Data Protection Regulation. Accordingly, the data controller is given an order in accordance with Article 58, paragraph 2, subsection d of the General Data Protection Regulation to bring the processing activities into compliance with the provisions of the General Data Protection Regulation, and a notice in accordance with subsection b. The controller must inform the data subjects of the possibility to obtain a copy of their personal data pursuant to Article 15 of the General Data Protection Regulation. Reasoning This decision evaluates the general operating method of the controller. The decision does not take a position on the legality of the controller's actions regarding the processing of any individual registered request. Collection of a fee when copies of magnetic images are requested pursuant to Article 15 of the General Data Protection Regulation In the case under review, the registrar has charged a fee for handing over magnetic images to the customer, if the customer has requested magnetic images in a way other than an information request form or directly from the registry office. However, the controller has not charged a fee when the data subject has been able to identify his request based on Article 15 of the General Data Protection Regulation. According to the introductory paragraph 63 of the General Data Protection Regulation, the data subject's right to access personal data includes the data subject's right to gain access to their own health data, such as health files, which include, for example, diagnoses, examination results, assessments of attending physicians and other information regarding treatment or other procedures. In principle, the registered inspection right can be considered to cover, for example, patient documents, which are, according to Section 2 of the Patient Act (785/1992), documents prepared or received that are used in the organization and implementation of the patient's care, or technical recordings that contain information about the patient's state of health or other personal information. According to the registrar, if the patient orders, for example, a CD recording of MRI examinations directly from the imaging, then the right of inspection is not invoked and the recording is paid for. In his report, the registrar has not explained in more detail which legal section the collection of the fee is based on. As a rule, it is not possible to collect a fee from the registered person for the work input, materials or postal costs related to the implementation of the information request made by the registered person, but the charging of the fee must be based on the reasons according to Article 15, paragraph 3 and Article 12, paragraph 5 of the General Data Protection Regulation. According to Article 15, paragraph 3 of the General Data Protection Regulation, if the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. According to Article 12, paragraph 5 of the General Data Protection Regulation, if the data subject's requests are manifestly unfounded or unreasonable, in particular, if they are presented repeatedly, the controller can either charge a reasonable fee, taking into account the administrative costs of providing information or messages or implementing the requested action, or refuse to perform the requested deal with. Based on the above, the deputy data protection commissioner considers that the obligation of the data controller to provide the data subject with a copy of the personal data being processed, free of charge, also covers the magnetic images provided by health care on a CD. Based on the information received, the data controller has acted in accordance with Articles 12 and 15 of the General Data Protection Regulation when the data subject has identified a right according to Article 15 of the General Data Protection Regulation as the basis for his request. Therefore, there is no need for the deputy data protection officer to use the remedial powers provided for in Article 58, Paragraph 2 of the General Data Protection Regulation to the extent that the procedure of the data controller is to be evaluated with regard to the requests that the data subject has made specifically with reference to Article 15 of the General Data Protection Regulation. Facilitating the exercise of the right of inspection According to his report, when the patient makes an order, the registrar does not directly ask separately whether it is an order related to the right of inspection. According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22. According to introductory paragraph 63 of the General Data Protection Regulation, the data subject should have the right to access the personal data that has been collected from him, and the opportunity to exercise this right easily and at reasonable intervals, so that he can stay informed about the legality of the processing and check it. The deputy data protection commissioner states that the registered person does not need to know how to invoke a certain provision himself in order to obtain patient data free of charge based on the right of inspection, but the data controller has an obligation to facilitate the implementation of the right of inspection and to inform the registered person of how the patient data can be obtained free of charge. The registrant cannot therefore be required to familiarize himself with the price list, for example, in order to be able to submit a request for the right of inspection. Based on the above, the deputy data protection commissioner considers that the data controller has not complied with Article 12, paragraph 2 of the General Data Protection Regulation, and the data controller's procedure regarding the implementation of the inspection of the registered person's right to information has therefore not been in accordance with the General Data Protection Regulation. The controller is given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation. By default, the data controller cannot charge a fee for the delivery of magnetic images to the data subject for direct imaging, but the data controller must inform data subjects of the possibility to obtain a copy of their personal data free of charge pursuant to Article 15 of the General Data Protection Regulation. The data controller is also given a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation, because the data controller's procedure regarding informing the data subject of the exercise of the inspection right has not been in accordance with the General Data Protection Regulation. Applicable legal provisions Those mentioned in the justifications. Appeal According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court. Service The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt. The decision was made by deputy data protection commissioner Heljä-Tuulia Pihamaa. The decision is legally binding. Supervision of the deputy data protection officer The registrar states in his report on 14 October 2022 that patient information ordered through the archive is given to the patient once a year free of charge if the patient invokes the right of inspection. The deputy data protection commissioner draws the attention of the data controller to the fact that the practice according to which patient data can only be obtained once a year for free is a practice in accordance with the Personal Data Act. The Deputy Data Protection Commissioner states that this cannot be considered as a time limit for directly determining payment once the data protection regulation has entered into force. According to Article 12, paragraph 5 of the General Data Protection Regulation, if the data subject's requests are manifestly unfounded or unreasonable, especially if they are presented repeatedly, the controller can either charge a reasonable fee, taking into account the administrative costs of providing information or messages or implementing the requested action, or refuse to perform the requested action. In these cases, the controller must demonstrate the obvious groundlessness or unreasonableness of the request. According to Article 15, paragraph 3 of the General Data Protection Regulation, if the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. According to introductory paragraph 63 of the General Data Protection Regulation, the data subject should have the opportunity to use the right of inspection at reasonable intervals, so that he can stay informed about the legality of the processing and check it. Requesting patient information more than once a year cannot, in principle, be considered manifestly unreasonable in all cases. The controller must assess when inspection requests are considered to be clearly unreasonable or repetitive. According to the European Data Protection Council's guideline 01/2022 p. 54, when assessing unreasonableness, the controller should take into account, among other things - how often the information requested for review is changed, - data quality, - purpose of data processing, - whether the requests following the first request concern the same information and processing operations or different information and processing operations. You cannot apply for a change to this guidance of the deputy data protection officer by appealing.