Tietosuojavaltuutetun toimisto (Finland) - 8493/161/21

From GDPRhub
Tietosuojavaltuutetun toimisto - 8493/161/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 12(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 13(1) GDPR
Article 13(2) GDPR
Article 15 GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 25(1) GDPR
Article 58(2)(b) GDPR
Article 58(2)(c) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 23.10.2019
Decided: 16.12.2021
Published: 28.02.2022
Fine: 5000 EUR
Parties: Lääkäriklinikka Estetic Oy
National Case Number/Name: 8493/161/21
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
Helsingin hallinto-oikeus (Finland)
3620/2023
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA imposed a fine of €5,000 on a medical clinic for not implementing the data subject's access request and failing to inform data subjects about the processing of personal data.

English Summary

Facts

The Finnish DPA was notified that the controller (Lääkäriklinikka Estetic Oy, a medical clinic) had refused to provide patient records to the data subject despite an access request pursuant to Article 15 GDPR. The DPA had asked the controller to explain why it had refused to fulfil the data subject's request.

In response to the request, the controller clarified that the data subject had been treated at the controller's premises by a surgeon from another company, which is an independent controller of its patient records. The controller did not have access to that company's patient records.

The controller stated that its patients could access their personal data by visiting the controller's premises and that the personal data was not sent by email. The controller also claimed that it had already provided the requested personal data to the data subject.

Holding

On the basis of the information provided by the controller, the DPA considered that the controller had not provided sufficient explanation of which entity acted as the controller with regard to patient data that was generated during the treatment of the data subject at the controller's premises. Thus, the controller had not implemented the data subject’s right to access their personal data in accordance with Article 15(1) GDPR and Article 15(3) GDPR or informed the data subject of the reason for not taking action in accordance with Article 12(4) GDPR.

The DPA stated that the controller's practice of not sending personal data by email was unreasonable, considering that the controller shall facilitate the exercise of data subject rights pursuant to Article 12(2) GDPR. The controller had also not provided the information to the data subject within the deadline defined in Article 12(3) GDPR.

The DPA also noted that the controller's website did not contain information about the processing of personal data, such as which entity acted as the controller of patient data. The DPA considered that the controller had not fulfilled its obligation to provide data subjects with the information required by Article 12(1) GDPR, Article 13(1) GDPR and Article 13(2) GDPR regarding the processing of personal data. Therefore, the controller had not taken into account data protection by design and by default in its operations as required by Article 25(1) GDPR and had processed the personal data in violation of the transparency principle.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR and Article 25(1) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(c) GDPR, the DPA also ordered the controller to comply with the data subject's access request insofar as it concerned the personal data processed by the controller.

In addition to the reprimand and the order, the Sanctions Board of the DPA imposed an administrative fine of €5,000 on the controller pursuant to Article 83 GDPR. The Board considered the controller’s practice to be systematic, and in addition, the violation had been long-term and concerned a large number of data subjects.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decisions of the Deputy Data Protection Commissioner and Sanctions Board
Thing

The data subject's right to have access to data ("right of inspection"), informing data subjects
Registrar

Medical clinic

On 23 October 2019, a complaint regarding the registered person's right of inspection was initiated in the office of the data protection commissioner. The initiator has said that he requested his patient information from the doctor's clinic, but according to the initiator, the request has not been implemented. The request has been about the protection of natural persons in the processing of personal data and the request in accordance with Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the free movement of this data and the repeal of Directive 95/46/EC (later: General Data Protection Regulation).
The decision of the Deputy Data Protection Commissioner in the matter concerning the data subject's inspection right and the information of the data subject
Explanation and consultation received from the registrar
Request for clarification

In order to investigate the operation of the medical clinic, the Office of the Data Protection Commissioner has requested an explanation from the clinic with an explanation request dated August 25, 2020. The deadline for submitting the report has been September 8, 2020.

The medical clinic has not provided an explanation in the matter within the deadline, and the request for clarification has been sent to the medical clinic by email again on September 14, 2020. In this case, the presenter of the case has also called the doctor's clinic. On September 15, 2020, Lääkäriklinikka sent the following email to the data protection commissioner's office:

Hey

Have you already asked [the initiator] what papers he has already received? Personal patient information can be obtained, as he has, on the spot, we do not send it by e-mail.

On September 15, 2020, the Office of the Data Protection Commissioner has urged [medical clinic] by email to answer the questions raised in the clarification request. The Data Protection Commissioner's office has also asked whether [medical clinic] requires registered users who have submitted an inspection request to come to the office of [medical clinic].

The representative of the Office of the Data Protection Commissioner has been in contact with the medical clinic by phone on 21 September 2020 and has again brought up the fact that the supervisory authority's request for clarification has not been properly answered. In this context, the presenter has asked the medical clinic to deliver the answers to the questions raised in the clarification request to the data protection commissioner's office by September 25, 2020 at the latest.

On September 23, 2020, the medical clinic responded to the request for clarification. In its report, the medical clinic has said that it is aware of the registered person's right to inspection according to Article 15 of the General Data Protection Regulation, and stated that the initiator has already received all the patient documents concerning him. Lääkäriklinikka also wanted to inform the Office of the Data Protection Commissioner that the instigator's actions are only a matter of teasing.

On September 24, 2020, the initiator submitted a response to the doctor's clinic's report and submitted to the data protection commissioner's office that he has not received any of his information from the doctor's clinic.

On October 7, 2020, the Office of the Data Protection Commissioner has requested by email the medical clinic to deliver all documents within the scope of the initiator's inspection right to the Office of the Data Protection Commissioner by October 26, 2020. In this context, Lääkäriklinikka has provided the address information of the data protection authorized office as well as information about the Ministry of Justice's secure mail option and a link to the instructions for using secure mail.

On November 5, 2020, the representative of the data protection authorized office has been in contact with the medical clinic by phone, because the medical clinic had not delivered documents within the scope of the initiator's inspection right to the data protection authorized office within the deadline. The owner of the medical clinic has said that he will send the documents as a registered letter, and the presenter has discussed with the owner of the medical clinic about Article 15 of the General Data Protection Regulation and its practical application. During the call, the owner of the medical clinic has mentioned that there have been disagreements with the person who initiated the case. On 14 December 2020, the case presenter has given the medical clinic instructions over the phone to send the documents to the data protection commissioner's office via the Ministry of Justice's secure mail, and the medical clinic has stated that it will send the documents as a registered letter during the same day.

On 14 December 2020, Lääkäriklinikka has sent a document containing the following initiator's information to the registry of the data protection authorized office by e-mail:

name,
social security number,
telephone number,
address,
the date of the call request,
the date of the call,
the date of the reception visit,
the date of the procedure,
the date of the procedure,
the date of the reception visit,
the date of the reception visit

The representative of the data protection authorized office has contacted the medical clinic by phone on 23 December 2020 and asked for confirmation of sending the letter containing patient information and its follow-up information. The person who introduced himself as the secretary did not discuss the matter in more detail at that time, and according to the secretary, the other staff would be there next time on 28 December 2020. On 23 December 2020, the Office of the Data Protection Commissioner has also asked the medical clinic by email to confirm that the letter has been sent, and to provide the Office of the Data Protection Commissioner with the tracking number of the shipment.

On December 31, 2020, a new clarification request from the data protection authorized officer's office was sent to the medical clinic by email, in which copies of patient documents and photographs of the initiator have been requested to be delivered to the data protection authorized officer's office by January 15, 2021 at the latest. Lääkäriklinikka has not submitted information to the data protection commissioner's office within the deadline.

The representative of the Office of the Data Protection Commissioner has called the medical clinic on February 3, 2021 to discuss the incompleteness of the case and the incomplete documents submitted to the Office of the Data Protection Commissioner. The owner of the medical clinic was not there at the time, and the discussion about the problems related to the implementation of the inspection request was held with the employee who answered the call. On February 3, 2021, Lääkäriklinikka contacted the Data Protection Commissioner's office via email and said that the requested information has already been sent to the Data Protection Commissioner's office via a secure connection and a receipt has been received. The data protection commissioner's office has responded to the doctor's clinic's message on the same day and pointed out that the data protection commissioner's office has not been provided with the initiator's patient documents, but only the basic information about the client submitted on December 14, 2020. The medical clinic has responded to this during the same day as follows:

You have been sent the [doctor's clinic] [initiator's] information about customer entries. Patient documents are available from the party that operated on him and consulted with him, with whom he had a treatment relationship (XX OY, [surgeon], I do not have access to XX OY's patient register.)

On February 3, 2021, the data protection commissioner's office notified the initiator of the doctor's clinic's response. On February 3, 2021, the initiator told the data protection commissioner's office that he was not aware that, according to the medical clinic's opinion, the information should have been requested from the attending physician. In this context, the initiator has said that he has also visited the reception of the owner of the medical clinic.

The Office of the Data Protection Commissioner has inquired from the medical clinic by e-mail on February 3, 2021, which entity it considers to be the personal data controller for the clinic owner's office visits, and has asked the medical clinic to provide an answer to this question by February 8, 2021 at the latest. Lääkäriklinikka has not been in contact with the data protection commissioner's office since then.
Hearing

The medical clinic has been reserved the opportunity referred to in § 34 of the Administrative Act (434/2003) to be heard and to express its opinion on the matter and to give its explanation of such demands and explanations that may affect the resolution of the matter. At the same time, the medical clinic is given the opportunity to bring up such matters as referred to in Article 83, paragraph 2 of the General Data Protection Regulation, which, according to the medical clinic's opinion, should be taken into account when making a decision. For this purpose, a request for consultation and a request for additional clarification have been sent to Lääkäriklinika on August 6, 2021 electronically and by ground mail, to which it has been asked to respond by September 3, 2021. Lääkäriklinikka has not responded to the consultation request or request for additional clarification. In the consultation request, the medical clinic has been informed that the matter can be resolved, even if the medical clinic does not submit its answer by the end of the deadline.
Background information
Service description

Lääkäriklinikka is a company offering health services, whose services include, for example, laser and injection treatments as well as face and body cosmetic surgery procedures.
Sales

The turnover of the medical clinic in the financial period 1 September 2019 – 31 August 2020 has been approx. 500,000 euros.
On applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (data protection regulation) has been applied since 25 May 2018. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The general data protection regulation is specified by the national data protection act (1050/2018), which has been applied since January 1, 2019. The previously valid Personal Data Act (523/1999) was repealed by the Data Protection Act.

According to introductory paragraph 63 of the General Data Protection Regulation, the data subject's right of inspection includes the data subject's right to access his or her own health data, such as health files, which include, for example, diagnoses, examination results, assessments of attending physicians and other information regarding treatment or other procedures.

Article 5(1)(a) of the General Data Protection Regulation provides for the principle of transparency. According to the article, personal data must be processed in accordance with the law, appropriately and transparently from the point of view of the data subject ("lawfulness, reasonableness and transparency").

Articles 12–14 of the General Data Protection Regulation provide for informing data subjects, the implementation of which falls under the duties of the data controller. By informing registrants about the processing of personal data, the controller also implements the principle of transparency in Article 5(1)(a) of the General Data Protection Regulation.

Article 12 of the General Data Protection Regulation contains procedural regulations regarding, for example, transparent information and the use of the data subject's rights. According to Article 12(1), the controller must take appropriate measures to provide the data subject with the information in accordance with Articles 13 and 14 and all processing information in accordance with Articles 15-22 and 34 in a concise, transparent, easily understandable and accessible form in clear and simple language, especially when the information is intended especially for the child. The information must be submitted in writing or in another way and, as the case may be, in electronic form. If the data subject requests it, the information can be given verbally, provided that the identity of the data subject has been confirmed in another way.

According to Article 12, paragraph 2 of the General Data Protection Regulation, the data controller must facilitate the exercise of the data subject's rights according to Articles 15–22.

According to Article 12, paragraph 3 of the General Data Protection Regulation, the data controller must provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15–22 without undue delay and in any case within one month of receiving the request. If necessary, the deadline can be extended by a maximum of two months, taking into account the complexity and number of requests. The controller must inform the data subject of such a possible extension within one month of receiving the request and the reasons for the delay. If the data subject submits the request electronically, the information must be submitted electronically as far as possible, unless the data subject requests otherwise.

According to Article 12, paragraph 4 of the General Data Protection Regulation, if the data controller does not take measures based on the data subject's request, the data controller must inform the data subject immediately and no later than one month after receiving the request of the reasons for doing so and inform about the possibility of filing a complaint with the supervisory authority and using other legal remedies.

Article 13 of the General Data Protection Regulation stipulates the information to be provided when personal data is collected from the data subject. According to paragraph 1 of the article, when collecting personal data concerning him from the registered person, the controller must, when the personal data is obtained, provide the registered person with all the information according to Article 13, paragraph 1, subparagraphs a–e. This information includes, for example, information about the identity of the controller (subsection a).

According to Article 13, paragraph 2 of the General Data Protection Regulation, in addition to the information referred to in Article 13, paragraph 1, when personal data is obtained, the data controller must provide the data subject with additional information according to Article 13, paragraph 2, subparagraphs a-f, which is necessary to guarantee appropriate and transparent processing. This information includes, for example, information about the data subject's right to request access to his personal data from the controller (subsection b).

According to Article 15 of the General Data Protection Regulation, the data subject has the right to receive confirmation from the data controller that personal data concerning him or her is processed or that it is not processed, and if it is processed, the right to access the personal data and the information in accordance with Article 15, paragraph 1, subparagraphs a–h. According to paragraph 3 of the article, the controller must provide a copy of the personal data being processed. If the data subject requests more than one copy, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be submitted in a commonly used electronic format, unless the data subject requests otherwise.

The grounds for limiting the registered inspection right according to Article 15 of the General Data Protection Regulation are additionally provided for in Section 34 of the National Data Protection Act (1050/2018).

According to Article 25(1) of the General Data Protection Regulation, taking into account the state-of-the-art technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the risks caused by the processing, which vary in probability and severity, to the rights and freedoms of natural persons, the controller must effectively implement the data protection principles in connection with the determination of the processing methods and the processing itself, such as data minimization, appropriate technical and organizational measures for the implementation, such as pseudonymization of data and the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected.
A legal question

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The following must be assessed:

1. has the medical clinic implemented the initiator's right to inspect personal data according to Article 15 of the General Data Protection Regulation, and has the medical clinic's procedure in handling the inspection request been in accordance with data protection regulations (15(1), 15(3), 12(3) and 12(4) of the General Data Protection Regulation articles, Section 34 of the Data Protection Act)

2. has the medical clinic implemented the personal data inspection requests in accordance with Article 15 of the General Data Protection Regulation without interfering with the exercise of the data subject's rights (Article 12(2) of the General Data Protection Regulation)

3. has the medical clinic's information to the data subjects met the requirements of the data protection regulation and, in particular, has the medical clinic properly informed the data subjects of the extent to which it acts as a data controller (5(1)(a), 12(1), 13(1) of the General Data Protection Regulation, Articles 13(2) and 25(1))
Decision of the Deputy Data Protection Commissioner
The notice and order bring processing operations into compliance with the General Data Protection Regulation

The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the initiator's request for access to data insofar as it concerns data whose data controller is a medical clinic.

The Deputy Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing operations into compliance with the provisions of the General Data Protection Regulation with regard to the procedures related to the exercise of the rights of the data subjects and the information of the data subjects.

The Deputy Data Protection Commissioner gives the data controller a notice in accordance with Article 58, Paragraph 2, subparagraph b of the General Data Protection Regulation regarding processing activities contrary to the provisions of the General Data Protection Regulation in exercising the data subject's rights and informing data subjects.

The deputy data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders a report on the measures taken to be submitted to the data protection commissioner's office by February 15, 2022, or no later than six weeks after notification of the decision, unless it applies for an amendment to this decision.
Administrative penalty fee

According to Section 24 of the Data Protection Act, the administrative fine stipulated in Article 83 of the General Data Protection Regulation (administrative penalty fee) is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners. The matter concerning the medical clinic is given to the sanctioning board to decide. The Sanctions Board must therefore assess whether the controller must be subject to an administrative penalty in accordance with Article 58(2)(i) of the General Data Protection Regulation in addition to the notice and order given by the Deputy Data Protection Commissioner.
Reasons for the decision
The data subject's right to access information

The Office of the Data Protection Commissioner has asked the medical clinic for an explanation of how it has implemented the personal data inspection request submitted by the initiator, in accordance with Article 15 of the General Data Protection Regulation. Lääkäriklinikka has submitted in its report to the data protection commissioner's office on 23 September 2020 that the initiator has already received all the patient documents concerning him. The initiator, on the other hand, has stated in his response to the data protection commissioner's office that he has never received any of his patient information from the medical clinic. The data protection commissioner's office has then asked the medical clinic to deliver the information covered by the initiator's inspection right to the data protection commissioner's office.

On 14 December 2020, Lääkäriklinikka submitted the initiator's basic information to the Data Protection Commissioner's office, and in this context it has not explained its view of the data controller regarding the initiator's patient data, or presented an explanation that, according to its understanding, any other data controller has carried out a request for inspection of personal data regarding the initiator's visits to the medical clinic. After this, the medical clinic has not answered the data protection authorized office's questions regarding record keeping, and it has thus remained unclear, for example, which entity, according to the medical clinic's opinion, is the data keeper of the patient data that were created in connection with visits to the medical clinic's owner's office.

The Deputy Data Protection Commissioner notes that on September 23, 2020, the medical clinic submitted to the data protection commissioner's office that the initiator has already received all patient documents concerning him. On 14.12.2020, Lääkäriklinikka has told that the initiator's patient documents are available from another company (XX Oy), which is their data controller. The report given by the Lääkäriklinika in the case has therefore contained contradictions regarding key aspects related to the implementation of the registered inspection right.

Lääkäriklinikka has not provided an explanation as to which entity is the registrar of the patient data that were created when the initiator visited the doctor's clinic owner's office. Based on the report obtained in the case, there are therefore no grounds to come to any other conclusion than that the medical clinic is at least in the position of the data controller with regard to this data, and the medical clinic has not provided the data protection commissioner's office with any other explanation in this regard. At this point, it can be noted that the regional administrative agency has granted the doctor's clinic a permit to provide health care services as defined in the Act on Private Health Care (152/1990). The license covers, among other things, doctor's reception and surgery services. This supports the fact that the doctor's clinic can be considered a data controller.

The Deputy Data Protection Commissioner considers that, based on the report obtained in the case, the medical clinic has not implemented the initiator's access to his own personal data in accordance with Article 15, paragraphs 1 and 3 of the General Data Protection Regulation, or informed the initiator of the reason for restricting the right of inspection in accordance with Article 12(4) of the General Data Protection Regulation. Based on the report obtained in the case, the controller has also not complied with the deadlines in accordance with Article 12(3) of the General Data Protection Regulation in processing the request submitted by the initiator.

Based on the above, the deputy data protection commissioner considers that the medical clinic's procedure in implementing the registered right of inspection has not met the requirements from the data protection regulation, and the initiator's access to his personal data has not been implemented as required by law.
The duty of the data controller is to facilitate the exercise of the data subject's rights

On September 15, 2020, Lääkäriklinikka explained to the data protection commissioner's office that "Individual patient data can be obtained, as [the initiator] has, on the spot, we do not send them by e-mail".

The Deputy Data Protection Commissioner considers that the requirement to arrive at the data controller's office in order to obtain information covered by the right of inspection has been a regular operating procedure. It is also known that the registrar has not used an alternative method of operation. The Deputy Data Protection Commissioner considers that the data controller's practice can be considered unreasonably difficult for the data subject, taking into account that the data controller must facilitate the exercise of the data subject's rights according to Articles 15-22 of the General Data Protection Regulation (Article 12(2) of the General Data Protection Regulation). Harassment has been particularly evident for those registered who do not live near the controller's office. In addition, attention must be paid to the fact that in order to exercise his rights, the data subject must visit the office of the data controller during its opening hours.
Informing registered users

In the case currently being evaluated, the data controller has not provided an explanation of how it informs the data subjects about the processing of personal data and, in particular, of matters related to the data controller. There is no information available on the website of the registrar about the processing of personal data.

In accordance with the principle of transparency (Article 5(1)(a) of the General Data Protection Regulation), information related to the processing of personal data should be easily accessible, and the principle of transparency applies in particular, for example, to information about the identity of the data controller and the right of data subjects to receive confirmation and notification of the processing of their personal data. The information provided on the website should be available and visible on all pages of the website, so that the data subject can see the information with one click.

Since in the case no explanation has been received from the data controller on how it has taken care of informing the data subjects, based on the information otherwise received by the data protection authorized office in the case, it must be considered that the data controller has not fulfilled its obligation to provide the data subjects with the information required by Article 12(1) and Article 13, paragraphs 1 and 2 of the General Data Protection Regulation information on the processing of personal data. The Deputy Data Protection Commissioner pays special attention to the fact that the medical clinic does not inform registered users about the extent to which it functions as a registrar of patient data generated in the medical clinic's operations. Based on the report obtained in the case, the medical clinic has also not assessed whether its actual way of processing personal data is such that it acts as joint data controller in some respects. The deputy data protection commissioner further notes that the initiator who initiated the case has remained unaware of the role of the medical clinic in the processing of his personal data, and the medical clinic has also not properly explained these matters to the supervisory authority.

In addition, it must be assessed whether the requirements of built-in and default data protection have been fulfilled in the operation of the medical clinic (Article 25 of the General Data Protection Regulation). Article 25(1) of the General Data Protection Regulation requires that the data controller should consider data protection in its operations from the beginning. The deputy data protection commissioner considers that the medical clinic has not followed an approach in its operations in which data protection is taken into account as a key factor in the processing of personal data from the beginning, and the medical clinic has not effectively implemented the measures required to implement the data protection principles (transparency, Article 5(1)(a) of the General Data Protection Regulation) in connection with the processing.

According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel formed by the data protection commissioner and deputy data protection commissioners, which has issued the following decision on imposing the penalty fee.
Sanctions board's decision on an administrative fine (administrative penalty payment)
Registrar

Medical clinic
Decision of the Sanctions Board

The Sanctions Board considers that the notice issued by the Deputy Data Protection Commissioner, the notice pursuant to Article 58, paragraph 2, subparagraph b, and the order pursuant to subparagraph d, of the General Data Protection Regulation are not a sufficient sanction, taking into account the nature and seriousness of the violation.

The sanctioning panel formed by the data protection commissioner and deputy data protection commissioners orders the data controller to pay the state an administrative penalty fee of 5,000 (five thousand) euros pursuant to article 58, paragraph 2, subparagraph i and article 83 of the general data protection regulation.
Reasons for imposing an administrative penalty

Article 83 of the General Data Protection Regulation provides for the general conditions for imposing administrative fines. According to the article, the imposition of administrative fines must be effective, proportionate and dissuasive in each individual case. Administrative fines are imposed according to the circumstances of each individual case in addition to or instead of the remedial powers provided for in Article 58. When deciding on the imposition of an administrative fine and the amount of the administrative fine, the factors listed in Article 83, Paragraph 2 of the General Data Protection Regulation must be taken into account in each individual case.

When evaluating the matter, the instructions of the data protection working group in accordance with Article 29 on the application and imposition of administrative fines are also taken into account.

In the case in question, it has been deemed that the data controller, by not taking care of the data subject's rights and obligation to inform, has violated articles 5(1)(a) (principle of transparency), 12(1–4) (transparent information, communication and detailed rules for the use of the data subject's rights) of the General Data Protection Regulation for), 13(1–2) (information to be provided when personal data is collected from the data subject), 15(1) and (3) (the data subject's right to access data) and 25 (built-in and default data protection).
The nature and seriousness of the breach

The nature and seriousness of the violation is assessed in light of the factors according to Article 83(2)(a) of the General Data Protection Regulation.

The matter is not a minor violation referred to in preamble paragraph 148 of the General Data Protection Regulation, and the violation aimed at the exercise of the data subject's rights poses a significant risk to the data subject's rights in the case being evaluated and affects the essential content of the violated obligations. The scope and purpose of the data processing also support the evaluation of the violation as serious, so that the notice according to Article 58, paragraph 2, subparagraph b and the order according to subparagraph d of the General Data Protection Regulation cannot be considered as a sufficient sanction for the data controller.

According to information from the company and community information system maintained by the Finnish Patent and Registration Board and the Tax Administration, the medical clinic has been in the trade register since spring 2009. The domain name www.[clinic name].fi was registered in the winter of 2013 according to the company and community information system. In this case, it must be considered very unlikely that the information of the registered persons, for example through the website of the data controller, would have been properly taken care of before the start of the investigation work of the data protection authorized office. In the matter, it must also be considered very unlikely that the data controller would have implemented the data subject's access to their own personal data in a way other than the one presented now (the documents must be picked up at the office) before 2019 (the time when the matter was initiated). In addition, when assessing the duration of the violation, it must be taken into account that the inspection request made by the initiator in 2019 has still not been properly implemented. The grievances regarding the systematic operation have thus clearly existed longer than the period of application of the General Data Protection Regulation, and the violation is still ongoing. The time spent in processing the initiator's inspection request must also be taken into account. The long-term nature of the violation must be considered a justification for imposing an administrative penalty.

The supervisory authority does not have information on the number of registered users. However, the disciplinary board considers, based on the data controller's turnover data, operating hours and the nature of the activity, that the data controller processes the personal data of numerous registered users and that the violation has been systematic, not isolated. The systematic nature of the violation and its impact on numerous data subjects should be taken into account as grounds for imposing an administrative penalty.

According to the data available to the Data Protection Commissioner's office, the data subjects have not suffered concrete financial or other material damage as a result of the violation in question. However, the occurrence of material damage is not a prerequisite for imposing a fine, and the data subject can also, for example, demand compensation according to Article 82 of the General Data Protection Regulation, regardless of the imposition of a fine.

In the evaluation of damages caused to registered persons, the decision of the Supreme Court KKO:1998:85 must also be taken into account, where informed self-determination has been emphasized and stated that the wording of the personal registration offense referred to in Section 43 of the Personal Registration Act (471/1987), which has since been repealed, showed that violating the protection of privacy by knowing self-determination as a contrary procedure meant causing the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The condition is not the occurrence of financial or other material damage per se, although the occurrence of such damages is taken into account in accordance with the provisions of Article 83, paragraph 2, letter a of the General Data Protection Regulation, when imposing an administrative penalty fee and deciding on its amount. The controller must therefore be considered to have violated the rights of the data subjects according to the General Data Protection Regulation, as a result of which the data subjects have suffered damage.
Assessment of aggravating and mitigating factors
Intentional or negligent breach

The initiator has submitted a request to the medical clinic regarding the rights of the registered person in 2019. The medical clinic has not taken appropriate measures as a result of the request, and it has not given the initiator an explanation of the extent to which it acts as a data controller in the case. In addition, it can be seen from Lääkäriklinika's indifferent attitude towards fulfilling its obligations that it has not found out about the data controller's obligations from the General Data Protection Regulation. In this regard, it would seem to be a lack of understanding and carelessness, as a result of which the rights of the data subjects have not been implemented as required by law. Consequently, no extenuating circumstances can be found for the activities of the registrar in this regard. The registrar's disregard for data protection regulations must be considered an aggravating factor in the case.
Actions taken by the registrar to mitigate the damage caused to the data subjects

In the assessment of damages caused to registered persons, the decision of the Supreme Court KKO:1998:85 must be taken into account, which emphasized informed self-determination and stated that the wording of the personal registration offense referred to in Section 43 of the Personal Registration Act (471/1987), which has since been repealed, showed that violating the protection of privacy as a violation of informed self-determination as a procedure meant causing the damage or harm required by law. This is still true. A mere breach of privacy means causing harm or inconvenience. The condition is not the occurrence of financial or other material damage per se, although the occurrence of such damages is taken into account in accordance with the provisions of Article 83, paragraph 2, letter a of the General Data Protection Regulation, when imposing an administrative penalty fee and deciding on its amount. In the selection of the type, it has therefore been taken into account that the data controller must be considered to have violated the rights of the data subjects according to the General Data Protection Regulation, as a result of which the data subjects have suffered damage.

Regarding the measures taken by the data controller to mitigate the damage, it can be stated that the data controller has not taken any steps to mitigate the damage caused to the data subject. The registrar's inactivity in these respects must be considered an aggravating factor in the case.
The degree of responsibility of the controller, taking into account the technical and organizational measures taken by it under Articles 25 and 32

The controller has not implemented technical and organizational measures that would have ensured the implementation of built-in and default data protection at all organizational levels. The registrar has not ensured that it has appropriate procedures in place for the exercise of the registered right of inspection, and it has not taken into account the risk to the rights of natural persons caused by the lack of procedures. In addition, the controller has not implemented processes to properly inform the data subjects about the processing of personal data. It was a systematic error by the registrar. Neglect of appropriate technical and organizational measures must be considered an aggravating factor in the case.
Cooperation with the supervisory authority

The registry keeper's cooperation with the supervisory authority has been insufficient, and it has not shown initiative in the matter to investigate the matter. The controller has not responded appropriately to the supervisory authority's clarification requests, and it has not, for example, responded to the clarification request submitted to it on December 31, 2020, or to the consultation and additional clarification request submitted on August 6, 2021 at all. The registry keeper's passivity when investigating the matter must be considered an aggravating factor.
Personal data groups affected by the breach

The controller is a company providing health services that processes data belonging to special personal data groups (Article 9 of the General Data Protection Regulation). Inspection requests for patient data are directed to sensitive data, related to the registered person's health. In the case of patient data, the implementation of the registered inspection right is also of particular importance in terms of the confidential patient relationship and the patient's right to self-determination. The focus of data processing on health information must be considered an aggravating factor in the case.
The way in which information about the violation came to the attention of the supervisory authority

The information has come to the supervisory authority through a complaint, not from the data controller's own notification. Therefore, there are no mitigating factors in this regard.
Summary and the amount of the administrative fine

According to Article 83(1) of the General Data Protection Regulation, the fine must be effective, proportionate and dissuasive. The assessment is made based on the circumstances of each individual case. When examining an individual case, it must be assessed whether the aim is only to change the activity to comply with the law, or whether it is justified to set the goal of punishing the controller for illegal activity. Regarding the amount of the fine, on the other hand, it must be taken into account whether the violation concerns the articles of the General Data Protection Regulation listed in Article 83(4) of the General Data Protection Regulation or Article 83(5) of the Regulation. Grading into two different categories forms the framework for setting the maximum amount of the fine, and the general data protection regulation does not specify fine amounts by type of violation, for example. In turn, the combined effect of all factors mentioned in Article 83(2) is taken into account in the assessment of the seriousness of the violation.

In the case of the medical clinic, it is justified to set the goal of both making the operation legal and drawing the attention of the registrar to the illegality of the method of operation with a financial penalty. The violation has been long-lasting in terms of making it difficult for the registrant to exercise his rights and providing insufficient information to the registrants, and considering the turnover data, it can be reasonably assumed to have affected a large number of registrants. In addition, the controller has not taken appropriate measures to implement the initiator's inspection right, even at the request of the supervisory authority. Therefore, the background of the violation can be considered to be the controller's disregard for compliance with the data protection regulation in the individual case of the last-mentioned initiator. In the case of the other mentioned points, it can be considered to be either the controller's lack of understanding or disregard for the data protection regulation's obligations to the controller. In the case of Lääkäriklinika, simply bringing the operation into compliance with the requirements of the data protection regulation cannot be considered sufficient. This point of view is also strongly supported by the reluctance of the data controller to cooperate with the supervisory authority, as well as the fact that it has been a violation of the regulation on the rights of the data subject and the data protection principles according to Article 5 of the General Data Protection Regulation. The registrar has not taken appropriate measures to correct the deficiencies, and the registrar's attitude towards the investigative work carried out by the supervisory authority has been indifferent.

In the case of Lääkäriklinika, the upper limit of the fine in euros is formed in accordance with Article 83(5) of the General Data Protection Regulation, because the violation targets both Article 83(4) of the General Data Protection Regulation (violated articles: Article 25) and Article 83(5) of the General Data Protection Regulation ( violated articles: 5, 12, 13 and 15) to regulations. Non-fulfillment of the obligations arising from Articles 5, 12, 13 and 15 must thus be assessed as a more serious violation, and it is possible to apply Article 83(5) of the General Data Protection Regulation when determining the overall penalty. In the amount of the fine, it must be taken into account that it fulfills the requirement of Article 83(1) of the General Data Protection Regulation regarding the warning effect of an administrative fine.

As aggravating factors, the controller's passivity in handling the case, the controller's passivity in taking corrective measures, the controller's passivity in implementing appropriate technical and organizational measures, the controller's passivity in mitigating the damage caused to the data subject, the controller's disregard for data protection regulations, the systematicity of the breach, and the targeting of the breach to data belonging to special personal data groups must be taken into account in the assessment. (concerning health information). In accordance with Article 83(5)(b) of the General Data Protection Regulation, an administrative fine of up to EUR 20,000,000 or, in the case of a company, four percent of the leaked total global turnover of the previous financial year is imposed in accordance with paragraph 2 for the violation of the rights of registered persons according to Articles 12 to 22 , whichever of these amounts is greater. Even though the General Data Protection Regulation has been applied on 25 May 2018, and the Personal Data Act has not contained a corresponding fine provision, it is possible to impose a fine for a so-called continuous violation and thus it is also possible to take into account a violation prior to the start of the application of the General Data Protection Regulation.

In the consultation request delivered to the data controller on August 6, 2021, the data controller has been informed that the matter can be resolved even if the data controller does not submit an answer by the end of the deadline.

The decision to impose an administrative fine has been made by the members of the data protection commissioner's sanctioning board.