Administrative fine imposed on medical clinic for shortcomings in implementing rights of a data subject
The Office of the Data Protection Ombudsman has imposed an administrative fine on a medical clinic for failure to comply with the provisions of the General Data Protection Regulation. The medical clinic had not implemented the customer’s right to inspect their patient records in an appropriate manner, and its approach to implementing these rights was deficient. Nor did the clinic clearly specify the data in respect of which it acted as a controller.
The customer of the medical clinic who complained to the Office of the Data Protection Ombudsman stated that they had not received their patient records from the clinic. The Office of the Data Protection Ombudsman requested information from the clinic on which party it deemed to be the data controller for patient records relating to medical appointments of the clinic's owner. The clinic did not, however, provide an appropriate statement regarding the matter.
The Deputy Data Protection Ombudsman considers that the clinic failed to implement the customer’s right to inspect their own data in accordance with the General Data Protection Regulation or to give a reason for restricting this right.
The clinic also failed to inform its customers in an adequate manner about the processing of personal data. The Deputy Data Protection Ombudsman draws particular attention to the fact that the clinic did not inform its customers of the extent to which it acted as the controller for patient records generated in its operations.
The Deputy Data Protection Ombudsman issued the company a reprimand for violating the General Data Protection Regulation and ordered it to change its procedure to comply with the data protection regulations on informing data subjects and implementing their rights. The Sanctions Board imposed an administrative fine of EUR 5,000 on the company. The Board considers the company's practice to be systematic, in addition to which the violation was long-standing and affected a large number of data subjects.
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, tel. 029 56 66787
The decision-making of the Sanctions Board and the legal protection of controllers are provided for in the Finnish Data Protection Act. The Sanctions Board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company's turnover or EUR 20 million.