Administrative fine imposed on psychotherapy provider for shortcomings in fulfilling the client's right of access to data
In early September, the Office of the Data Protection Ombudsman's Sanctions Board imposed an administrative fine of 1,600 euros on a company offering psychotherapy services. The company had not provided its client with a reason for why it could not deliver the patient records for the client's psychotherapy sessions.
A client of the psychotherapy provider had requested access to their data on several occasions in 2017–2019. However, the client never received any justification for why the data could not be delivered. The client had made requests to the psychotherapy provider both personally and through a third party.
In its report to the Office of the Data Protection Ombudsman, the psychotherapy provider admitted that it had not fulfilled the client's right of access to data as required by the General Data Protection Regulation. In its decision, the Sanctions Board paid particular attention to the fact that the Office of the Data Protection Ombudsman had given the psychotherapy provider guidance for replying to the client's request already in 2020. The company delivered the information to the client in April 2021.
A controller is required to reply to the data subject without delay and at the latest within one month of receiving the request. If necessary, the deadline for replying to the request can be extended by at most two months. If the controller refuses to fulfil the request, it must notify the data subject of this within one month and state the reasons for its refusal.
”It is important that the data subject is told the reasons for refusal without delay so that they can amend their request if necessary or refer the matter to the Office of the Data Protection Ombudsman for assessment”, says Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa.
The Sanctions Board notes that the duty of care and responsibility for fulfilling the data protection rights of the data subject are emphasised in psychotherapy services. Psychotherapy clients may be in a vulnerable position and are not necessarily able to monitor the fulfilment of their data protection rights.
The imposition of an administrative fine was supported by the intentionality of the company's actions and the damage caused to the client. The client's legal action had been hindered by the delay in delivering the information. They had also incurred financial losses from having to engage a third party. The isolated nature of the violation was taken into account as a mitigating circumstance in the decision.
In addition to the administrative fine, the Deputy Data Protection Ombudsman reprimanded the company for the shortcomings in fulfilling the right of access. The decision is not yet final.
Further information:
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, puh. +358 29 566 6787
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.