ROMANIAN SUPERVISORY AUTHORITY: Penalty for GDPR violation

In December 2022, the National Supervisory Authority completed two investigations, one at a dental practice and one at a dentist who collaborates with that practice, both operators of personal data.

Thus, it was found that:

  1. the operator Dent Estet Clinic SA violated the provisions of art. 33 of Regulation (EU) 2016/679; a fine of 4,919.2 lei (the equivalent of 1000 EURO) and a corrective measure were applied;
  2. the dentist operator, collaborator of Dent Estet Clinic SA, violated the provisions of art. 6 para. (1) lit. a) and of art. 9 para. (2) lit. a) of Regulation (EU) 2016/679 in conjunction with art. 12-14 of the same normative act; a fine of 4,919.2 lei (the equivalent of 1000 EURO) and a corrective measure were applied.

The investigations were started as a result of a complaint submitted by a person concerned, who complained that the operators Dent Estet Clinic SA and the collaborating doctor had disclosed his health data online.

During the investigations, it was found that the operators had disclosed, by publishing an article on a specialized blog, medical information regarding the orthodontic treatment of the petitioner to the Authority, consisting of a set of photographs and radiographs that could be correlated with the person's name. This information was published for both scientific and commercial purposes.

It was found that the operator Dent Estet Clinic SA, although informed by the petitioner himself about the unauthorized disclosure of his personal data regarding his state of health, did not notify the National Supervisory Authority within 72 hours from the date on which it became aware of the security breach, thus violating art. 33 of Regulation (EU) 2016/679.

A corrective measure was also applied to the operator Dent Estet Clinic SA: to bring its personal data processing operations into compliance with Regulation (EU) 2016/679 by implementing technical and organizational security measures appropriate to the specifics of the processing and the identified risks, throughout the data processing cycle. The measure covers the appropriate training of authorized persons and other persons who process data under its authority, compliance with the conditions of legality of the processing, and full information of the persons concerned.

At the same time, the National Supervisory Authority found that the collaborating dentist operator processed, including through use and disclosure, personal data regarding the state of health of the person concerned in an article posted on the personal blog, without presenting evidence of having obtained the express consent of the person involved and without informing him beforehand, thus violating the provisions of art. 6 para. (1) lit. a) and art. 9 para. (2) lit. a) of Regulation (EU) 2016/679, combined with the provisions of art. 12-14 of the same normative act.

A corrective measure was also applied to the dentist operator: to bring personal data processing operations into compliance with Regulation (EU) 2016/679, so that patients' personal data is processed in strict compliance with the legal provisions regarding the provision of medical services and personal data protection. In addition, where patients' personal data is used for other purposes, the operator was ordered to comply with all the conditions of legality of the processing and of information of the persons concerned, depending on the purposes of the processing and the categories of data processed, taking the necessary measures for anonymization or pseudonymization of the data, where appropriate.

https://www.dataprotection.ro/index.jsp?page=Comunicat_Presa_31_01_2023_1&lang=ro
