Persónuvernd (Island) - 2025020471
Icelandic DPA found a doctor unlawfully accessed medical records but issued no fine.
Summary
The Icelandic DPA (Persónuvernd) investigated a complaint about a doctor accessing a data subject's medical records without authorization. The DPA determined that while some searches were legitimate due to a therapeutic relationship, others lacked a valid legal basis under GDPR. Despite the violation, no fine or warning was issued due to proportionality considerations.
Full text
Persónuvernd - 2025020471
Authority: Persónuvernd (Island)
Jurisdiction: Iceland
Relevant Law: Article 6(1) GDPR, Article 9(2) GDPR
Type: Complaint
Outcome: Other Outcome
Started: 12.09.2023
Decided: 12.05.2026
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2025020471
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Icelandic
Original Source: Persónuvernd (in IS)
Initial Contributor: ds

The DPA held that a doctor unlawfully accessed a data subject's medical records without proving a valid legal basis, but took no corrective measure due to proportionality considerations.

English Summary
Facts
On 12 September 2023, a data subject filed a complaint with the Icelandic DPA against a doctor (the controller). The controller had a family connection to the data subject, as he was the father of the mother of the data subject's child. The data subject alleged that the controller accessed his medical records without authorisation on multiple occasions between 19 October 2017 and 1 May 2021, specifically on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019, 20 August 2019, 28 April 2020, 14 September 2020, 15 September 2020 and 1 May 2021. The data subject argued that the controller was neither his doctor nor had he ever treated him as a patient. Additionally, the data subject noted that these unauthorised search queries occurred while he was in a relationship with the controller's daughter.

The DPA asked the controller and the Landspítali Hospital for their submissions, since the controller was a doctor at the hospital during that period. The hospital stated that the data subject sought medical assistance on three occasions (on 20 August 2019, 28 April 2020 and 1 May 2021). It noted that the processing of his personal data on these occasions was legitimate, as it was for his health benefit, at his request, and based on the therapeutic relationship between doctor and patient. The hospital added that it could not confirm the lawfulness or proper authorisation of the other searches. The controller stated that from 2017 to 2021 he worked at the hospital and had access to the medical records system via hospital computers and by remote access from his own computer, particularly during night shifts. He pointed out that he often assisted close relatives and their families with both major and minor health issues. Moreover, he claimed that during the period when the data subject was related to him, the data subject also sought and received similar medical advice and assistance from him. He presented screenshots of their communications during this time showing interactions regarding medical advice and services. The controller maintained that all searches were conducted in accordance with the data subject's requests for medical assistance and were necessary for that reason.

Holding
The DPA first examined the question of controllership for the processing of the medical records. It distinguished between searches attributable to the hospital and searches for which the doctor himself was responsible as controller. The DPA concluded that the hospital should be considered the responsible party for searches of medical records conducted by healthcare personnel involved in a patient's treatment. On that basis, it ruled that the three searches conducted on 20 August 2019, 28 April 2020 and 1 May 2021 were lawful, noting that they were carried out in connection with medical assistance sought by the data subject and within the doctor's professional role at the hospital.

For the remaining searches, the DPA ruled that, since they either occurred outside the hospital or lacked a clear health reason documented in the data subject's medical records, the doctor should be held responsible as controller for the relevant processing. The DPA accepted that informal medical advice had been provided in some instances, but stressed that this could not by itself justify access to the data subject's medical records: the doctor, as controller, still had to demonstrate a valid legal basis and necessity for each specific search. Accordingly, it held that the controller had not clearly proven that the relevant search queries in the data subject's medical record rested on a legal basis under Article 6(1) GDPR and Article 9(2) GDPR. Although the controller had violated these provisions, the DPA decided not to issue a warning or impose a fine on proportionality grounds, taking into account that the doctor had, in some instances, provided medical advice or services to the data subject at his request.

English Machine Translation of the Decision
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.

The Data Protection Authority ruled in a case where a complaint was made about a specialist doctor's searches of an individual's medical record. The case concerned whether the searches had been necessary for medical treatment or advice and who was responsible for them. The Data Protection Authority concluded that three searches, which were related to the complainant's prescription and treatment, had been in compliance with Act No. 90/2018 and Regulation (EU) 2016/679. Landspítali was considered the controller of that processing. However, the other searches were not considered sufficiently explained. It was not demonstrated that the doctor had been involved in the complainant's treatment or that access to the medical record had been necessary at the time the other searches took place. In addition, the complainant had not given clear and unequivocal consent to the processing. The Data Protection Authority therefore considered that those searches had not been in compliance with Articles 9 and 11 of Act No. 90/2018 and Article 6(1) and Article 9 of Regulation (EU) 2016/679, cf. as appropriate the previous Act No. 77/2000. No reason was found to issue a warning or impose an administrative fine.

Decision on a complaint about searches in a medical record, in case no. 2025020471 (previously 2023091441):

Case procedure
1. On 12 September 2023, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about alleged unauthorized searches by [B] (hereinafter [B]), a specialist physician at Landspítali and owner of the medical practice [Y] ehf., in the complainant's medical record. More specifically, the complaint is that the doctor in question, during the period from 19 October 2017 to 1 May 2021, looked up the complainant's medical record on specified occasions without authorization. Attached to the complaint was a summary of the searches in the complainant's medical record during the period from 27 August 2012 up to and including 7 September 2023.
2. The Data Protection Authority invited Landspítali to comment on the complaint by letter dated 14 May 2024, and the hospital's responses were received on 6 June 2024. Following the hospital's response letter, [B] was invited to comment on the complaint on 19 August 2024. [B]'s responses were received by letter dated 5 September 2024.
The Data Protection Authority then received additional responses from the Landspítali Electronic Health Record Supervisory Committee on 19 December 2024, which had taken up the matter for investigat