[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpiML2wvZAubZCVGT9liRyRzUNnMtmt2DnU6sUIOr6Zw":3},{"article":4,"iocs":41},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":28},"7370e1d0-752b-41af-9536-c95f2cf6890d","Persónuvernd (Island) - 2025020471","personuvernd-island-2025020471-12bfea","{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo= |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Island) |Case_Number_Name=2025020471 |ECLI= |Original_Source_Name_1=Persónuvernd |Original_Source_Link_1=https:\u002F\u002Fisland.is\u002Fs\u002Fpersonuvernd\u002Furskurdir-akvardanir-og-alit\u002Fuppflettingar-landspitala-og-serfraedilaeknis-i-sjukraskra |Original_Source_Language_1=Icelandic |Original_Source_Language__Code_1=IS |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type=Complaint |Outcome=Other Outcome |Date_Started=12.09.2023 |Date_Decided=12.05.2026 |Date_Published= |Year=2026 |Fine= |Currency= |GDPR_Article_1=Article 6(1) GDPR |GDPR_Article_Link_1=Article 6 GDPR#1 |GDPR_Article_2=Article 9(2) GDPR |GDPR_Article_Link_2=Article 9 GDPR#2 |GDPR_Article_3= |GDPR_Article_Link_3= |GDPR_Article_4= |GDPR_Article_Link_4= |EU_Law_Name_1= |EU_Law_Link_1= |EU_Law_Name_2= |EU_Law_Link_2= 
|National_Law_Name_1= |National_Law_Link_1= |National_Law_Name_2= |National_Law_Link_2= |Party_Name_1= |Party_Link_1= |Party_Name_2= |Party_Link_2= |Appeal_To_Body= |Appeal_To_Case_Number_Name= |Appeal_To_Status=Unknown |Appeal_To_Link= |Initial_Contributor=ds | }} The DPA held that a doctor unlawfully accessed a data subject’s medical records without proving a valid legal basis, but took no corrective measure due to proportionality considerations. == English Summary == === Facts === On 12 September 2023, a data subject filed a complaint with the Icelandic DPA against a doctor (the controller). The controller had a family connection to the data subject, as he was the father of the mother of the data subject’s child. The data subject alleged that the controller accessed his medical records without authorisation on multiple occasions between 19 October 2017 and 1 May 2021 and specifically on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019, 20 August 2019, 28 April 2020, 14 September 2020, 15 September 2020 and 1 May 2021. The data subject argued that the controller was neither his doctor nor had he ever treated him as a patient. Additionally, the data subject noted that these unauthorised search queries occurred while he was in a relationship with the controller’s daughter. The DPA asked the controller and the Landspítali Hospital for their submissions, since the controller was a doctor of the hospital during that period. The hospital stated that the data subject sought medical assistance on three occasions (on 20 August 2019, 28 April 2020, and 1 May 2021). It noted that the processing of his personal data on these occasions was legitimate, as it was for his health benefit, at his request, and based on the therapeutic relationship between doctor and patient. Additionally, the hospital stated it could not confirm the lawfulness or proper authorisation of the other searches. 
The controller stated that from 2017 to 2021, he worked in the hospital and had access to the medical records system via hospital computers and remote access from his own computer, particularly during night shifts. He pointed out that he often assisted close relatives and their families with both major and minor health issues. Moreover, he claimed that during the period when the data subject was related to him, the latter also sought and received similar medical advice and assistance from him. He presented screenshots of their communications during this time, demonstrating interactions regarding medical advice and services. The controller maintained that all searches were conducted in accordance with the data subject's requests for medical assistance and were necessary for this reason. === Holding === The DPA first examined the controllership status regarding the processing of medical records. It distinguished between searches attributable to the hospital and searches for which the doctor himself was responsible as the controller. The DPA concluded that the hospital should be considered the responsible party for searches of medical records conducted by healthcare personnel involved in a patient’s treatment. Therefore, it ruled that the three searches conducted on 20 August 2019, 28 April 2020 and 1 May 2021 were lawful. It noted that these searches were carried out in connection with medical assistance sought by the data subject and within the doctor’s professional role at the hospital. For the remaining searches, the DPA ruled that, since they either occurred outside the hospital or lacked a clear health reason documented in the data subject’s medical records, the doctor should be held responsible as controller for the relevant processing. The DPA accepted that informal medical advice had been provided in some instances, but stressed that this could not by itself justify access to the data subject’s medical records. 
It pointed out that the doctor as the controller still had to demonstrate a valid legal basis and necessity for the specific searches. Accordingly, it held that the controller did not clearly prove that the relevant search queries in the data subject's medical record were based on a legal basis pursuant to [[Article 6 GDPR#1|Article 6(1) GDPR]] and [[Article 9 GDPR#2|Article 9(2) GDPR]]. Additionally, the DPA stated that although the controller violated the aforementioned provisions, it decided not to issue a warning or impose a fine on proportionality grounds. The DPA took into account that the doctor had, in some instances, provided medical advice or services to the data subject at his request. == Comment == ''Share your comments here!'' == Further Resources == ''Share blogs or news articles here!'' == English Machine Translation of the Decision == The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. The Data Protection Authority ruled in a case where a complaint was made about a specialist doctor’s searches of an individual’s medical record. The case concerned whether the searches had been necessary for medical treatment or advice and who was responsible for them. The Data Protection Authority concluded that three searches, which were related to the complainant’s prescription and treatment, had been in compliance with Act No. 90\u002F2018 and Regulation (EU) 2016\u002F679. Landspítali was considered the controller of that processing. However, other searches were not considered sufficiently explained. It was not demonstrated that the doctor had been involved in the complainant’s treatment or that access to the medical record had been necessary at the time that other searches had taken place. In addition, the complainant did not have clear and unequivocal consent for the processing. 
The Data Protection Authority therefore considered that those searches had not been in compliance with Articles 9 and 11 of Act No. 90\u002F2018, paragraph 1, Article 6 and Article 9 of Regulation (EU) 2016\u002F679, cf. as appropriate, the previous Act No. 77\u002F2000. No reason was considered to issue a warning or impose an administrative fine. The decision-makers complained about searches in a medical record, in case no. 2025020471 (previously 2023091441): Case procedure 1. On 12 September 2023, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about alleged unauthorized searches of [B] (hereinafter [B]), a specialist physician at Landspítali and owner of the medical practice [Y] ehf., in the complainant's medical record. More specifically, it is complained that the doctor in question has, during the period from 19 October 2017 to 1 May 2021, looked up the complainant's medical record on specified occasions, without authorization. The attached complaint was a summary of the searches in the complainant's medical record during the period from 27 August 2012 to and including 7 September 2023. 2. The Data Protection Authority invited Landspítali to comment on the complaint by letter dated 14 May 2024 and the hospital's responses were received on 6 June 2024. Following the hospital's response letter, [B] was invited to comment on the complaint on 19 August 2024. [B]'s responses were received by letter dated 5 September 2024. The Data Protection Authority then received additional responses from the Landspítali Electronic Health Record Supervisory Committee on 19 December 2024, which had taken up the matter for investigation following the aforementioned letter from the Data Protection Authority from 14 May 2024. The complainant was given the opportunity to submit comments on the responses from the Landspítali and [B], by letter of 8 January 2025. The complainant's responses were received by email on 21 January 2025. 3. 
In resolving the matter, all of the above-mentioned data has been taken into account. Disputes4. There is a dispute about the legality of searches [B] in the complainant's medical record during the period from 19 October 2017 to 1 May 2021, more specifically on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019, 20 August 2019, 28 April 2020, 14 September 2020, 15 September 2020 and 1 May 2021. Case delimitation and legal distinction5. The complainant initially requested that the Data Protection Authority also investigate whether a specified specialist had searched the medical record of his minor daughter. However, by email on 18 September 2024, the complainant confirmed that his daughter had been given a summary of the searches in her medical record. According to the summary, it does not appear that the doctor had looked up the complainant's daughter in her medical record. This aspect of the complaint was therefore not taken up for further investigation. This case is therefore limited to the legality of the doctor [B]'s searches of the complainant's medical record on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2017, 20 August 2017, 28 April 2020, 14 and 15 September 2017 and 1 May 2021.6 As stated above, the alleged unauthorized searches took place, among other things, in October 2017 and May 2018, i.e. during the period of validity of the previous Act no. 77\u002F2000, on the protection of personal data and the processing of personal data, while other searches took place in 2019, 2020 and 2021. Act No. 77\u002F2000 was replaced by Act No. 90\u002F2018, on the protection of personal data and the processing of personal data, which entered into force on 15 July 2018. It also enacted Regulation (EU) 2016\u002F679 on the protection of personal data, as adapted and incorporated into the EEA Agreement. After Act No. 90\u002F2018 entered into force, it applied to searches that took place after the entry into force of the Act. 
No substantive changes were made by Act No. 90\u002F2018 to the rules that apply to the processing under discussion here. Consequently, the case will be resolved on the basis of current law, but reference will be made to the provisions of older laws as appropriate.Parties' viewsComplainant's main views7. The complainant considers the doctor [B]'s searches of his medical record to be unlawful. The complainant points out that [B] has never been his doctor or treated him as a patient. The complaint states that [B] is the father of the complainant's mother and that the searches in question took place while the complainant was in a relationship with [B's] daughter. Landspítali's main views8. Landspítali points out that during the investigation of the case it became clear that the first two searches, i.e. on 19 October 2017 and 18 May 2018, had not taken place at the hospital and therefore the hospital could not be held liable for them. 9. The conclusion of the Electronic Health Record Supervisory Committee revealed that the searches [B] on 20 August 2019, 28 April 2020 and 1 May 2021 were considered lawful in light of the fact that the processing was for the benefit of the complainant, i.e. for the purpose of assisting him with minor medical incidents, i.e. prescribing medication. This created a therapeutic relationship between the doctor and the patient (complainant) and the processing therefore fell under point 3 of the first paragraph of Article 9 and point 8 of the first paragraph of Article 11 of Act No. 90\u002F2018, cf. point 1 of Article 13 of Act No. 55\u002F2009 on the Health Record, for the purpose of providing treatment. 
When a patient requests medical care, as the complainant did on the three occasions mentioned above that Landspítali has been able to verify, even for a minor incident such as a prescription for medication, the hospital considers that the processing of personal data in connection with the incident should be considered to be carried out in a lawful, fair and transparent manner towards the patient, i.e. at his request. When a therapeutic relationship is established between a doctor and a patient and the personal data is used for the benefit of the patient, it must be considered that it is obtained for a clearly specified, lawful and objective purpose and not for any other or incompatible purpose. 10. The response letter from Landspítali also states that it was not possible to trace what [B] had done in the complainant's medical record on 6 May 2019, 17 June 2019, 14 and 15 September 2020. It is noted that [B] himself believed that they must have been related to some incident in the complainant's interest. However, the Supervisory Committee did not believe that it was possible to confirm that they had been lawful or had been carried out at the complainant's request, and therefore the Committee would not be able to proceed with that investigation. [B's] main points of view11. [B's] explanations state that he worked in the medical department of Landspítali during the period in question, i.e. the years 2017-2021, and had access to the Historical System through the hospital's computers but also through his own computer with remote access to the system, as he was often on back-up shifts. He stated that he had assisted close relatives and their families with major and minor health problems and, where appropriate, helped to get their health problems on the right track. 
This included advice on whether the person concerned should seek medical care, an emergency room or specialists for certain health problems, assistance with referrals to doctors, physiotherapists or other health professionals and\u002For minor therapeutic interventions of his own, such as prescribing antibiotics or painkillers. During the time that the complainant had family ties with him, the complainant had been offered comparable access to medical advice and assistance from him, which the complainant had made extensive use of. 12. However, [B] stated that he could not recall the reasons for each review of the complainant's medical records, as both the time had passed and, in addition, his conversations with the complainant about medical problems were numerous during the period in question and generally minor. However, all the searches he carried out in the complainant's medical record were carried out following the complainant's request for medical assistance during the period in question, i.e. from 2017 to 2021. In support of the above, [B] refers to the supporting documents with the reply letter, which show screenshots of various communications between him and the complainant and his daughter via a text messaging application, and confirmed that the complainant had requested medical advice and\u002For prescriptions from him at different times. Legal environment13. This case concerns the searches carried out by the doctor [B] in the complainant's medical record. It therefore concerns the processing of personal data that falls within the scope of Act No. 90\u002F2018 on the Protection of Personal Data and the Processing of Personal Data and thus the competence of the Data Protection Authority, cf. Article 4(1), Article 1(2) and Article 39(1) of the Act. of the Act, cf. the corresponding provisions of Article 3, Paragraph 1, Article 37, Article 1, and Article 37, Article 37, of the former Act No. 
77\u002F2000, on the Protection of Personal Data and the Processing of Personal Data. 14. The person responsible for ensuring that the processing of personal data complies with Act No. 90\u002F2018 is referred to as the controller. According to Article 3, Paragraph 6, of the Act, this refers to an individual, legal entity, public authority or other party who, alone or in cooperation with others, determines the purposes and methods of processing personal data, cf. Article 4, Paragraph 7, of the Regulation, cf. the corresponding provisions of Article 2, Paragraph 4, Article 2, of the former Act No. 77\u002F2000. The controller of medical records is defined in Article 3, Paragraph 12, of the Act No. 55\u002F2009 on medical records, as a health institution or a health care professional's office where medical records are kept. It is generally understood that the controller is the relevant institution or company and not individual employees, whether managers or general employees. If, however, an employee of an institution or company has used personal data for his own benefit, or for any work that does not fall within the scope of the controller, he is personally responsible for that action.15. All processing of personal data must be based on one of the authorities listed in Article 9 of Act No. 90\u002F2018, cf. Article 6 of Regulation (EU) 2016\u002F679, cf. the comparable provision in the first paragraph of Article 8 of Act No. 77\u002F2000. This includes the fact that personal data may be processed on the basis of the data subject's consent, cf.1. point. 9. Article. Act No. 90\u002F2018 and point a of the regulatory provision, cf. the provisions of point 1. Article. 8. Act No. 77\u002F2000, or if the processing is necessary to comply with a legal obligation to which the controller is subject, cf. point 3. Article. 9. Act No. 90\u002F2018 and point c of the regulatory provision, cf. the provisions of point 3. Paragraph 1. Article. 8. of the previous Act No. 
77\u002F2000. The basis for such processing shall be prescribed by law, cf. Paragraph 3. Article. 6. of Regulation 16. Processing of sensitive personal data, including health information, cf. Point b. Point 3. Article. 3. Act No. 90\u002F2018 and Point 1. Article 9 of Regulation (EU) 2016\u002F679, cf. point c of point 8 of Article 2 of the former Act No. 77\u002F2000, must also comply with one of the additional conditions of paragraph 1 of Article 11 of the Act, cf. paragraph 2 of Article 9 of the Regulation, cf. a comparable provision of Article 9 of the then applicable Act No. 77\u002F2000. As such, points 1 and 8 of paragraph 1 of Article 11 of Act No. 90\u002F2018, to the effect that the data subject has given his or her explicit consent to the processing for one or more specific purposes or if the processing is considered necessary for the prevention of disease or for the treatment of occupational diseases, to assess the employee's working capacity, diagnose diseases and provide care or treatment in the field of health or social services and there is a specific legal authorization for it, provided that it is carried out by an employee of such a service who is bound by a duty of confidentiality, cf. point h of the 2nd paragraph of Article 9 of the Regulation. The aforementioned provisions of Act No. 90\u002F2018 are comparable to the provisions of points 1 and 8 of Article 9 of Act No. 77\u002F2000, which stipulated that the processing of sensitive personal data was permitted if the data subject consented to the processing or if it was considered necessary for medical treatment or for routine administration in the field of healthcare, provided that it was carried out by a healthcare employee who was bound by a duty of confidentiality. 17. 
When assessing whether there is authorization for the processing in question, and, where applicable, whether the conditions for the processing of sensitive personal data have been met, the provisions of other applicable laws must also be taken into account. In the present case, Act No. 55\u002F2009 on medical records is under examination.18. Article 2 of Act No. 55\u002F2009 states that when entering and storing medical records and accessing them, the human rights and the right to self-determination of patients shall be respected, care shall be taken that medical records contain sensitive personal data and that medical record information is confidential. According to Article 12 of the Act, of the Act, access to medical records is not permitted unless there is a legal authority for it under the provisions of the Act or other laws. In the first paragraph of Article 13 of the Act, it is stated that healthcare professionals involved in the treatment of a patient and who need their medical record information for the treatment shall have access to the patient's medical record with restrictions in accordance with the provisions of the Act and the rules established on the basis thereof. 19. In addition to the authority as stated above, the processing of personal data must be compatible with all the principles of the first paragraph of Article 8 of Act No. 90\u002F2018, cf. the first paragraph of Article 5 of Regulation (EU) 2016\u002F679, cf. the comparable provision of the first paragraph of Article 7 of Act No. 77\u002F2000. The principles stipulate, among other things, that personal data shall be processed lawfully, fairly and transparently in relation to the data subject, cf. 1. point. of the above-mentioned legal provisions and point a of the regulatory provision, that they shall be obtained for a clearly specified, legitimate and objective purpose and not further processed for other and incompatible purposes, cf. point 2. 
of the legal provisions and point b of the regulatory provision, and that they are adequate, relevant and not excessive in relation to the purposes of the processing, cf. point 3. of the legal provisions and point c of the regulatory provision. 20. The controller is responsible for ensuring that the processing of personal data always complies with the principles of data protection legislation and must be able to demonstrate this, cf. paragraph 2. of Article 8. of Act No. 90\u002F2018, cf. paragraph 2. of Article 5 of Regulation (EU) 2016\u002F679. The liability obligation as a general and independent obligation of the controller was introduced as a novelty in Act No. 90\u002F2018. In the older Act No. 77\u002F2000, however, the liability obligation was not legislated as a separate principle in a comparable manner. However, the elements of the rule were to some extent present in the older Act No. 77\u002F2000. More specifically, the elements of the rule can be found in the then applicable law in more diffuse and specific mandatory provisions, such as Article 7(1) and Article 11 of the same Act, which prescribed the controller's responsibility for security assessment, security measures and that the processing was in accordance with, among other things, Article 7 of the Act. Conclusion21. The Data Protection Authority has generally considered that Landspítali is considered the controller of its employees' searches of medical records, when they are carried out by healthcare professionals involved in the treatment of a patient and who need his or her medical record information for the treatment, cf. Article 13 of Act No. 55\u002F2009 on medical records. However, if an employee exceeds his or her access rights under the aforementioned Act, he or she is personally responsible for this, cf. also the discussion in paragraph 14. 22. 
In the case in question, the Supervisory Committee for Landspítali's electronic medical record concluded that the searches by doctor [B] in the complainant's medical record on 20 August 2019, 28 April 2020 and 2 May 2021 had been lawful, given that a therapeutic relationship had been established between the doctor and the complainant and the searches were related to the doctor's normal duties in relation to prescribing medication. The Data Protection Authority has no grounds to review the aforementioned assessment of the Supervisory Committee on when a treatment relationship has been established and when access to medical record information is necessary for the purpose of treatment. The Authority's supervision is therefore limited to examining whether the processing of personal data, which consists of a search in the medical record, has been in accordance with the requirements of the Data Protection Act, including whether the search is considered to have been necessary for a clearly specified purpose in light of the explanations of the responsible party. As it stands, there is nothing more than that the doctor's searches in the complainant's medical record on 20 August 2019, 28 April 2020 and 2 May 2021 were part of providing healthcare to the complainant and that he needed the complainant's medical record information for the treatment. 23. It is therefore the opinion of the Data Protection Authority that there is no evidence other than that the above-mentioned searches [B] in the complainant's medical record were authorized, cf. Article 13 of Act No. 55\u002F2009, and the processing was therefore in accordance with point 3 of the first paragraph of Article 9 and point 8 of the first paragraph of Article 11 of Act No. 90\u002F2018, cf. point c of the first paragraph of Article 6 and point h of the second paragraph of Article 9 of Regulation (EU) 2016\u002F679, and that Landspítali is also considered the controller of the processing of personal data involved, cf. 
point 6 of Article 3 of Act No. 90\u002F2018 and point 7 of Article 4 of Regulation (EU) 2016\u002F679. 24. With regard to other searches in the complainant's medical record, i.e. on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019 and 14 and 15 September 2020, the Electronic Health Record Supervisory Committee concluded that searches had either not taken place at Landspítali or that it had not been possible to trace what business the doctor had in the complainant's medical record on the said occasions. [B] will therefore be considered responsible for the processing of personal data involved in searches in the complainant's medical record on the aforementioned dates, cf. point 6 of Article 3 of Act No. 90\u002F2018 and point 7 of Article 4 of the Act. Regulation (EU) 2016\u002F679, cf. point 4 of Article 2 of the previous Act No. 77\u002F2000. 25. In his explanations to the Data Protection Authority, [B] has based his explanations on the fact that all his searches in the complainant's medical record were necessary due to his many years of informal treatment relationship with the complainant at the time when they were family members. For this reason, he referred to screenshots of their communication during the period regarding medical advice and services, as well as communication with his daughter for the purpose of advice and services to the complainant. 26. In view of [B]'s explanations and the available data, the Data Protection Authority considers it indisputable that [B] has in some cases provided the complainant with medical advice and services. However, the evidence in the case does not conclusively show that [B] was involved in the treatment of the complainant at the time the searches in question were carried out or that he had necessary access to the complainant's medical record information at the time in question, cf. Article 13 of Act No. 55\u002F2009. 
Furthermore, it is not clear that the complainant gave his clear and unequivocal consent to such processing of personal data by [B] at the time the searches were carried out.27. In light of the above, the Data Protection Authority is of the opinion that [B] has not demonstrated that the searches in the complainant's medical record at the time in question were based on an appropriate processing authorisation, pursuant to Articles 9 and 11 of Act No. 90\u002F2018, cf. Article 6(1) and Article 9(2) of the Act. of Regulation (EU) 2016\u002F679, cf. the corresponding provisions of Articles 8 and 9 of Act No. 77\u002F2000, cf. also Paragraph 2 of Article 8 of Act No. 90\u002F2018 and Paragraph 2 of Article 5 of the Regulation. In this context, it is reiterated that it is the responsibility of the controller of personal data to demonstrate compliance with data protection laws, where appropriate by means of documentation, as set out in paragraph 20 above.28. For that reason, the Data Protection Authority has concluded that the processing of personal data, which consisted of searches [B] in the complainant's medical record on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019, 14 and 15 September 2020, did not comply with Act No. 90\u002F2018 and Regulation (EU) 2016\u002F679, and Act No. 70\u002F2000, as applicable. Decision on the exercise of powers29. The Data Protection Authority may issue a warning to the controller or processor if the processing operations have violated Regulation (EU) 2016\u002F679, cf. point 2 of Article 42 of Act No. 90\u002F2018, and impose administrative fines on those who violate, intentionally or negligently, any of the provisions of the Regulation listed in paragraphs 2 and 3 of Article 46 of Act No. 90\u002F2018, cf. paragraphs 1 and 5 of that article. 
According to points 1 and 2 of paragraph 3 of Article 46, these include provisions on basic principles of processing, including pursuant to paragraph 1 of Article 5, paragraph 1 of Article 6 and paragraph 2 of Article 9 of the Regulation.30. Having regard to the considerations set out in paragraph 1 of Article 47 of Act No. 90\u002F2018, and taking into account other legally prescribed considerations and the circumstances of the case as a whole, and especially when considering that [B] demonstrably provided the complainant in some cases with medical advice and services at his request, as well as taking into account the rules of proportionality, cf. the 1st paragraph. Article 83. of Regulation (EU) 2016\u002F679 and Article 12. of the Administrative Procedure Act no. 37\u002F1993, do not consider it necessary to issue [B] a warning or impose an administrative fine on him for the violations outlined in paragraphs 27-28. R e s u r e s: Landspítali's processing of [A]'s personal data, which consisted of [B's] searches in his medical record on 20 August 2019, 28 April 2020 and 2 May 2021, was in accordance with the provisions of Act No. 90\u002F2018, on the Protection of Personal Data and the Processing of Personal Data. The processing of [B]'s personal data [A], which consisted of searches in his medical record on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019 and 14 and 15 September 2020, was not in accordance with the provisions of Articles 9 and 11 of Act No. 90\u002F2018 on the Protection of Personal Data and the Processing of Personal Data and the 1st paragraph of Articles 6 and 9 of Regulation (EU) 2016\u002F679, cf. as appropriate the provisions of Articles 8 and 9 of the then applicable Act No. 77\u002F2000 on the Protection of Personal Data and the Processing of Personal Data. 
Personal Data, 27 May 2026. Edda Þuríður Hauksdóttir, Inga Amal Hasan","The Icelandic DPA (Persónuvernd) investigated a complaint about a doctor accessing a data subject's medical records without authorization. The DPA determined that while some searches were legitimate due to a therapeutic relationship, others lacked a valid legal basis under GDPR. Despite the violation, no fine or warning was issued due to proportionality considerations.","Icelandic DPA found a doctor unlawfully accessed medical records but issued no fine.","Persónuvernd (Island) - 2025020471. Revision as of 14:29, 29 May 2026. Persónuvernd - 2025020471 Authority: Persónuvernd (Island) Jurisdiction: Iceland Relevant Law: Article 6(1) GDPR Article 9(2) GDPR Type: Complaint Outcome: Other Outcome Started: 12.09.2023 Decided: 12.05.2026 Published: Fine: n\u002Fa Parties: n\u002Fa National Case Number\u002FName: 2025020471 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Icelandic Original Source: Persónuvernd (in IS) Initial Contributor: ds The DPA held that a doctor unlawfully accessed a data subject’s medical records without proving a valid legal basis, but took no corrective measure due to proportionality considerations. English Summary Facts On 12 September 2023, a data subject filed a complaint with the Icelandic DPA against a doctor (the controller). The controller had a family connection to the data subject, as he was the father of the mother of the data subject’s child. 
The data subject alleged that the controller accessed his medical records without authorisation on multiple occasions between 19 October 2017 and 1 May 2021 and specifically on 19 October 2017, 18 May 2018, 6 May 2019, 17 June 2019, 20 August 2019, 28 April 2020, 14 September 2020, 15 September 2020 and 1 May 2021. The data subject argued that the controller was neither his doctor nor had he ever treated him as a patient. Additionally, the data subject noted that these unauthorised search queries occurred while he was in a relationship with the controller’s daughter. The DPA asked the controller and the Landspítali Hospital for their submissions, since the controller was a doctor of the hospital during that period. The hospital stated that the data subject sought medical assistance on three occasions (on 20 August 2019, 28 April 2020, and 1 May 2021). It noted that the processing of his personal data on these occasions was legitimate, as it was for his health benefit, at his request, and based on the therapeutic relationship between doctor and patient. Additionally, the hospital stated it could not confirm the lawfulness or proper authorisation of the other searches. The controller stated that from 2017 to 2021, he worked in the hospital and had access to the medical records system via hospital computers and remote access from his own computer, particularly during night shifts. He pointed out that he often assisted close relatives and their families with both major and minor health issues. Moreover, he claimed that during the period when the data subject was related to him, the latter also sought and received similar medical advice and assistance from him. He presented screenshots of their communications during this time, demonstrating interactions regarding medical advice and services. The controller maintained that all searches were conducted in accordance with the data subject's requests for medical assistance and were necessary for this reason. 
Holding The DPA first examined the controllership status regarding the processing of medical records. It distinguished between searches attributable to the hospital and searches for which the doctor himself was responsible as the controller. The DPA concluded that the hospital should be considered the responsible party for searches of medical records conducted by healthcare personnel involved in a patient’s treatment. Therefore, it ruled that the three searches conducted on 20 August 2019, 28 April 2020 and 1 May 2021 were lawful. It noted that these searches were carried out in connection with medical assistance sought by the data subject and within the doctor’s professional role at the hospital. For the remaining searches, the DPA ruled that, since they either occurred outside the hospital or lacked a clear health reason documented in the data subject’s medical records, the doctor should be held responsible as controller for the relevant processing. The DPA accepted that informal medical advice had been provided in some instances, but stressed that this could not by itself justify access to the data subject’s medical records. It pointed out that the doctor as the controller still had to demonstrate a valid legal basis and necessity for the specific searches. Accordingly, it held that the controller did not clearly prove that the relevant search queries in the data subject's medical record were based on a legal basis pursuant to Article 6(1) GDPR and Article 9(2) GDPR. Additionally, the DPA stated that although the controller violated the aforementioned provisions, it decided not to issue a warning or impose a fine on proportionality grounds. The DPA took into account that the doctor had, in some instances, provided medical advice or services to the data subject at his request. 
English Machine Translation of the Decision The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details. The Data Protection Authority ruled in a case where a complaint was made about a specialist doctor’s searches of an individual’s medical record. The case concerned whether the searches had been necessary for medical treatment or advice and who was responsible for them. The Data Protection Authority concluded that three searches, which were related to the complainant’s prescription and treatment, had been in compliance with Act No. 90\u002F2018 and Regulation (EU) 2016\u002F679. Landspítali was considered the controller of that processing. However, other searches were not considered sufficiently explained. It was not demonstrated that the doctor had been involved in the complainant’s treatment or that access to the medical record had been necessary at the time that other searches had taken place. In addition, the complainant did not have clear and unequivocal consent for the processing. The Data Protection Authority therefore considered that those searches had not been in compliance with Articles 9 and 11 of Act No. 90\u002F2018, paragraph 1, Article 6 and Article 9 of Regulation (EU) 2016\u002F679, cf. as appropriate, the previous Act No. 77\u002F2000. No reason was considered to issue a warning or impose an administrative fine. The decision-makers complained about searches in a medical record, in case no. 2025020471 (previously 2023091441): Case procedure 1. On 12 September 2023, the Data Protection Authority received a complaint from [A] (hereinafter the complainant) about alleged unauthorized searches of [B] (hereinafter [B]), a specialist physician at Landspítali and owner of the medical practice [Y] ehf., in the complainant's medical record. 
More specifically, it is complained that the doctor in question has, during the period from 19 October 2017 to 1 May 2021, looked up the complainant's medical record on specified occasions, without authorization. Attached to the complaint was a summary of the searches in the complainant's medical record during the period from 27 August 2012 to and including 7 September 2023. 2. The Data Protection Authority invited Landspítali to comment on the complaint by letter dated 14 May 2024 and the hospital's responses were received on 6 June 2024. Following the hospital's response letter, [B] was invited to comment on the complaint on 19 August 2024. [B]'s responses were received by letter dated 5 September 2024. The Data Protection Authority then received additional responses from the Landspítali Electronic Health Record Supervisory Committee on 19 December 2024, which had taken up the matter for investigat","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Pers%C3%B3nuvernd_(Island)_-_2025020471&diff=51772&oldid=0",null,"2026-05-29T14:29:26+00:00","2026-05-29T16:00:14.040455+00:00",7,[18,21],{"name":19,"type":20},"Persónuvernd","vendor",{"name":22,"type":23},"Landspítali Hospital","product","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":24,"icon":13,"name":26,"slug":27},"GDPR","gdpr",[29,31,36],{"category":30},{"id":24,"icon":13,"name":26,"slug":27},{"category":32},{"id":33,"icon":13,"name":34,"slug":35},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":37},{"id":38,"icon":13,"name":39,"slug":40},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",[]]