We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
18 September 2020
In Decision 41/2020, the Litigation Chamber of the Data Protection Authority (DPA) issued a reprimand to a hospital for its violation of an employee's access and information rights regarding an audit, which had led to the employee's dismissal.
Specifically, the hospital had refused the employee access to the external expert's audit report which had formed the basis of its decision to dismiss the employee. In its decision, published on 3 August 2020, the DPA found that the hospital's retention of the report had infringed:
The DPA stated that 'personal data' encompasses all types of information – namely:
In particular, the DPA referred to the Nowak judgment (C-434/16) and held that beyond this specific case (which concerned access to an examination), any opinion or assessment concerning a specific person is covered by the notion of personal data.
As for the breach of the right of access provided for in Article 15(3) combined with Article 12(4) of the GDPR, the DPA noted that the right to obtain a copy of personal data is the major change introduced by the GDPR in terms of the right of access. This strengthens data subjects' control over their personal data.
In addition, the DPA specified that Article 15(3) does not require that a copy of the original document be provided to the data subject. Rather, it requires the data controller to provide a copy of the personal data which was processed. This right to obtain a copy of said data does not imply that the data subject has a right to obtain a copy of the original document containing this data, as the sharing of such document could infringe the rights and freedoms of others.
In light of these considerations, the DPA rejected the hospital's objections to the employee's right of access, which were based on confidentiality, copyright and the rights and freedoms of others, on the ground that it had failed to demonstrate their concrete application. As regards the fact that the audit report contained data relating to other employees, the DPA considered that the hospital could have provided only the processed data which concerned the plaintiff and excluded the data which concerned other employees.
The DPA held that the hospital's procedure for allowing data subjects to exercise their rights did not comply with Article 12.2 (facilitation of the exercise of rights) of the GDPR. The DPA found that while it cannot be ruled out that a response to a data subject exercising their rights may require a personal meeting, having to systematically make an appointment with the hospital:
Rather, data subjects should be able to request access to their data directly from the data controller or data protection officer via a dedicated email address.
Article 221(2) of the Data Protection Act 2018 prohibits the DPA from fining government bodies (other than public law entities that offer goods or services on a market). Hence, the DPA issued a reprimand and ordered the hospital to provide access to additional documentation and comply with the data protection regulations within three months.
For further information on this topic please contact Paul Van den Bulck or Andrine Like at AKD by telephone (+32 2 629 42 39) or email (email@example.com or firstname.lastname@example.org). The AKD website can be accessed at www.akd.eu.
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.