The Central Denmark Region – Violation Found (Denmark, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Central Denmark Region faced scrutiny after a Danish citizen complained about a photo of themselves being shared on Aarhus University Hospital's Instagram account. The investigation revealed that the hospital regularly posted pictures of patients and staff without clear consent. This case highlights the importance of obtaining proper consent before sharing personal images online.
What happened
Aarhus University Hospital published photos of patients on Instagram without clear consent from all individuals involved.
Who was affected
Patients and visitors whose images were shared on the hospital's Instagram account.
What the authority found
The investigation found that the hospital's consent practices did not fully comply with GDPR requirements for transparency and consent.
Why this matters
This case emphasizes that organizations must ensure they have valid consent before posting personal images online. It serves as a reminder for all businesses to review their consent processes to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A Danish citizen brought a complaint to the Danish DPA concerning a picture of themselves being published on the Instagram account of Aarhus University Hospital (AUH). Based on this, on 19 December 2022, the DPA initiated an investigation against the Central Denmark Region (the controller). During the investigation, the DPA found that the Instagram account regularly published photos and videos of daily life at AUH. It showed pictures of patients, staff and relatives, and the account has been active since June 2015; it had more than 15,000 followers and more than 1,400 posts. A review of the account also revealed that there were posts with pictures and information about patients dating back to 2016. In some cases, these included information on health conditions. The controller explained that the information on the account is published to inform the outside world about the hospital’s activities and daily life. It further clarified that posts containing information about citizens, including patients, were published on the basis of consent under Article 6(1)(a) GDPR and Article 9(2)(a) GDPR. Consent was obtained in writing before the publication of the post, and granting it or not did not affect the health treatment offered to the patient. The controller also stated that its processing met the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR, as well as the principle of data minimisation pursuant to Article 5(1)(c) GDPR, since they did not process personal data not necessary for the hospital purposes. To limit the processing of personal data, they were attentive to whether information such as social security numbers and names were displayed on monitors, medical records and patient wristbands appearing in the pictures. Lastly, the controller claimed to observe also the principle of storage limitation of Article 5(1)(e) GDPR since data subjects could make erasure requests. The Danish DPA found that the data processed in this case could be c
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for The Central Denmark Region in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Central Denmark Region - Denmark (2023). Retrieved from cookiefines.eu
Last updated: