The Central Denmark Region – Violation Found (Denmark, 2023)
The Central Denmark Region faced scrutiny after a complaint about patient photos being shared on Instagram without proper consent. The investigation found that while consent was claimed, the hospital's practices raised concerns about privacy. This case highlights the importance of clear consent processes for sharing personal information online.
What happened
The Central Denmark Region was investigated for posting patient photos on Instagram without proper consent.
Who was affected
Patients whose images and health information were shared on the Instagram account of Aarhus University Hospital were affected.
What the authority found
The investigation revealed that the hospital's consent practices may not fully comply with GDPR requirements for transparency and legality.
Why this matters
This case emphasizes the need for organizations to ensure they have valid consent before sharing personal information. It serves as a reminder for hospitals and similar entities to review their data-sharing practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A Danish citizen brought a complaint to the Danish DPA concerning a picture of themselves being published on the Instagram account of Aarhus University Hospital (AUH). Based on this, on 19 December 2022, the DPA initiated an investigation against the Central Denmark Region (the controller). During the investigation, the DPA found that the Instagram account regularly published photos and videos of daily life at AUH. It showed pictures of patients, staff and relatives, and the account has been active since June 2015; it had more than 15,000 followers and more than 1,400 posts. A review of the account also revealed that there were posts with pictures and information about patients dating back to 2016. In some cases, these included information on health conditions. The controller explained that the information on the account is published to inform the outside world about the hospital’s activities and daily life. It further clarified that posts containing information about citizens, including patients, were published on the basis of consent under Article 6(1)(a) GDPR and Article 9(2)(a) GDPR. Consent was obtained in writing before the publication of the post, and granting it or not did not affect the health treatment offered to the patient. The controller also stated that its processing met the principles of lawfulness, fairness and transparency under Article 5(1)(a) GDPR, as well as the principle of data minimisation pursuant to Article 5(1)(c) GDPR, since they did not process personal data not necessary for the hospital purposes. To limit the processing of personal data, they were attentive to whether information such as social security numbers and names were displayed on monitors, medical records and patient wristbands appearing in the pictures. Lastly, the controller claimed to observe also the principle of storage limitation of Article 5(1)(e) GDPR since data subjects could make erasure requests. The Danish DPA found that the data processed in this case could be c
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for The Central Denmark Region in DK
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. The Central Denmark Region - Denmark (2023). Retrieved from cookiefines.eu
Last updated: