AXIOYU PYLIS CENTRE I.A – €30,000 Fine (Greece, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Greek diagnostic center was fined 30,000 euros for losing access to a patient's mammogram images. This matters because it shows the importance of securely storing and managing personal health data.
What happened
AXIOYU PYLIS CENTRE I.A lost access to a patient's mammogram images, violating data protection rules.
Who was affected
A patient who could not access her mammogram images due to the center's data management failures.
What the authority found
The authority found that the center violated GDPR by failing to maintain the integrity and confidentiality of the patient's data.
Why this matters
This case highlights the critical need for healthcare providers to implement strong data management practices. It serves as a reminder that losing access to important health data can lead to significant penalties.
GDPR Articles Cited
A patient (data subject) of diagnostic centre Pyle Axiou I.A.E. (controller) requested copies of her medical records in relation to a mammogram carried out in the past. The controller replied that it could not provide her with the images from the mammogram, as the machine can only store them for 3 months.
The data subject then submitted a complaint with the DPA for violation of her right of access. She stressed that the images of the mammogram in particular were important in view of her age and state of health. After a letter from the DPA, the controller suddenly remembered that it also stored the images on a hard drive in its storage. However, it could not recover the images.
During a hearing, the controller argued:
1. it exhausted all possibilities to recover the images (but without success);
2. the most important medical record was provided to the data subject: the report on the images;
3. it informed the data subject in good time of the unavailability of the images;
4. it submitted its views on the issues of its compliance with its obligations under Articles 32-34 GDPR.
The data subject argued during the hearing that, in addition to the violation of the right of access, the controller also violated her right to information. She was never informed by the controller of the definitive loss of the images.
The DPA found that the retention period for the images was ten years from the data subject's last visit. The DPA further noted that the images were unavailable at the time the right was exercised. The DPA therefore held that the data subject's right of access (Article 15 GDPR) was not violated as it was impossible to provide the images, even though they were unlawfully deleted.
However, the DPA found that the loss of availability of the images constituted a violation of the principle of integrity and confidentiality pursuant to Article 5(1)(f) GDPR. The DPA concluded that the above-mentioned violation was a result of insufficient technical and organizational
Related Enforcement Actions (0)
No other enforcement actions found for AXIOYU PYLIS CENTRE I.A in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 August 2022
Authority
Hellenic Data Protection Authority
Fine Amount
€30,000
GDPRhub ID
gdprhub-5211
Cite as: Cookie Fines. AXIOYU PYLIS CENTRE I.A - Greece (2022). Retrieved from cookiefines.eu