Lääkärikeskus Gyneko Oy – Violation Found (Finland, 2023)

Violation Found
DPA Tietosuojavaltuutetu | 4 December 2023 | Finland | final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 9(1) GDPR
Art. 32(1)(b) GDPR
Art. 32(2) GDPR
Art. 58(2)(d) GDPR

Full Legal Summary

On 14 March 2023, the DPA requested the controller (Lääkärikeskus Gyneko Oy, a healthcare provider) to explain how its online appointment booking system worked. At the same time, the controller was notified of a previous decision by the DPA regarding electronic healthcare appointment booking systems concerning another healthcare provider (https://gdprhub.eu/index.php?title=Tietosuojavaltuutetun_toimisto_(Finland)_-_5546/163/2019).

In response to the request, the controller clarified that a person had to provide their name and personal identity code in order to book an appointment online. It also stated that no abuse of the system had been detected, and that efforts had been made to detect possible misuse by monitoring the number of logins and failed login attempts. It would also have been possible to set a password for the system, but the controller had not implemented such an arrangement.

To begin with, the DPA pointed out that only requesting a name and personal identity code when booking an appointment online does not verify the person's identity. The personal identity code is not intended to be used as a means of identification, like a password, but to distinguish one person from another. The DPA acknowledged that using the personal identity code as a password is based on the assumption that the personal identity code is not known to third parties and that knowing the personal identity code is enough to verify the identity of the person. The DPA stressed that, in reality, one's personal identification number is often known to several other people.

Thus, the DPA considered that the controller's appointment booking system enabled an unknown third party to book an appointment if they knew the name and personal identity code of the data subject. Such misuse may cause a variety of damage to the data subject in the form of false invoices or identity theft. In light of this, the DPA emphasised that information regarding healthcare appointments is health data according to

Outcome

Violation Found

The DPA found a violation but did not impose a fine.

Details

Decision Date: 4 December 2023
Authority: DPA Tietosuojavaltuutetu
GDPRhub ID: gdprhub-7447

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Lääkärikeskus Gyneko Oy - Finland (2023). Retrieved from cookiefines.eu
