Lääkäriklinikka Estetic Oy – Court Ruling (Finland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Finnish medical clinic, Lääkäriklinikka Estetic Oy, lost its appeal against a €5,000 fine for not properly handling a patient's data access request. The court found that the clinic was responsible for informing patients about where their records were held. This case shows that clinics must clearly communicate data responsibilities to patients.
What happened
Lääkäriklinikka Estetic Oy failed to fulfill a patient's data access request and did not inform them about the location of their medical records.
Who was affected
Patients treated at Lääkäriklinikka Estetic Oy who were not informed about the location of their medical records.
What the authority found
The court ruled that the clinic was responsible for the data and had violated GDPR by not informing the patient properly.
Why this matters
This ruling highlights the importance of transparency in handling patient data, emphasizing that clinics must clearly communicate who holds patient records. It serves as a warning to medical providers to ensure compliance with data access requests.
GDPR Articles Cited
The controller (Lääkäriklinikka Estetic Oy, a medical clinic) had asked the Administrative Court of Helsinki (the Court) to overturn the €5,000 administrative fine imposed by the Finnish DPA and the DPA's decision, according to which the controller had not implemented the data subject's access request. The controller filed the appeal claiming that it had already fulfilled the data subject's access request as far as it concerned the personal data it processed. The controller emphasised that it did not have access to the patient records of another company whose surgeon had treated the data subject at the controller's premises. The controller argued that the DPA should have requested an explanation from the other company as well, because the data subject was not a patient of the controller, but a patient of the other company. The controller also stated that the DPA's actions had not been based on a sufficient and appropriate investigation. The DPA emphasised that the data subject had received treatment from the controller at the controller's premises and that the controller had not informed the data subject that their patient records are in the possession of another company. The DPA also stated that the controller had not instructed the data subject to request their personal data from another company or otherwise informed the data subject about the matters related to the controllership of their personal data. The Court noted that, despite the opportunity reserved for it, the controller had not sufficiently demonstrated that some other entity had acted as a controller of the personal data generated in connection with the treatment that took place on its premises. In its appeal, the controller had not denied that the data subject had received treatment from the controller. Thus, the Court stated that the controller had to be considered as a controller within the meaning of the GDPR. In light of this, the Court agreed with the DPA that the controller had violated Articl
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (1)
Other cases involving Lääkäriklinikka Estetic Oy in FI
Details
About this data
Cite as: Cookie Fines. Lääkäriklinikka Estetic Oy - Finland (2023). Retrieved from cookiefines.eu
Last updated: