Lääkäriklinikka Estetic Oy – €5,000 Fine (Finland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Finnish medical clinic, Lääkäriklinikka Estetic Oy, was fined for not giving a patient access to their medical records upon request. The clinic claimed the records were held by another company, but the Finnish data protection authority found this explanation insufficient. This case highlights the importance of clear communication and cooperation between companies handling personal data.
What happened
Lääkäriklinikka Estetic Oy refused to provide a patient with access to their medical records, citing another company as the record holder.
Who was affected
Patients who requested access to their medical records from Lääkäriklinikka Estetic Oy.
What the authority found
The Finnish authority found that the clinic failed to fulfill the patient's right to access their data and did not provide a valid reason for the refusal.
Why this matters
This ruling stresses the need for businesses to clearly define and communicate responsibilities regarding data access. It serves as a reminder that companies must facilitate easy access to personal data and respect individuals' rights under data protection laws.
GDPR Articles Cited
The Finnish DPA was notified that the controller (Lääkäriklinikka Estetic Oy, a medical clinic) had refused to provide patient records to the data subject despite an access request pursuant to Article 15 GDPR. The DPA had asked the controller to explain why it had refused to fulfil the data subject's request.
In response to the request, the controller clarified that the data subject had been treated at the controller's premises by a surgeon from another company, which is an independent controller of its patient records. The controller did not have access to that company's patient records. The controller stated that its patients could access their personal data by visiting the controller's premises and that the personal data was not sent by email. The controller also claimed that it had already provided the requested personal data to the data subject.
On the basis of the information provided by the controller, the DPA considered that the controller had not provided sufficient explanation of which entity acted as the controller with regard to patient data that was generated during the treatment of the data subject at the controller's premises. Thus, the controller had not implemented the data subject’s right to access their personal data in accordance with Article 15(1) GDPR and Article 15(3) GDPR or informed the data subject of the reason for not taking action in accordance with Article 12(4) GDPR.
The DPA stated that the controller's practice of not sending personal data by email was unreasonable, considering that the controller shall facilitate the exercise of data subject rights pursuant to Article 12(2) GDPR. The controller had also not provided the information to the data subject within the deadline defined in Article 12(3) GDPR. The DPA also noted that the controller's website did not contain information about the processing of personal data, such as which entity acted as the controller of patient data. The DPA considered that the controller had not fulfilled
Cite as: Cookie Fines. Lääkäriklinikka Estetic Oy - Finland (2021). Retrieved from cookiefines.eu