On October 11, 2023, the State Data Protection Inspectorate (hereinafter “VDAI”, “Authority”) announced that fines were imposed on an individual and a healthcare institution (hereinafter “Clinic”) for sharing a picture of a patient’s body part on the social media platform “Instagram”.
This ruling is noteworthy in the VDAI’s practice because it fines an individual, the first time the VDAI has done so since the GDPR came into application.
Background of the violation
According to the VDAI, a complaint was received, which prompted an inquiry into the Clinic’s and the doctor’s data protection practices. The complaint concerned the public posting, without the patient’s permission, of a picture of a body part on the social media site.
Key considerations of the investigation
The decision to impose fines on both the Clinic and its doctor was based on several key considerations, including:
Is a picture of a body part considered personal data?
According to the VDAI, indirect identification of the person was possible in this situation. The published photographs allowed the complainant’s features to be recognised, so a picture of a part of a person’s body qualifies as personal data. Publishing it also constitutes processing of personal data, and such data can be combined with other information, including health data, to identify the person.
Validity of consent
Despite the data controller seeking consent, the obtained response did not meet the necessary criteria for validity. The data subject expressed a willingness to potentially allow the photo’s publication but suggested waiting for a few months to capture a better photo. This response fell short of constituting explicit consent.
Issuing a Fine to Both: the Institution and the Doctor
The focal point of the VDAI’s decision lies in its rationale, justifying the imposition of a fine not only on the establishment but also on the associated healthcare professional. According to the decision, when an employee gains unauthorized access to personal data, they are not considered to be acting on behalf of the data controller. In contrast, it was determined that the doctor, through publishing the photos on their Instagram account, operated as an independent data controller and that the purpose for processing data was specifically to enhance their professional profile. This conclusion was drawn because the healthcare professional failed to provide evidence that they posted the photo under the direction of the Clinic, and there was no indication that the Clinic could control the social media account.
What can we learn from this fine?
Using client images on social media platforms is becoming more common, as businesses and their employees across a range of industries use personal data to attract new clients and build their brand. It is therefore critical to comply with data protection law and, before sharing such personal data, to establish whether the sharing is permitted, for example on the basis of valid explicit consent.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to GDPR compliance or any other personal data protection question, please consult the experts of ECOVIS ProventusLaw.
The link to the press release can be found here (text available in Lithuanian only).
Prepared by ECOVIS ProventusLaw junior associate Julija Ginotytė