Private Individual: Insufficient legal basis for data processing

Between February and June 2020, a private individual published information about patients on his personal Facebook page. The information included health data in terms of Art. 4 (15) GDPR. In detail, the published data comprised patient names, diagnostic findings, medical diagnoses, medication data, data on hospital admissions and discharges, patients' social security numbers and the names of the treating physicians.

GDPR Articles: Art. 5 (1) a) GDPR, Art. 9 GDPR
Industry: Health Care