Medical clinic: Insufficient fulfilment of information obligations

The Finnish DPA has fined a medical clinic EUR 5,000. A customer of the clinic had complained to the DPA that he had not received access to his medical records from the clinic following a request for information. In addition, the clinic failed to adequately inform its clients about the processing of personal data. Specifically, the DPA points out that the clinic did not inform its clients about the extent to which it was acting as a data controller for patient data generated by its activities.

GDPR Articles: Art. 5 (1) a) GDPR, Art. 12 (1), (2), (3), (4) GDPR, Art. 13 (1), (2) GDPR, Art. 15 (1), (3) GDPR, Art. 25 GDPR
Industry: Health Care