Are the Greek hospitals “unhealthy” for the GDPR?
Originally published: newspaper “Ta Nea” – Letters (in Greek)
Date: 26/07/2019
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
Mr. Director,
Earlier this month, your reputable newspaper published a revealing report about the blatant violation of personal data legislation in our country by a large public hospital in the capital. According to the report, a number of medical records of the hospital's patients were stacked in its corridors and stairs, in public view.
We note that, under the recent General Data Protection Regulation, also known as the GDPR, the controller, in this case the hospital, must take appropriate technical and organizational measures to ensure the security of personal data, such as those contained in medical records. This applies all the more to health data, which is a special category of data and enjoys increased protection. The violation of the GDPR by the above hospital was therefore very serious and should already have widely mobilized the competent bodies.
The dramatic situation in which many Greek hospitals still seem to find themselves, regarding non-compliance with the GDPR, is confirmed by the recent press release of the Greek Data Protection Authority dated 15-7-2019. The Authority, referring to recent publications in the press, obviously including those of your reputable newspaper, invites all hospitals in Greece to appoint a Data Protection Officer. It even emphasizes that only 13 public hospitals have acted in this regard, with only 2 of them located in Attica.
We point out that, according to the GDPR, the Data Protection Officer is a “key person”, with important responsibilities, for ensuring the proper implementation of the Regulation within the relevant body, such as the hospital. The appointment is mandatory in the case of a public authority or body. Nevertheless, about 14 months after the commencement of the implementation of the GDPR in our country, the majority of public hospitals have not yet made such an appointment!
Non-compliance with the GDPR in this critical area is disappointing. This is an extremely serious issue that must be addressed as a matter of priority by the competent Minister.