Processing health data on online platforms: The Garante rules on fairness

With order no. 368 of November 10, 2022, the Italian Data Protection Authority (“Garante”) ruled that the provider of an online platform aimed at connecting healthcare professionals with patients  was in breach of the personal data protection rules provided by EU Regulation 2016/679 (the “GDPR”) in processing data via their platform (the “Platform”).

How the platform works

The purpose of the platform is to facilitate communication between healthcare professionals and patients. On the platform, doctors can register and create profiles in which they indicate their skills and the geographical areas where they practice. In turn, patients register and indicate what kind of specialists they are seeking and then can access a database of available doctors and book appointments.

Investigation and complaints

Following a report of possible violation of the rules on personal data protection, the Garante initiated a preliminary investigation to identify the data controller and data processor for the processing on the Platform and to look into compliance with the principles of lawfulness, fairness, and transparency. In response to the Garante’s request for information, the Platform stated, among other things:

• that it was the data controller for the personal data of healthcare professionals, based on the contract to which the data subject is party;
• that it acts as data controller for healthcare professionals limited to the processing of data related to management of their appointments and the video-calling platform for telehealth appointments. This data includes the details of the bookings and services provided by the professionals originating via the Platform, as well as display on the Platform of the available times on their schedules;
• that it was the data controller for patient data (personal data, contact information, and payment data) during the patient registration phase only.

In addition, the Platform stated that it provides doctors with a model information notice to be provided to patients in order to obtain their consent for the processing of their personal data.

The Garante’s decision

Notwithstanding the Platform’s statements during the investigation, the Garante found that the information provided to patients when they registered with the Platform and used its services was unclear and did not correctly represent the roles of data controller and data processor. Therefore, the Garante found non-compliance with Articles 5(1)(a), 6, 7, 9, 12, and 13 of the GDPR.

The Platform’s response

In response to the proceedings initiated by the Garante, the Platform reiterated that the system had been designed to keep processing roles distinct from each other and that patients’ personal data were accessible only by the referring doctor. Moreover, according to the Platform, the latter cannot in any case be considered the data controller for data collected and processed in connection with the provision of services, which remain the sole responsibility of healthcare professionals. In this context, mentions of such services in the information notice would not, in the Platform’s opinion, automatically indicate a lack of clarity or ownership of the processing by the Platform itself.

Garante’s grounds

However, the Garante noted that the GDPR clearly establishes the roles of data controller and data processor and that it is crucial to represent these roles correctly to data subjects, as this affects the determination of the legal basis of the processing, the allocation of respective responsibilities, and the rights of data subjects. Furthermore, the Garante reiterated that the processing of personal data must be carried out in compliance with the principle of transparency (Article 5(1)(a), GDPR), with clear and accessible information provided to data subjects in advance (Articles 13 and 14, GDPR). The information must be specific, certain, and unambiguous, leaving no room for multiple interpretations. Prior to the start of the processing, both the purposes and the legal basis of the processing must be clearly indicated.

Inadequate information

In this case, according to the Garante, the Platform declared that it was acting as data controller on behalf of the healthcare professionals with whom patients seek to book healthcare services. However, during registration, the Platform presented itself as the data controller not only for creating a patient’s personal account, but also for providing the service of booking medical visits or other healthcare services. The Platform therefore should have provided data subjects with adequate information on the processing carried out as data controller and informed them of the collection of health data during the booking phase. The Garante then pointed out that the services provided by the Platform required different subjects to be involved, and that under the principle of accountability the subjects involved must clearly define the roles played in the data processing, with the specific circumstances of the relationships between the parties and the activities carried out by each subject in the specific context taken into consideration.

The Garante found that in this case the division of roles described by the Platform in the information given to patients did not correspond to the actual way processing was performed and therefore declared the processing carried out by the Platform was unlawful as it was in violation of Articles 5(1)(a), 12, and 13 GDPR. It issued a fine pursuant to Article 83(5)(a) GDPR.

This decision highlights the importance of establishing roles and governance when it comes to personal data protection, especially when dealing with complex ecosystems such as the platform in question. Identifying responsibilities correctly is critical. Though this may seem like a simple matter, it can turn out to be quite complex.