
🇬🇷 Health data and online publication

Data Subject Rights, Legal basis | 30/03/2025

📸 Doctor: Publication of post-op photos of a former patient...

Source: N°50-2024
Greece


💥 The Hellenic Data Protection Authority has issued an exemplary decision following a complaint against a doctor who had repeatedly published post-operative photos of a patient on Instagram and Facebook, despite her explicit refusal.

⚠️ The facts:
👩‍⚕️ The doctor had given assurances that the patient's data would be used exclusively for medical purposes.
📑 The patient had expressly refused to allow photos to be published online.
📲 Despite this, the doctor published several photos online, with the face masked but identifiable elements still visible, along with a detailed description of the procedure.
🚫 After an initial deletion at the patient's request... the photos were published again, “by mistake” a few months later.


🔍 Authority's analysis:
✅ The data controller (the doctor) complied with Article 17 GDPR (right to erasure) after the express request.
❌ But the ex officio investigation highlighted serious breaches:
- ❗ Lack of transparency on the promotional use of data (Article 5.1.a and b GDPR).
- ❗ No explicit mention of marketing use in the consent form (Article 13 GDPR).
- ❗ Unlawful processing of sensitive data without clear consent (Articles 6.1.a and 9 GDPR).

📌 Decision:
🛑 The physician is ordered to:
1. Amend the consent form to clearly include all purposes, including marketing.
2. Keep a rigorous record of requests to withdraw consent.
