News
Health data and online publication
Doctor: Publication of post-op photos of a former patient...
Source: N°50-2024
Greece
The Hellenic Data Protection Authority has issued an exemplary decision following a complaint against a doctor who had repeatedly published post-operative photos of a patient on Instagram and Facebook, despite her explicit refusal.
The facts:
- The doctor had given assurances that the patient's data would be used exclusively for medical purposes.
- The patient had expressly refused to allow photos to be published online.
- Despite this, the doctor published several photos online, with her face masked but identifiable elements still visible, together with a detailed description of the procedure.
- After an initial deletion at the patient's request... the photos were published again, "by mistake", a few months later.
Authority's analysis:
The data controller (the doctor) complied with Article 17 GDPR (right to erasure) after the express request.
But the ex officio investigation highlighted serious breaches:
- Lack of transparency on the promotional use of data (Article 5.1.a and b GDPR).
- No explicit mention of marketing use in the consent form (Article 13 GDPR).
- Unlawful processing of sensitive data without clear consent (Articles 6.1.a and 9 GDPR).
Decision:
The physician is ordered to:
1. Amend the consent form to clearly include all purposes, including marketing.
2. Keep a rigorous record of requests to withdraw consent.