A plastic surgery company and its doctor are fined for publishing photographs of patient on Social Media

The Inspectorate received a complaint from the applicant about the actions of the Company and its employee (a doctor) in publishing photographs of the parts of the applicant's body from which the applicant could be identified on the Instagram account of the Company and on the personal Instagram account of the doctor.

The complaint stated that the applicant and the Company entered into a personal healthcare contract, under which the applicant received healthcare and non-medical services. The doctor providing the services took photographs of the body parts to be operated on from various angles before and after the surgery and asked the applicant whether he would agree in writing to give his consent to the publication of the photographs for commercial-promotional purposes.

The applicant claimed that he did not give such consent, either verbally or in writing, to the doctor or to the Company, but nevertheless, the images of the applicant's body before and after the surgery were published on the doctor's personal and the Company’s Instagram accounts.

Photographs of body parts, if they are directly or indirectly identifiable, fall within the category of personal data. The Inspectorate found that in the case at hand, the applicant could be indirectly identified, as the photographs published in the public domain showed the colour, shape and length of the applicant's hair, the location of the tattoo and the shape of his body. Moreover, the logo of the Company and the lines drawn in the photographs make it easy to identify the problems that the applicant has dealt with, which further adds to the information about the applicant contained in the photographs. The applicant could have been identified by the applicant himself, the Company, the doctor and persons who know the applicant, on the basis of the image captured in the published photographs. 

In view of the above, the published photographs constitute personal data of the applicant within the meaning of Article 4(1) GDPR. The patient could have been de-identified if the Company had properly depersonalised the photographs, thus eliminating the possibility of direct or indirect identification (even by the Company itself).

Consent to the publication of photographs must be explicit. Photographs of the patient's body parts were classified as health information because they were data relating to the provision of healthcare services to the patient. In such a case, according to Article 9(2)(a) of the GDPR, the Company was obliged to obtain the patient's explicit consent for such publication of personal data. The Company and the doctor sought, but did not obtain, the explicit consent of the applicant in accordance with Article 4(11) GDPR. The Company has provided the Inspectorate with evidence (correspondence) that the doctor showed the applicant the photographs to be published and asked whether the applicant would allow the use of his photographs on the doctor's Instagram account. In response to the doctor's question, the applicant repeated several times that he would allow it, but not so soon, that it is necessary to wait a few months and maybe take a better picture. The correspondence submitted demonstrated that the applicant had doubts about the publication of his photographs and was postponing his decision to the indefinite future, i.e. the applicant has apparently not given his specific, unequivocal, let alone explicit, consent to the publication of the photographs of him sent by the doctor after about 5 months, let alone on the Company's Instagram account. The data subject's vague reply by email that he will allow the publication of the photos in the future does not, in itself, constitute an explicit basis for consent under Article 9 of the GDPR (hesitation to consent is not an explicit consent). 

On this basis, the Inspectorate found that the Company and the doctor, by making the photographs public, had infringed the principles laid down in Article 5(a) and (f) of the GDPR, the conditions for lawful processing laid down in Article 6(1) of the GDPR, and the provisions of Article 9(2) of the GDPR, which set out the conditions under which the processing of health data is considered lawful.

The doctor (the employee of the Company) is personally liable. Taking into account the explanations and legal arguments put forward by the Company and the doctor, the Inspectorate held that the doctor, by posting the applicant's photographs on his Instagram account, acted as an independent data controller who is accountable and liable for his actions in accordance with Article 5(2) of GDPR. This decision was based on the following factors: