


A plastic surgery company and its doctor are fined for publishing photographs of a patient on social media


Published on 27 November 2023 | reading time approx. 5 minutes

By a decision of 11/09/2023, the State Data Protection Inspectorate ("the Inspectorate"), after examining a complaint, imposed a fine of EUR 6,000 on a company providing plastic surgery services ("the Company") and a fine of EUR 840 on the Company's doctor for the infringements of the General Data Protection Regulation ("the GDPR") that it found. Specifically, the Company was fined for publishing photographs of the patient's body parts on its Instagram account without the patient's consent. The Inspectorate found that the patient could be identified from the photographs made public.

The Inspectorate received a complaint from the applicant about the actions of the Company and its employee (a doctor) in publishing photographs of the parts of the applicant's body from which the applicant could be identified on the Instagram account of the Company and on the personal Instagram account of the doctor.

The complaint stated that the applicant and the Company entered into a personal healthcare contract, under which the applicant received healthcare and non-medical services. The doctor providing the services took photographs of the body parts to be operated on from various angles before and after the surgery and asked the applicant whether he would agree in writing to give his consent to the publication of the photographs for commercial-promotional purposes.

The applicant claimed that he did not give such consent, either verbally or in writing, to the doctor or to the Company, but nevertheless, the images of the applicant's body before and after the surgery were published on the doctor's personal and the Company’s Instagram accounts.

Important and memorable aspects of the Inspectorate's decision

Photographs of body parts, if they are directly or indirectly identifiable, fall within the category of personal data. The Inspectorate found that in the case at hand, the applicant could be indirectly identified, as the photographs published in the public domain showed the colour, shape and length of the applicant's hair, the location of the tattoo and the shape of his body. Moreover, the logo of the Company and the lines drawn in the photographs make it easy to identify the problems that the applicant has dealt with, which further adds to the information about the applicant contained in the photographs. The applicant could have been identified by the applicant himself, the Company, the doctor and persons who know the applicant, on the basis of the image captured in the published photographs. 

In view of the above, the published photographs constitute personal data of the applicant within the meaning of Article 4(1) GDPR. The patient could have been de-identified if the Company had properly depersonalised the photographs, thus eliminating the possibility of direct or indirect identification (even by the Company itself).

Consent to the publication of photographs must be explicit. Photographs of the patient's body parts were classified as health information because they were data relating to the provision of healthcare services to the patient. In such a case, according to Article 9(2)(a) of the GDPR, the Company was obliged to obtain the patient's explicit consent for such publication of personal data. The Company and the doctor sought, but did not obtain, the explicit consent of the applicant in accordance with Article 4(11) GDPR. The Company provided the Inspectorate with evidence (correspondence) that the doctor showed the applicant the photographs to be published and asked whether the applicant would allow the use of his photographs on the doctor's Instagram account. In response to the doctor's question, the applicant repeated several times that he would allow it, but not so soon, that it was necessary to wait a few months and maybe take a better picture. The correspondence submitted demonstrated that the applicant had doubts about the publication of his photographs and was postponing his decision to the indefinite future, i.e. the applicant has apparently not given his specific, unequivocal, let alone explicit, consent to the publication of the photographs of him sent by the doctor after about 5 months, let alone on the Company's Instagram account. The data subject's vague reply by email that he would allow the publication of the photos in the future does not, in itself, constitute an explicit basis for consent under Article 9 of the GDPR (hesitation to consent is not explicit consent).

On this basis, the Inspectorate found that the Company and the doctor, by making the photographs public, had infringed the principles laid down in Article 5(a) and (f) of the GDPR, the conditions for lawful processing laid down in Article 6(1) of the GDPR, and the provisions of Article 9(2) of the GDPR, which set out the conditions under which the processing of health data is considered lawful.

The doctor (the employee of the Company) is personally liable. Taking into account the explanations and legal arguments put forward by the Company and the doctor, the Inspectorate held that the doctor, by posting the applicant's photographs on his Instagram account, acted as an independent data controller who is accountable and liable for his actions in accordance with Article 5(2) of GDPR. This decision was based on the following factors:
  1. neither the Company nor the doctor has provided any evidence that the doctor created his Instagram account and published the content on it acting under the Company's instructions, i.e. that the doctor acted under the authority of the employer, as set out in Article 29 of GDPR. The employment contract with the doctor attached to the Company's explanations did not cover any obligations of the doctor in relation to the management of his Instagram account;
  2. neither the Company nor the doctor has provided any evidence that the doctor acted under the Company's instructions when posting the applicant's photographs on his Instagram account. When asking the applicant for consent to publish the photographs, the doctor indicated that he was asking for consent for the use of the photographs specifically on his Instagram account;
  3. the Company has itself acknowledged that the information published on the doctor's Instagram account raises the doctor's profile among users, and that, accordingly, raising the doctor's profile is related to his professional activity and benefits the doctor in particular;
  4. the Company did not provide any evidence that it has the technical and legal means to influence the processing of personal data on the doctor's Instagram account, and the Inspectorate therefore concluded that the Company does not independently control the doctor's Instagram account.

Author

Laima Nevarauskaitė

Assistant Attorney at Law

+370 5 2123 590
