Greece: Authorisation of disclosure of sensitive data to a third party for judicial purposes
Published 1 December 2014
In a number of decisions issued during this period (including, without limitation, the decisions under numbers 166/2014, 167/2014, 171/2014, 177/2014, 179/2014), the Hellenic Data Protection Authority (HDPA) authorised the disclosure by various health care providers (e.g. hospitals and/or doctors) in their capacity as data controllers of sensitive data of medical service recipients (data subjects) to third parties for judicial purposes, provided that the data subjects would be previously notified thereof.
Depending on the circumstances of each case, the disclosure of sensitive data, for which a license from the HDPA was sought, typically related to providing access to content of medical file records or other medical information regarding data subjects to third parties, for the latter to be able to use such information in the context of pending litigation relating to data subjects (e.g. defence of medical practice lawsuit filed against a dentist by a data subject, support of a lawsuit filed by a husband against data subject/his wife for the award of child custody and the determination of the family housing, support of a petition for injunctive relief filed by a parent relating to child contact).
In addressing the relevant requests of healthcare providers, the HDPA took into account the provisions of law 2472/1997 (Hellenic Data Protection Act) on terms and conditions for a lawful processing of sensitive data, and the prior notification of data subjects by the data controllers regarding the disclosure of their data to third parties as well as the provisions of Medical Code on granting of medical certificates, by way of exception, to third parties and examined whether:
- The processing purpose was in accordance with relevant provisions of the Hellenic Data Protection Act, especially Art. 7 par. 2 elem. c thereof, pursuant to which the processing of sensitive data and the formation and operation of a relevant file is, by way of exception, allowed, upon license by the HDPA, that is affirmed, among others, where the processing refers to data that are necessary for the acknowledgement, exercise and defence of rights before a court or a disciplinary body; and
- The principle of proportionality was met, especially as regards the issue whether the scope of the requested sensitive data-related information was absolutely necessary for the effectuation of the judicial purpose at issue.
Such HDPA decisions could be used, upon circumstances, as a reference in case of relevant requests by insurers to the HDPA.
Supplied by Maria Demirakou, Attorney-at-Law (Senior Associate) at Rokas Law Firm in Athens, Greece.
What action could be taken to manage risks that may arise from this development?
To be taken into account by companies if they operate in Greece, in the context of submission of requests to the HDPA for the granting of license for disclosure of sensitive data of its clients to third parties, for judicial purposes.