Back

DATA PROTECTION AUTHORITY SANCTIONS A DENTAL CLINIC FOR CALLING PATIENTS. Interesting decision for all the healthcare facilities

26/07/2017
Silvia Stefanelli

After some patients reported the fact to the Padova’s Medical Association, the Data Protection Authority (DPA), with the act no. 6629169, found a dental clinic guilty of making promotional calls to patients without their consent.

The Anti-Adulteration Unit found out that the dental facility had acquired the database of over a million patients’ data from a foreign company. The dental facility called the people whose contacts were made available by such database to offer them a free dental visit. In fact, the company worked in collaboration and through a subsidiary company.

In this case, the Authority ordered the companies to stop their unlawful activities, also reserving the right to initiate an administrative fine in the future.

During the verifications of the Anti-Adulteration Unit, it was found that the two companies:

  • did not have complete knowledge regarding the origin of the data

  • did not acquire the patients’ specific consent to perform marketing activities

  • did not carry out the necessary audits to determine if the users wanted to receive promotional calls (trusting the company that sold them the data)

The Authority also ensured that the information provided online to patients was incomplete and unclear. In addition, the response given via phone to the patients, who asked for information about how the company acquired their data, was vague and not truthful. 

The first consequence of the provision was the immediate block of the database. In addition, the company was ordered to undertake appropriate measures that would allow the website’s users to give an informed and free consent. The company now has to reformulate the disclosure (clearly stating the data’s area of usage and the entity that they should contact for the requests regarding the exercise of their rights).

The data protection issue was always taken lightly. Now, because of the arrival of the new Reg. 679/2016 and patients’ increased awareness, controls and sanctions are rising.

The question is if the controllers knew they were not complying with the law, or if they had no knowledge of the regulation and its consequences. The first would indicate a questionable behavior, but would be a free entrepreneurial choice. The second is far more serious because it underlines that, at the threshold of the application of the new Reg. 679/2016 (in May 2018), the operators in the sector work without knowing the rules of the game.

This incident may help in reminding every professional about the necessity of handling their patients’ data with much more consideration. Maybe it is time to understand that, regarding data protection, the society, the regulations and the patients have all changed.

Health Law Data Protection
Share