Estonia
Südameapteegi e-apteek
GDPR enforcement action by Estonian Data Protection Authority (AKI) on 2020-12-01.
Case details
- Authority
- Estonian Data Protection Authority (AKI)
- Date
- 2020-12-01
- Controller / Processor
- Südameapteegi e-apteek
- Sector
- Health Care
- Quoted Articles
- Art. 5 GDPR, Art. 6 GDPR
- Type of violation
- Insufficient legal basis for data processing
Summary
The Estonian DPA (Andmekaitse Inspektsioon) fined three online pharmacies EUR 100,000 each for processing personal data without the consent of the data subjects. The data in question are prescriptions for medicines of the data subjects. Third parties were able to view another person's current prescriptions in the e-pharmacy environment without their consent, based only on access to their personal identification code. The DPA highlighted that while it must be possible to purchase prescription drugs for other people, it is the responsibility of the company to ensure that the processing of the personal data required for this purpose only takes place with the consent of the data subjects. The confirmation of another person that they may access the data, however, does not correspond to the voluntary consent of the prescription holder, since the e-pharmacy cannot check whether and for what purpose the consent was given and whether it was given voluntarily.
Related fines