It was brought to the attention of the data protection authority that a physician was “posting” personal health and patient data in the form of selected excerpts from patient letters, findings or other medical records/protocols on his personal Facebook page as well as on the official Facebook presence of the medical association in order to publicly criticize. The data protection authority initiated proceedings pursuant to Art. 58, 57, 55 in conjunction with Art.
1 GDPR (“ex officio review procedure”).
Cease-and-desist orders from the medical association and disciplinary proceedings have so far not stopped the person responsible from continuing to publish his patients’ health data on publicly accessible social media platforms.
According to § 22 para. 4 DSG in connection with § 57 para. 1 AVG, the data protection authority is entitled to prohibit the continuation of data processing by means of a mandate notice without a prior investigation procedure if data processing poses a significant direct threat to the confidentiality interests of affected persons that are worthy of protection (imminent danger). This was objectively the case. The publication of patient and health data undoubtedly constituted a serious encroachment on the fundamental right to data protection of the persons concerned pursuant to Section 1 of the Data Protection Act. A legal basis for this type of publication was not readily apparent.
With a mandate notice, the responsible person was therefore prohibited from disclosing personal health and patient data on the personal Facebook page as well as on the official Facebook presence of the Medical Association for Vienna and other public Facebook groups/pages and social media platforms with immediate effect.