GHARL - 200.332.312/01

GHARL - 200.332.312/01
Court:	GHARL (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 12(1) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 15(4) GDPR Article 23 GDPR Artikel 35 UAVG
Decided:	26.08.2024
Published:	04.09.2024
Parties:	[Verzoeker] Stichting Sint Antonius Ziekenhuis
National Case Number/Name:	200.332.312/01
European Case Law Identifier:	ECLI:NL:GHARL:2024:5384
Appeal from:	Rb. Midden-Nederland 545440
Appeal to:	Not appealed
Original Language(s):	Dutch
Original Source:	Uitspraak (in Dutch)
Initial Contributor:	jaslvl4

A court held that a hospital failed to comply with a minor patient’s father’s access request by failing to disclose the log data of the child’s medical file.

English Summary

Facts

The claimant is the father of a child treated at Antonius Hospital (controller). During the treatment a social worker was involved with the child and the parents who performed social work for his family.

In 2015, upon his request, the father received a copy of his child's medical record from the controller but claimed that several details were missing, including details about the social worker.

In May 2022, the father exercised his right to access, pursuant to Article 15 GDPR, requesting information from the controller about the social worker, log data on his child's file and involved healthcare providers registration data. The controller provided limited data, arguing further records didn’t exist or weren’t covered by the request.

The father filed a case before the Court of first instance which rejected the father's request.

Before the Court of Appeal, the father explained that he had requested several times to obtain access to all personal data regarding himself and his child but the controller has not provided any data outside his child's medical record and that the controller has misunderstood his request.

The controller claimed that they did not need to provide an overview of the complete log data, because the father is not entitled to this data under Article 15 GDPR, because it does not concern personal data of him or his child.

Holding

The court of Appeal decided to overturn the decision of the Court of first instance and grant part of the fathers requests.

First, the Court of Appeal held that the controller must provide the father with a copy of the personal data it processes about himself and his child in connection with the treatment that still has in his possession, pursuant to Article 15(1) and Article 15(3) GDPR, noting that the controller interpreted the father's access request too narrowly. As far as possible, the controller must choose to provide the personal data in a way that does not infringe the rights or freedoms of its employees and of the mother of the child, according to Article 23(1)(i) GDPR.

Second, the Court of Appeal decided that log data fall within the right of access because consulting or modifying the child's file consists of data processing and therefore falls within the scope of Article 15(1) GDPR. Therefore the controller should provide the log overviews in a way that does not infringe the privacy rights of its employees, without mentioning names of the employees involved, but without depriving the father of all information, according to Article 12(1) GDPR.

Third, Court of Appeal rejected the request of access to healthcare providers’ registration details as disproportionate to the privacy interests of third parties.

Thereby, the Court of Appeal orders the controller to provide access to the father to all personal data of himself and his child processed by it in connection with the child's treatment and to the logs of his child's files within one month. Furthermore, it orders the controller to pay a penalty of €100 per day it fails to comply with the orders with a maximum of €1,000 per separate order.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Judgment
COURT OF APPEAL ARNHEM-LEEUWARDEN
location Arnhem, civil law department

case number court of appeal: 200.332.312

(case number court Midden-Nederland, location Utrecht: 545440)

order of 26 August 2024

regarding

[applicant] ,

who lives in [place of residence1] ,

who has lodged an appeal

and acted as applicant before the court,

hereinafter: [the father] ,

attorney: mr. J. Bredius,

against:

Stichting Sint Antonius Ziekenhuis,

which is established in Nieuwegein

and acted as defendant before the court,

hereinafter: Antonius Ziekenhuis ,

attorney: mr. W.K. Bischot.

and

[the mother] ,
residing in [place of residence2] ,
interested party,
hereinafter: the mother.

1The proceedings before the court
1.1.
For the proceedings before the court, the court refers to the contents of the order of the Midden-Nederland court, Utrecht location, of 14 June 2023.

1.2.
[the father] had requested the court, after supplementing his request, to order Antonius Hospital to provide access to:

the complete files of his daughter, including all contact moments, correspondence and reports;

all (medical) personal data about his daughter, her situation and about himself;

the log overviews concerning the files of his daughter;

the registration data of the healthcare providers involved.

1.3.
The court rejected [the father]'s requests.

2The appeal proceedings
2.1.
[the father] has appealed against the court's decision. The course of the proceedings on appeal is apparent from:

-
the notice of appeal with exhibits A to C;

-
the statement of defence of Antonius Hospital with appendices A to C;

-
deed of submission of further exhibits of [the father] with exhibits D to H.

2.2.
An oral hearing took place on 27 May 2024. A report was made of this and added to the file (the official report). In the official report, the member of the court Mr Lucassen accidentally incorrectly mentioned a 'K.' as the initial instead of 'P.E.', as stated below this decision. Despite this difference in initials, this concerns the same member of the court.

2.3.
The court then determined a decision.

3The facts
3.1.
Due to [the father]'s complaints against the court's fact-finding, the court will hereinafter establish the facts itself.

3.2.
[the father] and his ex-partner had a daughter in 2012. The daughter was admitted to the Antonius Hospital in July and August 2012 because she was born prematurely. The daughter was then admitted briefly again and was treated at Antonius Hospital for a few more years.

3.3.
During her first admission, a social worker from Antonius Hospital was involved with the daughter and the parents. [the father] lost confidence in this social worker at the beginning of October 2012. This was confirmed by the social worker on 4 October 2012. [the father] has made various complaints to the Antonius Hospital in the years that followed.

3.4.
[the father] received a copy of his daughter's medical file from the Antonius Hospital at his request in February 2015. According to [the father], various details are missing from the copy of the medical file he received, including the termination of confidence in the social worker.

3.5.
The parties followed a mediation process that ended in September 2022 without the parties reaching a solution.

3.6.
In May 2022, [the father] asks Antonius Hospital for the registration details of the social worker and for access to the file relating to the social work performed for his family or his daughter since 2012. Later, [the father] also requested the log data of his daughter's file.

3.7.
On 17 October 2022, the board of directors and the data protection officer (FG) respond to [the father]'s emails by email. The email includes the following:

“Medical file log data

On behalf of the FG (…) we are sending you (…) the log data of the accesses to your daughter’s medical file by the [social worker, court] that are in our systems (…).

Social work file and AMK notification

You have asked us several times to issue the ‘social work file’. We cannot comply with this request because such a file does not exist. (…) They pass on relevant information for the treatment of the child to the treating pediatrician or the nurses involved, who ensure that it is recorded in the medical file or they themselves note it directly in the medical file.

(…)

Finally

We know and understand that it is very important for you that it is clear to you what the hospital has communicated to third parties in relation to the treatment of your daughter and the notification made by the GP. We have informed you of this with the above and the information provided earlier.”

4The motivation for the decision on appeal
4.1.
[the father] requested that the court annul the district court's order and grant his requests after all. He withdrew the increase in his request on appeal, namely that the court determine that the Antonius Hospital violated the GDPR, during the oral hearing on appeal.

The outcome

4.2.
The court will grant part of [the father]'s requests and will explain below how it arrived at that decision.

Information from mediation will not be taken into account

4.3.
Prior to the assessment, the court points out that it will not take into account information provided about the content of the mediation, because it took place under the obligation of confidentiality. This means that the court will disregard, among other things, the quotation in paragraph 42 of the second supplement to [the father]'s petition and the attached appendix 13 and everything that the parties have stated about the content of the mediation at the oral hearing before the court.

Scope of the request for access

4.4.
[the father] requests access to all personal data that Antonius Hospital processes about him and his daughter. According to Antonius Hospital, [the father]'s request for access was limited to 1) access to and a copy of his daughter's medical file, 2) the log data of this medical file and 3) the registration data of the care providers involved. According to Antonius Hospital, correspondence or other data that are not included in the medical file do not fall under the request for access that [the father] made to her.

4.5.
At the oral hearing before the court, [the father] explained that he had repeatedly requested Antonius Hospital orally to obtain access to all personal data. The court is of the opinion that [the father] has made it sufficiently clear that he wanted access to all personal data that Antonius Hospital has processed about his daughter and him in the context of his daughter's treatment. Antonius Hospital should have understood it that way. The text under "Finally" in the message of 17 October 2022 on behalf of the board of directors and the data protection officer of Antonius Hospital also shows that the hospital understood his request in this way (see 3.7. above). This means that the court will rule on the request for access as [the father] formulated it in his petition, whereby the request under a. and b. (see 1.2. above) is understood as (also) access to all personal data that Antonius Hospital (has) processed in the context of his daughter's treatment, including correspondence and other processing of their personal data that is not included in the medical file.

Full access not yet provided

4.6.
Under Article 15 paragraph 3 GDPR, Antonius Hospital must provide [the father] with a copy of the personal data it processes about him and his daughter. This obligation means that Antonius Hospital must provide a faithful and comprehensible reproduction of the personal data it processes about them. This may entail that Antonius Hospital would have to provide parts of documents or even complete documents if this is necessary to enable [the father] to actually exercise his GDPR rights. In doing so, the rights and freedoms of others must (of course) be taken into account.1

4.7.
It has been established that [the father] received his daughter's medical file in February 2015. Antonius Hospital thereby provided access to the personal data contained therein. According to [the father], this file is not complete, because it contains nothing about, among other things, withdrawing confidence in the social worker involved. Antonius Hospital confirmed that this information is not in the medical file and, after the court hearing, provided an e-mail exchange between the social worker and the AMK (now Veilig Thuis) from early 2013. Antonius Hospital did not provide [the father] with an overview of the personal data that it processed outside of the medical file of [the father] and his daughter. As a result, it is not clear to him - or to the court - which processing operations are involved. During the oral hearing at the court, Antonius Hospital explained, among other things, that it did not search for personal data of [the father] or his daughter in the mailboxes of the employees. Antonius Hospital only asked the social worker to search his own mailbox for this. A copy of the aforementioned e-mail exchange was then provided to [the father]. It follows that Antonius Hospital has not yet provided access to all personal data that it has processed of [the father] and his daughter, such as personal data that appear in the (internal and external) correspondence and other messages that are not included in the medical file. The court will therefore order Antonius Hospital to provide access to all personal data of [the father] and his daughter that it has processed in the context of the treatment of the daughter and to the extent that these have not yet been provided to [the father].

4.8.
The court notes that Antonius Hospital can only provide access to personal data that it still has. Given the time that has elapsed since the daughter's treatment ended, it is possible that some of the processed personal data has already been destroyed. For example, Antonius Hospital noted that employee mailboxes are cleaned because they may not be kept for long. Antonius Hospital cannot provide access to personal data that it no longer has. In addition, when providing access, Antonius Hospital must - as it itself argues - take into account the rights of others (Articles 15 paragraph 4 and 23 paragraph 1 opening sentence and under i GDPR). This concerns in particular the privacy rights of its employees and the mother. During the oral hearing at the court, the mother noted that Antonius Hospital had not sufficiently taken her privacy rights into account when previously providing personal data to [the father]. Antonius Hospital subsequently confirmed that it may not have paid sufficient attention to this.

4.9.
Considerations relating to the protection of the rights and freedoms of others only justify a restriction of the right of access, insofar as such a restriction does not affect the essential content of those rights and freedoms and, as provided for in Article 23, paragraph 1, under i GDPR, is a necessary and proportionate measure to guarantee that protection.2 This means that Antonius Hospital must weigh up the interest of [the father] in accessing the personal data and the interest of others in protecting their privacy. As far as possible, Antonius Hospital must choose to provide the personal data in a manner that does not infringe on the rights or freedoms of those others. In doing so, it must take into account that this balancing of interests may not result in [the father] being denied all information.3 Blacking out data that can be traced back to third parties can be a good method for this.

Log data

4.10.
It is not disputed between the parties that [the father] requests access to the complete log overviews of his daughter's files. Antonius Hospital has limited itself to providing the social worker's log data, because according to her, it contains the data that [the father] is looking for. In addition, Antonius Hospital argues that it does not have to provide an overview of the complete log data, because [the father] is not entitled to this data on the basis of Article 15 GDPR, because it does not concern personal data of [the father] or his daughter. According to Antonius Hospital, its employees are not recipients within the meaning of Article 15 paragraph 1 under c GDPR, or the interests of its employees take precedence over the interests of [the father]. In the latter case, Antonius Hospital explained that, among other things, the manner in which [the father] has approached a number of employees to date has led to this balancing of interests.

4.11.
The first question before us here is whether providing access to the requested log data falls within the scope of the right of access under Article 15 GDPR. The broad definition of the term ‘personal data’ in the GDPR includes not only the data collected and stored by Antonius Hospital, but also all information resulting from the processing of personal data of [the father] and his daughter.4 The terms ‘processing’ and ‘recipients’ in the GDPR are also interpreted broadly. This means that the right of access under Article 15 paragraph 1 GDPR is also characterised by the broad scope of the information that the controller must provide to [the father].5 The log overviews of the daughter’s medical and nursing file contain information about who consulted or modified that file and when. Providing log data may therefore be necessary to comply with the obligation to grant [the father] access to the information referred to in Article 15 paragraph 1 GDPR. Consulting or modifying the daughter’s file constitutes data processing and therefore falls within the scope of Article 15 paragraph 1 GDPR. On the basis of these log overviews, [the father] can ascertain whether the processing carried out is lawful, which is one of the objectives of the right of access.6 This means that Antonius Hospital must in principle provide access to the log data. Because the log overviews contain personal data of employees of Antonius Hospital, it may not infringe on the rights and freedoms of these employees. As considered above in 4.9., Antonius Hospital must also choose to provide the log overviews in a manner that does not infringe on the privacy rights of its employees, but without withholding all information from [the father]. In addition, the log overviews must be understandable to [the father] on the basis of Article 12 paragraph 1 GDPR, for example by providing a further explanation of the terms used therein.

4.12.
The court therefore does not follow Antonius Hospital in its position that the balancing of interests should result in it not having to provide access to more log overviews. The court considers that providing the log overviews with only the job description of the employees without names and registration details, as Antonius Hospital argues in the alternative, is in principle a correct way to comply with this part of [the father]'s request for access. The court does not follow [the father] in his argument that he should also be given access to the identity of the employees in question. [the father] must be able to assess on the basis of the job description whether the relevant consultation of the file was lawful. Moreover, the interest of the employees of Antonius Hospital not to be approached or sued directly by him outweighs his right to access their identity in order to be able to initiate any (disciplinary) complaints.

4.13.
The foregoing means that the court does not proceed with the provision of log data on the basis of the Supplementary Provisions for the Processing of Personal Data in Healthcare Act. This Act applies, as the parties also rightly recognise, in addition to the GDPR. [the father] bases his request, however, on Article 15 GDPR in conjunction with Article 35 of the Implementation Act on the GDPR (UAVG).

Registration data

4.14.
Finally, [the father] requests access to the registration data of the healthcare providers involved in the treatment of his daughter. [The father] has not sufficiently explained why these data, which are not personal data of [the father] or the daughter, but personal data of the healthcare providers concerned, fall within the scope of the right of access under Article 15 GDPR. He does state that this information is essential to enable him to check whether they have processed personal data under the authority and in accordance with various regulations, but he has not explained which processing of personal data this would involve. To the extent that he wishes to receive these data from the employees who have consulted or modified his daughter's files on the basis of the log overviews, the court refers to its judgment in 4.12. The privacy interest of these employees outweighs the interest of [the father] in this request.

4.15.
To the extent that the court must understand the comments of Antonius Hospital regarding abuse of rights to mean that it itself also invokes abuse of rights in the context of the request for registration data of the healthcare providers, the court will not do so, because it follows from the foregoing that the request for access to the registration data will be rejected.

The requests

4.16.
It follows from the judgments given above that the court will largely grant the requests of [the father] under a. to c. (see above in 1.2.) and will reject the request under d. This means that the court will order Antonius Hospital to provide [the father] with access to all personal data that it (has) processed of [the father] and his daughter in the context of the treatment of the daughter with the information as referred to in Article 15 paragraph 1 GDPR, insofar as this has not yet been provided to [the father] and with due observance of the privacy rights of others, such as the mother and the employees of Antonius Hospital. In addition, the court will order Antonius Hospital to provide the log overviews of the files of [the father]'s daughter without mentioning the names of the employees concerned. These overviews must be understandable to [the father], for which an explanation of these overviews and the terms mentioned therein may be necessary. The court will reject the request for registration data.

4.17.
[the father] has also requested that a penalty be imposed in the event that Antonius Hospital does not comply with providing access within one week. According to Antonius Hospital, there are no grounds for a penalty and it will cooperate in a conviction. The court nevertheless sees reason to award a limited penalty of € 100 per day with a maximum of € 1,000 per individual conviction. Despite the fact that Antonius Hospital has not explicitly defended the term of one week, the court will - due to the long period that has elapsed since [the father]'s daughter was treated at Antonius Hospital, which may require more effort to unlock and make the requested data available - set a term of one month.

5Conclusion
5.1.
The appeal is largely successful and Antonius Hospital will be ordered to pay [the father]'s legal costs as the predominantly unsuccessful party.

6The decision
The court, ruling on appeal:

6.1.
annuls the decision of the Midden-Nederland District Court, Utrecht seat, of 14 June 2023;

6.2.
orders Antonius Hospital to provide [the father] with access to all personal data of [the father] and his daughter processed by it in the context of the treatment of the daughter, regardless of whether these are included in a medical file - insofar as these have not yet been provided to [the father] and insofar as this access does not infringe on the rights and freedoms of third parties - including the information included in Article 15 paragraph 1 GDPR;

6.3.
orders Antonius Hospital to provide [the father] with access to the log overviews of his daughter's files within one month of this decision in a manner that is understandable to [the father] and does not infringe on the rights and freedoms of third parties;

6.4.
orders Antonius Hospital to pay a penalty of € 100 per day, including part of a day, on which it fails to comply with the orders of 6.2. and/or 6.3., with a maximum of € 1,000 per individual conviction;

6.5.
orders Antonius Hospital to pay the following legal costs of [the father] until the court's judgment:

€ 314 in court fees

€ 1,196 in fees of [the father]'s lawyer (2 procedural points x rate € 598)

and to pay the following legal costs of [the father] in the principal appeal:

€ 343 in court fees

€ 2,428 in fees of [the father]'s lawyer (2 procedural points x appeal rate € 1,214)

6.6.
declares the above convictions provisionally enforceable;

6.7.
dismisses the other requests.

This order was made by Mrs. M.P.M. Hennekens, W.F. Boele and P.E. Lucassen and was pronounced in the presence of the registrar at the public hearing of 26 August 2024.