€15,000 fine from the Data Protection Authority to a Parliamentary candidate for breach of personal data

It was not only former New Democracy MEP Anna-Michelle Asimakopoulou who, ahead of the European elections last June, sent mass emails to Greek expatriates after a data leak from the Ministry of Interior’s emigrants’ registry. A similar practice was adopted during the May 2023 parliamentary elections by Myron Tsangarakis, a plastic surgeon at the National Health System (NHS) and PASOK parliamentary candidate for East Attica (who ultimately was not elected). Tsangarakis used personal data of patients and hospitalized individuals from the archive of “Andreas Syggros” Hospital.

Last week, the Personal Data Protection Authority imposed a €15,000 fine on the doctor for the breach of personal data after two citizens complained that they had been hospitalized at “Andreas Syggros” and subsequently received campaign SMS messages from the candidate.

The PASOK candidate sent SMS messages to the mobile phones of former and current patients of the hospital, urging them to vote for him. The SMS read: “You who had surgery at the NHS, vote for PASOK and Myron Tsangarakis, candidate in East Attica. Central speech 14/5, Rafina Town Hall, 18:30,” followed by his Facebook address.

One recipient of the SMS, who had undergone a minor surgical procedure at the hospital six years ago without ever being examined by Mr. Tsangarakis or having any contact with him, filed a complaint with the hospital administration on May 5, 2023.

In their letter, the complainant highlighted that the candidate had unlawfully processed their personal and sensitive medical data. They also requested to know what specific data the doctor had accessed, who had access to patients’ personal data at the hospital, and how the integrity of patient data was being safeguarded.

The hospital’s data protection officer responded to the complainant but failed to address the questions raised. The response stated that “as part of his medical duties at the hospital and exclusively for the purpose of providing medical services on behalf of the hospital, Mr. Tsangarakis legally accessed patient data.” Consequently, “the provision of access to hospital doctors to patient databases for the fulfillment of their medical duties does not in any way constitute a breach of personal data.”

Furthermore, the hospital official mentioned that Mr. Tsangarakis had been questioned about the incident and denied “engaging in any processing of patient data for the purpose of sending campaign messages, claiming that the mobile numbers he used for political communication during his campaign came from his personal archive or patients he had personally treated.”

Nevertheless, a formal administrative investigation (EDE) was conducted.

As time passed without any update on the outcome of the investigation, the complainant requested a copy of the investigation’s findings last July.

Closure

In early August, the hospital responded that it could not provide a copy of the investigation as “the necessary consent was not granted by Mr. Tsangarakis.” However, the hospital noted that “Mr. Tsangarakis, as a member of the hospital’s surgical department, lawfully has access to the data of all patients in that department, regardless of whether he personally treated them, as is the case for all medical personnel.” It also emphasized that “the personal data accessed by the doctor were demographic details.”

In another part of the response, it was mentioned that the surgical department and its doctors have access to all patient data, while the outpatient clinic secretariat has access to demographic data for scheduling purposes.

Following these developments, the complainant, through their lawyer Panagiotis Perakis, appealed to the Personal Data Protection Authority. They stated that “this is a monumental example of audacity, irresponsibility, and a violation of fundamental obligations under personal data protection law, concerning fundamental rights that were blatantly disregarded and violated, particularly in the highly sensitive field of health, by a public official and a public hospital.”

They further argued that the handling and processing of patient data were grossly inadequate and non-compliant with the law, lacking appropriate measures to protect sensitive personal and health-related data.

Embarrassment for PASOK

It was also noted that the doctor, “without any sense of duty to uphold the law and disregarding the fact that his actions exposed not only the public hospital where he works but also the political party he represents, engaged in the processing (collection and use) of my personal data.” Moreover, the data “were used for political communication purposes, i.e., solely for his personal political gain.”

It was further highlighted that the doctor “abused his position and status, exploiting the hospital’s numerous shortcomings in protecting the personal data it maintains.”

> Greece