Inquiry into Centric Health Ltd. (“Centric”) - February 2023

Date: 23 January 2023
Section: Decisions made under Data Protection Act 2018
In the matter of the General Data Protection Regulation
DPC Case Reference: IN-21-2-4
In the matter of Centric Health Ltd.
Decision of the Data Protection Commission made pursuant to Section 111 of the Data Protection Act 2018
Further to an own-volition inquiry commenced pursuant to Section 110 of the Data Protection Act 2018
DECISION
Decision-Maker for the Data Protection Commission:
_______________________
Helen Dixon
Commissioner for Data Protection
23 January 2023
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
Contents
A. Introduction .................................................................................................................................... 4
B. Legal Framework for the Inquiry and the Decision ......................................................................... 4
i) Legal Basis for the Inquiry ........................................................................................................... 4
ii) Data Controller ............................................................................................................................ 4
iii) Legal Basis for the Decision ......................................................................................................... 5
C. Factual Background ......................................................................................................................... 5
D. Scope of the Inquiry and the Application of the GDPR ................................................................. 12
E. Centric’s Submissions in relation to the Draft Decision ................................................................ 14
F. Issues for Determination............................................................................................................... 15
G. Analysis of the Issues for Determination ...................................................................................... 16
a) Assessment of the Risks ............................................................................................................ 16
b) Measures Implemented by Centric to Address the Risks ......................................................... 19
c) Processes to test, assess and evaluate effectiveness of measures .......................................... 27
H. Findings Regarding Article 5(1)(f) and 32(1) ................................................................................. 28
I. Accountability Principle ................................................................................................................ 29
J. Finding Regarding Article 5(2)GDPR ............................................................................................. 30
K. Decision on Corrective Powers ..................................................................................................... 30
L. Reprimand ..................................................................................................................................... 31
M. Administrative Fines ................................................................................................................. 31
Article 83(2)(a) GDPR: the nature, gravity and duration of the infringement taking into account
the nature, scope or purpose of the processing concerned as well as the number of data subjects
affected and the level of damage suffered by them; ...................................................................... 33
The nature of the infringement ..................................................................................................... 34
The gravity of the infringement .................................................................................................... 34
The duration of the infringement .................................................................................................. 35
Article 83(2)(b) GDPR: the intentional or negligent character of the infringement; ..................... 35
Article 83(2)(c) GDPR: any action taken by the controller or processor to mitigate the damage
suffered by data subjects; ................................................................................................................ 37
Article 83(2)(d) GDPR: the degree of responsibility of the controller or processor taking into
account technical and organisational measures implemented by them pursuant to Articles 25
and 32 GDPR; .................................................................................................................................... 39
Article 83(2)(e) GDPR: any relevant previous infringements by the controller or processor; ...... 39
Article 83(2)(f) GDPR: the degree of cooperation with the supervisory authority, in order to
remedy the infringement and mitigate the possible adverse effects of the infringement; .......... 39
Article 83(2)(g) GDPR: the categories of personal data affected by the infringement;................. 40
Article 83(2)(h) GDPR: the manner in which the infringement became known to the supervisory
authority, in particular whether, and if so to what extent, the controller or processor notified
the infringement; ............................................................................................................................. 40
Article 83(2)(i) GDPR: where measures referred to in Article 58(2) have previously been ordered
against the controller or processor concerned with regard to the same subject-matter,
compliance with those measures; ................................................................................................... 40
Article 83(2)(j) GDPR: adherence to approved codes of conduct pursuant to Article 40 GDPR or
approved certification mechanisms pursuant to Article 42 GDPR; and ......................................... 41
Article 83(2)(k) GDPR: any other aggravating or mitigating factor applicable to the circumstances
of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the
infringement. .................................................................................................................................... 41
N. Decisions on Whether to Impose Administrative Fines ................................................................ 41
Article 83(3) GDPR ............................................................................................................................ 43
Articles 83(4) and 83(5) GDPR .......................................................................................................... 46
O. Summary of Envisaged Action ...................................................................................................... 50
P. Right of Appeal .............................................................................................................................. 50