The Estonian Data Protection Inspectorate obliged e-pharmacies to immediately terminate access to another person’s prescription information

Dec 7, 2020

Source: European Data Protection Board

On 30 November, the Estonian Data Protection Inspectorate issued a precept, granted in a warning, with a one-day compliance deadline and a penalty of 100,000 euros to three pharmacy chains that allowed viewing in the e-pharmacy environment the current prescriptions of another person without their consent on the basis of access to their personal identification code.

‘We considered it necessary to urgently suspend the display of valid prescriptions to third persons in e-pharmacy environments on the basis of personal identification codes, as there is no legal basis for such display,’ said Maris Juha, Supervisory Director.

It must be possible to buy prescription medicine for other people, but the solution must ensure that the pharmacist is sure that the prescription information is accessed with the consent of the prescription holder. The Estonian Data Protection Inspectorate cannot approve the violation of data protection requirements in the e-pharmacy environments of the three pharmacy chains.

When the lawyer of the Data Protection Inspectorate checked the e-pharmacy environments, they were able to gain quick access to the prescription information of other persons, using the chat window. First, they had to choose in the chat window whether they requested their own prescription information or the prescription information of someone else, and if they entered the personal identification code of another person, the corresponding information became available. Only one of the three pharmacy chains had a solution which required prior confirmation of whether the person has the right to view the above information. However, another person’s justification is not equivalent to the voluntary consent of the prescription holder, because the e-pharmacy cannot check whether and for what purpose consent has been given and whether it has been given voluntarily.

The Estonian Data Protection Inspectorate initiated an own-initiative procedure pursuant to clause 56 (3) 8) of the Personal Data Protection Act. On 30 November, the e-pharmacies of Apotheka, Südameapteek, and Azeta.ee received the precept, granted in a warning, due by 1 December.

Recent news

EDPB calls for coherence of digital legislation with the GDPR

Brussels, 04 December - During its December 2024 plenary, the European Data Protection Board (EDPB) adopted a statement on the second report of the European Commission on the application of the General Data Protection Regulation (GDPR).* In its statement, the EDPB...

read more

EDPB stakeholder event AI models

The EDPB is holding a stakeholder event on “AI models” with participants representing European sector associations, organisations, NGOs, individual companies, law firms and academics.    During today’s event, the EDPB will collect input for of the preparation of a...

read more