Free Preparation Discussions
MENU
Exin Exam PDPF Topic 7 Question 83 Discussion
Topic #: 7
A secretary at a pediatric cardiology clinic instead of sending the doctor the list of patients scheduled for the day, sends it to all those responsible registered for the children with scheduled appointments.
According to the GDPR, does the Supervisory Authority need to be notified? And those responsible for the data holders?
This is an issue that addresses two very important points -- sensitive data and data from minors.
As these are, it is necessary to inform the Supervisory Authority and those responsible for the data subjects. Article 34 mentions:
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Recital 38 says:
Children merit specific protection regarding their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Currently there are no comments in this discussion, be the first to comment!