Cy Data Commissioner: Nicosia General Hospital (

A patient claimed that the she shall receive the medical report under the veil of GDPR.

A patient after her hospitalization thought that a detailed medical report is part of her personal data which have been collected by the hospital and for that reason claimed that the she shall receive the medical report under the veil of GDPR. The Cypriot Office of the Commissioner for Personal Data Protection disagreed.


According to the hospital’s policy on discharges procedure, the patient receives only an attestation form and a digital copy of MRI scans. The complainant was hospitalized for several days back in 2016. In September 2019 she asked for her full medical report for which the hospital has asked her to pay administrative fees.

Furthermore, some days after the discharge from the hospital, her employer has fired her. She thought that the firing was on the ground of the health incident, and the only possible source to her employer was the very same hospital’s employee.


The main part of the decisions dealing the question of whether the article 15 activate in advance any “ex-ante right” of the data-subject to access his or her personal data and/or information, even when these data have not prepared, drafted and/or assembled yet.


With regard to the leak of the complainant’s health information, the Cypriot Office of the Commissioner for Personal Data Protection has not been convinced for the substance of relevant complaints. It appears that a complainant for any allegation shall provide some evidence compatible with a minimum burden and standard of proof. Nevertheless, Cypriot DPA has not specified the bottom level of the required proof furthermore.

Regarding the primary concern, Cypriot DPA started her reasoning with the fact that the state health rules command a health facility prepare a medical report only upon request from the patient and only if (s)he pays the regulated fee. Hence, before the patient’s request, the desired information and data did not exist at all. That means the right of access, as the GDPR describes, it is entirely incompatible under such circumstances.

Secondary allegation from the complainant was her belief that the medical report has been lost by negligence of the hospital’s employees. Cypriot Commissioner for Personal Data Protection was satisfied with the security measures which the health facility adopts, while had considered not only these measures of that sort was mentioned as the part of the defence reply. On the contrary, Cypriot Commissioner for PDP also considered all measures, which already have been brought to commissioner’s notice by previous DPA’s initiative enquiries and activities.

Article 15 of GDPR | Article 32(1)(b) οf GDPR | Article 32(1)(d) of GDPR | Article 32(4) of GDPR

This case summary was first published on GDPRHub

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Δημήτρη Δημηρίου v. Cyprus Popular Bank Public Co Limited κ.α. (2018), Πολιτική Έφεση υπ’ αριθμόν E151/156

Το Ανώτατο Δικαστήριο αφού υποβάθμισε τα παραδοσιακά κριτήρια σε βοηθητικά κριτήρια, αποφάνθηκε ότι οι προτεινόμενες τροποποιήσεις δικογράφων δεν προσθέτουν κάτι στην δικαστική κρίση.

Athena Varianes v. Dr. Andreas Vorkas, appeal 269/2006

Cyprus Law on medical negligence - The appellant had filed a legal action against her doctor. The doctor is an eye specialist and well-known for his services to treat nearsightedness with laser surgeries. When the patient arrived home, she could already feel nuisances on both her eyes. There is still doubt as to whether patient's eye sight may ever fully recover.

Slowakische Republik v. Achmea BV, C-284/16

Όταν Διμερή Συνθήκη μεταξύ Κρατών μελών επικαλύπτει το Ενωσιακό Δίκαιο & η θέση των ρητρών διαιτησίας στην ΕΕ

Peter Gauweiler v. Deutscher Bundestag, C-62/14

Κατά τις διορθωτικές παρεμβάσεις της ΕΚΤ δεν πρέπει να παρακινεί τα κράτη-μέλη να παραιτούνται από την επιβαλλόμενη εκ συνθηκών εξυγίανση των δημόσιων οικονομικών τους.