The Estonian Data Protection Inspectorate obliged e-pharmacies to immediately terminate access to another person’s prescription information

8 December 2020

On 30 November, the Estonian Data Protection Inspectorate issued a precept, granted in a warning, with a one-day compliance deadline and a penalty of 100,000 euros to three pharmacy chains that allowed viewing in the e-pharmacy environment the current prescriptions of another person without their consent on the basis of access to their personal identification code.

‘We considered it necessary to urgently suspend the display of valid prescriptions to third persons in e-pharmacy environments on the basis of personal identification codes, as there is no legal basis for such display,’ said Maris Juha, Supervisory Director.

It must be possible to buy prescription medicine for other people, but the solution must ensure that the pharmacist is sure that the prescription information is accessed with the consent of the prescription holder. The Estonian Data Protection Inspectorate cannot approve the violation of data protection requirements in the e-pharmacy environments of the three pharmacy chains.

When the lawyer of the Data Protection Inspectorate checked the e-pharmacy environments, they were able to gain quick access to the prescription information of other persons, using the chat window. First, they had to choose in the chat window whether they requested their own prescription information or the prescription information of someone else, and if they entered the personal identification code of another person, the corresponding information became available. Only one of the three pharmacy chains had a solution which required prior confirmation of whether the person has the right to view the above information. However, another person’s justification is not equivalent to the voluntary consent of the prescription holder, because the e-pharmacy cannot check whether and for what purpose consent has been given and whether it has been given voluntarily.

The Estonian Data Protection Inspectorate initiated an own-initiative procedure pursuant to clause 56 (3) 8) of the Personal Data Protection Act. On 30 November, the e-pharmacies of Apotheka, Südameapteek, and received the precept, granted in a warning, due by 1 December.

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.