First Dutch GDPR fine for failing to ensure security of patient files

Since the General Data Protection Regulation (GDPR) came into force in May 2018, the data protection authorities have been making use of their new and/or enhanced supervising powers. In the Netherlands, the Dutch Data Protection Authority (DDPA) imposed the first fine in July 2019 on a hospital processing.

The GDPR

The GDPR sets out under what circumstances information relating to an identified or identifiable natural person can be processed. This kind of data is referred to as "personal data".

Especially for companies in the life sciences sector, it is important to know that where the personal data concerns (inter alia) genetic data, biometric data, sex life or sexual orientation, or health in general, it is considered to be a "special category" of personal data.

In short, this means that in addition to the rules set out for "general" personal data, companies processing special categories of personal data should adhere to (even) more strict rules.

The case

The Haga Hospital notified the DDPA of a data breach on 4 April 2018. The breach related to unlawful access of a patient file of a (well-known) Dutch data subject. The hospital informed the DDPA that, in the relevant period, 197 employees had access to the patient file – 100 of which on an unlawful basis). An investigation of the case followed.

The assessment

The GDPR sets out that there should be technical and organisational measures to ensure a level of security, appropriate to the risk in question. The Haga Hospital was found not to have applied a two-step authentication process, which would have been appropriate in this case, as health data – a special category of personal data – was processed.

The fine

The fine amounted to €460,000. Additionally, the DDPA imposed an order subject to penalty to take the measures as set out by the DDPA. Should the Haga Hospital not comply, they risk an additional fine of up to €300,000.