Authors

Judith Krens, Partner

Marthe Riewald, Lawyer

30 September 2019

First Dutch GDPR fine for failing to ensure security of patient files

Quick read

Since the General Data Protection Regulation (GDPR) came into force in May 2018, the data protection authorities have been making use of their new or enhanced supervisory powers. In the Netherlands, the Dutch Data Protection Authority (DDPA) imposed its first GDPR fine in July 2019 on a hospital for failing to ensure the security of patient files.

The GDPR

The GDPR sets out under what circumstances information relating to an identified or identifiable natural person can be processed. This kind of data is referred to as "personal data".

Companies in the life sciences sector in particular should be aware that where personal data concerns (inter alia) genetic data, biometric data, sex life or sexual orientation, or health in general, it is considered a "special category" of personal data.

In short, this means that in addition to the rules for "general" personal data, companies processing special categories of personal data must adhere to stricter rules.

The case

The Haga Hospital notified the DDPA of a data breach on 4 April 2018. The breach concerned unlawful access to the patient file of a well-known Dutch data subject. The hospital informed the DDPA that, in the relevant period, 197 employees had accessed the patient file, 100 of them without a lawful basis. An investigation of the case followed.

The assessment

The GDPR (Article 32) requires technical and organisational measures that ensure a level of security appropriate to the risk in question. The Haga Hospital was found not to have applied two-factor authentication for access to patient files, which would have been appropriate in this case, as health data, a special category of personal data, was being processed. The practical point for any organisation handling special-category data is that access control alone is not enough: the 100 unlawful accesses were only identifiable because access to the file was logged per employee and could be compared against who actually had a reason to open it.
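The kind of check the case turns on, as an added illustration that is not part of the original article or of the DDPA's decision: an audit of an electronic-health-record access log for one patient that reports every access by a staff member without a documented care relationship. The log lines, the staff identifiers, the patient identifier and the care-team list are all constructed sample data, and the log format (timestamp, staff id, patient id, action) is an assumption.

```python
"""Access-log audit for a single patient record.

Added example, not code from the page or from any hospital system: given an
EHR access log and the set of staff with a documented care relationship to a
patient, list every access that lacks such a relationship. All identifiers
and log lines below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. Assumed format per line:
#   <ISO-8601 timestamp> <staff id> <patient id> <action>
SAMPLE_LOG = """\
2018-03-30T08:12:05Z u1001 P42 view
2018-03-30T08:13:40Z u1001 P42 view
2018-03-30T09:01:12Z u2050 P42 view
2018-03-30T09:05:30Z u3333 P42 print
2018-03-31T14:22:01Z u2050 P42 view
2018-03-31T14:25:44Z u4444 P42 view
2018-04-01T10:00:00Z u1001 P77 view
"""

# Constructed care team: staff ids with a documented treatment relationship
# to each patient during the relevant period.
CARE_TEAM = {"P42": {"u1001", "u2050"}}


@dataclass(frozen=True)
class Access:
    ts: datetime
    staff: str
    patient: str
    action: str


def parse_log(text: str) -> list[Access]:
    """Parse whitespace-separated log lines into Access records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, staff, patient, action = line.split()
        # Python's fromisoformat does not accept a trailing 'Z' before 3.11.
        entries.append(Access(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                              staff, patient, action))
    return entries


def audit_patient(entries: list[Access], patient: str,
                  care_team: dict[str, set[str]]):
    """Return (distinct staff who accessed, distinct staff without a care
    relationship, list of flagged accesses) for one patient."""
    relevant = [e for e in entries if e.patient == patient]
    allowed = care_team.get(patient, set())
    flagged = [e for e in relevant if e.staff not in allowed]
    total_staff = {e.staff for e in relevant}
    unlawful_staff = {e.staff for e in flagged}
    return len(total_staff), len(unlawful_staff), flagged


def accesses_per_staff(flagged: list[Access]) -> Counter:
    """Count flagged accesses per staff member, for follow-up."""
    return Counter(e.staff for e in flagged)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    total, unlawful, flagged = audit_patient(log, "P42", CARE_TEAM)
    print(f"P42: {total} staff accessed the file, {unlawful} without a care relationship")
    for e in flagged:
        print(f"  {e.ts.isoformat()} {e.staff} {e.action}")
    print(accesses_per_staff(flagged))
```

The comparison of "who opened the file" against "who was treating the patient" is the organisational measure that turns a log into a control; without a maintained care-team list the log only shows volume, not lawfulness. Two-factor authentication addresses a different risk (a shared or stolen password), so both are needed.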

The fine

The fine amounted to €460,000. In addition, the DDPA imposed an order subject to a periodic penalty payment requiring the hospital to take the measures set out by the DDPA. Should the Haga Hospital fail to comply, it risks penalty payments of up to a further €300,000.

