First GDPR fine in Portugal issued against hospital for three violations

Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation.

The country’s supervisory authority, the Comissão Nacional de Protecção de Dados (CNPD), found three violations of the GDPR. The first was a violation of Article 5(1)(c), the data minimisation principle, by allowing indiscriminate access to an excessive number of users, together with Article 83(5)(a), which covers violations of the basic principles for processing. For those, the fine was 150,000 euros.

The second was a violation of integrity and confidentiality under Article 5(1)(f), resulting from the failure to apply technical and organisational measures to prevent unlawful access to personal data, and again of Article 83(5)(a), a violation of the basic principles for processing. There, the fine was also 150,000 euros.

Both of the above were punishable with a fine of up to 20 million euros or 4 percent of the total annual turnover.

Finally, the CNPD imposed a fine under Article 32(1)(b) for the defendant's inability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and for failing to implement technical and organisational measures ensuring a level of security appropriate to the risk, including a process for regularly testing, assessing and evaluating the effectiveness of those measures. There the fine was 100,000 euros, though the maximum fine was 10 million euros or 2 percent of the total annual turnover.

The defence submitted by the hospital argued that the CNPD could not be considered the supervisory authority under Article 51 because it had not yet been formally appointed. To this, the CNPD responded that it is, for all purposes, the national authority with the power to control and supervise compliance with data protection under the current Portuguese Data Protection Law.

Among the hospital's other arguments was that it used the IT system provided to public hospitals by the Portuguese Health Ministry, not its own systems.


SOURCE: iapp.org – Dr. Ana Menezes Monteiro
