The Portuguese privacy watchdog has fined a Portuguese hospital €400,000 for two violations of the General Data Protection Regulation (GDPR). The hospital is contesting the decision and may take it to court.

That is what the Portuguese newspaper Publico reports today. The Portuguese data protection authority (CNPD) imposed fines for two GDPR violations: one of 300,000 euros, the other of 100,000 euros. That is far below the maximum the regulation allows: 20 million euros or 4 percent of an organisation's worldwide annual turnover, whichever is higher.

The infringements

The hospital in Barreiro was found to have given nine social workers access to patients' clinical records. Furthermore, 985 user accounts had an access profile equivalent to a doctor's, even though only 296 doctors work at the hospital.

A fine of 300,000 euros was imposed for failing to respect patients' privacy, and a fine of 100,000 euros for inadequate data protection measures. According to the hospital's management, the Centro Hospitalar Barreiro Montijo (CHBM) does not share the premises of the National Data Protection Commission (CNPD) in this matter: "We are currently preparing legal action."

Cautious approach

Yet the CNPD appears sure of its case. An inspection showed that a test profile on the hospital's systems gave unrestricted access to patient data. The hospital reportedly acknowledged that unused profiles existed on its systems, but stated that they were temporary profiles for doctors working on a contract basis.
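The two findings above (social workers holding a clinical profile, far more doctor-level accounts than doctors, and test or temporary profiles left active) are all caught by the same routine control: reconciling who holds a clinical-access profile against who is entitled to one according to the HR roster. The following is an added illustration, not code from the hospital, the CNPD or Techzine; the profile names, job titles, 90-day dormancy threshold and all sample accounts are constructed for the example.

```python
"""Entitlement reconciliation: compare who *holds* a clinical-access profile
with who is *entitled* to one according to the HR roster.

Hypothetical data model and thresholds for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    profile: str                 # access profile assigned in the clinical system
    hr_id: Optional[str]         # link to an HR record; None = no owner on file
    last_login: Optional[date]   # None = never used


@dataclass(frozen=True)
class Employee:
    hr_id: str
    job_title: str
    active: bool                 # False once the contract has ended


# Profiles that expose clinical records, and the job titles entitled to hold
# them (an assumed scheme for this example, not any real hospital's).
ENTITLED_TITLES = {"physician": {"doctor"}, "nurse": {"nurse"}}
DORMANT_AFTER = timedelta(days=90)


def reconcile(accounts: List[Account], employees: List[Employee],
              today: date) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every clinical-profile account
    that should not exist, should not have that profile, or is unused."""
    by_id = {e.hr_id: e for e in employees}
    findings = []
    for a in accounts:
        if a.profile not in ENTITLED_TITLES:
            continue  # non-clinical profile: out of scope for this check
        owner = by_id.get(a.hr_id) if a.hr_id else None
        if owner is None:
            findings.append((a.username, "no_owner"))       # test/generic/orphaned
        elif not owner.active:
            findings.append((a.username, "owner_left"))     # contract ended, profile kept
        elif owner.job_title not in ENTITLED_TITLES[a.profile]:
            findings.append((a.username, "not_entitled"))   # e.g. social worker as doctor
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append((a.username, "dormant"))
    return findings


def headcount_gap(accounts: List[Account], employees: List[Employee],
                  profile: str) -> Tuple[int, int]:
    """(accounts holding `profile`, active staff entitled to it).
    A large gap is the 985-versus-296 signal, visible without any per-account detail."""
    holders = sum(1 for a in accounts if a.profile == profile)
    entitled = sum(1 for e in employees
                   if e.active and e.job_title in ENTITLED_TITLES[profile])
    return holders, entitled


# Constructed sample data (not real staff or accounts).
TODAY = date(2018, 10, 1)
EMPLOYEES = [
    Employee("D1", "doctor", True),
    Employee("D2", "doctor", True),
    Employee("D3", "doctor", False),          # contract ended
    Employee("S1", "social worker", True),
    Employee("N1", "nurse", True),
]
ACCOUNTS = [
    Account("asilva",   "physician", "D1", TODAY - timedelta(days=2)),
    Account("jcosta",   "physician", "D2", TODAY - timedelta(days=10)),
    Account("rpinto",   "physician", "D3", TODAY - timedelta(days=200)),  # left, still enabled
    Account("msantos",  "physician", "S1", TODAY - timedelta(days=1)),    # social worker with doctor profile
    Account("test_med", "physician", None, None),                         # test profile, never used
    Account("lnunes",   "nurse",     "N1", TODAY - timedelta(days=5)),
    Account("social1",  "socialwork", "S1", TODAY - timedelta(days=3)),   # not a clinical profile
]

if __name__ == "__main__":
    for username, finding in reconcile(ACCOUNTS, EMPLOYEES, TODAY):
        print(f"{username:10s} {finding}")
    print("physician profile holders vs entitled doctors:",
          headcount_gap(ACCOUNTS, EMPLOYEES, "physician"))
```

The headcount comparison is the cheap first check: it needs only two numbers and would have flagged the Barreiro situation immediately. The per-account pass then says which accounts to disable. Note that "temporary profile for a contract doctor" is not a finding the routine accepts on its own: a temporary profile still needs an owner on the HR roster, and once that owner's contract ends the profile shows up as owner_left, which is exactly the kind of unattended access an authority treats as a failure of technical measures.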

The fine is one of the first issued under the GDPR since the regulation became applicable on 25 May 2018. That it is relatively low suggests that supervisory authorities are still taking a cautious approach.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.