Source: DLA Piper
Today, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, "Dutch DPA") issued its first GDPR fine, of EUR 460,000. The fine is imposed on the Dutch Haga Hospital for insufficient internal security of patient records. That the first GDPR fine was imposed on a hospital is not a complete surprise: in December 2018, the Dutch DPA had already announced that it would focus its enforcement actions on the public and health sectors.
Prior to imposing the fine, the Dutch DPA opened an investigation after it emerged that a large number of hospital staff (197 employees!) had accessed the medical records of a Dutch celebrity. During its investigation, the Dutch DPA checked whether the hospital's information security systems met the security requirements of Article 32 GDPR and, more specifically, the sector-specific security standards that apply to health care.