TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | First GDPR fine in Portugal issued against hospital for three violations Related reading: Looking ahead to the first full year of the GDPR




Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation.

The country's supervisory authority, Comissão Nacional de Protecção de Dados, found that there were three violations of the GDPR. First was a violation of Article 5(1)(c), a minimization principle, by allowing indiscriminate access to an excessive number of users, and a violation of Article 83(5)(a) a violation of the processing basic principles. For those, the fine was 150,000 euros. 

The second, a violation of integrity and confidentiality as a result of non-application of technical and organizational measures to prevent unlawful access to personal data under Article 5(1)(f), and also of Article 83(5)(a), a violation of the processing basic principles. There, the fine was 150,000 euros. 

Both of the above were punishable with a fine of up to 20 million euros or 4 percent of the total annual turnover. 

Finally, the CNPD fined under Article 32(1)(b), the incapacity of the defendant to ensure the continued confidentiality, integrity, availability and resilience of treatment systems and services as well as the non-implementation of the technical and organizational measures to ensure a level of security adequate to the risk, including a process to regularly testing, assessing and evaluating the technical and organizational measures to ensure the security of the processing. There the fine was for 100,000 euros, though the maximum fine was 10 million euros to 2 percent of the total annual turnover. 

The defense submitted by the hospital referred that the CNPD could not be considered as the supervisory authority as per Article 51 because it had not yet been appointed formally. To this, CNPD responded that it is, for all purposes, the national authority which has the power to control and supervise the compliance in terms of data protection in accordance with the current Portuguese Data Protection Law.

Also, among its arguments was that the hospital used the IT system provided to public hospitals by the Portuguese Health Ministry and not its own systems.

Some facts considered proven by the CNPD:

  • There was no document containing the correspondence between the functional competences of the users and the profiles for access to the information (including to clinical information).
  • There was also no document defining the rules for creating users of the hospital's information system.
  • Nine technical employees enjoyed the level of access reserved for the medical group, which resulted in the indiscriminate possibility of such employees consulting the clinical processes of all hospital users.
  • Existence of access credentials which allowed any doctor, regardless of his/her specialty, to access at any time the data of the clients of a hospital. This was considered as violating the principle of "need to know" and the principle of "minimization of data." 
  • There were 985 users associated with the profile "doctor," but in the official hospital human resources charts there are only 296 doctors in that hospital.
  • Maintenance of useless profiles for doctors who no longer provide services to the hospital.
  • There were only 18 user accounts that were inactive and the last one was deactivated in November 2016.
  • The defendant acted in a free and voluntary way and consciously knowing that its acts are prohibited by law.

When determining the amount of the fine, which was relatively low considering what it could have been, the CNPD considered the following, in accordance with Article 83(1)(a-k):

  • The nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing as well as the number of data subjects affected. It was also considered as relevant the fact that the personal data involved were special categories of data, including health data which increased significantly the risk of damages to the data subjects.
  • Possible fraud: the defendant represented the practice of misconduct as a possible consequence of the conduct and conformed to it.
  • The defendant's initiative to mitigate the damages suffered by the data subjects.
  • The degree of responsibility of the defendant, taking into account the technical and organizational measures implemented.
  • There were no previous infractions.
  • Degree of cooperation with the CNPD in order to remedy the infringement and mitigate its possible negative effects.
  • How the CNPD learned of the infraction, in that it was not communicated by the hospital but rather was known through the media and later confirmed by the CNPD inspection.

When determining the amount of the penalty the CNPD also considered the fact that the defendant took measures to regularize the situation.

The striking fact about this fine is that the CNPD acted upon a newspaper article and not on a complaint. From this we consider that it was particularly relevant to the CNPD that there were no documented procedures for access to the data, but also that the data involved were special categories of data. 

It is also worth mentioning that in the first draft of the proposed new data protection law, there were no penalties applicable to the public entities. This was referred to by the CNPD: That it was not in line with the Portuguese legislative tradition. This fine is in line with that opinion. In fact, according to the CNPD, to exempt public entities from the application of the fines violates the principle of equality and weakens the protection of citizens' fundamental rights.

The decision was not published in the CNPD site, which obviously does not contribute to promote public awareness and understanding of the risks, rules, safeguards in relation to the processing, as provided for in Article 57 of the GDPR.


photo credit: Images_of_Money Lots of Euro Notes via photopin (license)


If you want to comment on this post, you need to login.

  • comment Beverley Zabow • Jan 4, 2019
    Wow. Thanks for sharing this important article. I think that this precedent is going to shake up the privacy practices in hospitals all over the world!
  • comment Jurgen Otten • Jan 4, 2019
    Thank you for offering this insightful article. I question the argument of the SA's first violation. As far as I am aware, the principle of data minimization applies to the amount of data collected and retained for a particular purpose, not so much related to "allowing indiscriminate access to an excessive number of users". This seems to be an overly broad interpretation of the principle on behalf of the Comissão Nacional de Protecção de Dados.
  • comment Jose Belo • Jan 4, 2019
    Jurgen, this is not as straightforward as it may seem and I'm sure the CNPD thought this over well - they are very good, thourough in their assessments and their reports are, usually, some of the best I've ever seen from DPAs. The CNPD is underestimated, to be honest, and should have more recognition for the good work they do. Here's what I think they thought over : it's art. 9 data so article 9(4) applies. This means that a professional that is bound by professional secrecy, as doctors are, does not violate the confidentiality principle by the nature of his position. However, they should not have access to data from patients that are not theirs. So does the confidentiality principle apply here, nonetheless, as they are authorized, even if wrongly, by the hospital to access that data? Is the confidentiality principle violated then? That's why I think they went for the negative dimension of the data minimization principle: you should not be able to process data that is not "necessary in relation to the purposes for which they are processed".
  • comment ShanShan Pa • Jan 4, 2019
    Thank you for sharing! This is an interesting article that covers different aspects: GDPR, special category data, and public sector. Well explained.
  • comment Jurgen Otten • Jan 9, 2019
    Thanks for taking the time to respond to my comment Jose, much appreciated. This was by no means meant to criticize the SA's professionalism or quality of work. I have tried to find the actual decision of the CNPD, but unfortunately could not find it. There was no additional detail in the news articles I did find. If there are local derogations at play (ref. art. 9.4), it may shed a different light on why they chose for art. 5(c). @Ana, do you know where we could reference the actual decision?
  • comment Vlad Nekrutenko • Jan 22, 2019
    Anybody want to shed light on the 50-million fine imposed by the French regulatory body on Google LLC? :)
  • comment Thomas Kenny • Aug 22, 2019
    Does anyone know where to find the actual fine? Where did this information in this article come from?
  • comment Ana Monteiro • Aug 27, 2019
    Hello Thomas, The decision to apply the fine was made available to me by the Supervisory authority when I asked them about the fine.
  • comment Oscar Molina • Sep 1, 2019
    Does anyone have a link to the decision or can kindly share the document?