ANSPDCP (Romania) - Fine against Societatea Civilă Medicală Policlinica Tommed
| | |
|---|---|
| Authority: | ANSPDCP (Romania) |
| Jurisdiction: | Romania |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 9 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 06.12.2021 |
| Fine: | 2000 EUR |
| Parties: | Societatea Civilă Medicală Policlinica Tommed |
| National Case Number/Name: | Fine against Societatea Civilă Medicală Policlinica Tommed |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Romanian |
| Original Source: | ANSPDCP (in RO) |
| Initial Contributor: | Diana Rosu |
The Romanian DPA fined a medical clinic approximately €2.000 after it unlawfully processed and disclosed a patient's health data to another controller.
English Summary
Facts
The controller is a medical clinic, the Medical Civil Society Policlinica Tommed. The Romanian DPA opened an investigation into the clinic after one of its patients filed a complaint. During the investigation, the DPA found that the clinic had unlawfully disclosed the patient's personal data, including their health data, to another controller. Moreover, the patient had not been informed of this disclosure.
Holding
The DPA found that the controller violated Article 5(1)(a), Article 5(1)(b), Article 5(1)(f), and Article 5(2), in conjunction with Article 9 GDPR.
First, the DPA held that there was no legal basis for processing the sensitive personal data. Second, the principle of purpose limitation was also violated. Lastly, the DPA noted that the controller had failed to implement appropriate measures to ensure security and confidentiality. The DPA reached this conclusion because there was no regular training of the persons who process data on the controller's behalf, nor was the data protection officer properly involved in accordance with Article 37 GDPR, Article 38 GDPR, and Article 39 GDPR.
As a result, the DPA imposed a fine of approximately €2,000 (RON 9,898) on the controller. In addition, the DPA applied a corrective measure, ordering the clinic to bring its processing operations into compliance so as to prevent further unlawful disclosure and to apply adequate security and confidentiality measures.
English Machine Translation of the Decision
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.
06.12.2021

RGPD

In November 2021, the National Supervisory Authority completed an investigation at the operator of the Civil Medical Society Tommed Polyclinic, following which it was found that the provisions of art. 5 para. (1) lit. a), b) and f) and para. (2), corroborated with art. 9 of the General Data Protection Regulation, had been breached.

As such, the operator was sanctioned with a fine of 9898 lei (equivalent to 2,000 euros).

The investigation was launched following a complaint alleging that the Tommed Polyclinic Medical Society disclosed certain personal data, including health data, of an individual to another operator.

During the investigation it was found that the controller disclosed the personal data without respecting the principles of processing and without complying with the legal conditions for the processing of personal data, including health data, and without prior information of the person involved (a patient of the operator).

At the same time, a corrective measure was applied to the operator to ensure the compliance with the RGPD of the operations of collection and further processing of personal data, so as to avoid the disclosure of personal data processed in violation of the legal conditions, which also involves the application of appropriate security and confidentiality measures, through the regular training of the persons processing data under the authority of the controller and the appropriate involvement of the person responsible for the protection of personal data, in accordance with art. 37-39 of the RGPD.

Legal and Communication Department
A.N.S.P.D.C.P.