ANSPDCP (Romania) - Fine against Societatea Civilă Medicală Policlinica Tommed

From GDPRhub
Revision as of 16:11, 15 December 2021 by Cms (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ANSPDCP (Romania) - Fine against Societatea Civilă Medicală Policlinica Tommed
Authority: ANSPDCP (Romania)
Jurisdiction: Romania
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 9 GDPR
Type: Investigation
Outcome: Violation Found
Published: 06.12.2021
Fine: 2000 EUR
Parties: Societatea Civilă Medicală Policlinica Tommed
National Case Number/Name: Fine against Societatea Civilă Medicală Policlinica Tommed
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Romanian
Original Source: ANSPDCP (in RO)
Initial Contributor: Diana Rosu

The Romanian DPA fined a medical clinic approximately €2.000 after it unlawfully processed and disclosed a patient's health data to another controller.

English Summary


The controller is a medical clinic, the Medical Civil Society Policlinica Tommed. The Romanian DPA started an investigation against the medical clinic after a complaint was filed by one of its patients. During the investigation, the DPA found that the clinic unlawfully disclosed the personal data belonging to a patient, including their health data, to another controller. Moreover, the patient was not informed of this.


The DPA found that the controller violated Article 5(1)(a), Article 5(1)(b), Article 5(1)(f), and Article 5(2), in conjunction with Article 9 GDPR.

First, the DPA held that there was no legal basis to process the sensitive personal data. Moreover, the principle of purpose limitation was also violated. Lastly, the DPA noted that the controller failed to implement appropriate measures to ensure security and confidentiality. The DPA concluded this since there was no regular training of persons that process the data for the controller, nor was the data protection officer properly involved in accordance with Article 37 GDPR, Article 38 GDPR, and Article 39 GDPR.

As result, the DPA imposed a fine of approximately €2.000 (RON9.898) on the controller. Moreover, the DPA applied a corrective measure, ordering the clinic to bring its processing operations into compliance to prevent further unlawful disclosure and to apply adequate security and confidentiality measures.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.

06.12.2021 & # 13;
RGPD & # 13;
& # 13;
In November 2021, the National Supervisory Authority completed an investigation at the operator of the Civil Medical Society Tommed Polyclinic, following which it was found that the provisions of art. 5 para. (1) lit. a), b) and f) and par. (2), corroborated with art. 9 of the General Data Protection Regulation. & # 13;
As such, the operator was sanctioned with a fine of 9898 lei (equivalent to 2,000 euros). & # 13;
The investigation was launched following a complaint alleging that the Tommed Polyclinic Medical Society disclosed certain personal data, including health, of an individual to another operator. & # 13;
During the investigation it was found that the controller disclosed the personal data without respecting the principles of processing and without complying with the legal conditions of processing of personal data, including health, and without prior information of the person involved (patient of the operator). & # 13;
At the same time, the corrective measure was applied to the operator to ensure the compliance with RGPD of the operations of collection and further processing of personal data, so as to avoid the disclosure of personal data processed, in violation of legal conditions, which also involves the application of appropriate measures. security and confidentiality, through the regular training of data controllers under the authority of the controller and the appropriate involvement of the person responsible for the protection of personal data, in accordance with art. 37-39 of the RGPD. & # 13;
Legal and Communication Department & # 13;