Latest revision |
Your text |
Line 105: |
Line 105: |
| | | |
| <pre> | | <pre> |
− | Subject
| + | <!DOCTYPE html><!--[ |
− | | |
− | Decision to impose an administrative fine
| |
− | | |
− | Dear Mr Van den Bosch
| |
− | | |
− | The Dutch Personal Data Authority (AP) has decided to impose an administrative fine of €440,000 on the OLVG Foundation (OLVG) because OLVG failed to comply with the requirement for two-factor authentication and the regular review of log files. In doing so, OLVG failed to take adequate measures as referred to in Article 32, first paragraph, of the General Data Protection Regulation (AVG).
| |
− | | |
− | The decision is explained in more detail below. Chapter 1 contains an introduction and Chapter 2 describes the legal framework. In chapter 3, the AP assesses the processing responsibility and the breach. Chapter 4 details the (level of the) administrative fine and Chapter 5 contains the operative part and the legal remedies clause.
| |
− | | |
− | 1. Introduction
| |
− | | |
− | 1.1 Legal entities involved and reason for investigation
| |
− | | |
− | OLVG is a foundation with its registered office at Oosterpark 9, in Amsterdam. OLVG is registered in the trade register of the Chamber of Commerce under number 41199082. OLVG is a top clinical teaching hospital in Amsterdam with two main locations in Amsterdam East and West. OLVG provides medical care to approximately 500,000 patients annually. In 2018, OLVG had 5890 salaried employees, of which 4274 were in patient-related positions.1
| |
− | | |
− | The AP received two data breach notifications from the OLVG Foundation regarding access by employees and work students to electronic patient
| |
| </pre> | | </pre> |