First GDPR Fine by Dutch Data Protection Authority

The Dutch Data Protection Authority imposed its first GDPR fine of EUR 460,000 on Haga Hospital in The Hague on 18 June 2019.

The hospital was found in breach of GDPR by not sufficiently securing its medical log files. Approximately 85 hospital employees had unnecessary access to a specific medical file belonging to a famous Dutch reality star whose hospital admittance received a lot of media attention in the Netherlands in 2018.

This information came into light after a whistleblower shared it on the website Publeaks, eventually leading to an investigation by the Dutch Data Protection Authority.

The hospital did not meet the requirement to have a two-factor authentication process in place to protect its medical files. Moreover, medical log files were not evaluated regularly, this omission resulted in a breach of Article 32(1) of the GDPR.

The Dutch Data Protection Authority applied the 2019 Dutch fining policy rules to determine the amount of the fine. If the infringement is not fixed within 15 weeks, the hospital will incur an additional penalty of EUR 100,000 per two weeks with a maximum amount of EUR 300,000.