A financial penalty of €5,000 was imposed recently by the Office of the Commissioner for Personal Data Protection at a State Hospital under the new General Regulation 2016/679 and the Protection of Individuals regarding the Processing of Personal Data and the Free Movement of Data.
In particular, a patient complained to the Commissioner that the request for access to her medical file was not satisfied by the hospital because the dossier could not be identified/located by the controller.
After investigating the case, an administrative fine of €5,000 was imposed on the hospital.
In this case, violation of personal data means a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored, or otherwise processed.
In a separate decision, the Office of the Commissioner for Personal Data Protection imposed a financial penalty of €10,000 to a newspaper for unlawful disclosure of the names and pictures of two police officers.
The publication of the newspaper, both in hard copy and in electronic form, allegedly involved inconvenience, unnecessary and unlawful detention of a citizen, and revealed the names and pictures of the two police investigators involved, as well as the photograph of a third police investigator.
The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance so that it was impossible to identify the persons, and these actions would not bring any change in the nature of the case.
For the decision, the Commissioner has taken into consideration relevant judgments of the EU Court of Justice on the balance between freedom of expression and the right to privacy that requires special handling.