26.10.2018 | KPMG Law Insights

DSGVO fine imposed

GDPR: Portuguese supervisory authority imposes fine of EUR 400,000 on hospital

The Portuguese data protection supervisory authority has imposed a fine of EUR 400,000 on a hospital. This is – at least as far as is known – the first significant fine across Europe following the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018.


The Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) has announced that a large part of the fine was based on the fact that too many people had access to patient data at the hospital concerned. For example, data that was supposed to be accessible only to physicians could also be accessed by technicians. In addition, nearly 1,000 users were registered in the system as “doctors,” although the hospital actually employed just under 300 physicians.

Legal classification

Personal data must be protected – and not just since the DSGVO came into force – in such a way that only those employees have access who actually have to work with precisely this data and therefore need access. This principle is now also explicitly enshrined in law under the heading “privacy by design” (or “data protection through technology design”).

This principle applies in particular to the hospital sector, since this involves especially sensitive data that is also protected by criminal law in Germany. An incident like the one in Portugal could therefore also bring the law enforcement authorities on the scene in Germany.


The hospital reportedly plans to take legal action against the fine. In this respect, it remains to be seen whether the competent courts share the legal assessment of the data protection authority and, in particular, consider the amount of the fine to be appropriate.

Basically, according to the known facts, this is a serious case, which, moreover, concerns particularly sensitive data. However, it also shows that the authorities are prepared not only to look for very obvious violations, but also to delve deeper into the systems of those responsible.


The German data protection supervisory authorities issued guidance on the use of hospital information systems years ago. One focus of this guidance is on the design of access rights. It can be assumed that the recommendations contained in the guidance will largely remain valid after the GDPR comes into force.

Those responsible – not only from the healthcare sector – are therefore well advised to put their authorization concepts to the test. In the case of official controls, the responsible party must demonstrate an authorization concept in which access is limited to what is actually required. The controller must also be able to use it to justify why a person needs access to certain data. Even the lack of proof (under the keyword “accountability”) can trigger a fine.

Explore #more

12.07.2024 | Business Performance & Resilience, In the media

Guest article in the IPE Dach: Necessary contract adjustments for DORA implementation

Deadline January 17, 2025: Financial companies and other service providers should start implementing the rules of the “Digital Operational Resilience Act” today, because the preparations,…

08.07.2024 | In the media

Article in In-house Counsel with KPMG Law Statement: Have software modules delivered, assemble, fine-tune, done

The article from 05.07.2024 contains an article with a statement by KPMG Law expert Kai Kubsch. IT applications for the legal department programmed by…

05.07.2024 | In the media

Guest article in Deutscher AnwaltsSpiegel: Transformation in legal departments

The KPMG Legal Department Report, now in its tenth edition (see here), has established itself as the standard work for general counsel since 2005…

03.07.2024 | KPMG Law Insights

BImSchG amendment to speed up approval procedures

On 17.05.2024, the traffic light parliamentary groups agreed on the amendment to the Federal Immission Control Act (BImSchG). The law is intended to create faster…

01.07.2024 | In the media

Guest article in Business Punk: Startup insolvency – bargain for investors or incalculable risk?

The issue of June 25, 2024 contains a guest article by KPMG Law experts Stefan Kimmel and Gunars Urdze. The Covid-19 pandemic and the…

01.07.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

28.06.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: ESG and employment law

Sustainable corporate governance is increasingly becoming a legal obligation. The HR department is also affected. Because “sustainable” also includes social aspects. Accordingly, companies have numerous…

25.06.2024 | In the media

Guest article in the ESGZ: Is antitrust law becoming “greener”? – An update

The June issue of ESGZ contains a guest article by KPMG Law expert Jacqueline Unkelbach. Sustainability goals and criteria – in a broader sense…

19.06.2024 | In the media

Guest article in the Börsenzeitung: Tackling succession planning for family businesses early on

Experience shows that less is better than nothing – even individual measures can have a major impact. KPMG Law expert Mark Uwe Pawlytta knows which…

13.06.2024 | In the media

Commentary on the Whistleblower Protection Act (HinSchG) published with contributions from KPMG Law

After years of wrangling, the Bundestag and Bundesrat transposed the EU Whistleblowing Directive into national law in 2023: The Whistleblower Protection Act (HinSchG), which has…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.