26.10.2018 | KPMG Law Insights

DSGVO fine imposed

GDPR: Portuguese supervisory authority imposes fine of EUR 400,000 on hospital

The Portuguese data protection supervisory authority has imposed a fine of EUR 400,000 on a hospital. This is – at least as far as is known – the first significant fine across Europe following the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018.


The Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) has announced that a large part of the fine was based on the fact that too many people had access to patient data at the hospital concerned. For example, data that was supposed to be accessible only to physicians could also be accessed by technicians. In addition, nearly 1,000 users were registered in the system as “doctors,” although the hospital actually employed just under 300 physicians.

Legal classification

Personal data must be protected – and not just since the DSGVO came into force – in such a way that only those employees have access who actually have to work with precisely this data and therefore need access. This principle is now also explicitly enshrined in law under the heading “privacy by design” (or “data protection through technology design”).

This principle applies in particular to the hospital sector, since this involves especially sensitive data that is also protected by criminal law in Germany. An incident like the one in Portugal could therefore also bring the law enforcement authorities on the scene in Germany.


The hospital reportedly plans to take legal action against the fine. In this respect, it remains to be seen whether the competent courts share the legal assessment of the data protection authority and, in particular, consider the amount of the fine to be appropriate.

Basically, according to the known facts, this is a serious case, which, moreover, concerns particularly sensitive data. However, it also shows that the authorities are prepared not only to look for very obvious violations, but also to delve deeper into the systems of those responsible.


The German data protection supervisory authorities issued guidance on the use of hospital information systems years ago. One focus of this guidance is on the design of access rights. It can be assumed that the recommendations contained in the guidance will largely remain valid after the GDPR comes into force.

Those responsible – not only from the healthcare sector – are therefore well advised to put their authorization concepts to the test. In the case of official controls, the responsible party must demonstrate an authorization concept in which access is limited to what is actually required. The controller must also be able to use it to justify why a person needs access to certain data. Even the lack of proof (under the keyword “accountability”) can trigger a fine.

Explore #more

17.05.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: When the family business is to be sold

Around 38,000 family businesses are currently handed over each year. In most cases, the change of ownership takes place within the family. But more and…

03.05.2024 | KPMG Law Insights

Doubts about inability to work? What employers can do

The certificate of incapacity for work (AU certificate) serves as proof of incapacity for work due to illness. However, only if the certificate meets certain…

29.04.2024 | KPMG Law Insights

Agreement on ecodesign regulation: products to become more sustainable

After lengthy negotiations, the Council and Parliament of the European Union reached a provisional agreement on the Ecodesign Regulation on the night of December 5,…

27.03.2024 | KPMG Law Insights

EU Buildings Directive: life cycle greenhouse potential becomes relevant

On March 12, 2024, the EU Parliament approved the amendment to the EU Buildings Directive. The directive obliges member states and, indirectly, building owners and…

19.03.2024 | Business Performance & Resilience, KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

The EU member states agreed on the CSDDD, the EU Supply Chain Directive, on March 15, 2024. Germany abstained from the vote. Negotiators from the…

19.03.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | Business Performance & Resilience, PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…


Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

tel: +49 761 769999-20

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.