Search
Contact
26.10.2018 | KPMG Law Insights

DSGVO fine imposed

GDPR: Portuguese supervisory authority imposes fine of EUR 400,000 on hospital

The Portuguese data protection supervisory authority has imposed a fine of EUR 400,000 on a hospital. This is – at least as far as is known – the first significant fine across Europe following the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018.

Background

The Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) has announced that a large part of the fine was based on the fact that too many people had access to patient data at the hospital concerned. For example, data that was supposed to be accessible only to physicians could also be accessed by technicians. In addition, nearly 1,000 users were registered in the system as “doctors,” although the hospital actually employed just under 300 physicians.

Legal classification

Personal data must be protected – and not just since the DSGVO came into force – in such a way that only those employees have access who actually have to work with precisely this data and therefore need access. This principle is now also explicitly enshrined in law under the heading “privacy by design” (or “data protection through technology design”).

This principle applies in particular to the hospital sector, since this involves especially sensitive data that is also protected by criminal law in Germany. An incident like the one in Portugal could therefore also bring the law enforcement authorities on the scene in Germany.

Evaluation

The hospital reportedly plans to take legal action against the fine. In this respect, it remains to be seen whether the competent courts share the legal assessment of the data protection authority and, in particular, consider the amount of the fine to be appropriate.

Basically, according to the known facts, this is a serious case, which, moreover, concerns particularly sensitive data. However, it also shows that the authorities are prepared not only to look for very obvious violations, but also to delve deeper into the systems of those responsible.

Recommendation

The German data protection supervisory authorities issued guidance on the use of hospital information systems years ago. One focus of this guidance is on the design of access rights. It can be assumed that the recommendations contained in the guidance will largely remain valid after the GDPR comes into force.

Those responsible – not only from the healthcare sector – are therefore well advised to put their authorization concepts to the test. In the case of official controls, the responsible party must demonstrate an authorization concept in which access is limited to what is actually required. The controller must also be able to use it to justify why a person needs access to certain data. Even the lack of proof (under the keyword “accountability”) can trigger a fine.

Explore #more

14.05.2025 | KPMG Law Insights

BGH on customer installations: Decision orders application in line with the directive

In a ruling dated May 13, 2025, the BGH classified the supply infrastructure in the specific case of a residential complex in Zwickau as a…

13.05.2025 | In the media

KPMG Law expert in Spiegel article on energy policy

Dirk-Henning Meier, Senior Manager in the energy law department at KPMG Law, is quoted in a recent article on energy policy in Der Spiegel.…

13.05.2025 | Career, In the media

azur Karriere Magazin – All AI or what?

Artificial intelligence has long since arrived in law firms and legal departments. But dealing with it is a skill that needs to be learned. Many…

13.05.2025 | KPMG Law Insights

Initial experience with the Single-Use Plastics Fund Act: what manufacturers should bear in mind

Beverage cups, foil and plastic cigarette filters litter streets, parks and sidewalks. The cleaning costs are borne by the local authorities. The Disposable Plastics Fund…

07.05.2025 | KPMG Law Insights

Termination of fixed-term rental agreements in the case of pre-leasing

In the case of a pre-leasing, the tenancy only begins at a later date, usually the handover date. In such cases, the contracting parties usually…

06.05.2025 | In the media

Wirtschaftswoche honors KPMG Law

KPMG Law was named “TOP Law Firm 2025” in the field of M&A by WirtschaftsWoche. Ian Maywald, Partner at KPMG Law in Munich, was…

06.05.2025 | KPMG Law Insights

Social insurance obligation for teachers – transitional rule creates clarity

Teachers and lecturers are often hired on a self-employed basis. This practice makes the German pension insurance fund sit up and take notice. It is…

02.05.2025 | In the media

KPMG Law Statement in FINANCE Magazine: How CFOs can save up to 80 percent in the legal department

The cost pressure in companies is increasing – also in legal departments. Two strategies have now become established to save 50 to 80 percent of…

30.04.2025 | In the media

KPMG Law study in the Neue Kämmerer: How does the special fund get into the municipalities?

A special fund of 500 billion euros is to finance investments in infrastructure over the next twelve years. Of this, 100 billion euros are earmarked…

29.04.2025 | KPMG Law Insights

Anti-money laundering and transparency register – what will the new government change?

According to the coalition agreement, the future government wants to “resolutely combat” money laundering and financial crime. The coalition partners have announced that legal…

Contact

Sebastian Hoegl, LL.M. (Wellington)

Senior Manager
Lawyer
Specialist lawyer for IT law
LL.M. (Wellington)

Heinrich-von-Stephan-Straße 23
79100 Freiburg im Breisgau

Tel.: +49 761 769999-20
shoegl@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll