First penalties imposed under the GDPR in Portugal
Isabel Bairrão, Principal Associate at Corporate Department and Technology & Outsourcing and Telecommunications & Media industries.
The Portuguese Data Protection Agency (CNPD, pursuant to its Portuguese acronym) has imposed a 400,000 euro fine on Centro Hospitalario Barreiro-Montijo for two breaches of the General Data Protection Regulation (GDPR), which has been in force since May 25, 2018.
The first breach is an infringement of the principle of integrity and confidentiality: the hospital did not put the necessary measures in place to restrict access to patients’ medical records. Professionals were allowed indiscriminate access to an excessive amount of patients’ data when they should only have been permitted occasional access, with justification. The fine imposed for this breach is 300,000 euros.
The CNPD also imposed a 100,000 euro penalty on Centro Hospitalario Barreiro-Montijo for failing to apply organizational and security measures to prevent unauthorized access to personal data and so safeguard the confidentiality and integrity of the health-related data. The hospital allowed 985 doctors access to the medical records, despite the fact that its medical staff comprises only 296 doctors. The agency therefore concluded that the necessary controls were not applied and that there were no internal rules in place for creating or eliminating accounts according to the various levels of access to clinical records.
This decision came about following an inspection in July 2018, after a notification was received from the Portuguese Doctors’ Association. The fines have been issued under the powers granted to the agency by Data Protection Law 67/98, on the grounds that the implementing regulations of the GDPR have still not been approved by the Portuguese legislature. In fact, the power of the CNPD to impose fines has been questioned by the hospital's management, which argued that user profiles and access policies were imposed by third parties, probably by the Shared Services of the Ministry of Health (SPMS, pursuant to its Portuguese acronym), the entity responsible for technology at public hospitals. The hospital also argued that the software tools available did not make it possible to determine who accessed what data in the different contexts.
This decision may still be appealed at the administrative courts and at least two questions are still up in the air: Are public hospitals subject to the fines envisaged in the GDPR? Does the CNPD have the power to impose the fines envisaged in the GDPR even though it has not been designated as a supervisory authority in accordance with article 54 GDPR? We will have the answers in the next few months.