First GDPR fines
Austria
Based on the GDPR, the Austrian data protection authority imposed a fine on an undertaking that had installed a surveillance camera in such a way that it also recorded a public sidewalk, and that had failed to give data subjects proper prior information about the camera's use. The authority established violations with regard to the camera's surveillance angle and the obligation to give prior information, for which it imposed a fine of EUR 4,800.
As of the beginning of October,
(i) there were 115 "fine proceedings" out of which 36 had been initiated after the applicability date of the GDPR;
(ii) 252 data breaches were reported to the authority;
(iii) the authority launched 58 ex officio investigations; and
(iv) the authority registered 721 complaints from data subjects.
Portugal
The Portuguese data protection authority imposed the highest fine in its history. Namely, it imposed a fine of EUR 400,000 (about HUF 130 million) on a hospital on grounds that access rights to personal data had not been properly established within the health institution.
The authority established that, even though there were 296 physicians working in the hospital, 985 persons had physician-level access to the data (and all persons with physician-level access could see all data), and that the level of security was not properly ensured. The hospital thus failed to take the appropriate technical and organizational measures necessary for ensuring data security.
The authority established that the principles of integrity and confidentiality of data and of data minimization were violated, because the security level of the data was not appropriate and the persons with access rights were not limited to seeing only the data they needed in order to properly perform their duties.
What is interesting about this case is that Portugal did not designate any authority to be responsible for the enforcement of the GDPR, even though all Member States are required under Article 51 of the regulation to formally designate an authority that may act under the GDPR. It is therefore an open question what justification the Portuguese authority provided for having the power to act under the regulation. The hospital announced that it would challenge the administrative resolution.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attorneys at Law, Budapest, Hungary (zoltan.kovacs@szecskay.com)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.