Isle OF Man
Manx Care Ltd
GDPR enforcement action by Information Commissioner of Isle of Man on 2022-07-13.
Case details
- Authority
- Information Commissioner of Isle of Man
- Date
- 2022-07-13
- Controller / Processor
- Manx Care Ltd
- Sector
- Health Care
- Quoted Articles
- Art. 5 (1) c), f) GDPR, Art. 5 (2) GDPR, Art. 24 GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 34 GDPR, Art. 58 GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The DPA of Isle of Man has imposed a fine of EUR 202,000 on Manx Care Ltd. Manx Care had emailed an unsecured attachment containing a patient's confidential health information to more than 1870 recipients. The DPA had subsequently issued an enforcement notice against Manx Care. However, Manx Care had failed to comply with the DPA's orders. As a result, the DPA came to the decision to impose a fine on the company. The DPA primarily found that the company had failed to implement appropriate technical and organizational measures to protect personal data. Also, the DPA found that the company had violated the principle of data minimization according to Art. 5 (1) c) GDPR by sending the patient's data to persons not related to the patient's care. Finally, the DPA found that the company had not informed the data subject of the data breach.
Related fines
