Malta
Hospital
20,000 €
GDPR enforcement action by Data Protection Commissioner of Malta on 2025-04-02.
Rank · Sector
#103
of 270 in Health Care
Rank · Malta
#5
of 15
Rank · All fines
#1,110
of 3,050
Case details
- Authority
- Data Protection Commissioner of Malta
- Date
- 2025-04-02
- Controller / Processor
- Hospital
- Sector
- Health Care
- Quoted Articles
- Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 14 GDPR, Art. 16 GDPR, Art. 37 (1) c) GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The DPA of Malta has imposed a fine of EUR 20,000 on a Hospital. The controller processed a data subject's personal data, obtained from the public electoral register, and combined it with health data. However, the controller had no legal basis to process data from the public electoral register, and failed to ensure that the data was correct. This resulted in different datasets being wrongfully combined, meaning that health data was sent to unauthorised third parties. The controller also failed to adequately respond to the data subject's requests to exercise their rights and to appoint a DPO.
Open original source
Links to the regulator's original publication or another source.
Related fines
Malta
2022
250,000 €
ETid-1835
Unknown
Not assigned
Malta
2022-01-17
65,000 €
ETid-996
C-Planet (IT Solutions) Limited
Industry and Commerce
Malta
2022
65,000 €
ETid-1911
Unknown
Not assigned
Malta
2020
20,000 €
ETid-1842
Unknown
Not assigned
Malta
2019-02-18
5,000 €
ETid-41
Lands Authority
Public Sector and Education
Malta
2020
5,000 €
ETid-1836
Unknown
Not assigned