The Netherlands

OLVG

440,000 €

GDPR enforcement action by Dutch Supervisory Authority for Data Protection (AP) on 2021-02-11.

Rank · Sector

#17

of 270 in Health Care

Rank · The Netherlands

#20

of 43

Rank · All fines

#259

of 3,050

Case details

Authority: Dutch Supervisory Authority for Data Protection (AP)
Date: 2021-02-11
Controller / Processor: OLVG
Sector: Health Care
Quoted Articles: Art. 32 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. The controller had taken insufficient measures between 2018 and 2020 to prevent access by unauthorized employees to medical records. The controller did not check adequately who had access to which file nor did the controller ensure that the computer system presented sufficient security. This resulted, among others, in working students and other employees being able to access patient files without this being necessary for their work. Besides medical records, the patient files also contained, the social security numbers, addresses and telephone numbers of the data subjects.

Open original source Links to the regulator's original publication or another source.