Spain
Hospital Campogrande DE
GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2021-03-10.
Case details
- Authority
- Spanish Data Protection Authority (aepd)
- Date
- 2021-03-10
- Controller / Processor
- Hospital Campogrande DE
- Sector
- Health Care
- Quoted Articles
- Art. 5 (1) f) GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Spanish DPA (AEPD) imposed a fine of EUR 10,000 on Hospital Campogrande DE. A patient filed a complaint against the controller with the DPA. The controller had performed an MRI on the patient on September 05, 2019 due to an injury of the right knee. The cost of the examination was covered by the patient's private health insurance. Due to a work-related injury, another MRI of the same knee had to be performed on September 27, 2019. Although the second MRI was performed at another hospital, albeit one belonging to the corporate group, the hospital system also linked the first, privately arranged MRI to the patient's record at the second hospital. The first MRI was provided through the hospital network without any medical justification.
This turned out to be very unfavorable for the patient when, upon presentation of the second MRI, the company physician informed him that he would have to contact his private physician or the social insurance with this injury, since the incident could not be considered an occupational accident. He justified this with the existence of the first MRI, which had a non-occupational cause.
Related fines