First GDPR fine issued by the Portuguese Data Protection Authority

Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the General Data Protection Regulation. It is the first fine issued by the Portuguese supervisory authority, the Comissão Nacional de Protecção de Dados (CNPD), under the GDPR. The CNPD found three violations by the hospital.

  • First, the hospital violated the data minimisation principle in Art. 5(1)(c) GDPR by allowing unrestricted access to its user database. As an infringement of the basic principles of processing, this is penalised under Art. 83(5)(a). The fine for this violation was 150,000 euros.
  • Second, the hospital failed to implement technical and organisational measures to prevent unlawful access to personal data. The fine for this violation was 150,000 euros.
  • Lastly, the supervisory authority fined the hospital under Art. 32(1)(b) GDPR for being unable to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems, i.e. for failing to maintain a level of security appropriate to the risk. This violation was fined 100,000 euros, although the maximum fine for it could have been 10 million euros or 2 per cent of total annual turnover, whichever is higher.

The CNPD has not published this decision on its website, which is poor practice from a public-awareness standpoint.

