Fine because of lost medical record
A patient of a hospital has made use of his Right of access by the data subject and requested from a hospital all personal data stored there about him.
The hospital could not answer the request positively, because the patient file was lost. As a result, the person complained to the data protection authority in Cyprus.
In the course of the investigation, the agency clarified that data protection not only covers protection against unauthorized access but also to ensures that personal data are not lost. Therefore, the hospital has violated the General Data Protection Regulation. A fine of € 5,000 was imposed. The authority emphasized that the original sanction would have been significantly higher if the hospital had not promptly taken action to prevent such incidents in the future.
When it comes to data protection, people first think of protection against unauthorized access. But this topic includes much more. Companies also need to make sure that collected data is accurate. Outdated data sets pose a risk for companies and those affected. Therefore, the General Data Protection Regulation has also introduced the right to rectification.
Another important aspect of data protection is data availability. If data is lost and there is no backup then companies not only risk a fine by the DPA, as this case shows, but a company also loses its business foundation. A loss of data does not mean automaticaly that a hard disk has become defective. At present, a particularly large number of encryption Trojans are causing trouble and demanding ransom for encrypted data. Therefore, it is essential for companies to efficiently protect their computer networks from cybercriminals. One way is our easyGDPR package for privacy and data security. Not only do you create your procedural directory and thus fulfill the formal requirements of the GDPR, but thanks to state-of-the-art firewalls, you are also optimally protected against threats from the internet.
Type of Issue:
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph: