Medical industry - examples of GDPR penalties

400,000 Euro for a public hospital in Portugal

An investigation revealed that hospital staff, psychologists, dieticians, and other specialists had access to patient data through fake profiles. The profile management system was found to be faulty – the hospital had 985 registered doctor profiles, while in reality, it employed only 296 doctors. Additionally, doctors had unrestricted access to all patient records, regardless of the doctor’s specialty.

14,000 Euro for a Cypriot doctor

One of the patients complained that her request for access to her medical records was not fulfilled by the hospital because the administrator could not identify/locate the documentation.

After investigating the matter, the doctor who was responsible for her treatment was fined 14,000 euros for uncontrolled loss of medical records. Additionally, the hospital was issued an administrative fine of 5,000 euros.

350,000 Euro for a Dutch hospital

It has been found that the Hospital in The Hague does not have adequate internal safeguards for patient records. A Dutch data protection supervisory authority investigation was launched when it was discovered that dozens of hospital staff had accessed the medical records of a person considered a celebrity in the Netherlands without any medical justification.

25,000 Euro for an Austrian medical company

The penalty was imposed on a medical company for failing to fulfil information obligations and for not appointing a data protection officer.

7,400 Euro for a military hospital in Bulgaria

The military hospital failed to meet the deadline for reporting personal data breaches.

50,000 Euro for the Danish Insurance Company

Menzis (Danish Health Insurance Association) was fined after finding that marketing staff had access to patient data.

320,000 Euro for an English pharmacy

Doorstep Dispensaree Ltd, a pharmacy company, stored around 500,000 documents containing names, addresses, dates of birth, NHS numbers, as well as medical information and prescriptions, in open containers at the back of the building and failed to secure the documents against natural disasters, resulting in water damage to the documents.

€65,000 for an Irish maternity hospital

The Irish Data Protection Commission imposed a fine on Cork University Maternity Hospital (CUMH) after it was discovered that the personal data of 78 patients had been disposed of at a public recycling centre. Among the discarded documents were sensitive personal data relating to six patients.

100,000 Euro for 3 Estonian online pharmacies

Third parties were able to access another person’s current prescriptions after logging into the e-pharmacy using their personal identification code without their consent. The data protection authority emphasised that while purchasing prescription drugs for other people must be possible, it is the company’s responsibility to ensure that the processing of personal data required for this purpose only takes place with the consent of the individuals concerned.

20,000 Euro for a Belgian laboratory

The fine was imposed for several violations of the GDPR, including: the lack of any encryption of patient data, failure to conduct a DPIA (data protection impact assessment) in the case of large-scale processing of health data, and the lack of a privacy policy on the website.

45,000 Euro for an Italian hospital

The Italian data protection authority (Garante) launched an investigation against the Hospital in Bergamo after a patient received, by mistake, medical and clinical documentation related to seven other patients in their digital medical record.

7,000 Euro for an Italian medical company

TECNOMEDICAL S.r.l. was fined after a patient requested a copy of their medical records and records of a dental implant surgery performed on them, but the data controller did not provide the requested information within the deadline and in full.

5,000 Euro for a Greek paediatrician

The Greek data protection authority fined a paediatrician 5000 EUR. The father requested access to his child’s medical records via email, but the administrator did not comply with this request.

80,700 Euro for a Danish medical company

In January 2021, the data protection authority learned that Medicals Nordic was using WhatsApp to transmit confidential health information and data about citizens undergoing tests in the company’s testing centres. All employees working at the testing centre were invited to a WhatsApp group linked to the testing centre. Members of this WhatsApp group received all messages sent by other employees in the groups. This meant that employees who did not have a work-related need to process data were still receiving information that included personal identification numbers and health information of citizens.

5,000 Euro for a Romanian company

MED LIFE S.A. threw documents containing sensitive patient data into a public waste bin. The person found these documents and filed a complaint with the data protection authority.

91,000 Euro for a British foundation

The Tavistock and Portman NHS Foundation Trust, a London-based mental health foundation specialising in gender identity clinics for adults, wanted to hold a competition in which patients of the clinic would submit artwork to decorate the refurbished clinic building. To do so, two emails were accidentally sent with an open list of recipients (one to 912 recipients and one to 869 recipients). The email content indicated that all recipients were patients of the clinic. The Trust immediately recognized the error and unsuccessfully tried to recall the emails. As part of the investigation, it was determined that the Trust did not have any technical or organisational measures in place to prevent or mitigate this highly predictable human error. The ICO assessed the harm suffered by individuals affected by the incident as high, given that information about the relationships of individuals affected by the illness with the gender identity clinic is highly sensitive personal data. Thanks to the immediate implementation of security measures and extensive cooperation with the ICO, the fine, initially set at 910,000 EUR, was reduced to 91,000 EUR.

2,120 Euro for a Polish hospital

The Polish data protection authority imposed a fine of EUR 2,120 on the University Hospital of the Medical University of Warsaw. There was a data breach in a university hospital where a patient received a referral from a doctor containing personal information (such as name, address, etc.) of another patient. Additionally, neither the doctor nor the hospital informed the affected patient or the data protection authority about the data breach.

202,000 Euro for a medical company in the Isle of Man

Manx Care emailed an unsecured attachment containing confidential patient health information to more than 1,870 recipients, which was not related to patient care. The company also did not inform the data subject about the data breach.

7,000 Euro for an Italian cancer centre

The Italian data protection authority imposed a fine on the I.S.P.R.O. oncology clinic after a patient received the medical records of another patient mistakenly sent by email.

16,000 Euro for a Spanish healthcare facility

The Spanish data protection authority imposed a fine on the healthcare facility HOSPITAL RECOLETAS PONFERRADA, S.L.

A patient who filed a complaint with the data protection authority against HOSPITAL RECOLETAS PONFERRADA, S.L. had filled out a consent form during a medical examination, in which certain items were already pre-checked. The original fine of EUR 20,000 was reduced to EUR 16,000 due to the voluntary and prompt payment of the penalty.


If you would like to entrust us with the role of DPO in your company, here is what we will be doing as part of this service:

  • Notify you of any legal changes related to GDPR / UK GDPR,
  • Maintain the “Record of processing activities” in accordance with Article 30 of the GDPR,
  • Provide unlimited online and phone consultations,
  • Conduct regular audits of your company (at least once a year),
  • Implement legally required changes to documentation,
  • Represent you in front of the ICO (including in case of breaches) and data subjects (Data Subject Access Requests).

Click on the DPO button to learn more about our offer

The above list contains only examples of fines imposed for violations of the GDPR / UK GDPR in companies in the medical industry

Have a question?

Go to our service page if you need a consultation or other help related to UK GDPR

Our Service
Scroll to Top
Cookie Consent with Real Cookie Banner