17 July 2019 / news

First GDPR fine in the Netherlands is a reality

The HagaZiekenhuis hospital in The Hague has been fined EUR 460,000 for failing to implement adequate technical and organisational measures to secure patient files.


An investigation by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) was launched earlier in 2018 following claims that over 80 hospital staff were unlawfully snooping into the confidential patient files of the reality star ‘Barbie’. The AP found that the hospital should regularly check who accesses which files in order to flag unauthorised access in a timely manner. Such unauthorised access should be addressed immediately with appropriate measures. The AP also found that an adequate security system requires authentication involving at least two factors (access to a patient file should, for instance, require a code in combination with an employee pass).

In addition to the fine, the AP has imposed an order subject to a penalty to force the hospital to adequately bring its security measures up to standard. In case of non-compliance by 2 October 2019, the hospital will have to pay EUR 100,000 every two weeks (with a maximum of EUR 300,000).

The AP emphasised that patient confidentiality is of utmost importance and that failure to meet this obligation warrants a hefty fine.

Full article available here (in Dutch). Get in touch with us in case of any questions!
