Medical service provider sanctioned for noncompliance with several GDPR requirements


On 6 December 2021, the Romanian DPA announced that it had sanctioned a medical service provider with a fine of EUR 2,000 for failing to comply with the principles of lawfulness, fairness and transparency, purpose limitation, integrity and confidentiality, and accountability.

The investigation was launched after a complaint was received about the disclosure of an individual’s personal data, including health data, to another controller. Further, the Romanian DPA concluded that the medical service provider failed to comply with the data protection principles, including the additional requirements that apply to the processing of health data.

Moreover, the Romanian DPA imposed a corrective measure to ensure compliance with the GDPR requirements for data collection and further processing activities. This corrective measure aims to establish an adequate level of security of personal data by ensuring training for individuals involved in the data processing, as well as appropriate involvement of the data protection officer.

The press release is available here (only in Romanian).