Doctor fined EUR 2,000 by the Romanian DPA over several GDPR violations, including unlawful disclosure of health data


On 31 August 2023, the Romanian DPA announced a fine of EUR 2,000 imposed against a natural person (doctor) for several GDPR violations, including infringements of the GDPR principles and the rules on lawfulness of processing, and processing of special categories of data.

During the investigation following a complaint, it was found that the sanctioned doctor had recorded a patient without her consent and subsequently posted the video on his Facebook page. Posting this audio-video recording led to the disclosure of the patient’s personal data, such as image, voice, name, surname and health data.

Even though the recording was deleted from the Facebook page the same day, it was already viewed by a very large number of people and uploaded and disseminated on various websites and social media platforms.

The Romanian DPA also applied a corrective measure, the controller being ordered to ensure GDPR compliance of personal data processing operations.

The press release is available here (only in Romanian).