OLVG – €440,000 Fine (Netherlands, 2021)

€440,000 | Autoriteit Persoonsgegevens | 11 February 2021 | Netherlands
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Dutch privacy authority fined Amsterdam's OLVG hospital EUR 440,000 for not keeping patient records secure. Unauthorized employees, including students, could access sensitive information like medical records and social security numbers. This case highlights the importance of strong security measures in healthcare settings.

What happened

OLVG hospital failed to prevent unauthorized access to patient records between 2018 and 2020.

Who was affected

Patients whose medical records, social security numbers, addresses, and phone numbers were accessed by unauthorized employees.

What the authority found

The Dutch DPA found that OLVG did not take enough security measures to protect patient data, violating GDPR's requirement for data security.

Why this matters

This fine underscores the critical need for hospitals to implement robust security measures to protect patient data. Healthcare providers must ensure only authorized personnel can access sensitive information.

GDPR Articles Cited

Art. 32 GDPR

Source verified 6 March 2026
verified correct
Full Legal Summary

The Dutch DPA (AP) imposed a fine of EUR 440,000 on the Amsterdam hospital OLVG. Between 2018 and 2020, the controller had taken insufficient measures to prevent unauthorized employees from accessing medical records. The controller did not adequately check who had access to which file, nor did it ensure that the computer system provided sufficient security. As a result, among other things, working students and other employees were able to access patient files without this being necessary for their work. Besides medical records, the patient files also contained the social security numbers, addresses and telephone numbers of the data subjects.

Details

Fine Date

11 February 2021

Authority

Autoriteit Persoonsgegevens

Fine Amount

€440,000

Enforcement Tracker ID

ETid-555

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. OLVG - Netherlands (2021). Retrieved from cookiefines.eu
