Hospital Campogrande DE – €10,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Hospital Campogrande DE was fined EUR 10,000 by Spain's data protection authority for improperly sharing a patient's MRI results within its hospital network. The hospital linked a private MRI to the patient's record without medical justification, affecting the patient's insurance claim. This case stresses the importance of handling medical data with care and justification.
What happened
Hospital Campogrande DE improperly shared a patient's MRI results within its network without medical justification.
Who was affected
A patient whose privately arranged MRI was linked to their record at another hospital without proper justification.
What the authority found
The authority ruled that the hospital violated GDPR by not ensuring the confidentiality and proper justification for sharing the patient's medical data.
Why this matters
This case serves as a reminder for healthcare providers to handle patient data with strict confidentiality and only share it when medically justified. It highlights the need for clear data handling policies to protect patient privacy.
GDPR Articles Cited
The Spanish DPA (AEPD) imposed a fine of EUR 10,000 on Hospital Campogrande DE. A patient filed a complaint against the controller with the DPA. The controller had performed an MRI on the patient on September 05, 2019 due to an injury of the right knee. The cost of the examination was covered by the patient's private health insurance. Due to a work-related injury, another MRI of the same knee had to be performed on September 27, 2019. Although the second MRI was performed at another hospital, albeit one belonging to the corporate group, the hospital system also linked the first, privately arranged MRI to the patient's record at the second hospital. The first MRI was provided through the hospital network without any medical justification. This turned out to be very unfavorable for the patient when, upon presentation of the second MRI, the company physician informed him that he would have to contact his private physician or the social insurance with this injury, since the incident could not be considered an occupational accident. He justified this with the existence of the first MRI, which had a non-occupational cause.
Related Enforcement Actions (0)
No other enforcement actions found for Hospital Campogrande DE in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 March 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€10,000
Enforcement Tracker ID
ETid-587
About this data
Cite as: Cookie Fines. Hospital Campogrande DE - Spain (2021). Retrieved from cookiefines.eu
Last updated: