Hospital – €20,000 Fine (Malta, 2025)

€20,000 | Information and Data Protection Commissioner | 2 April 2025 | Malta
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A hospital in Malta was fined for mishandling personal data by combining health information with data from a public electoral register. The hospital had no legal basis to process this data, and the combination led to unauthorized access. This case highlights the need for proper data handling practices in healthcare.

What happened

The hospital processed personal data from the public electoral register without a legal basis and combined it with health data.

Who was affected

Patients whose health data was improperly combined with information from the electoral register.

What the authority found

The Maltese Data Protection Authority found that the hospital violated multiple GDPR rules by failing to have a legal basis for processing the data and not ensuring its accuracy.

Why this matters

This ruling underscores the importance of having a valid legal basis for processing personal data, especially in sensitive sectors like healthcare. Organizations must ensure they follow strict data handling protocols.

GDPR Articles Cited

Art. 14 GDPR
Art. 16 GDPR
Art. 5(1)(a) GDPR
Art. 6(1) GDPR
Art. 37(1)(c) GDPR

Source verified 5 May 2026 (articles corrected)

Full Legal Summary

The DPA of Malta has imposed a fine of EUR 20,000 on a hospital. The controller processed a data subject's personal data, obtained from the public electoral register, and combined it with health data. However, the controller had no legal basis to process data from the public electoral register and failed to ensure that the data was correct. As a result, different datasets were wrongfully combined and health data was sent to unauthorised third parties. The controller also failed to respond adequately to the data subject's requests to exercise their rights, and failed to appoint a DPO.

Related Enforcement Actions (0)

No other enforcement actions found for Hospital in MT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

2 April 2025

Authority

Information and Data Protection Commissioner

Fine Amount

€20,000

Enforcement Tracker ID

ETid-1278

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hospital - Malta (2025). Retrieved from cookiefines.eu
