Centro Hospitalar Barreiro Montijo, EPE – €400,000 Fine (Portugal, 2018)

€400,000Commission Nationale pour la Protection des Données9 October 2018Portugal
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Centro Hospitalar Barreiro Montijo in Portugal was fined €400,000 for letting too many staff access patient records without proper controls. The hospital had more doctor profiles than actual doctors, and staff could access all patient files, violating GDPR. This case shows the need for strict data access controls in healthcare settings.

What happened

The hospital allowed excessive and inappropriate access to patient records by staff, with more user profiles than actual doctors.

Who was affected

Patients whose sensitive health data was accessed by hospital staff without proper authorization.

What the authority found

The Portuguese data protection authority determined that the hospital failed to limit access to patient data, violating GDPR's data protection principles.

Why this matters

This case highlights the critical need for healthcare institutions to enforce strict access controls and maintain accurate user profiles to protect sensitive data. It warns of the consequences of inadequate data security practices.

GDPR Articles Cited

AI-verified

Art. 5(1)(c) GDPR
Art. 5(1)(f) GDPR
Art. 32(1)(b) GDPR
Art. 32(1)(d) GDPR
View original scraped data
Art. 5(1)(f) GDPR
Art. 5(1)(c) GDPR
Art. 32(1)(b) GDPR
Art. 32(1)(d) GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
scope corrected
Portugal enforcementCommission Nationale pour la Protection des Données actionsAll Centro Hospitalar Barreiro Montijo, EPE actions
Full Legal Summary
Detailed

The case involved unauthorized access to electronic patient records, unrelated to cookies or consent mechanisms.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Centro Hospitalar Barreiro Montijo, EPE in PT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

Ramona Films, S.L.

2022 · Agencia Española de Protección de Datos

€8K

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

9 October 2018

Authority

Commission Nationale pour la Protection des Données

Fine Amount

€400,000

GDPRhub ID

gdprhub-2221

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Centro Hospitalar Barreiro Montijo, EPE - Portugal (2018). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: