Hospital – €190,000 Fine (Croatia, 2024)

The Croatian DPA (AZOP) has imposed a fine of EUR 190,000 on a hospital. The hospital had suffered a data breach in which radiological image files were irrevocably lost. AZOP had received several complaints from data subjects whose personal data, including medical images, could not be provided. The investigation revealed that the hospital failed to implement appropriate technical measures to safeguard personal data, as no backups of the affected data were made (violation of Art. 32 (1) b) GDPR). Moreover, the hospital did not report the incident within the required 72 hours after becoming aware of it (violation of Art. 33 (1) GDPR). The hospital had also failed to enter into a data processing agreement with the service provider responsible for implementing and maintaining the system (violation of Art. 28 (3) GDPR). Further violations included the unclear definition of retention periods for personal data from recorded telephone conversations (violation of Art. 5 (1) e) GDPR) and the unlawful recording of conversations lacking a legal basis (violation of Art. 6 (1) GDPR). Additionally, the clinic did not inform patients in clear and plain language about the processing of their personal data when they called the call center, nor did it provide all the necessary information about the collection of personal data through the recording of these conversations (violation of Art. 12 (1) GDPR, Art. 13 (1) c) GDPR and Art. 13 (2) a), b) GDPR. Finally, AZOP found that the data protection officer was not involved in the development or adaptation of data protection guidelines and in questions regarding the recording and storage of telephone conversations (Art. 38 (1) GDPR).