Hospital – €200,000 Fine (Belgium, 2024)

€200,000 | Autorité de Protection des Données | 17 December 2024 | Belgium
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Belgian DPA has fined a hospital EUR 200,000. The hospital had suffered a ransomware attack through a vulnerability in the server, which paralyzed parts of the computer system and affected about 300,000 individuals. During its investigation, the DPA found that the hospital had failed to carry out a data protection impact assessment. The DPA also found that the hospital did not have an adequate information security policy in place and had failed to implement appropriate technical and organizational measures to protect personal data and prevent such an incident, such as employee training and a process for applying security updates to IT equipment.

GDPR Articles Cited

AI-verified

Art. 24 GDPR
Art. 32 GDPR
Art. 5(1)(f) GDPR
Art. 35(3) GDPR

Reviewed Authority: APD
Source verified 6 March 2026
amount discrepancy

Related Enforcement Actions (0)

No other enforcement actions found for Hospital in BE

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 17 December 2024
Authority: Autorité de Protection des Données
Fine Amount: €200,000
Enforcement Tracker ID: ETid-2521

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hospital - Belgium (2024). Retrieved from cookiefines.eu
