Akureyri Hospital – Complaint Upheld (Iceland, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Akureyri Hospital mistakenly sent a woman's and her child's medical records to the wrong address. This is significant because it highlights the importance of handling sensitive information carefully. The Icelandic DPA criticized the hospital for not ensuring the security of personal data, but no fine was imposed.
What happened
Akureyri Hospital sent medical records to the wrong address, compromising the security of sensitive information.
Who was affected
A woman and her child whose medical records were incorrectly mailed by Akureyri Hospital.
What the authority found
The Icelandic DPA found that the hospital failed to protect personal data adequately, violating privacy rules.
Why this matters
This case underscores the critical need for organizations to have strict procedures in place for handling sensitive data. It serves as a reminder to ensure that personal information is sent securely and to the correct recipients.
GDPR Articles Cited
On 11 May 2020 the DPA received a complaint from a woman whose medical records and those of her child, which she had requested from the Akureyri Hospital, had been sent to the wrong address. Although she had specifically requested that the documents be sent to her, the letter had been sent to the address of her child, who is domiciled with her father. The data was sent by registered mail and returned to the Hospital in Akureyri unopened. At the hospital, the documents were placed in another envelope and sent by registered mail to the complainant. The DPA held that, in view of the sensitive nature of the data in question, it was highly reprehensible that the Hospital in Akureyri did not ensure that the data was sent to the correct address. The procedures did not ensure adequate security of personal information according to Act no. 90/2018 on personal protection and the processing of personal information. The DPA therefore concluded that the Hospital in Akureyri's processing of the complainant's personal information, in transmitting her and her child's medical records, did not comply with Act no. 90/2018 on personal protection and processing of personal information. The DPA found no preconditions for imposing a fine.
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Akureyri Hospital - Iceland (2021). Retrieved from cookiefines.eu