Service public fédéral Santé publique, Administration de l'Expertise médicale (Medex) – Complaint Upheld (Belgium, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 24 August 2022 and 28 August 2023, three data subjects filed complaints with the Belgian DPA (APD) against the Medical Assessment Department of the Federal Public Health Service (MEDEX) (the controller). The DPA joined the complaints. The data subjects complained that the controller had lost or misplaced their medical records in connection with their applications for disability pensions for military staff. The files had to be physically transferred from the regional centre where they were created to the central centre in Brussels. During transportation, the files were temporarily misplaced or permanently lost. On 2 August 2022, the controller notified the DPA of the loss of the files of data subjects (2) and (3) but did not report the loss of data subject (1)’s file.

The DPA noted that medical confidentiality may have been breached when the medical records were lost or misplaced, and that unauthorised parties may have had access to the data subjects’ files. It found that the controller may have violated Article 5(1)(f) GDPR (the principle of data integrity and confidentiality) and Article 32 GDPR by losing and misplacing the data subjects’ medical records. Furthermore, the DPA found an infringement of Article 5(2) GDPR (the principle of accountability) and Article 24 GDPR, because the controller was not able to demonstrate compliance with the principle of data integrity and confidentiality by implementing appropriate technical and organisational measures. Moreover, the DPA found that the controller may have breached Article 33(1) GDPR by failing to notify the DPA of the loss of data subject (1)’s file.

Therefore, the DPA issued a warning to the controller to ensure that the transmission and archiving of medical files are subject to technical and organisational measures appropriate to the risks inherent in the processing of health data, and to ensure that data breaches are notified to the DPA.
GDPR Articles Cited
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Service public fédéral Santé publique, Administration de l'Expertise médicale (Medex) in BE
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Service public fédéral Santé publique, Administration de l'Expertise médicale (Medex) - Belgium (2025). Retrieved from cookiefines.eu