Stichting Bravis Ziekenhuis (hospital) – Court Ruling (Netherlands, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Dutch court found that a hospital failed to protect a patient's medical records from unauthorized access by an employee. The employee, who was the patient's ex-partner's new partner, accessed the records and published them in a book. This case highlights the importance of hospitals having strong data protection measures in place.
What happened
A hospital employee accessed a patient's medical records without permission and published the information in a book.
Who was affected
The patient whose medical records were accessed and published without consent.
What the authority found
The court ruled that the hospital did not have adequate security measures to protect the patient's data, violating Article 32 of the GDPR.
Why this matters
This ruling emphasizes the need for healthcare providers to implement robust data protection policies. It serves as a warning that failing to monitor employee access to sensitive data can lead to serious privacy breaches.
GDPR Articles Cited
National Law Articles
The data subject went through a turbulent divorce with her ex-partner. Afterwards, her ex wrote a book about it. Some parts of the book contained information on the data subject’s medical status. Coincidentally, the publisher of the book used to worked at the hospital (the controller) where the data subject was a patient. On top of that, the publisher was the ex’s new partner. After the book was published, the data subject requested the controller for access to the logging data of her patient record. The logging data revealed that her ex’s new partner frequently accessed her patient file for four years. The data subject therefore filed a complaint with the controller, to which the controller replied in a letter. The controller stated that the ex's new partner's employment had been terminated. However it could not establish that she was the reason that the data subject's medical information was published in the book. The data subject was not satisfied with the content of the response and took the case to court. The data subject claimed that the controller was liable for the (non-material) damages that she suffered because (1) the controller took insufficient measures to protect her medical data and (2) insufficiently investigated the data breach. In addition, the data subject argued that the controller was liable for damages caused by its employee (the ex’s new partner/publisher) who accessed her medical records and subsequently published those in the book. The Court held that the controller's monitoring policy did not meet the necessary standard, as it was non-existent. As a result, logging by employees with unrestricted access (like the present case) was not monitored at all and only two patient files were randomly checked every month. The Court found that this fell short, given the amount of personal data processed by the controller. It therefore held that the controller violated Article 32 GDPR, as no appropriate measures were taken to protect the data subject'
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Stichting Bravis Ziekenhuis (hospital) in NL
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Stichting Bravis Ziekenhuis (hospital) - Netherlands (2022). Retrieved from cookiefines.eu
Last updated: