Ida-Tallinna Keskhaigla – Court Ruling (Estonia, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A court in Estonia ruled that Ida-Tallinna Keskhaigla, a central hospital, could not be punished for a data breach involving health data thrown in a public bin. This ruling is significant because it shows how legal responsibility can be complicated, especially when actions are taken by individuals within an organization.
What happened
The hospital was initially fined for unlawfully disclosing health data, but the court found it could not be held liable due to the circumstances of the incident.
Who was affected
Patients whose health data was improperly discarded were affected by this incident.
What the authority found
The court decided that the hospital could not be punished because the misconduct did not meet the legal criteria for liability under Estonian law.
Why this matters
This case highlights the complexities of liability for data breaches and suggests that organizations need to ensure their staff understand data protection rules. It also indicates that legal systems can vary significantly in how they handle such cases.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 13 February 2023, the DPA imposed a fine of € 200,000 EUR to Ida Tallina Central Hospital (‘controller’) for the unlawful disclosure of health data within the meaning of Article 9(1) GDPR. A member of the management board threw them into an open bin outside of the hospital and open to public access. With this conduct, the controller violated the requirements of Article 32(1)(b) GDPR to ensure the confidentiality of the services processing personal data. Pursuant to Article 62 PDPA, the controller committed a misdemeanour. The decision of the DPA was appealed by the controller. On 31 August 2023, the Harju County Court (‘first instance court’) annulled the decision of the DPA and ruled that the controller could not be punished for committing a misdemeanour because of the principle of derivative liability applied. According to this principle: 1) a legal person, such as a hospital, can only be liable for an offence if the conduct of its body, member, manager, or competent representative met all the elements of a tort or delict, and 2) if the act was committed in the interests of the legal person. In this case, the violation was attributed to a member of the management board, but the misconduct did not meet all the legal elements of the offense to be done in the interest of the hospital. Since this was not the case, the hospital could not be held liable for the alleged infringement. On 21 December 2023, an appeal against the decision of the first instance court was filed by an out of court proceeding by the data subject which sought the annulment of the above decision. The controller argued in the appeal proceeding that the misdemeanour proceedings should be terminated as the offence is time-barred according to 29(1)(5) Code of Misdemeanour Procedure (‘VTMS’). The Supreme Court clarified that in Estonia, due to the unique structure of their legal system, fines for GDPR violations are imposed through misdemeanour procedures by a supervisory authority. The sam
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Ida-Tallinna Keskhaigla in EE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Ida-Tallinna Keskhaigla - Estonia (2024). Retrieved from cookiefines.eu
Last updated: