Public Hospital – €400,000 Fine (Portugal, 2018)

€400,000 | Comissão Nacional de Proteção de Dados | 17 July 2018 | Portugal
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Portuguese hospital was fined €400,000 for allowing too many staff members to access patient data without proper controls. The hospital had more user profiles than actual doctors, and staff could view all patient records, which violated data protection rules. This case highlights the importance of restricting access to sensitive information to only those who need it.

What happened

The hospital allowed staff to access patient data through false profiles, with more profiles than actual doctors and unrestricted access to all patient files.

Who was affected

Patients whose medical records were accessed by hospital staff without proper authorization.

What the authority found

The Portuguese data protection authority found that the hospital failed to protect patient data by allowing excessive and unrestricted access, violating GDPR's security requirements.

Why this matters

This case underscores the need for healthcare providers to implement strict access controls and regularly audit user permissions. It serves as a warning that failing to secure sensitive data can result in significant fines.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(f) GDPR

Source verified 6 March 2026 (verified correct)

Full Legal Summary

Investigation revealed that the hospital’s staff, psychologists, dietitians and other professionals had access to patient data through false profiles. The profile management system appeared deficient – the hospital had 985 registered doctor profiles while only having 296 doctors. Moreover, doctors had unrestricted access to all patient files, regardless of the doctor’s specialty.

Related Enforcement Actions (0)

No other enforcement actions found for Public Hospital in PT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 17 July 2018
Authority: Comissão Nacional de Proteção de Dados
Fine Amount: €400,000
Enforcement Tracker ID: ETid-45

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Public Hospital - Portugal (2018). Retrieved from cookiefines.eu
