Belgium: Belgian DPA fines laboratory €20,000 for security, DPIA, and privacy policy violations

The Belgian data protection authority ('Belgian DPA') issued, on 19 August 2022, Decision No. 127/2022, in which it fined a medical analysis laboratory ('the Laboratory') €20,000 for violations of Articles 5(1)(f), 12, 13, 14, 32, 35(1), and 35(3) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.

Background to the decision

In particular, the Belgian DPA outlined that a complaint had been submitted to it about the Laboratory, alleging that the Laboratory had failed to carry out a Data Protection Impact Assessment ('DPIA'), had failed to inform data subjects correctly, and had processed medical data via an unsecured webpage.

Findings of the Belgian DPA

The Belgian DPA determined that the Laboratory had violated the principle of integrity and confidentiality enshrined in Articles 5(1)(f) and 32 of the GDPR, because the webpage allowed doctors to remotely consult the medical results of patients without employing any encryption. Moreover, the Belgian DPA found that Articles 35(1) and 35(5) of the GDPR had also been violated, as the Laboratory had failed to conduct a DPIA for the large-scale processing of health data. Specifically, the Belgian DPA stated that the Laboratory, in disputing that the health data had been processed on a large scale, had failed to clarify what criteria it was using to make that determination.

In addition, the Belgian DPA found that the Laboratory had violated Articles 12, 13, and 14 of the GDPR due to the absence of a privacy policy on its website. In this regard, the Belgian DPA rejected the argument that a privacy policy was not required because the website in question was a 'mere commercial showcase', since medical results were made available through it.

Outcomes

As a result of the above, the Belgian DPA fined the Laboratory €20,000.

The decision is available in French only.