Poland: UODO fines Medical University of Warsaw PLN 10,000 for breach notification failures

The Polish data protection authority ('UODO') announced, on 1 August 2022, decision DKN.5131.34.2021, as issued on 6 July 2022, in which it fined the University Clinical Centre of the Medical University of Warsaw PLN 10,000 (approx. €2,120), for violations of Articles 33(1) and 34(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following receipt of information about a security incident.

Background to the decision

In particular, the UODO outlined that they received information about a possible data breach from the Patient's Rights Ombudsman, whereby an individual received a referral from a doctor which contained the personal data of another patient, including health data. Moreover, the UODO highlighted that, following this incident, the doctor did not notify either the UODO or the affected individual about this incident, as they believed the personal data in the referral related to a person who did not exist in reality. Furthermore, the UODO noted that while the Medical University of Warsaw qualified this as a security incident after the Ombudsman brought it to their attention, they did not consider it to have a significant impact on the rights or obligations of the data subject and so did not notify either the UODO or the patient in question.

Findings of the UODO

In relation to the above, the UODO disregarded the notion that the incident technically concerned a non-existent person due to an error in the patient information. Specifically, the UODO stated that while the patient's details in the referral contained a typographical error, other personal data such as name, address, and PESEL number meant that the patient could easily be identified.

In addition, the UODO determined that there was in fact a high risk to the rights of the data subject, due to the presence of health data. Moreover, the UODO added that the disclosure of the patient's personal data to an unauthorised person was a breach of medical confidentiality. Furthermore, the UODO concluded that the Medical University of Warsaw deliberately failed to notify both the UODO and the affected individual, despite both the Ombudsman and the UODO contacting it with regard to the incident.

Outcomes

As a result of the above, the UODO issued a fine of PLN 10,000 (approx. €2,120) against the Medical University of Warsaw and also ordered it to notify the affected individual about the breach within three days of the decision becoming final.

You can read the press release here and the decision here, both only available in Polish.
