Fine for the infringement of GDPR
The National Supervisory Authority finalised in November 2021 an investigation at the controller Societatea Civilă Medicală Policlinica Tommed following which it was found that the provisions of Article 5 paragraph (1) letters a), b) and f) and paragraph (2), corroborated with Article 9 of the General Data Protection Regulation were infringed.
Therefore, the controller was sanctioned with a fine in amount of Lei 9,898 (the equivalent of Eur 2,000).
The investigation was started following a complaint through which it was claimed that Societatea Civilă Medicală Policlinica Tommed disclosed certain personal data, including health data, of a natural person to another controller.
Within the performance of the investigation it was found that the controller disclosed that personal data without observing the processing principles and without observing the legal conditions for personal data processing, including the health data, and without the prior information of the involved person (patient of the controller).
At the same time, the corrective measure to ensure the conformity with the GDPR of the subsequent collecting and processing of the personal data, so that it avoids the disclosure of the personal data processed, with the breach of the legal conditions, that implies inclusively the application of appropriate security and confidentiality measures, through the periodically training of the persons that process data under the authority of the controller and the corresponding implication of the data protection officer, in accordance with Articles 37-39 of the GDPR was applied to the controller.
Legal and Communication Department