The Polish SA imposes an administrative fine on the University Clinical Center of the Medical University of Warsaw

The Polish Supervisory Authority (SA) has fined the University Clinical Center of the Medical University of Warsaw for failing to communicate the breach to the data subjects.

According to the information published on the EDPB website:

The Polish SA has received information from the Commissioner for Patients' Rights about a possible personal data breach at the University Clinical Center of the Medical University of Warsaw.

One of the patients received a referral from a doctor to a specialty care clinic containing personal information about another person.

The controller classified the incident as a security incident and concluded that it did not have significant consequences for the rights and freedoms of the data subject. Therefore, the controller decided not to notify the personal data breach to the Supervisory Authority, and also failed to communicate the personal data breach to the data subject.

The Polish SA imposed an administrative fine of PLN 10,000 on the University Clinical Center of the Medical University of Warsaw.

In the opinion of the Polish SA, the controller knowingly failed to notify the personal data breach to the supervisory authority and to the data subject, despite becoming aware of the incident from the Commissioner for Patients' Rights and in spite of letters addressed to it by the DPA, indicating the possibility of high risk to the rights or freedoms of the data subject affected in the present case.

In addition, it should be pointed out that disclosure to an unauthorized recipient of another person's personal data, due to the fact that the controller's doctor gave him or her a referral to a specialty care clinic with inappropriate data, also constitutes a violation of medical confidentiality.

You can reach the full text of the press release here.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr