GDPR: outpatient clinic fined 50,000 euros

The Austrian Data Protection Authority (DPA) highlighted in its latest newsletter a decision of 16 November 2019 concerning an outpatient clinic for the diagnosis and therapy of allergic diseases. The clinic was fined 50,000 euros for

  1. not having appointed a data protection officer although it employs 17 doctors,
  2. requesting “irrevocable” consents from patients on the basis of unclear information, including consent to a lower level of data security (transfer of medical data by unencrypted e-mail),
  3. relying on Art 6 GDPR as the legal basis (instead of Art 9(2) GDPR only) and consequently not providing patients with accurate information about the legal basis of the processing, and
  4. not having carried out data protection impact assessments (Art 35 GDPR) for various processing activities.

The decision is in contrast to the Austrian Supreme Court’s view that the requirements of Art 9(2) GDPR need to be fulfilled in addition to those under Art 6(1) GDPR (6Ob45/19i of 24 July 2019). The DPA also clearly dismissed the clinic’s defence that it had relied on incorrect information about GDPR requirements provided by professional representative bodies.

The decision also shows that the DPA takes a strict view and does not, as a rule, issue a warning before imposing a fine.