The Commissioner imposed an administrative fine of €20,000 on a private clinic

07 April 2025

The Commissioner received a complaint regarding the unlawful processing and disclosure of personal data by the controller. The complainant alleged that the controller failed to update her residential address, resulting in the disclosure of her sensitive health data to third parties. She also questioned how the controller accessed her personal data despite having no prior relationship with her.

Following an investigation, the Commissioner found that the controller had collected and processed the complainant’s personal data from the Electoral Register without a legal basis and without informing her of its source, violating article 5(1)(a), article 6(1) and article 14 GDPR. Additionally, despite multiple notifications, the controller failed to rectify the complainant’s personal data, breaching article 16 GDPR. It also neglected to take reasonable steps to ensure the accuracy of the data, as required under article 5(1)(d) GDPR. Furthermore, as a healthcare provider processing large-scale special category data, the controller was obligated to appoint a Data Protection Officer under article 37(1)(c) GDPR but failed to do so.

In light of these findings, the Commissioner issued a reprimand pursuant to article 58(2)(b) GDPR, for the unlawful processing of personal data obtained from a publicly available source, the failure to rectify inaccurate data in a timely manner and failure to take every reasonable step to ensure compliance with the accuracy principle, and the lack of compliance with the requirement to appoint a Data Protection Officer. Furthermore, the Commissioner issued corrective measures under article 58(2)(d) GDPR, ordering the controller to rectify the complainant’s personal data without undue delay, to erase all personal data that had been unlawfully obtained from the Electoral Register and to appoint a Data Protection Officer in line with GDPR obligations.

Additionally, the Commissioner imposed three administrative fines under article 58(2)(i) GDPR, amounting to a total of €20,000. Specifically, a fine of €12,500 was issued for the breach of article 5(1)(a), article 6(1) and article 14; a fine of €5,000 was imposed for the violation of article 16 GDPR; and a further fine of €2,500 for the failure to appoint a Data Protection Officer as required under article 37(1)(c) GDPR.
