Dutch DPA Announces Fine on Hospital for Lack of Appropriate Security Measures

On July 16, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced that it had imposed a fine of €460,000 on a Dutch hospital, HagaZiekenhuis, for insufficient security measures under Article 32 of the EU General Data Protection Regulation (“GDPR”).

In particular, the Dutch DPA found that the hospital had not implemented appropriate security measures to prevent unnecessary access to patients’ records. Specifically, the hospital had failed to (1) implement appropriate access controls, and (2) use an access system requiring at least two-factor authentication (i.e., the identity of a user must be verified using a combination of a password and a staff pass).

In addition to the fine, the Dutch DPA imposed a penalty of €100,000, due every two weeks with a maximum of €300,000, if the hospital does not remediate the situation and implement appropriate security measures by October 2, 2019.

The hospital can still appeal the Dutch DPA’s decision.

Read the press release, the decision and the investigation report, which are available only in Dutch.
