Medical laboratory fined for several GDPR violations

Summary

An individual filed a complaint against a medical analysis laboratory. The complainant alleged that the laboratory violated the principles of confidentiality and transparency. Specifically, the complainant argued that the laboratory had not conducted a data protection impact assessment, that inadequate information was provided to data subjects, and that sensitive personal data, namely health-related information, was processed using an insecure website.

The complainant had interacted with the laboratory multiple times for medical analyses and was informed that their doctor had electronic access to their test results. However, the complainant discovered that the laboratory's website, named "Cyberlab", had a page for accessing medical analysis data over unsecured HTTP rather than HTTPS.

Decision of the Belgian Data Protection Authority

The DPA imposed a fine of 20,000 EUR on the medical laboratory for the following violations:

• Failing to comply with the principles of confidentiality and integrity (GDPR, Article 5(1)(f)).
• Not respecting the data subject's right to information (GDPR, Articles 12-14).
• Lacking adequate data security measures, such as two-factor authentication (GDPR, Article 32).
• Failing to carry out an impact assessment (GDPR, Articles 35(1) and (3)).

Our remarks

• The case highlights a key aspect of the GDPR, namely the accountability principle set out in GDPR, Articles 5(2) and 24, and the fundamental obligation of data controllers to clearly identify their responsibilities under the GDPR. If data controllers are not aware of the extent of their obligations, the effective protection of data subjects will be compromised.
• When special categories of information are processed, such as health data, appropriate technical and organizational measures should be observed to protect the security and integrity of the data. Complying with GDPR, Article 32, will require additional measures in these situations, compared to situations where sensitive data is not processed.

Tags: 05 Data security
Published: 19-08-2022
Journal number: DOS-2019-05244
Complycloud EU GDPR Report