Medicals Nordic I/S
Non-compliance with general data processing principles
Decision Date
July 9, 2021
Authority
Danish Data Protection Authority (Datatilsynet)
DK
Sector
Health Care
Country
DK
Law
GDPRStatus
FINALDescription
The Danish DPA (Datatilsynet) has fined Medicals Nordic I/S EUR 80,700. In January 2021, the DPA became aware that Medicals Nordic was using WhatsApp to transmit confidential information and health data about citizens being tested in the company's test centres. All employees working in a test centre were invited to a WhatsApp group associated with the test centre. The members of these WhatsApp groups received all the messages transmitted by other employees in the groups. The employees shared confidential information about citizens to the company's central administration through those WhatsApp groups. This meant that employees who, did not have a work-related need to process information - which other employees had to transmit to the central administration - nevertheless received the information, which included, inter alia, personal identity numbers and health data of citizens.