Doctor

Description

The French DPA (CNIL) fined a doctor EUR 6,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data such as MRI and X-ray images as well as personal data such as names, dates of birth and treatment data of his patients on a server in order to be able to access them from his home computer. A review of the controller's systems had revealed that access to the server was not properly secured. This would have allowed anyone to access his patients' data. Furthermore, the data leak had existed for about five years. The data protection authority therefore found that the doctor had failed to take adequate technical and organisational measures to ensure data security.