PogoWasRight.org


Finnish SA: Administrative fine imposed on medical clinic for shortcomings in implementing rights of a data subject

Posted on March 16, 2022 (updated June 24, 2025) by Dissent

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) has taken more than 20 enforcement actions concerning patients’ rights to timely access to their medical records from their provider. Those enforcement actions and their monetary penalties can be found linked from here.

For comparison between the GDPR and HIPAA, here is the summary of a recent enforcement action from Finland, as published on the EDPB site:

Background information

Date of final decision: 16 December 2021
Cross-border case or national case: National case
Legal Reference: Right of access (Article 15), Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13)
Decision: Infringement of the GDPR, administrative fine and reprimand

Summary of the Decision

Origin of the case

The customer of the medical clinic who complained to the Office of the Data Protection Ombudsman stated that they had not received their patient records from the clinic. The Office of the Data Protection Ombudsman requested information from the clinic on which authority it deemed to be the data controller for patient records with respect to medical appointments of the clinic’s owner. The clinic did not, however, provide an appropriate statement regarding the matter.

Key Findings

The Deputy Data Protection Ombudsman considers that the clinic failed to implement the customer’s right to inspect their own data in accordance with the GDPR or to give a reason for restricting this right. The clinic also failed to inform its customers in an adequate manner about the processing of personal data, or to what extent it acted as the controller for patient records generated in its operations.

Decision

The Deputy Data Protection Ombudsman issued the company a reprimand for violating the GDPR and ordered it to change its procedure to comply with the data protection regulations on informing data subjects and implementing their rights. The Sanctions Board imposed an administrative fine of EUR 5,000 on the company. The Board considers the company’s practice to be systematic, in addition to which the violation was long-standing and affected a large number of data subjects.

For further information:

  • Decisions of the Deputy Data Protection Ombudsman and Sanctions Board in Finnish in Finlex
  • Press release in English: Administrative fine imposed on medical clinic for shortcomings in implementing rights of a data subject

EDPB has a disclaimer on their site as follows:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.
