If you look at a personal data breach through the lens of ISO 27001, a personal data breach is an information security incident. Looking at the three pillars of information security, we know that information security stands on the following
Taking a risk perspective and starting from the administrative fines issued by national supervisory bodies for personal data privacy, it seems that the most important of all the special categories of data ("sensitive data") is personal data concerning the health of the data subject, as described in Article 9(1) of GDPR. Analyzing the regulators' behavior with respect to data concerning health, the primary focus seems to be the prevention of unauthorized disclosure and the penalization not only of actual disclosure but even of the possibility of disclosure. Even though every country has other laws that regulate professional secrecy, GDPR Article 9(3) emphasizes the oath of secrecy and the responsibility to keep data concerning health private.
With regard to health, personal data has at least double protection: it is protected by special laws in every Member State, where a national lex specialis regulates the obligation to keep health data private (e.g. medical doctors are obliged to maintain doctor-patient confidentiality, and in case of a breach they face consequences ranging from moral accountability, where they can be stripped of their license to practice medicine, through minor infraction/misdemeanor liability, where they can be fined, to criminal liability, where they can be jailed for unauthorized disclosure of confidential information, especially about children).
Depending on the EU Member State, special laws concerning the protection of patients' rights have proliferated, granting individuals (as data subjects) additional protection, with emphasis on doctor-patient confidentiality, the patient's right to receive timely information, and the patient's right to prohibit disclosure of data concerning health to identified individuals.
Medical doctors in all EU Member States are additionally regulated in terms of confidentiality by ethical codes, codes of conduct, and similar bylaws or standards.
The same goes for pharmacists, who are obliged to maintain pharmacist-patient confidentiality either by law or by ethical codes of conduct, and who can bear the consequences of even minor infringements. Nurses bear nearly the same responsibility. Needless to say, all these laws, bylaws, and rules, even without GDPR in place, already grant rights over personal data concerning health against members of the healthcare team, whereas others are governed by more general non-disclosure obligations.
With the implementation of GDPR, personal data concerning health is considered a special category of data and enjoys special protection in general. For example, an employer may learn about an employee's terminal illness, addiction, or other health-related personal data if the employee shares it, but also because that information is included in the sick leave notes issued by primary healthcare professionals to employees so they can be paid during sick leave (regulations differ from Member State to Member State).
Not only is the employer prohibited from making any decisions based on sick leave documentation, but doing so is punishable under the penal provisions of GDPR, because it would be considered unlawful data processing. Because employers receive such documentation (physical or digital), they are obligated to safeguard that data in proportion to its sensitivity and to the risk of impact of its unauthorized disclosure, and that includes data about sick leave.
Where technical and organizational measures are concerned, the following cases should be briefly analyzed:
Analyzing the listed cases, it is important to note that managing access rights to specific data records is a duty not only of health institutions but of employers, too. Introducing access rights policies and technical measures for sensitive data categories appears to be of paramount importance to every organization, as failure to do so can easily lead to administrative fines.
There is no reason to assume that biometric data and genetic data are any less sensitive than personal data concerning health, and they should enjoy the same level of protection mandated by GDPR. Moreover, the other special categories of data, including religious or philosophical beliefs, trade union membership, racial or ethnic origin, and data concerning an individual's sex life or sexual orientation, should be treated the same way and protected with technical and organizational measures proportionate to the risk they bear (if the processing of that data is lawful at all), as per the provisions of Article 9 of GDPR.
| Country | Fined entity | Basis for the fine | Fine amount (local currency) | Fine (EUR) | Sensitive |
|---|---|---|---|---|---|
| Poland | Warsaw University of Life Sciences | data breach occurred because of the theft of a laptop | 50.000 PLN | 11.200 EUR | No |
| Hungary | Forbes | failure to provide information to data subjects because a proper interest assessment was not carried out | 4.500.000 HUF | 12.600 EUR | No |
| Poland | Surveyor General | infringing the principle of lawfulness, making personal data internationally available without legal basis | 100.000 PLN | 22.400 EUR | No |
| Belgium | Proximus | failure to act upon withdrawal of consent, failure to provide transparent information | 20.000 EUR | 20.000 EUR | No |
| Spain | Tour & People Max S.L. | failure to stop processing data by not complying with the advertising exclusion | 1.200 EUR | 1.200 EUR | No |
| Spain | Vodafone | failure to stop processing data after the right to erasure was exercised, by sending the customer promotional SMS | 75.000 EUR | 75.000 EUR | No |
| Spain | Xfera Moviles | unauthorized disclosure of data to a third party - infringing the principle of confidentiality | 70.000 EUR | 70.000 EUR | No |
| Norway | Rælingen municipality | failure to conduct a risk and data protection impact assessment - possibility of unauthorised disclosure of health information of children | 47.500 EUR | 47.500 EUR | Yes - Health |
| Denmark | PrivatBo | failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information | 150.000 DKK | 20.160 EUR | No |
| Netherlands | National Credit Register | creating obstacles for data subjects to access their personal data | 830.000 EUR | 830.000 EUR | No |
| Germany | AOK Baden-Wuerttemberg | failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information - secure data processing | 1.240.000 EUR | 1.240.000 EUR | No |
| Italy | Wind Tre SpA | failure to obtain consent - unsolicited marketing activities; failure to act on the exercised right to be forgotten - published personal information in a public phone book after objections | 17.000.000 EUR | 17.000.000 EUR | No |
| Italy | Iliad | unauthorized access to internet traffic by employees | 800.000 EUR | 800.000 EUR | No |
| Poland | Non-public nursery and pre-school | failure to cooperate with the supervisory authority | 5.000 PLN | 1.100 EUR | Yes |
| Belgium | Google Belgium | failure to respect the right to be forgotten and lack of transparency in delisting request forms | 600.000 EUR | 600.000 EUR | No |
| Belgium | data controller - undisclosed name | failure to obtain consent prior to sending promotional messages and failure to respond to an access request | 10.000 EUR | 10.000 EUR | No |
| Spain | Iberdrola | failure to respond to a request for information | 4.000 EUR | 4.000 EUR | No |
| Finland | Posti Oy | failure to notify data subjects of their rights, failure to conduct a DPIA, excessive data collection on job applicants | 100.000 EUR | 100.000 EUR | No |
| Sweden | Region Örebro County | unauthorised disclosure of sensitive data - health related - information on a psychiatric patient published on the web | 120.000 SEK | 11.000 EUR | Yes |
| Sweden | National Government Service Centre | failure to notify the supervisory body about a data breach | 200.000 SEK | 18.700 EUR | No |
| Sweden | Google | failure to fulfil obligations in respect of the right to be forgotten | 75.000.000 SEK | 7.000.000 EUR | No |
| Iceland | National Center of Addiction Medicine | data breach - unauthorized disclosure of sensitive data - health - information about 252 patients | 3.000.000 ISK | 20.640 EUR | Yes |
| Iceland | Breiðholt Upper Secondary School | lack of appropriate measures to protect personal data - 1 instance of disclosure of sensitive, health-related data | 1.300.000 ISK | 8.900 EUR | Yes |
| Poland | Primary School No. 2 in Gdansk | collecting biometric data (fingerprints) without legal basis | 20.000 PLN | 4.500 EUR | Yes |
| Netherlands | KNLTB - Tennis Association | unlawfully providing personal data to unauthorised parties (sponsors) | 525.000 EUR | 525.000 EUR | No |
| Italy | TIM SpA | unlawful processing for marketing purposes - millions of individuals | 27.800.000 EUR | 27.800.000 EUR | No |
| Cyprus | Louis Group of Companies | lack of legal basis to process sensitive data - sick leave scoring | 82.000 EUR | 82.000 EUR | Yes |
| Italy | Eni Gas and Luce | lack of legal basis to process - unlawful processing in connection with telemarketing; failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information | 11.500.000 EUR | 11.500.000 EUR | No |
| Greece | ALLSEAS MARINE S.A | illegal installation of CCTV and infringement of the right of access | 15.000 EUR | 15.000 EUR | Yes - Biometric |
| United Kingdom | Doorstep Dispensaree Ltd | failing to process data in a manner that ensures appropriate security against unauthorised or unlawful processing and accidental loss - sensitive data - health related - medical information and prescription data | 275.000 GBP | 297.000 EUR | Yes - Health |
| Sweden | Mrkoll.se | unauthorized public disclosure of data - credit information | 35.000 EUR | 35.000 EUR | No |
| Norway | City of Oslo | failure to protect sensitive data - health related - medical records | 49.300 EUR | 49.000 EUR | Yes - Health |
| Germany | 1&1 Telecom GmbH | failure to implement appropriate technical and organizational measures, causing unauthorized disclosure of information | 9.550.000 EUR | 9.550.000 EUR | No |
| Germany | Facebook Germany GmbH | failure to notify DPO | 51.000 EUR | 51.000 EUR | No |
Data collected from EDPB website