The Barreiro Hospital is appealing one of the first publicly-announced fines issued since the new regulations came into force

The Portuguese data watchdog applied a €400,000 fine on a Portuguese hospital in July for two violations of the EU’s General Data Protection Regulation (GDPR).

The Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital had granted nine social workers access to patients’ clinical data, while 985 users were registered for doctor-level access despite only 296 physicians working at the hospital.

The hospital is appealing the fine, issued on 17 July but not publicly announced at the time, and may even launch a judicial challenge, according to Portuguese publication Publico.

Two separate penalties were imposed after the data watchdog inspected the hospital in early July, with a €300,000 fine applied for failing to respect patient confidentiality, and limiting inappropriate access to patient data. The second fine of €100,000 was imposed for the hospital’s inability to ensure the integrity of data security in their system.

“The Centro Hospital Barreiro Montijo (CHBM) does not follow the assumptions and understanding of the National Data Protection Commission (CNPD) on this matter,” the hospital’s board of directors said. “We are currently preparing a judicial challenge.”

The regulator explained that an audit showed a test profile on the hospital’s system granted “unrestricted” access to clinical data for patients.

According to the CNPD the hospital acknowledged the existence of unused profiles on the system, but said they were “temporary profiles” for doctors working on a contractual basis.

The fine represents one of the first publicly-announced GDPR fines issued since the regulations came into force on 25 May this year.

The figure is small against the €20 million (or 4% of global annual turnover) maximum that can be levied against an organisation, but indicates regulators may take a measured approach to enforcing GDPR.