Private hospital Capio A/S recommended for DKr1.5m fine

The Danish private hospital failed to supervise its data processors and keep sensitive data secure.

The private hospital Capio A/S in Denmark has been reported to the police by Datatilsynet, the Danish Data Protection Authority, for failing to supervise its data processors, as required by the data protection legal principle of accountability. Datatilsynet is also recommending a fine of no less than DKr1.5m ($219,234).

In its investigation, Datatilsynet randomly selected one out of three of the data processors of Gildhøj Privathospital ApS (now Capio A/S), and found that the private hospital had not supervised them for several years. The hospital only started supervising the processors after the investigation had begun.

The data processors processed information about a large number of data subjects, including special categories of personal and sensitive data, and other personal data which the authority called “worthy of protection”.

Datatilsynet says that, through this lack of supervision, Capio A/S failed to guarantee and demonstrate that personal data was processed for legal and reasonable purposes. The private hospital also failed to ensure adequate security for personal data.