The Danish Data Protection Agency reports Capio A/S to the police for failing to supervise data processors. A fine of no less than DKK 1,500,000 is recommended for the private hospital.
The Danish Data Protection Agency has conducted an investigation of GHP Gildhøj Privathospital ApS’ (now Capio A/S) supervision of data processors. In this connection, the Danish Data Protection Agency randomly selected three of the private hospital’s data processors as the subject of the investigation.
The investigation of Capio A/S’ supervision of the three data processors showed that the private hospital had not supervised the data processors. The first supervision of each data processor was not carried out until the Danish Data Protection Agency initiated its investigation of the private hospital.
On this basis, the Danish Data Protection Agency has decided to report Capio A/S to the police for not having acted in accordance with the data protection law principle of accountability. It is thus the Danish Data Protection Agency’s assessment that the private hospital has not been able to ensure and demonstrate that personal data is processed for lawful and reasonable purposes and in a manner that ensures adequate security for the personal data concerned. This applies even if the private hospital asked another party (a data processor) to process the data on its behalf.
Why report to the police?
The Danish Data Protection Agency always makes a specific assessment of the seriousness of the case pursuant to Article 83(2) of the General Data Protection Regulation when assessing which sanction is, in the opinion of the Data Protection Agency, the correct one.
In its assessment, the Danish Data Protection Agency has, among other things, emphasised that the data processors were not supervised for several years. In addition, the data processors processed information about a large number of data subjects. The authority also emphasised that the data processors processed special categories of personal data (sensitive data) and other personal data worthy of protection.