Blog
The Supreme Administrative Court recently issued a judgment confirming the fine for violation of the GDPR for the Hospital Tábor, a. s. The judgment is interesting because until now it was considered that hospitals owned by the region could not be fined.
In the Czech Republic, it is not possible to impose a fine on a public authority or public entity for a breach of the GDPR. Hospitals are often owned by the region, and this was not the case with Nemocnice Tábor a.s., whose sole shareholder is the South Bohemian Region. The Office for Personal Data Protection fined the Hospital Tábor a.s. for security deficiencies in logging into the hospital's computer system. The hospital defended itself on the grounds that it is a public entity and therefore cannot be fined under the GDPR. As part of its defence, the hospital exhausted all remedies and filed a cassation complaint with the Supreme Administrative Court. However, the Court did not defend it either. According to the Supreme Administrative Court, a public entity is an entity that is usually established by law and designated to perform tasks in the public interest and at the same time does not have its own assets but is financed from public budgets. The Tábor Hospital is a joint stock company and has its own property and management. The fact that the majority of its funding comes from payments made by insurance companies from public health insurance funds does not mean that the hospital is financed from public budgets. As a public limited company, the hospital receives funding for its operation and functioning in return for the provision of health services reported to health insurance companies, not directly from public funds. The fact that Hospital Tábor, a. s. is not a public entity within the meaning of the GDPR is not altered by the fact that it provides healthcare in the public interest.
What does the judgment say? The judgment clearly states that the mere fact that a business corporation is owned by a municipality, region or state does not mean that it is excluded from the system of imposing sanctions for violation of the GDPR. Therefore, other hospitals, but not only those, should also beware. The public entity definition applies regardless of the services the company provides to data subjects.
Want to know more about our data protection services? Contact us!
More articles:
Dietmar Repka
Dietmar Repka
"We express our recommendations for the law firm Holubova Advokati.
Holubova Advokati was able to resolve a project for us with confidence, composure, and perseverance that German experts had deemed hopeless.
About 80 years ago, my grandparents and my father had to leave their home. The property has now been returned to our family through the inheritance that was initiated, and thanks to the excellent work of the law firm.
During the two-and-a-half-year negotiations, there were no language problems; everyone was always well informed about the current status.
Keep up the good work, everyone."
Jan Divíšek
Jan Divíšek
"I want to thank everyone at Holubová advokáti s.r.o. for their legal services in handling my protection of personality rights lawsuit."
Denis Krytinář, M.A.
Denis Krytinář, M.A.
"What I appreciate most about working with Holubová Advokáti is their high level of expertise, clear guidance throughout the entire process, and their human approach. My case was complex and emotionally demanding, but Mrs. Dvořáková and Mr. Formánek treated me with the utmost care and sensitivity. Thanks to their precise work, we achieved a successful outcome, and I can therefore recommend this firm with complete confidence to anyone seeking legal representation of the highest standard."