Even hospitals can be fined for GDPR violations, court confirms

The Supreme Administrative Court recently issued a judgment confirming the fine for violation of the GDPR for the Hospital Tábor, a. s. The judgment is interesting because until now it was considered that hospitals owned by the region could not be fined.


In the Czech Republic, it is not possible to impose a fine on a public authority or public entity for a breach of the GDPR. Hospitals are often owned by the region, and this was not the case with Nemocnice Tábor a.s., whose sole shareholder is the South Bohemian Region. The Office for Personal Data Protection fined the Hospital Tábor a.s. for security deficiencies in logging into the hospital's computer system. The hospital defended itself on the grounds that it is a public entity and therefore cannot be fined under the GDPR. As part of its defence, the hospital exhausted all remedies and filed a cassation complaint with the Supreme Administrative Court. However, the Court did not defend it either. According to the Supreme Administrative Court, a public entity is an entity that is usually established by law and designated to perform tasks in the public interest and at the same time does not have its own assets but is financed from public budgets. The Tábor Hospital is a joint stock company and has its own property and management. The fact that the majority of its funding comes from payments made by insurance companies from public health insurance funds does not mean that the hospital is financed from public budgets. As a public limited company, the hospital receives funding for its operation and functioning in return for the provision of health services reported to health insurance companies, not directly from public funds. The fact that Hospital Tábor, a. s. is not a public entity within the meaning of the GDPR is not altered by the fact that it provides healthcare in the public interest.

What does the judgment say? The judgment clearly states that the mere fact that a business corporation is owned by a municipality, region or state does not mean that it is excluded from the system of imposing sanctions for violation of the GDPR. Therefore, other hospitals, but not only those, should also beware. The public entity definition applies regardless of the services the company provides to data subjects.

Want to know more about our data protection services? Contact us!


'No one has done as much for me as you,' Eva said.

Livingstone, Tour Operator

Thank you again for your valuable advice. I breathe better when I know who to turn to.

Jitka Popelková, Managing Director

Anders Thorsen Advokatanpartsselskab

It has been an absolute pleasure to work with you.

Anders Thorsen, Partner, Advocate

Contact form