Blog
Even hospitals can be fined for GDPR violations, court confirms
The Supreme Administrative Court recently issued a judgment confirming the fine for violation of the GDPR for the Hospital Tábor, a. s. The judgment is interesting because until now it was considered that hospitals owned by the region could not be fined.
In the Czech Republic, it is not possible to impose a fine on a public authority or public entity for a breach of the GDPR. Hospitals are often owned by the region, and this was not the case with Nemocnice Tábor a.s., whose sole shareholder is the South Bohemian Region. The Office for Personal Data Protection fined the Hospital Tábor a.s. for security deficiencies in logging into the hospital's computer system. The hospital defended itself on the grounds that it is a public entity and therefore cannot be fined under the GDPR. As part of its defence, the hospital exhausted all remedies and filed a cassation complaint with the Supreme Administrative Court. However, the Court did not defend it either. According to the Supreme Administrative Court, a public entity is an entity that is usually established by law and designated to perform tasks in the public interest and at the same time does not have its own assets but is financed from public budgets. The Tábor Hospital is a joint stock company and has its own property and management. The fact that the majority of its funding comes from payments made by insurance companies from public health insurance funds does not mean that the hospital is financed from public budgets. As a public limited company, the hospital receives funding for its operation and functioning in return for the provision of health services reported to health insurance companies, not directly from public funds. The fact that Hospital Tábor, a. s. is not a public entity within the meaning of the GDPR is not altered by the fact that it provides healthcare in the public interest.
What does the judgment say? The judgment clearly states that the mere fact that a business corporation is owned by a municipality, region or state does not mean that it is excluded from the system of imposing sanctions for violation of the GDPR. Therefore, other hospitals, but not only those, should also beware. The public entity definition applies regardless of the services the company provides to data subjects.
Want to know more about our data protection services? Contact us!
More articles:
Who Is Responsible for Safety in the Mountains – Yourself, Friends, or a Professional...
When we venture into the mountains, we always take on a certain level of risk. However, the legal responsibility for the consequences of potential accidents varies significantly depending on whether we go alone, with friends, or under ... → continue
Jasper Brinkman
Jasper Brinkman
"Following a devastating hotel fire in Prague, the law firm Holubová advokáti, led by attorney Klara Dvorakova, successfully represented our extended family as a group of victims. The firm navigated complex international insurance and compensation laws to defend our rights.
I would like to acknowledge the extraordinary efforts the firm had to make to bring our case to a successful compensation under extremely difficult circumstances."
Stewarts
Stewarts
"A visit to her daughter in London turned Eva's life upside down when she says she stepped into a crossing on a green light but was hit by a car. Despite her remarkable bravery, she faced a long treatment due to fractures in her pelvis, and the associated limitations and pain are likely to persist for the rest of her life. Regular headaches and impaired concentration compound her challenges.
Eva contacted us through an organization temporarily helping her manage her difficult living situation. At that time, she was destitute, relying only on subsistence payments. We were able to assist her because we specialize in personal injury and have contacts with proven colleagues abroad.
We worked with Stewarts, a UK law firm, on this case. Attorneys Klára Dvořáková and Rebecca Huxford helped Eva with the documentation in her case, explaining her options and the differences between the Czech and British systems of healthcare and social benefits reimbursement. Within a few months, thanks to the professional cooperation between the two offices, an offer of compensation from the insurance company of approximately CZK seven million was achieved. The client accepted this settlement because she did not want to deal with courts in the United Kingdom.
Subsequently, we assisted the client with related tax issues and contacted Auditone, a tax consultancy firm, which arranged for the filing of a tax return. Compensation for lost income is taxable, unlike most personal injury compensation.
'No one has done as much for me as you,' Eva said.
The fact that we were able to help Eva gives our work meaning and brings us great joy. We are very happy that, thanks to our many years of active involvement in the international professional organization PEOPIL, we can cooperate on such cases."