GDPR Shot: “Poisonous” fine for careless pharmacy
Originally published: www.ethemis.gr (in Greek)
Date: 30/12/2019
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
On December 20, 2019, the first fine imposed by the United Kingdom Data Protection Authority (ICO) for breaches of the GDPR, amounting to 275,000 pounds (approximately 320,000 euros), was announced. The facts which took place in Old Albion teach us the value of keeping personal data in locked containers and taking (self-evident?) measures to protect them from the elements of nature.

In fact, they are strongly reminiscent of those reported in the summer of 2019 with respect to a large Greek hospital, in the corridors and on the stairs of which personal data of many patients were stacked in cardboard boxes, exposed to public view. The Greek Personal Data Protection Authority then limited itself to publishing a press release calling on hospitals to appoint Data Protection Officers without delay.

Returning to the case at hand, a London-based pharmacy left about 500,000 documents in unlocked boxes, exposed in a backyard of its premises. The documents contained personal data such as names, addresses, dates of birth, insurance numbers, medical data, etc. of an indefinite number of persons. Some of them were even destroyed as a result of their exposure to water! The ICO, upon receipt of the relevant tip-off via e-mail, carried out the relevant audit.

In view of the above, the competent authority of the United Kingdom imposed the abovementioned fine, in particular for breach of Articles par. 1 indent (f) (principles relating to processing of personal data), 24 par. 1 (responsibility of the controller) and 32 (security of processing) of the GDPR, due to the pharmacy’s failure to implement appropriate organizational measures to ensure the appropriate level of security of personal data, as well as to process them in a safe manner.