Administrative fine of €262,500 imposed by the Polish Data Protection Authority on a medical company for hidden video surveillance in neonatology department and failure to implement appropriate security measures
The National Center for Personal Data Protection (NCPDP), for informational and practical purposes, reports on the administrative fine of €262,500 imposed by the Polish Data Protection Authority (SA) on the company Centrum Medyczne Ujastek Sp. z o.o. for violations of Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data is collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), and Article 32 (Security of processing) of the GDPR.
Between July 1 and 23, 2023, Centrum Medyczne Ujastek Sp. z o.o., based in Krakow, carried out monitoring through video surveillance in the neonatology department, recording images of both newborns and their mothers engaged in intimate activities such as breastfeeding. According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk.
Following investigations, the Polish SA found that the video surveillance conducted by the medical center violated applicable regulations and was furthermore covert in nature: neither the patients nor the employees of the facility were informed about the continuous video recording. The Polish SA also determined that the memory cards containing the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the medical center did not cover the risks that caused the incident and did not identify security measures that could have prevented it from occurring.
In this context, the Polish SA has imposed an administrative fine of €157,500 for violations of Article 6(1), Article 9(1), and Article 13(1) and (2) of the GDPR, and an additional fine of €105,000 for violations of Article 24(1), Article 25(1), and Article 32(1) and (2) of the GDPR.
As the national supervisory authority for personal data processing, the NCPDP emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are carried out in accordance with the applicable legislation.