Analysing the first GDPR fine in Portugal (issued against the Centro Hospitalar Barreiro Montijo -Hospital- for three violations).

In Portugal, the Centro Hospitalar Barreiro Montijo has been fined 400,000 euros for violating the EU General Data Protection Regulation.


The country’s supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), fined the hospital for failure to ensure the continued confidentiality of data, as well as failure to ensure a level of security adequate the risks of its data processing.

The hospital argues CNPD cannot be considered a SA under Article 51 GDPR as it had not yet been formally appointed.

An interesting article by Ana Menezes Monteiro on this matter is available here.