GDPR fines for non-compliance
GDPR fines for non-compliance also apply to small companies. Your business, like many others, is likely to be using online registration forms for client onboarding, appointments, support and other communications.
When your business handles sensitive information, you must be extra careful. The Dutch DPA fined an unnamed orthodontic practice €12,000 for failing to implement appropriate technical and organisational measures to secure personal data, including that belonging to children, on its website.
GDPR fines for non-compliance – example
The registration form on the orthodontic practice's website requested personal data, including name, address, date of birth, telephone number and social security number, as well as health data from patients. The DPA established that communication between the patient and the website, including submission of the completed registration form, took place over an unencrypted and therefore unsecured connection; in practice this means the form was served and submitted over plain HTTP rather than HTTPS (TLS), so anyone on the network path could read the data.
Under Article 32(1) of the GDPR, controllers and processors are obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk to the rights and freedoms of the individuals concerned. Article 32(1)(a) names encryption of personal data as one such measure, which is why sending a form over an unencrypted connection is so hard to defend.
Therefore, make sure that whenever you capture personal data you have appropriate security measures in place. When special-category data such as health data is involved, the security measures must meet a high standard. Failure to meet these standards can result in a hefty fine for GDPR non-compliance.
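The failure in the cited case is easy to check for yourself before a regulator does. The following is an added example, not code from the original article or from the DPA: a small Python audit that parses a page's HTML, resolves every form's action URL against the page URL, and flags forms that would submit field values over plain HTTP (a relative action on an HTTP page inherits that scheme) or via GET, which puts the values into server logs, referrers and browser history. The page URL, host names and HTML are constructed for the demonstration.

```python
"""Added example (not from the original article): audit a page's HTML for
forms that would submit personal data over an unencrypted connection, the
failure the Dutch DPA cited. The page URL and HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action URL, method and field names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": ..., "method": ..., "fields": [...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or relative action submits back to the page's own origin,
            # so it inherits the page's scheme (http or https).
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action,
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            kind = (a.get("type") or "").lower()
            # Only data-bearing controls matter; buttons carry no personal data.
            if name and kind not in ("submit", "button", "reset", "image"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, html):
    """Return findings as (resolved_action_url, reason, field_names) tuples."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme
        if scheme != "https":
            findings.append((form["action"],
                             "submits over plain %s" % (scheme or "no scheme"),
                             form["fields"]))
        elif form["method"] == "get" and form["fields"]:
            findings.append((form["action"],
                             "GET puts field values in the URL (logs, referrers, history)",
                             form["fields"]))
    return findings


# Constructed sample: a patient registration page served over plain HTTP,
# with a relative form action like the practice's site, plus two other forms.
SAMPLE_PAGE_URL = "http://orthodontist.example/register"
SAMPLE_HTML = """
<form action="/register" method="post">
  <input name="full_name"><input name="date_of_birth">
  <input name="bsn"><textarea name="medical_history"></textarea>
  <input type="submit" value="Send">
</form>
<form action="https://booking.example/appointment" method="get">
  <input name="phone"><input type="submit">
</form>
<form action="https://secure.example/intake" method="post">
  <input name="full_name"><input type="submit">
</form>
"""

if __name__ == "__main__":
    for action, reason, fields in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%s: %s; fields exposed: %s" % (action, reason, ", ".join(fields)))
```

Run it against the real page source (fetched over the same scheme the patients use, not only over HTTPS from your own browser) and also confirm that the HTTP origin redirects to HTTPS and sends a Strict-Transport-Security header; a form that is secure only when a visitor happens to type `https://` does not meet the standard the DPA applied.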
Additionally, check our free-to-access GDPR knowledge base on the topic of data and system security. You will find practical guides, including a list of questions you can put to your website builder or IT implementation partner.
GDPR fines for non-compliance – sources
You can find more information about the specific Dutch case by following this link:
https://edpb.europa.eu/news/national-news/2021/dutch-dpa-orthodontic-practice-fined-unsecured-patient-website_en