On 1 February 2024, the Danish Data Protection Agency announced that it had reported the private hospital HP Gildhøj Privathospital ApS (Capio A/S) to the Danish police and recommended a fine of not less than DKK 1,500,000 (over 200,000 euros). In its investigation, the Danish Data Protection Agency found that the hospital had failed to effectively supervise the data processors it used to process large amounts of patients' sensitive personal data.

Facts: The investigation found that three randomly selected data processors engaged by Capio A/S had not, for several years, been supervised by the hospital as to whether they complied with the GDPR requirements set out in the data processing agreements concluded with them.

Why is this important: This enforcement action highlights that the data protection authorities in the EU are actively focusing on how data controllers effectively control and supervise their data processors' compliance with the GDPR. Based on the available information, the actions taken by the Danish Data Protection Agency emphasise that effective supervision of data processors goes beyond entering into a data processing agreement and requires active post-signing monitoring, including the audits explicitly provided for in the GDPR.