Polish SA: administrative fine of 262 500 € for hidden video surveillance in a neonatology department and failure to implement appropriate security measures

2 May 2025

Background information

  • Date of final decision: 17 January 2025
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing)
  • Decision: administrative fine
  • Key words: administrative fine, sensitive data, data security, lawfulness of processing, data subject rights

 

Summary of the Decision

Origin of the case  

Centrum Medyczne Ujastek Sp. z o.o. (hereinafter: Medical Centre), based in Krakow, implemented monitoring in the neonatology department between July 1 and 23, 2023. The monitoring recorded images showing both newborns and their mothers during intimate activities, such as feeding or nursing the babies, among others. According to the explanations provided by the facility, the children whose images were captured on the recordings no longer required intensive care, so their health was not at risk.

At the same time, the Medical Centre notified the President of the Personal Data Protection Office of a breach involving the loss or theft of memory cards from the video recording devices in the 2 rooms of the neonatology department indicated above.

 

Key Findings

  1. Hidden video surveillance in the neonatology department
    After analysing the legal grounds, the President of the Personal Data Protection Office found that the video surveillance implemented by the Medical Centre had been introduced in violation of the current regulations and, moreover, was of a secret nature: neither the patients nor the facility's employees were informed about the ongoing image recording.
  2. Failure to implement appropriate measures
    The investigation determined that the memory cards containing the recordings had not been encrypted, and that the devices used for image recording had not been configured to meet the requirements of the facility. In addition, the risk analysis provided by the Medical Centre did not cover the risks that caused the incident and did not identify security measures that could have prevented it.

 

Decision

The President of the Personal Data Protection Office has imposed on Centrum Medyczne Ujastek Sp. z o.o. an administrative fine of 157 500 € for infringement of Articles 6(1) and 9(1) in relation to Article 13(1) and (2) of the GDPR, and a fine of 105 000 € for infringement of Articles 24(1), 25(1) and 32(1) and (2) of the GDPR.

The total amount of the fine imposed on Centrum Medyczne Ujastek Sp. z o.o. was 262 500 €.

For further information: 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.