When is an employer responsible for unauthorized access to medical records?

The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit, GBA) published a decision on April 1, 2025 (64/2025) that offers useful insights into the question of who is responsible when a supervisor gains unauthorized access to an employee's medical records. The case deserves the attention of everyone involved in data protection (AVG/GDPR) in the healthcare sector.

The facts

The case involves a hospital employee who discovered that her supervisor had consulted her medical file without her consent. The consultation took place on March 2, 2020 at 10:50 p.m., outside normal working hours. The following day, the employee was dismissed.

According to the supervisor, the file had been consulted to verify that the employee was in a fit state of health to be told of her dismissal. The supervisor admitted that this was a mistake, and the hospital initiated internal disciplinary proceedings.

Crucial question: who is the controller?

A key question in this case was whether the hospital, as the employer, was responsible for this unauthorized processing of personal data.

The GBA ruled that the supervisor had acted outside the authority entrusted to her and therefore had to be regarded as the sole controller for this consultation. The hospital could thus not be held responsible for the unlawful consultation itself.

Relevant elements that led to this conclusion:

  • The consultation took place outside normal working hours
  • The supervisor did not act on instructions from the hospital
  • The supervisor acknowledged her mistake
  • The hospital initiated disciplinary proceedings

Data breach notification requirement continues to apply

Although the hospital was not responsible for the unauthorized access, the GBA ruled that the hospital was, in principle, still required to report this data breach to the GBA. The hospital's arguments that:

  • the breach involved only one person
  • disciplinary proceedings had been initiated
  • the supervisor had no malicious intent

were, according to the GBA, insufficient to release the hospital from the notification requirement.

Yet the GBA did not sanction the hospital for the failure to report, given the timing of the events (early 2020). The GDPR had been in effect for less than two years at the time, and comprehensive guidance on data breaches did not yet exist. The GBA noted, however, that for a similar incident occurring today, notification would be required.

Technical and organizational measures in healthcare facilities

The GBA recognized the complexity of access management in hospitals. The workforce is multidisciplinary, and continuity of care may require that a broad group of health care providers have access to medical records.

As measures it viewed positively for future implementation, the GBA cited:

  1. An alert window at each access request to confirm the existence of a therapeutic relationship
  2. The requirement to provide justification when administrative personnel request access
  3. A mandatory justification when accessing a staff member's file
  4. Information on the last five accesses to the file
  5. Regular awareness-raising measures (newsletters and mandatory e-learning)

Conclusion for practice

This decision offers important insights for employers, especially in the healthcare industry:

  1. Employers are not automatically responsible for all data processing by their employees, in particular when an employee acts outside the authority entrusted to them
  2. The data breach notification requirement applies even if only one person is involved in a medical data breach
  3. Access control to medical data requires a careful balancing act between data protection and the need for continuity in care delivery
  4. Regular staff sensitization remains essential


Joris Deene

Attorney-partner at Everest Attorneys

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be
