DATA PROTECTION
Belgian Data Protection Authority: the GDPR also applies to the personal data of unborn children.
On 18 December 2025, the Belgian Data Protection Authority (decision no. 146/2024) issued a formal reprimand against a hospital for violations of the General Data Protection Regulation (GDPR) following unauthorised access to patients’ electronic medical records.
The case arose from an incident in which a physiotherapist, working as an independent contractor, accessed a patient’s medical file without an ongoing therapeutic relationship. The unlawful access was uncovered in the context of a WhatsApp exchange referring to sensitive medical information, including data relating to an unborn child.
While acknowledging the individual responsibility of the physiotherapist for the unauthorised access, the Belgian Authority also held the hospital accountable, finding that it had failed to implement adequate technical and organisational measures to prevent such conduct. In particular, although the hospital had put in place contractual clauses, internal policies and access profiles within its IT systems, it had relied excessively on staff good faith and ex post controls. According to the Authority, there were no effective technical safeguards capable of preventing unauthorised access, nor was there a system of random audits of access logs.
Of particular significance is the Authority’s clarification concerning the personal scope of the GDPR. Under Belgian law, GDPR protections may extend to data relating to an unborn child, provided that the child is subsequently born alive and viable. In the present case, that condition was met, and the child was therefore recognised as a data subject within the meaning of the GDPR, rendering the complaint admissible.
The infringements identified concerned, in particular, Articles 5(1)(f), 5(2), 24 and 32 GDPR, relating to the principles of integrity and confidentiality, accountability, the controller’s responsibility and security of processing.
In addition to the reprimand, the Belgian Data Protection Authority imposed a number of corrective measures, including:
enhanced transparency towards patients, including the right to request information on access logs relating to their medical records;
the implementation of more granular, role-based access controls;
the introduction of a “Break the Glass” mechanism for exceptional access, subject to justification and logging;
the performance of random audits of access logs and the establishment of clear escalation procedures in the event of anomalies.
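As an added illustration (not code from the decision, the hospital or the Authority), the following Python sketch models the corrective measures listed above: record access gated on an active therapeutic relationship, a logged "break the glass" path that requires a stated justification, a patient-facing report of who opened their record, and a random sample of the access log that escalates every entry not covered by a care relationship. All user, role and patient identifiers are constructed for the example.

```python
import random
from dataclasses import dataclass


@dataclass
class AccessEvent:
    user: str
    role: str
    patient: str
    granted: bool
    via: str          # "care_team", "break_glass" or "denied"
    reason: str = ""  # justification, only for break-the-glass access


class EmrAccessControl:
    """Hypothetical EMR access layer: care-team RBAC plus break-the-glass."""

    def __init__(self, care_teams):
        # care_teams: patient id -> set of users with an active therapeutic relationship
        self.care_teams = care_teams
        self.log = []  # every attempt is logged, granted or not

    def open_record(self, user, role, patient, break_glass_reason=None):
        if user in self.care_teams.get(patient, set()):
            ev = AccessEvent(user, role, patient, True, "care_team")
        elif break_glass_reason:
            # exceptional access: allowed only with a justification, always logged for review
            ev = AccessEvent(user, role, patient, True, "break_glass", break_glass_reason)
        else:
            # no relationship and no justification: the technical control blocks the access
            ev = AccessEvent(user, role, patient, False, "denied")
        self.log.append(ev)
        return ev.granted

    def patient_access_report(self, patient):
        """Transparency: what a patient may request about who opened their record."""
        return [(e.user, e.via, e.reason) for e in self.log if e.patient == patient and e.granted]

    def random_audit(self, sample_size, seed=None):
        """Sample the log at random; escalate anything not backed by a care relationship."""
        rng = random.Random(seed)
        sample = rng.sample(self.log, min(sample_size, len(self.log)))
        return [e for e in sample if e.via != "care_team"]


if __name__ == "__main__":
    ac = EmrAccessControl({"P001": {"dr.ann"}})           # constructed care team
    ac.open_record("physio.bob", "physio", "P001")        # denied: no relationship
    ac.open_record("physio.bob", "physio", "P001", "ER handover")  # break-the-glass
    print(ac.patient_access_report("P001"))
    print(ac.random_audit(10, seed=1))
```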
The decision serves as a further reminder to healthcare organisations of the need for substantive, not merely formal, data governance, particularly in high-risk environments involving large volumes of sensitive data. In such contexts, effective access control and continuous monitoring are essential prerequisites for GDPR compliance.