Fine imposed on doctor for personal data protection violations
The State Data Protection Inspectorate (SDPI) has imposed a fine of EUR 1,153 on a medical doctor for violations related to the processing of personal data.
SDPI launched an investigation in December 2024 after receiving a personal data breach notification from the Public Institution Šakiai Primary Health Care Centre. Following its investigation into the incident, SDPI identified indications that physician Reda Naujokaitienė may have unlawfully processed patients' personal data. Consequently, in August 2025, the Inspectorate initiated a formal inspection into the doctor‘s conduct.
The investigation established that, despite knowing that her employment with the healthcare institution was coming to an end, doctor Naujokaitienė repeatedly accessed the information system of the Šakiai Primary Health Care Centre, most often during evening hours. During these sessions, she viewed the personal data of 1,231 patients and subsequently used that information to send emails and SMS messages informing patients that she would no longer be working at the institution and inviting them to "continue the relationship" at another healthcare provider.
An administrative fine was imposed for infringements of Article 5(1)(a), Article 6(1), and Article 9(2) of the General Data Protection Regulation (GDPR). In determining the amount of the fine, SDPI took into account aggravating circumstances identified during the inspection. No mitigating circumstances were found.
The decision may be appealed before a court within one month of the date of its service.