Doctor Goes After the Patient List… And So Does the Regulator

GP fined for using patient information to support a move to a new practice.

In June 2026, Lithuania's State Data Protection Authority fined a general practitioner €1,153 after she accessed the records of 1,231 patients during a period of sick leave. The doctor had logged into her employer's patient management system multiple times to send emails and text messages to her patients, informing them that she was leaving her current practice and advertising her services elsewhere.

The regulator decided to treat the doctor as an independent data controller: the authority found that she had acted for her own professional and commercial purposes, exceeding the authority granted to her by the healthcare centre. The clinic itself escaped liability because the Lithuanian DPA found that it had implemented appropriate security measures, with clear internal policies, and that staff were adequately trained and instructed not to access patient data inappropriately.

The case serves as an important reminder that the fact that an employee can access information does not mean they are entitled to use it for their own interests: data usage has to be linked to a clear, and legal, purpose. Where it is not, employees can become personally liable under the GDPR when they process data outside the scope of their authorised duties.
