Since the entry into force of the GDPR in 2018, the Spanish authority has positioned itself as the most active in the number of sanctions filed with a total of 340 sanctions and an amount of €36,647,310. At a global level, 20% of the sanctions filed are due to insufficient technical and organizational measures that guarantee information security. The health sector is undoubtedly one of the main sectors that generates and manages specially protected data in its daily activity. Nymiz guarantees the protection of sensitive data while keeping the usefulness of the information intact.

Datos salud confidencial


Nymiz guarantees the protection and privacy of personal data in internal use cases at organizations:

  • Guarantee the protection of data contained in databases and structured documents to avoid exposure in the event of data leakage or human error (incorrectly
    destroyed, exposed to third parties or sent to wrong recipients).
  • Training: anonymization of documents, images, x-rays and databases used for training purposes.
  • Research: replacement by synthetic data for the information used in clinical studies (Big data).


Share information with collaborators and external research institutions in a safe way and guaranteeing privacy:

  • Combination of databases between collaborators for the development of clinical studies.
  • File sharing (scans, pdf, images, x-rays, etc.) with external collaborators.
  • Enable access to information to public bodies such as e.g. social Security.


The health sector is undoubtedly one of the most exposed sectors to reviews and therefore sanctions by the regulator due to the sensitive nature of the data generated in its activity. Although the protection of databases is a critical factor for organizations in the industry, mitigating the risks of data exposure in structured documents has become an increasingly relevant challenge. This need for protection is largely generated by the demands of the European authorities that are reflected in the sanctions imposed in the health sector.

Denmark – 16/07/2021

The Danish DPA (Datatilsynet) has fined the Syddanmark region EUR 67,900 for failing to comply with its obligation to implement adequate security measures in relation to PDF documents contained in a database maintained for the purpose of clinical studies. The database contained questionnaires with health information on more than 30,000 children receiving psychiatric care.

Holland – 11/02/2021

The Dutch DPA (AP) imposed a fine of 440,000 euros on the OLVG hospital in Amsterdam. The controller had not taken sufficient steps between 2018 and 2020 to prevent unauthorized employee access to medical records. This resulted, among other things, in working students and other employees being able to access patient files that also contained social security numbers, addresses, and phone numbers.

France – 11/02/2021

The French DPA (CNIL) fined a doctor EUR 6,000 for violating art. 32 GDPR and art. 33 GDPR. The doctor had stored medical imaging data such as MRI and X-ray images, as well as personal data such as names, dates of birth, and treatment data of his patients on a server without taking adequate technical and organizational measures to ensure the security of the data.