Recital 103

It is appropriate to lay down provisions enabling health data access bodies to apply administrative fines for certain infringements of this Regulation which should be considered under this Regulation to be serious infringements, such as the re-identification of natural persons, downloading personal electronic health data outside of the secure processing environment or processing of data for prohibited uses or uses not covered by a data permit. This Regulation should specify those infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent health data access body in each individual case, taking into account all the relevant circumstances of the specific situation, having due regard in particular to the nature, gravity and duration of the infringement and its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. For the purposes of the imposition of administrative fines under this Regulation, the concept of undertaking should be understood in accordance with Articles 101 and 102 TFEU. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning should not affect the enforcement of other powers of the health data access bodies or of other penalties under this Regulation.