Practice intelligence Current as of Jun 21, 2026
OlenderFeldman

PracticeGDPR

Irish DPC \u2014 Final Decision, Midlands Regional Hospital Tullamore Inquiry (GDPR)

eu Jun 21, 2026

What the law is now

The Irish Data Protection Commission announced a final decision in its inquiry into Midlands Regional Hospital Tullamore. The decision concerns GDPR compliance in a health-sector data-processing context. Tracked as a net-new GDPR enforcement precedent relevant to EU-facing data controllers and processors. [UNVERIFIED — infringed GDPR articles, penalty amount, and corrective measures not confirmed from source text.]

What just shifted

What this adds: The Irish DPC's final decision against Midlands Regional Hospital Tullamore adds a confirmed GDPR enforcement precedent in the health-sector data-processing context, signaling active regulatory attention to how health-data controllers and processors structure their compliance obligations under the GDPR.

What this puts in question: The decision puts in question whether EU-facing organizations handling health or sensitive personal data have sufficiently operationalized their GDPR obligations at the processing level, particularly where institutional data governance may lag behind formal policy commitments.

What clients should weigh

·Can you identify every category of sensitive personal data your systems process on behalf of EU individuals, and do your data processing agreements with controllers or processors reflect the specific obligations the GDPR imposes on each party?
·Do your internal data governance practices — access controls, retention schedules, breach response procedures — match what your privacy policies and DPAs represent to regulators and counterparties?
·If this entity appears in M&A diligence, does your target assessment process surface health-sector or special-category data exposure, and have you mapped any regulatory findings or open inquiries against the target's data infrastructure?
·This addresses GDPR compliance obligations in a health-sector processing context. It does not reach the specific articles found to be infringed, the penalty amount, or the corrective measures ordered, all of which remain unverified from the source text.
Data Protection Commission (Ireland), final decision, Midlands Regional Hospital Tullamore inquiry (2026)

Ready to use

To-be-edited before sending to a client.

Client alert

Watch item — no client alert until confirmed operative.

Blog post

Watch item — no blog post until confirmed operative.

LinkedIn

This corpus reflects one attorney's personal review. It is not a comprehensive survey. Verify scope and currency before relying on it for any matter.