The U.K. Information Commissioner’s Office (ICO) on Friday announced a £275,000 (U.S. $356,000) fine levied against London-based pharmacy Doorstep Dispensaree for violations of the EU’s General Data Protection Regulation.

The fine is the first the ICO has handed out under the GDPR, despite making headlines earlier this year with record-setting penalties against British Airways and Marriott. Both companies were issued notices of intention in July regarding their respective fines; the ICO has until six months from the date the notices were submitted to issue a final penalty notice, which can be appealed.

During the six-month period, British Airways and Marriott were each given 21-day windows to make representations to the ICO to fight their respective penalties. An ICO spokesperson recently told Compliance Week both cases are still ongoing.

In the case of Doorstep Dispensaree, the ICO cites failing to ensure the security of special category data as reason for the fine. The ICO said the pharmacy “left approximately 500,000 documents in unlocked containers at the back of its premises” and that the documents included names, addresses, dates of birth, National Health Service (NHS) numbers, medical information, and prescriptions belonging to an unknown number of people.

Further, the documents, dated between June 2016 and June 2018, were exposed to the elements the way they were stored and subsequently water damaged. Failing to process data in a way that ensures protection against such damages is a violation of the GDPR.

“The careless way Doorstep Dispensaree stored special category data failed to protect it from accidental damage or loss,” Steve Eckersley, director of investigations at the ICO, said in a news release. “This falls short of what the law expects and it falls short of what people expect.”

Despite the two years the documents were allegedly stored improperly, the ICO said it only considered wrongdoing from May 25, 2018, on—the day the GDPR took effect. The ICO was alerted to the violations by the Medicines and Healthcare Products Regulatory Agency, which was carrying out a separate probe into Doorstep Dispensaree.

The ICO has ordered the pharmacy to improve its data protection practices within three months and said failure to do so could result in further enforcement action.