CNIL (France) - SAN-2023-006: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2023-006 |ECLI= |Original_Source_Name_1=Légifrance |Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047552103?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DECISION_DESC&tab_selection=cnil&typePagination=DEFAULT |Original_Source_Language_1=French |Original_So...")
 
No edit summary
 
(One intermediate revision by one other user not shown)
Line 67: Line 67:
}}
}}


The French DPA fined Doctissimo €380,000 for several data protection violations, including the failure to obtain users' consent for the processing of health data, lack of security measures, violation of storage limitage and cookies related violations.
The French DPA fined Doctissimo €380,000 for several data protection violations, including failure to obtain users' consent for the processing of health data, lack of security measures, violation of storage limitation and setting cookies without consent.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Doctissimo (controller) operates a website that offers articles, tests, quizzes and discussion forums about health and well-being. On 26 June 2020, Privacy International filed a complaint with the French DPA against the controller. This complaint concerned all the processing operations carried out by the controller on its website and, in particular, the deposit of cookies, the legal basis for the processing resulting from the health tests, the obligation of transparency and data security.  
Doctissimo (controller) operates a website that offers articles, tests, quizzes and discussion forums about health and well-being. On 26 June 2020, Privacy International filed a complaint with the French DPA against the controller. This complaint concerned all the processing operations carried out by the controller on its website and, in particular, the use of cookies without consent, the legal basis for the processing related to online health tests, the obligation of transparency and data security.  


To investigate this complaint, the DPA carried out several checks, both online and at the controller's premises. Since the controller operates cross-border processing operations but the controller's principal place of business is in France, in accordance with [[Article 56 GDPR|Article 56 GDPR]], the French DPA informed the other authorities of its competence as lead supervisory authority. No relevant and reasoned objection was raised by any authority.  
The DPA carried out several investigations, both online and at the controller's office. Since the controller operated cross-border processing operations but the controller's principal place of business was in France, in accordance with [[Article 56 GDPR|Article 56 GDPR]], the French DPA informed other authorities of its competence as lead supervisory authority. No relevant and reasoned objection was raised by any authority.  


The investigation service noted various elements. In particular:
The investigation service noted various elements. In particular:


(1) As regards the quiz data, the controller sub-processed this processing and stored the data, as well as the email address of the users, for 24 months. The controller explained that these data were kept for three purposes: communicating the result to the user, enabling the user to share the result and producing statistics. During the procedure, the controller changed the retention period to 3 months and asked his processor to anonymise the data.
(1) As regards the quizzes data, the controller outsourced this processing and stored the data, as well as the email address of the users, for 24 months. The controller explained that these data were kept for three purposes: communicating the result to the user, enabling the user to share the result and producing statistics. During the procedure, the controller changed the retention period to 3 months and asked their processor to anonymise the data.


(2) On the retention period of accounts created by users of the website, the controller explained that data is anonymised when a user is inactive for three years. However, the investigation showed that it was still possible to individualise users indirectly.  
(2) On the retention period of accounts created by users of the website, the controller explained that data is anonymised when a user is inactive for three years. However, the investigation showed that it was still possible to individualise users indirectly.  
Line 84: Line 84:
(3) Regarding consent to process special categories of personal data, the controller did not obtain specific consent to process health data. The controller explained that there was confusion about the definition of sensitive data.
(3) Regarding consent to process special categories of personal data, the controller did not obtain specific consent to process health data. The controller explained that there was confusion about the definition of sensitive data.


(4) There was no contract under [[Article 26 GDPR|Article 26 GDPR]] although the controller considered that he was a joint controller with two entities.
(4) There was no contract under [[Article 26 GDPR|Article 26 GDPR]] although the controller considered that they were a joint controller with two entities.


(5) The controller's website used an http protocol, not https, and passwords were not securely hashed.
(5) The controller's website used an http protocol, not https, and passwords were not securely hashed.
Line 90: Line 90:
(6) Advertising cookies were set without prior consent and users' refusal was ineffective.  
(6) Advertising cookies were set without prior consent and users' refusal was ineffective.  


During the proceedings, the controller changed its practices to comply with the allegations.
During the proceedings, the controller changed its practices to improve compliance with the GDPR.


=== Holding ===
=== Holding ===
The French DPA took a position on each point raised by the investigation.
The French DPA considered on each point raised by the investigation:


(1) Regarding quiz data, the DPA considered that the retention of quiz answers for 24 months did not appear necessary for the purposes put forward by the controller. The DPA also noted that according to the contract between the controller and the processor, IP addresses were not to be collected for "sensitive" anonymous quizzes. However, the processor provided the controller with tables containing the quiz answers and pseudonymised IP addresses. As for the controller's defence, the DPA considered that it was his responsibility to ensure compliance with the protection of personal data and that he was therefore responsible for monitoring the performance of his processor. Accordingly, the DPA held that there was a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] until the controller complied during the proceedings.  
(1) Regarding quizzes data, the DPA considered that the retention of quiz answers for 24 months did not appear necessary for the purposes put forward by the controller. The DPA also noted that according to the contract between the controller and the processor, IP addresses were not to be collected for "sensitive" anonymous quizzes. However, the processor provided the controller with tables containing the quiz answers and pseudonymised IP addresses. The DPA considered that it was the controller's responsibility to ensure compliance with the protection of personal data and that the controller was therefore responsible for monitoring the performance of his processor. Accordingly, the DPA held that there was a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] before the controller complied during the proceedings.  


(2) The DPA considered that prior to the proceedings, the controller did not anonymise the data but pseudonymised it. This meant that with additional information it was possible to individualise a user. This constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] until the controller complied during the proceedings.  
(2) The DPA considered that prior to the proceedings, the controller did not anonymise the data but pseudonymised it. This meant that with additional information it was possible to individualise a user. This constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] before the controller complied during the proceedings.  


(3) The DPA qualified the data collected during certain tests as health data and considered that the controller should obtain specific consent. It therefore found a breach of Article 9(2) until the controller complied during the proceedings.  
(3) The DPA qualified the data collected during certain tests as health data and considered that the controller should obtain specific consent. It therefore found a violation of [[Article 9 GDPR|Article 9(2) GDPR]] before the controller complied during the proceedings.  


(4) The DPA found that at the time of the investigation there was no contract under [[Article 26 GDPR|Article 26 GDPR]], which constituted a breach of that article.
(4) The DPA found that at the time of the investigation there was no contract under [[Article 26 GDPR|Article 26 GDPR]], which constituted a violation of that article.


(5) The DPA considered the use of https and the secure storage of passwords to be basic security measures. In view of the compliance during the procedure, it found a breach of [[Article 32 GDPR|Article 32 GDPR]] for the past.  
(5) The DPA considered the use of https and a secure storage of passwords to be basic security measures. In view of the compliance during the procedure, it found a breach of [[Article 32 GDPR|Article 32 GDPR]] for the past.  


(6) By failing to receive prior consent for the deposit of advertising cookies and by not allowing the user to effectively refuse the cookies, the controller violated Article 82 of the Data Protection Act until compliance was achieved.  
(6) By failing to obtain prior consent for the use of advertising cookies and by not allowing the user to effectively refuse the cookies, the controller violated Article 82 of the French Data Protection Act. During the proceedings the controller complied .  


In view of the breaches of Articles 5(1)(e), 9(2), 26 and 32 GDPR and Article 82 of the Data Protection Act and the compliance in progress, the DPA imposed a total fine of €380,000.
In view of the breaches of Articles [[Article 5 GDPR|5(1)(e)]], [[Article 9 GDPR|9(2)]], [[Article 26 GDPR|26]] and [[Article 32 GDPR|32 GDPR]] and Article 82 of the French Data Protection Act and the compliance in progress, the DPA imposed a total fine of €380,000.


== Comment ==
== Comment ==

Latest revision as of 10:19, 23 May 2023

CNIL - SAN-2023-006
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 9(2) GDPR
Article 26 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.06.2020
Decided: 11.05.2023
Published:
Fine: 380,000 EUR
Parties: Doctissimo
National Case Number/Name: SAN-2023-006
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: n/a

The French DPA fined Doctissimo €380,000 for several data protection violations, including failure to obtain users' consent for the processing of health data, lack of security measures, violation of storage limitation and setting cookies without consent.

English Summary

Facts

Doctissimo (controller) operates a website that offers articles, tests, quizzes and discussion forums about health and well-being. On 26 June 2020, Privacy International filed a complaint with the French DPA against the controller. This complaint concerned all the processing operations carried out by the controller on its website and, in particular, the use of cookies without consent, the legal basis for the processing related to online health tests, the obligation of transparency and data security.

The DPA carried out several investigations, both online and at the controller's office. Since the controller operated cross-border processing operations but the controller's principal place of business was in France, in accordance with Article 56 GDPR, the French DPA informed other authorities of its competence as lead supervisory authority. No relevant and reasoned objection was raised by any authority.

The investigation service noted various elements. In particular:

(1) As regards the quizzes data, the controller outsourced this processing and stored the data, as well as the email address of the users, for 24 months. The controller explained that these data were kept for three purposes: communicating the result to the user, enabling the user to share the result and producing statistics. During the procedure, the controller changed the retention period to 3 months and asked their processor to anonymise the data.

(2) On the retention period of accounts created by users of the website, the controller explained that data is anonymised when a user is inactive for three years. However, the investigation showed that it was still possible to individualise users indirectly.

(3) Regarding consent to process special categories of personal data, the controller did not obtain specific consent to process health data. The controller explained that there was confusion about the definition of sensitive data.

(4) There was no contract under Article 26 GDPR although the controller considered that they were a joint controller with two entities.

(5) The controller's website used an http protocol, not https, and passwords were not securely hashed.

(6) Advertising cookies were set without prior consent and users' refusal was ineffective.

During the proceedings, the controller changed its practices to improve compliance with the GDPR.

Holding

The French DPA considered on each point raised by the investigation:

(1) Regarding quizzes data, the DPA considered that the retention of quiz answers for 24 months did not appear necessary for the purposes put forward by the controller. The DPA also noted that according to the contract between the controller and the processor, IP addresses were not to be collected for "sensitive" anonymous quizzes. However, the processor provided the controller with tables containing the quiz answers and pseudonymised IP addresses. The DPA considered that it was the controller's responsibility to ensure compliance with the protection of personal data and that the controller was therefore responsible for monitoring the performance of his processor. Accordingly, the DPA held that there was a violation of Article 5(1)(e) GDPR before the controller complied during the proceedings.

(2) The DPA considered that prior to the proceedings, the controller did not anonymise the data but pseudonymised it. This meant that with additional information it was possible to individualise a user. This constituted a breach of Article 5(1)(e) GDPR before the controller complied during the proceedings.

(3) The DPA qualified the data collected during certain tests as health data and considered that the controller should obtain specific consent. It therefore found a violation of Article 9(2) GDPR before the controller complied during the proceedings.

(4) The DPA found that at the time of the investigation there was no contract under Article 26 GDPR, which constituted a violation of that article.

(5) The DPA considered the use of https and a secure storage of passwords to be basic security measures. In view of the compliance during the procedure, it found a breach of Article 32 GDPR for the past.

(6) By failing to obtain prior consent for the use of advertising cookies and by not allowing the user to effectively refuse the cookies, the controller violated Article 82 of the French Data Protection Act. During the proceedings the controller complied .

In view of the breaches of Articles 5(1)(e), 9(2), 26 and 32 GDPR and Article 82 of the French Data Protection Act and the compliance in progress, the DPA imposed a total fine of €380,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.