CNIL (France) - SAN-2022-009: Difference between revisions

From GDPRhub
Revision as of 13:33, 25 April 2022

CNIL (France) - SAN-2022-009
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 28 GDPR
Article 29 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 23.02.2021
Decided: 15.04.2022
Published: 21.04.2022
Fine: 1500000 EUR
Parties: n/a
National Case Number/Name: SAN-2022-009
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: czapla

The French data protection authority (CNIL) imposed a fine of €1.5 million on Dedalus Biologie, a software solutions provider for medical analysis laboratories, for violations of Articles 28, 29 and 32 of the GDPR. The fine followed the CNIL's investigation into a data breach affecting two laboratories serviced by Dedalus Biologie. The breach was first revealed in the press on 23 February 2021 and affected the personal data of nearly 500,000 individuals. The personal data included health data such as illnesses, genetic diseases, pregnancies, drug treatments and genetic data.

English Summary

Facts

The CNIL identified the following violations of the GDPR:

1. A breach of Article 29 GDPR: Dedalus Biologie processed data beyond the instructions given by the data controllers by extracting more data than was necessary for the commissioned migration from one software product to another.

2. A breach of Article 32 GDPR: many technical and organisational shortcomings in the security of the operations to migrate from one software product to another, including:

• lack of a specific procedure for data migration operations;

• lack of encryption of the personal data stored on the server concerned;

• absence of automatic deletion of the data after migration to the other software;

• absence of any authentication required to access the public area of the server from the internet;

• use of user accounts shared between several employees on the private area of the server;

• lack of a supervision procedure and of security alert escalation on the server.

3. A breach of Article 28 GDPR: the general conditions of sale offered by Dedalus Biologie and its maintenance contracts did not contain the information required by Article 28(3) GDPR.

Holding

Based on the above findings, the CNIL imposed a fine of 1.5 million euros and decided to make its decision public. The amount of the fine was set in view of the seriousness of the breaches identified, while also taking into account the turnover of the company. At the same time, the CNIL referred the matter to the Paris court, which blocked access to the site on which the leaked data had been published. The court's decision made it possible to limit the consequences of the breach for the affected individuals.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.