CNIL (France) - SAN-2020-014

From GDPRhub
Revision as of 08:03, 21 December 2020 by Mh
CNIL - SAN-2020-014
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 9 GDPR
Article 32 GDPR
Article 33 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 07.12.2020
Published: 17.12.2020
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: SAN-2020-014
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Fra-data67

The French DPA (CNIL) imposed a €3,000 fine on a private doctor for failing to comply with the security obligation of Article 32 GDPR: his patients' health data (thousands of medical images) were freely accessible on the web.

English Summary

Facts

Following a report from a website, the CNIL carried out an online check in September 2019. On this occasion, the Commission found that thousands of medical images hosted on servers belonging to a private doctor were freely accessible on the Internet.

Dispute

  • Does opening all the ports of his internet box in order to remotely access his patients' health data constitute a breach of the security obligation of Article 32 GDPR?
  • Does the fact that this health data was not encrypted constitute a breach of the security obligation under Article 32 GDPR?
  • Does the fact that the data breach was brought to the doctor's attention by the CNIL's control department relieve the doctor of his obligation to notify the breach, as required by Article 33 GDPR?

Holding

During the hearing, the doctor stated that, in order to remotely access the medical images stored on the hard drive of his home computer, he had opened the ports of his home internet box by placing that computer in the box's DMZ mode, so that his VPN would work. In DMZ mode the box forwards every inbound connection from the Internet to the designated computer, so every service listening on it, not only the VPN, became reachable from outside.
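The weak setting described above (the whole computer placed in the box's DMZ, so every port is reachable from the Internet) contrasted with a hardened host-side firewall. This is an added example and is not part of the decision or anything the doctor ran; it assumes a Linux host with nftables, a LAN of 192.168.1.0/24 and a WireGuard VPN listening on UDP 51820 (the decision does not say which VPN was used). The primary fix belongs on the box itself: forward only the VPN port instead of enabling DMZ mode. The ruleset below is defense in depth, so that a DMZ setting alone can no longer expose the image store.

```nftables
#!/usr/sbin/nft -f
# Host firewall for a machine that a home router has placed in "DMZ" mode,
# i.e. every inbound connection from the Internet is forwarded to it.
# Assumptions (not from the decision): Linux host with nftables, LAN is
# 192.168.1.0/24, VPN is WireGuard on UDP 51820 with tunnel interface wg0.
#
# Weak setting being corrected: DMZ mode on the box plus no host firewall,
# which exposes the VPN *and* every other listening service (file shares,
# web server, remote desktop, the medical image store) to the Internet.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound

        iif lo accept                                     # loopback
        ct state established,related accept               # replies to our own connections
        ct state invalid drop

        # The only service that must be reachable from the Internet: the VPN endpoint.
        udp dport 51820 accept

        # Everything else is reachable only from inside the LAN or through the VPN tunnel.
        iifname "wg0" accept
        ip saddr 192.168.1.0/24 accept

        # Anything reaching this point came from the Internet on a port that was never
        # meant to be exposed; it is dropped by the chain policy, log a rate-limited sample.
        limit rate 5/minute log prefix "dmz-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;  # this host is not a router
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load with `nft -f` as root, then verify from an external network that only UDP 51820 answers; the `dmz-drop:` log lines show which other ports the Internet is still probing, which is also the evidence a practitioner would want when deciding whether a breach has occurred.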

The CNIL imposed an administrative fine of €3,000 and published the decision against the doctor whose patients' health data had been freely accessible on the web. As the basis for its decision, the French DPA found two breaches: failure to comply with the security obligation, and failure to notify the breach to the CNIL.

On the failure to comply with the security obligation

After recalling the provisions of Article 32 GDPR, the CNIL made several findings:

  • The doctor had not limited the network functions of his installation to those strictly necessary for the processing to operate.
  • In its Personal Data Security guide, the CNIL recommends providing encryption for mobile workstations and mobile storage media, for example by encrypting the entire hard disk when the operating system offers it, by encrypting file by file, or by creating encrypted containers (a single encrypted file that can hold several files). Similarly, the Practical Guide for Physicians encourages physicians to encrypt their patients' data with suitable software. In this case, the French DPA emphasised that none of the data freely accessible on the Internet was encrypted.
  • The CNIL recalls that the data concerned are sensitive data within the meaning of Article 9 GDPR. The CNIL's restricted committee notes that the data affected by the breach included, in addition to the medical images, the patient's surname, first names and date of birth, the date the examination was carried out, the name of the referring practitioner and of the practitioner who carried out the examination, and the name of the establishment where the examination took place. In addition, the data were exposed for around four months.

Based on this evidence, the CNIL concluded that there had been a breach of the security obligation provided for in Article 32 GDPR.

On the failure to comply with the obligation to notify breaches to the DPA

In the present case, the doctor was accused of not having notified the data breach to the CNIL. The doctor disputed this, stating that he had never been told that the breach had to be notified to the CNIL.

Recalling the provisions of Article 33 GDPR, the CNIL emphasised that the fact that the data breach was brought to the doctor's attention by the CNIL's control department did not relieve him of the obligation to notify it. Moreover, the Commission noted that the existence and nature of the notification obligation were set out in the email of 8 October 2019 informing the doctor of the data breach. It therefore concluded that there had been a breach of Article 33 GDPR.

Comment

This decision is linked to decision SAN-2020-015, by which the French DPA fined another private doctor €6,000 for having insufficiently protected the personal data of their patients and for not having notified a data breach to the CNIL.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.