CNIL (France) - SAN-2022-009
| | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 28 GDPR; Article 29 GDPR; Article 32 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 23.02.2021 |
| Decided: | 15.04.2022 |
| Published: | 21.04.2022 |
| Fine: | 1,500,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | SAN-2022-009 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Légifrance (in FR) |
| Initial Contributor: | czapla |
The French data protection authority (CNIL) imposed a fine of €1.5 million on Dedalus Biologie, a software provider for medical analysis laboratories, for violations of Articles 28, 29 and 32 GDPR. The fine followed the CNIL's investigation into a data breach affecting two laboratories serviced by Dedalus Biologie. The breach was first reported in the press on 23 February 2021 and concerned the personal data of nearly 500,000 individuals. The data included health data (illnesses, genetic diseases, pregnancies, drug treatments) as well as genetic data.
English Summary
Facts
The CNIL identified the following violations of the GDPR:
- A breach of Article 29 GDPR: Dedalus Biologie processed data beyond the instructions given by the data controllers, extracting more data than was necessary for the commissioned migration from one software product to another.
- A breach of Article 32 GDPR: numerous technical and organisational shortcomings in the security of the migration from one software product to another, including:
• no specific procedure for data migration operations;
• no encryption of the personal data stored on the server at issue;
• no automatic deletion of the data after migration to the other software;
• no authentication required to reach the public area of the server from the internet;
• user accounts shared between several employees in the private area of the server;
• no procedure for monitoring the server and escalating security alerts.
- A breach of Article 28 GDPR: the general conditions of sale offered by Dedalus Biologie and its maintenance contracts did not contain the information required by Article 28(3) GDPR.
Holding
Based on the above findings, the CNIL imposed a fine of €1.5 million and decided to make its decision public. The amount of the fine reflects the seriousness of the breaches identified, but also takes into account the company's turnover. In parallel, the CNIL referred the matter to the Paris court, which ordered that access to the site on which the leaked data had been published be blocked. The court's decision made it possible to limit the consequences of the breach for the affected individuals.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.