CNIL (France) - SAN-2022-009

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 28 GDPR, Article 29 GDPR, Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 23.02.2021
Decided: 15.04.2022
Published: 21.04.2022
Fine: 1500000 EUR
Parties: n/a
National Case Number/Name: SAN-2022-009
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: czapla

Following a data breach, the French DPA imposed a fine of €1,500,000 on Dedalus Biologie, a software solutions provider acting as a processor for medical analysis laboratories, for violations of Articles 28, 29 and 32 GDPR.

English Summary

Facts

In February 2021, a press article revealed that confidential information on 500,000 French patients had been stolen from laboratories and disseminated online. The French DPA subsequently carried out an investigation and found that the personal data of 491,840 patients had been published, including sensitive data such as health data.

Dedalus Biologie is a software solutions provider for the medical analysis laboratories involved in the data breach.

Holding

The DPA imposed a fine of €1,500,000.

First, the DPA found that Dedalus Biologie was a processor within the meaning of Article 4(8) GDPR, since it provides laboratories with the tools that facilitate the implementation of the processing and acts only in the name and under the responsibility of the laboratories.

Consequently, the DPA held that the processor had violated Article 28(3) GDPR because the contracts between it and the controllers did not contain the information that provision requires.

Then, the DPA found a breach of Article 29 GDPR. The processor had processed data beyond the instructions given by the controllers by extracting more data than was necessary for the commissioned migration from one software product to another.

Finally, the DPA held that the processor had violated Article 32 GDPR because of numerous technical and organisational shortcomings in the security of the operations carried out to migrate from one software product to another, including:

• the lack of a specific procedure for data migration operations;

• the lack of encryption of the personal data stored on the server in question;

• the absence of automatic deletion of the data after migration to the other software;

• the absence of any authentication requirement for access from the internet to the public area of the server;

• the use of user accounts shared between several employees in the private zone of the server;

• the lack of a supervision procedure and of security alert escalation on the server.

Based on the seriousness of the breaches identified, and also taking into account the company's turnover, the DPA decided on the high fine. At the same time, it applied to the Paris court, which blocked access to the site on which the leaked data had been published. The court's decision made it possible to limit the consequences of the breach for the affected individuals.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.