CNIL (France) - MEDP-2021-001

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 32 GDPR
Art. 20 of Law No. 78-17 of 6 January 1978, as amended, on information technology, files and civil liberties (loi Informatique et Libertés)
Type: Other
Outcome: n/a
Started:
Decided: 11.10.2021
Published: 14.10.2021
Fine: None
Parties: Francetest
National Case Number/Name: MEDP-2021-001
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: n/a

CNIL considers that the disclosure of its decision is justified in view of the sensitivity of the data processed and the need to ensure that all persons concerned, as well as organisations using the services, are fully aware of the existence of persistent data security breaches.


English Summary

Facts

Online checks, initiated following an anonymous report to the CNIL on 27 August 2021 regarding a data breach on the "francetest.fr" website, confirmed the existence and extent of the breach. A few days later, on 9 September 2021, auditors carried out an on-site check at Francetest to verify that its processing of personal data complied with the GDPR and with Law No. 78-17 of 6 January 1978, as amended, on information technology, files and civil liberties (hereinafter: the Information Technology and Freedoms Act). The audit found that the company had taken measures when it became aware of the breach, but that several security shortcomings persisted. These deficiencies continued to pose a risk to the confidentiality of the personal data processed. By a decision dated 4 October 2021, the President of the CNIL, pursuant to Art. 20 of the Information Technology and Freedoms Act, formally served notice on the company to remedy, within two months, its failure to ensure the security of personal data as required by Art. 32 GDPR. Subsequently, pursuant to the last paragraph of Art. 20 of the Information Technology and Freedoms Act, the President of the CNIL convened the Bureau of the Commission on 11 October 2021 to rule on whether the decision should be made public (hereinafter: the Bureau).

Holding

The Bureau considers that publication of Decision No. MED-2021-093 is justified in view of the sensitivity of the data processed and the need to ensure that all persons concerned by the processing operations in question, as well as organisations using the company's services, are fully informed of the existence of persistent breaches of data security. The Bureau emphasised that, in addition to the results of the SARS-CoV-2 antigen tests of the persons concerned, which reveal whether a person is a carrier of the virus, the company FRANCETEST processes a large amount of directly identifying data, including the social security number (NIR). The Bureau also emphasised that publication of the formal notice is justified in order to alert all actors in the health sector, whether controllers or processors, to the need to properly secure the data they process and to the risks that a lack of vigilance on their part could pose to that data. Publication is also in line with the priorities listed in the CNIL's 2021 audit strategy. Consequently, the Bureau decided to make public the CNIL President's Decision No. MED-2021-093 issuing a formal notice to the company FRANCETEST.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

MEDP-2021-001 deliberation of October 11, 2021
National Commission for Informatics and Freedoms

    Legal status: In force

    Publication date on Légifrance: Thursday, October 14, 2021

Deliberation of the bureau of the National Commission for Informatics and Freedoms No. MEDP-2021-001 of October 11, 2021 deciding to make public formal notice No. MED-2021-093 of October 4, 2021 issued against the company FRANCETEST

The bureau of the National Commission for Informatics and Freedoms, meeting on October 11, 2021 under the chairmanship of Mrs. Marie-Laure DENIS;

In addition to the President of the Commission, Mrs Sophie LAMBREMON, Deputy Vice-President, and Mr François PELLEGRINI, Vice-President, were present;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

Having regard to Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms, in particular its Article 20;

Having regard to Decree No. 2019-536 of May 29, 2019 issued for the application of Law No. 78-17 of January 6, 1978 as amended relating to information technology, files and freedoms;

Having regard to deliberation No. 2013-175 of July 4, 2013 establishing the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Decision No. MED-2021-093 of October 4, 2021 of the President of the Commission giving formal notice to the company FRANCETEST;

Has adopted the following deliberation:

Following an anonymous report to the CNIL services on August 27, 2021 reporting a security breach affecting the "francetest.fr" website, online checks carried out the same day revealed the existence and extent of the data breach. On September 9, 2021, a delegation carried out an on-site check at the premises of the company FRANCETEST (hereinafter "the company") in order to verify that the processing of personal data implemented by the latter complied with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data (hereinafter the "GDPR") and with Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (hereinafter the "Informatique et Libertés" Act).

The control delegation noted that, although the company had taken certain measures when it became aware of the data breach, the Francetest service still suffered from several security deficiencies which continued to pose a risk to the confidentiality of the personal data processed.

By decision of October 4, 2021, the President of the Commission, on the basis of Article 20 of the amended law of January 6, 1978, gave formal notice to the company FRANCETEST, located at 6, boulevard de la Marne, Strasbourg (67000), to put an end, within a period of two (2) months, to its failure to ensure the security of personal data as provided for in Article 32 of the GDPR.

Pursuant to the last paragraph of II of Article 20 of the law of January 6, 1978, as amended, the President of the CNIL duly convened the bureau of the Commission for the purpose of ruling on her request to make her decision public.

The bureau was convened for this purpose on October 11, 2021.

After deliberation, the bureau considers that publication of the formal notice decision is justified, in particular because of the sensitivity of the data processed and the need to ensure that all persons concerned by the processing operations involved, as well as organizations using the services of the company FRANCETEST, are fully informed of the existence of persistent breaches of data security.

The bureau stresses that, in addition to the results of the SARS-CoV-2 antigen tests of the persons concerned, which make it possible to know whether or not a person is a carrier of this virus, the company FRANCETEST processes a large amount of directly identifying data, including the social security number (NIR), data of a highly personal nature.

The bureau stresses that publication of the formal notice decision is also justified in order to alert all actors in the health sector, whether data controllers or processors, to the need to secure as far as possible the data they process and to the risks that a lack of vigilance on their part may pose to this data.

The bureau recalls in this regard that among the priorities identified by the CNIL in its control strategy for 2021 are the processing of health data and, more particularly, the measures implemented to ensure its security.

Consequently, the bureau of the National Commission for Informatics and Freedoms decides to make public Decision No. MED-2021-093 of the President of the CNIL giving formal notice to FRANCETEST.

The bureau recalls that this formal notice is not a sanction. If the company fully complies with the requirements of the formal notice within the time limit set, a closure decision will be issued, which will also be made public.

Finally, after a period of two years from their publication, neither the aforementioned formal notice nor this deliberation will any longer allow the company to be identified by name.

The president

Marie-Laure DENIS