CNIL (France) - SAN-2022-009
| Field | Value |
|---|---|
| Authority | CNIL (France) |
| Jurisdiction | France |
| Relevant Law | Article 28 GDPR, Article 29 GDPR, Article 32 GDPR |
| Type | Investigation |
| Outcome | Violation Found |
| Started | 23.02.2021 |
| Decided | 15.04.2022 |
| Published | 21.04.2022 |
| Fine | 1,500,000 EUR |
| Parties | n/a |
| National Case Number/Name | SAN-2022-009 |
| European Case Law Identifier | n/a |
| Appeal | n/a |
| Original Language(s) | French |
| Original Source | Légifrance (in FR) |
| Initial Contributor | czapla |
Following a data breach, the French DPA imposed a fine of €1,500,000 on Dedalus Biologie, a software provider acting as a processor for medical analysis laboratories, for violations of Articles 28, 29 and 32 GDPR.
English Summary
Facts
In February 2021, a press article revealed that confidential information on around 500,000 French patients had been stolen from medical analysis laboratories and disseminated online. The French DPA subsequently carried out an investigation and found that the personal data of 491,840 patients had been published, including special-category data such as health data.
Dedalus Biologie is the software provider of the medical analysis laboratories involved in the data breach.
Holding
The DPA imposed a fine of €1,500,000.
First, the DPA found that Dedalus Biologie was a processor within the meaning of Article 4(8) GDPR, since it provides the laboratories with tools that facilitate their processing and acts only on their behalf and under their responsibility.
On that basis, the DPA held that the processor had violated Article 28(3) GDPR, because its contracts with the controllers did not contain the information that provision requires.
Second, the DPA found a breach of Article 29 GDPR: the processor had processed data beyond the controllers' instructions by extracting more data than was necessary for the data migration it had been commissioned to perform from one software product to another.
Finally, the DPA held that the processor had violated Article 32 GDPR because of numerous technical and organisational shortcomings in the security of the migration operations from one software product to another, including:
• no specific procedure for data migration operations;
• no encryption of the personal data stored on the server at issue;
• no automatic deletion of the data once it had been migrated to the new software;
• no authentication required to reach the public area of the server from the internet;
• user accounts on the private area of the server shared between several employees;
• no monitoring procedure and no security-alert escalation process for the server.
Given the seriousness of the breaches identified, and taking the company's turnover into account, the DPA imposed a high fine. At the same time, it referred the matter to the Paris court, which ordered access to the site on which the leaked data had been published to be blocked. The court's decision made it possible to limit the consequences of the breach for the affected individuals.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.