CNIL (France) - SAN-2024-013

From GDPRhub
Revision as of 07:49, 23 September 2024 by Wp (page created)
CNIL - SAN-2024-013
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(a) GDPR
Article 66 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (Law no. 78-17 of January 6, 1978 on data processing, data files and individual liberties)
Type: Investigation
Outcome: Violation Found
Started:
Decided: 05.09.2024
Published:
Fine: 800,000 EUR
Parties: Cegedim
National Case Number/Name: SAN-2024-013
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: LEGIFRANCE (France) (in FR), https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050202759
Initial Contributor: wp

The CNIL fined a company €800,000 for violating Article 5(1)(a) GDPR and Article 66 of the French Data Protection Act. The company unlawfully processed patients’ data that doctors had collected using the company’s software.

English Summary

Facts

Cegedim is a company providing IT products and services to healthcare professionals, including practice-management software that enables doctors to manage patients’ data (basic identification data as well as health history, diagnoses, prescribed medicines or procedures, and data coming from third parties, including the HRI system).

Software users were offered the option to enrol in research (health-sector studies and statistics) performed by Cegedim and its business partners. In exchange for access to patients’ data, the software user received a licence discount and access to statistics produced by Cegedim.

To enable the transfer of data from users’ software, Cegedim encrypted the patient data and assigned each patient a unique identifier. The identifier was linked to the category of practitioner visited, so that a patient’s data could be examined across doctors every time the patient visited a particular kind of practitioner. The patients’ data collected by Cegedim was stored for three months and then transferred to Cegedim’s business partners.

According to Cegedim, since the patients’ data was anonymised, the GDPR no longer applied to the processing at hand. The French DPA (CNIL) opened an ex officio investigation to examine Cegedim’s practices.

Holding

The DPA rejected Cegedim’s interpretation that it processed anonymised data. Under Recital 26 GDPR, which Cegedim itself quoted, pseudonymised data is still personal data covered by the GDPR. It was clear to the DPA that Cegedim processed personal data that was only pseudonymised, because the identifiers assigned to patients’ data allowed Cegedim to identify each patient. Moreover, as shown during the investigation, it was possible to re-identify a patient using reasonable means and the data processed by Cegedim, even without access to additional information. Hence, Cegedim had failed to assess the risk of re-identification.
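The two findings above, that a persistent per-patient identifier keeps the data pseudonymous rather than anonymous and that the risk of re-identification from the exported data itself was never assessed, can be made concrete with a small risk check. The following Python is an added illustration, not code from the decision or from Cegedim; the keyed-hash token scheme, the vendor key, the quasi-identifier columns and every record are constructed for the example, and nothing here reproduces how the real software built its identifiers. It shows (1) that whoever holds the key can map a token back to a patient, which is exactly the "additional information" of Recital 26, (2) that the token lets records from different practitioner categories be joined into one profile, and (3) a k-anonymity measurement over the exported quasi-identifiers, which is the kind of assessment the DPA found missing.

```python
"""Re-identification risk check for pseudonymised health exports (constructed example)."""
import hashlib
import hmac
from collections import Counter, defaultdict

# Hypothetical secret held by the software vendor. Anyone holding it can
# recompute a patient's token, so the export is pseudonymised, not anonymised.
VENDOR_KEY = b"constructed-demo-key"


def pseudonymise(patient_identity: str) -> str:
    """Stable per-patient token (keyed hash; hypothetical scheme, not the real one)."""
    return hmac.new(VENDOR_KEY, patient_identity.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed records as three different practices might export them.
# Columns: practitioner category, patient identity, birth year, postcode, sex, diagnosis.
RAW_RECORDS = [
    ("general_practitioner", "patient-A", 1954, "75011", "F", "hypertension"),
    ("cardiologist",         "patient-A", 1954, "75011", "F", "atrial fibrillation"),
    ("general_practitioner", "patient-B", 1988, "69003", "M", "asthma"),
    ("pneumologist",         "patient-B", 1988, "69003", "M", "asthma"),
    ("general_practitioner", "patient-C", 1988, "69003", "M", "flu"),
    ("general_practitioner", "patient-D", 1962, "13008", "F", "diabetes"),
]


def export(records):
    """What leaves the practice: identity replaced by the token, all else kept."""
    return [(cat, pseudonymise(ident), by, pc, sex, dx)
            for cat, ident, by, pc, sex, dx in records]


def holder_can_reverse(token, candidate_identities):
    """The key holder re-derives tokens for known patients: the mapping is not one-way for them."""
    for ident in candidate_identities:
        if pseudonymise(ident) == token:
            return ident
    return None


def link_by_token(exported):
    """Join records from different practitioner categories on the shared token."""
    profiles = defaultdict(list)
    for cat, token, by, pc, sex, dx in exported:
        profiles[token].append((cat, dx))
    return profiles


def k_anonymity(exported, quasi=(2, 3, 4)):
    """For each patient, how many exported patients share the same quasi-identifier values."""
    per_patient = {}
    for row in exported:
        # One entry per token; quasi-identifiers taken from the first record seen.
        per_patient.setdefault(row[1], tuple(row[i] for i in quasi))
    counts = Counter(per_patient.values())
    return {token: counts[q] for token, q in per_patient.items()}


def risk_report(records):
    """Summary a controller would need before claiming the export is anonymous."""
    exported = export(records)
    profiles = link_by_token(exported)
    ks = k_anonymity(exported)
    return {
        "patients": len(profiles),
        # Profiles that combine data from more than one practitioner category.
        "multi_practitioner_profiles": sum(
            1 for p in profiles.values() if len({c for c, _ in p}) > 1),
        # k = 1 means a patient is unique on birth year + postcode + sex alone.
        "min_k": min(ks.values()),
        "unique_patients": sum(1 for k in ks.values() if k == 1),
    }


if __name__ == "__main__":
    print(risk_report(RAW_RECORDS))
```

On the constructed data the report shows a minimum k of 1: two of the four patients are already unique on birth year, postcode and sex within the export, and two profiles combine diagnoses from different practitioners, which is the cross-doctor view the decision describes. A controller relying on the anonymisation argument would need this number to be comfortably above 1 for every record, and would need to show that no party can recompute the token.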

Regarding the nature of Cegedim’s business activities, the DPA found that it operated a health database (a data warehouse as understood in French doctrine). Furthermore, the DPA considered Cegedim a data controller: Cegedim determined the purposes and means of the processing, also with reference to its business relations with healthcare professionals.

The aforementioned facts confirmed that Cegedim violated Article 66 of the French Data Protection Act. Cegedim was required to obtain prior authorisation from the DPA to run a health database (data warehouse). It was also Cegedim’s duty to obtain patients’ consent to the processing, including the transmission of their data to the database and its processing there. Cegedim fulfilled neither duty.

Moreover, Cegedim violated Article 5(1)(a) GDPR by collecting patients’ data from the HRI system. Cegedim’s software automatically integrated data from the HRI system with patients’ data, giving Cegedim direct access to data processed in the HRI system. As a result, Cegedim was also in breach of Articles L. 162-4-3 and R. 162-1-10 of the French Social Security Code and Article R. 1111-8-6 of the French Public Health Code, which prohibit private entities from directly accessing the HRI system.

Consequently, Cegedim was fined €800,000.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.