CNIL (France) - MEDP-2021-001

From GDPRhub
CNIL (France) - MEDP-2021-001
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 32 GDPR
Art. 20 de la loi n° 78-17 du 6 janvier 1978 modifiée relative à l’informatique, aux fichiers et aux libertés
Type: Other
Outcome: n/a
Decided: 11.10.2021
Published: 14.10.2021
Fine: None
Parties: Francetest
National Case Number/Name: MEDP-2021-001
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: n/a

The French DPA (CNIL) decided that the publication of its decision against the company 'Francetest' was justified given the sensitivity of the data processed and the need to ensure that all individuals concerned, as well as organisations using such services, are fully aware of the existence of persistent data security breaches.

English Summary[edit | edit source]

Facts[edit | edit source]

Francetest.fr is a website operated by a French company (hereafter 'Francetest') for the management of antigenic testing against COVID-19. In particular, data subjects can register themselves and receive the results of their antigenic tests via this website.

On 27 August 2021, following an anonymous report, the CNIL checked for potential data security issues on the website "francetest.fr". Those checks confirmed the existence of a data breach. A few days later, on 9 September 2021, auditors fro the CNIL carried out an on-site check at Francetest to verify that the processing of personal data was carried out in accordance with the GDPR and the French law n°78-17 of 6 January 1978 implementing the GDPR (hereinafter: the Information Technology and Freedoms Act). During this audit, it was found that several security shortcomings persisted, despite Francetest having already taken several measures after becoming aware of the data breach. These deficiencies were posing a risk to the confidentiality of the personal data processed via the website.

By a decision dated 4 October 2021 (the Decision), the President of the CNIL delivered an injunction against Francetest to put an end to the data breach within two months, in application of Article 32 GDPR and Article 20 of the Information Technology and Freedoms Act.

Subsequently, pursuant to Article 20, last paragraph of the Information Technology and Freedoms Act, a commission was convened by the President of the CNIL on 11 October 2021 to rule on the publication of the decision (hereinafter, the Commission).

Holding[edit | edit source]

The Commission considered that the publication of the Decision was justified in view of the sensitivity of the data processed (i.e. health data) and the need to ensure that all persons involved in the processing operations concerned, including the organisations using the services, would be fully informed of the existence of persistent data breaches.

The Commission emphasised that, in addition to the results of antigenic tests taken by data subjects, Francetest was also processing large amount of other personal data which enable to directly identify the data subjects, including social security numbers.

The Commission also emphasised that the publication of the Decision was also justified based on the need to alert all actors in the healthcare sector, including other controllers or processors that may be offering or using similar services, on the importance to remain vigilant in ensuring the security of personal data.

Finally, the Commission found that the publication of the Decision is also in line with the CNIL's priorities listed in its 2021 audit strategy. Consequently, the Commission decided to publish on its website the Decision, as well as the deliberations of the Commission reaching that conclusion.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

MEDP-2021-001 deliberation of October 11, 2021
National Commission for Informatics and Freedoms

    Legal status: In force

    Publication date on Légifrance: Thursday, October 14, 2021

Deliberation of the office of the National Commission for Informatics and Freedoms n ° MEDP-2021-001 of October 11, 2021 deciding to make public the formal notice n ° MED-2021-093 of October 4, 2021 taken against the company FRANCETEST

The office of the National Commission for Informatics and Freedoms, meeting on October 11, 2021 under the chairmanship of Mrs. Marie-Laure DENIS;

In addition to the President of the Commission, there were Mrs Sophie LAMBREMON, Deputy Vice-President, and Mr François PELLEGRINI, Vice-President;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

Considering the amended law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its article 20;

Having regard to Decree No. 2019-536 of May 29, 2019 issued for the application of Law No. 78-17 of January 6, 1978 as amended relating to information technology, files and freedoms;

Having regard to deliberation No. 2013-175 of July 4, 2013 establishing the internal regulations of the National Commission for Informatics and Freedoms;

Considering the decision n ° MED-2021-093 of October 4, 2021 of the President of the Commission giving formal notice to the company FRANCETEST;

Has adopted the following deliberation:

Following an anonymous report to the CNIL services on August 27, 2021 reporting a security breach affecting the "francetest.fr" website, online checks carried out the same day revealed the existence and extent of the data breach. On September 9, 2021, a delegation carried out an on-site check on the premises of the company FRANCETEST (hereinafter, "the company") in order to verify the compliance of the processing of personal data implemented by this last with Regulation No. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data (hereinafter, the "RGPD") and Law No. 78-17 of January 6, 1978 modified relating to data processing, files and freedoms (hereinafter, the law "Informatique et Libertés").

The control delegation noted that although the company took certain measures when it became aware of the data breach, the Francetest service still suffered from several security deficiencies which continued to pose a risk to data confidentiality. of a personal nature processed.

By decision of October 4, 2021, the President of the Commission, on the basis of article 20 of the amended law of January 6, 1978, gave notice to the company FRANCETEST, located at 6, boulevard de la Marne, in Strasbourg (67000 ), to put an end within a period of two (2) months to the failure to ensure the security of personal data provided for in Article 32 of the GDPR.

Pursuant to the last paragraph of II of article 20 of the law of January 6, 1978 as amended, the President of the CNIL regularly convened the committee of the Commission for the purpose of ruling on her request to make her decision public.

The bureau was convened for this purpose on October 11, 2021.

After deliberation, the office considers that the publication of the formal notice decision is justified in particular because of the sensitivity of the data processed and the need to ensure the full information of all the people concerned by the processing. involved, as well as organizations using the services of the company FRANCETEST, on the existence of persistent breaches of data security.

The office stresses that in addition to the results of the people concerned with antigenic tests for SARS-CoV-2, and which therefore make it possible to know whether a person is a carrier or not of this virus, the company FRANCETEST processes a large number of directly identifying data, including the social security number (NIR), data of a highly personal nature.

The office stresses that the publicity of the formal notice decision is also justified to alert all actors in the world of health, whether they are data controllers or subcontractors, of the need to ensure as much as possible. security of the data they process and the risks that a lack of vigilance on their part can pose to this data.

The office recalls in this regard that among the priorities identified by the CNIL for its control strategy for the year 2021, the processing of health data and, more particularly, the measures implemented to ensure their security.

Consequently, the office of the National Commission for Informatics and Freedoms decides to make public decision n ° MED-2021-093 of the President of the CNIL putting FRANCETEST in default.

The Bureau recalls that this formal notice does not have the character of a sanction. If the company fully complies with the requirements of the formal notice within the time limit set, it will be the subject of a closure which will also be made public.

Finally, both the aforementioned formal notice and this deliberation will no longer make it possible to identify the company by name after the expiration of a period of two years from their publication.

The president

Marie-Laure DENIS