CNIL (France) - SAN-2023-006

From GDPRhub
CNIL - SAN-2023-006
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 9(2) GDPR
Article 26 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.06.2020
Decided: 11.05.2023
Fine: 380,000 EUR
Parties: Doctissimo
National Case Number/Name: SAN-2023-006
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: n/a

The French DPA fined Doctissimo €380,000 for several data protection violations, including failure to obtain users' consent for the processing of health data, lack of security measures, violation of storage limitation and setting cookies without consent.

English Summary


Doctissimo (controller) operates a website that offers articles, tests, quizzes and discussion forums about health and well-being. On 26 June 2020, Privacy International filed a complaint with the French DPA against the controller. This complaint concerned all the processing operations carried out by the controller on its website and, in particular, the use of cookies without consent, the legal basis for the processing related to online health tests, the obligation of transparency and data security.

The DPA carried out several investigations, both online and at the controller's office. Since the controller operated cross-border processing operations but the controller's principal place of business was in France, in accordance with Article 56 GDPR, the French DPA informed other authorities of its competence as lead supervisory authority. No relevant and reasoned objection was raised by any authority.

The investigation service noted various elements. In particular:

(1) As regards the quizzes data, the controller outsourced this processing and stored the data, as well as the email address of the users, for 24 months. The controller explained that these data were kept for three purposes: communicating the result to the user, enabling the user to share the result and producing statistics. During the procedure, the controller changed the retention period to 3 months and asked their processor to anonymise the data.

(2) On the retention period of accounts created by users of the website, the controller explained that data is anonymised when a user is inactive for three years. However, the investigation showed that it was still possible to individualise users indirectly.

(3) Regarding consent to process special categories of personal data, the controller did not obtain specific consent to process health data. The controller explained that there was confusion about the definition of sensitive data.

(4) There was no contract under Article 26 GDPR although the controller considered that they were a joint controller with two entities.

(5) The controller's website used an http protocol, not https, and passwords were not securely hashed.

(6) Advertising cookies were set without prior consent and users' refusal was ineffective.

During the proceedings, the controller changed its practices to improve compliance with the GDPR.


The French DPA considered on each point raised by the investigation:

(1) Regarding quizzes data, the DPA considered that the retention of quiz answers for 24 months did not appear necessary for the purposes put forward by the controller. The DPA also noted that according to the contract between the controller and the processor, IP addresses were not to be collected for "sensitive" anonymous quizzes. However, the processor provided the controller with tables containing the quiz answers and pseudonymised IP addresses. The DPA considered that it was the controller's responsibility to ensure compliance with the protection of personal data and that the controller was therefore responsible for monitoring the performance of his processor. Accordingly, the DPA held that there was a violation of Article 5(1)(e) GDPR before the controller complied during the proceedings.

(2) The DPA considered that prior to the proceedings, the controller did not anonymise the data but pseudonymised it. This meant that with additional information it was possible to individualise a user. This constituted a breach of Article 5(1)(e) GDPR before the controller complied during the proceedings.

(3) The DPA qualified the data collected during certain tests as health data and considered that the controller should obtain specific consent. It therefore found a violation of Article 9(2) GDPR before the controller complied during the proceedings.

(4) The DPA found that at the time of the investigation there was no contract under Article 26 GDPR, which constituted a violation of that article.

(5) The DPA considered the use of https and a secure storage of passwords to be basic security measures. In view of the compliance during the procedure, it found a breach of Article 32 GDPR for the past.

(6) By failing to obtain prior consent for the use of advertising cookies and by not allowing the user to effectively refuse the cookies, the controller violated Article 82 of the French Data Protection Act. During the proceedings the controller complied .

In view of the breaches of Articles 5(1)(e), 9(2), 26 and 32 GDPR and Article 82 of the French Data Protection Act and the compliance in progress, the DPA imposed a total fine of €380,000.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.