CNIL - MED-2020-015

From GDPRhub

===Holding===

The CNIL held that, on the whole, the "StopCovid" application complied with the applicable data protection laws. However, the authority identified failures to comply with several provisions of the GDPR and of the French "loi informatique et libertés".

As regards the GDPR, the CNIL first reminded the Ministry of Health that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (Art. 5(1)(a) GDPR). When a user reported that they had been infected with Covid-19, this information was transmitted for all of the user's recorded contacts, and not only for those contacts with whom the user had recently been in close proximity. This directly violated the principle of lawfulness and Art. 2(5) of the national decree governing the data processing carried out through "StopCovid". Moreover, the privacy policy intended to inform users about the processing lacked precision as to the categories of data processed and the recipients of the data. Since a processor was involved in the processing, the authority also found that the contract required by Art. 28 GDPR lacked provisions on the rights and obligations of the Ministry, on assistance with data subject requests, on the security of the processing, and on the documentation and auditing of the processing. Furthermore, the data protection impact assessment was considered incomplete, because the processing resulting from the use of the "Captcha" verification solution had not been covered by it.

As regards the national data protection law, the CNIL pointed out that Art. 82 of the "loi informatique et libertés" requires that, for any data processing resulting from the use of an electronic service such as Google's Captcha solution, the user be informed and asked for their consent before the processing takes place. Yet users were neither informed of the processing carried out by Google nor asked for their consent.

The CNIL therefore gave the Ministry of Health formal notice to remedy these violations within one month and to report back confirming the implementation of all corrective measures.
