At the end of February 2021, the French Data Protection
Authority (CNIL) found out via the media about a massive personal
data breach involving health-related data of about 500,000 French
patients. After more than a year of investigation, CNIL has
published its decision (available in French only)
imposing a fine of 1.5 million euros against DEDALUS BIOLOGIE, a
company processing the data on behalf of medical analysis
laboratories. The company has not appealed, but the CNIL’s
decision indicates that a processor can be sanctioned for the lack
of a data processing agreement incorporating Article 28 General
Data Protection Regulation (GDPR) provisions with the controller.
In addition, a processor can be sanctioned for failure to abide
by the controller’s instructions and for insufficient
The personal data leaked in the breach included the following
categories of personal data:
- Identification data, such as social security number (SSN),
surname, first name, gender, postal address, telephone number,
email address, date of last medical visit and date of birth.
- Information relating to patients’ pathologies (i.e., HIV,
cancers, genetic diseases), pregnancy status, drug treatments
followed by the patient or genetic data.
- Identification data relating to the physician.
According to the CNIL’s preliminary findings issued in
February 2021, this breach appeared to be “of a particularly
large and serious scale.” The controllers involved in this
leak were medical analysis laboratories, although the CNIL has not
publicly disclosed the identity of these companies. As of February
24, 2021, the CNIL had carried out several controls, in particular
with the company that markets software solutions for such medical
analysis laboratories. More precisely, the processor provides the
laboratories with tools that facilitate their data processing
operations. The CNIL’s decision establishes the role of the
company as a processor, as it acts on behalf and under the
responsibility of the laboratories for the maintenance of the
software and, if necessary, the migration toward another
Based on the findings of its investigation, the CNIL considered
the processor to have failed to comply with several obligations
under the GDPR, in particular the obligation to ensure the security
of personal data. The three sanctioned breaches are listed
1. Failure of the processor to comply with the instructions of
the controllers (Article 29 GDPR)
In the context of the migration of the service provider’s
software to another updated tool, which was requested by two
laboratories using its services, the software provider extracted a
volume of data greater than what was requested by the controllers.
The company therefore processed data beyond the instructions given
by the data controllers.
2. Failure to ensure the security of personal data (Article 32
The CNIL pointed out numerous security loopholes within the
framework of the operations of migration of one software toward
- Absence of a specific procedure for the operations of data
- Absence of encryption of personal data stored on the server at
- Absence of automatic deletion of the data after migration to
the other software.
- No authentication required from the internet to access the
public area of the server.
- User accounts shared by several employees in the private area
of the server.
- Lack of supervision and security alerts on the server.
As a result of such failures, the investigation revealed that
unauthorized third parties gained access to the personal data
concerned, which resulted in the disclosure on forums of the file
containing the medico-administrative data of the affected data
3. Failure to implement a data processing agreement (Article 28
Processors and controllers have an obligation to enter into a
data processing agreement (DPA). The general terms of service of
the processor and the related maintenance contracts did not contain
a DPA, resulting in a breach of Article 28 GDPR.
- Failure to implement a DPA can be held against a
processor. The service provider has been sanctioned as a
processor for its failure to implement a DPA. The CNIL did not take
into account the processor’s arguments that the conclusion of a
DPA constitutes an obligation for both the data controller and the
processor, which was used to justify that it should not be held
solely responsible for this failure. Indeed, the CNIL noted the
fact that the obligation resulting from Article 28 GDPR is
incumbent on both the controller and the processor.
- Failure at a privacy by design stage by the processor
can result in a failure to comply with the controller’s
instructions. The concept of privacy by design requires
controllers to consider privacy concerns at the outset of data
processing practices, rather than applying features retroactively.
The CNIL could not accuse the processor of having failed to
implement privacy by design requirements in its tool. However, the
CNIL’s decision shows that DEDALUS BIOLOGIE’s tool was not
designed in a way that would have allowed the company to comply
with the controllers’ instructions. Indeed, in the context of
migrations, the tool only allowed a total extraction of the patient
file of the concerned laboratory, without the possibility of adding
filters on the fields to be exported in order to extract only those
requested in accordance with the controller’s instructions.
This failure led to a breach of Article 29 GDPR by the
- Processors also can be subject to a significant fine
for their own failures. Insofar as the company had been
found in breach of Articles 28, 29 and 32 GDPR, the maximum fine
that could be imposed was the higher of 10 million euros or 2% of
annual worldwide turnover. As the company reported revenues of 16.3
million euros in 2020, the CNIL based its sanction on the maximum
fine of 10 million euros, rather than the 2% of annual turnover
threshold (which should not have exceeded 326,000 euros).
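The privacy by design point above (a migration tool that could only dump the whole patient file, with no way to restrict the exported fields to those the controller asked for) can be made concrete. The following is an added example written for this article; it is not code from the page or from DEDALUS BIOLOGIE’s product. It places a total-dump export beside a scoped export that takes the controller’s instruction as a laboratory identifier plus an allow-list of fields, rejects any field outside the known record schema, and returns an audit record of exactly what left the system. The record layout, field names and sample rows are constructed for the demonstration.

```python
"""Scoped migration export versus total dump (added illustration, hypothetical).

Assumptions (not from the CNIL decision): patient records are flat dicts
sharing one schema, and the controller's written instruction is modelled as
an allow-list of field names that applies to a single laboratory.
"""
from dataclasses import dataclass

# Constructed record schema for the demo (not a real product's layout).
SCHEMA = frozenset({
    "lab_id", "ssn", "surname", "first_name", "dob",
    "pathology", "genetic_data", "physician",
})

# Constructed, fictitious patient file covering two laboratories.
PATIENT_FILE = [
    {"lab_id": "LAB-A", "ssn": "1-85-03-75-116-001", "surname": "Dupont",
     "first_name": "Anne", "dob": "1985-03-12", "pathology": "diabetes",
     "genetic_data": "variant-X", "physician": "Dr Martin"},
    {"lab_id": "LAB-A", "ssn": "2-90-07-13-055-042", "surname": "Bernard",
     "first_name": "Luc", "dob": "1990-07-01", "pathology": "none",
     "genetic_data": "", "physician": "Dr Morel"},
    {"lab_id": "LAB-B", "ssn": "1-78-11-69-123-009", "surname": "Petit",
     "first_name": "Marie", "dob": "1978-11-23", "pathology": "asthma",
     "genetic_data": "", "physician": "Dr Leroy"},
]


@dataclass(frozen=True)
class ControllerInstruction:
    """The controller's documented instruction for one migration (hypothetical)."""
    lab_id: str
    fields: frozenset


@dataclass
class ExportResult:
    rows: list
    audit: dict


def export_everything(patient_file):
    """The design the text describes: every row and every field, whatever was asked.

    Kept here only as the 'before' for comparison; it ignores the instruction
    entirely, so the processor cannot stay within the controller's scope.
    """
    return [dict(row) for row in patient_file]


def export_scoped(patient_file, instruction):
    """Export only the laboratory and fields named in the controller's instruction.

    Unknown fields are refused outright rather than silently dropped, so a
    mistyped or over-broad instruction fails loudly before any data moves.
    """
    unknown = instruction.fields - SCHEMA
    if unknown:
        raise ValueError(f"instruction names fields outside the schema: {sorted(unknown)}")
    if not instruction.fields:
        raise ValueError("instruction must name at least one field")

    # Row filter: only the requesting laboratory's records leave the system.
    # Column projection: only the allow-listed fields are copied out.
    rows = [
        {name: row[name] for name in sorted(instruction.fields)}
        for row in patient_file
        if row["lab_id"] == instruction.lab_id
    ]

    # Audit record: what was exported, for whom, and what was deliberately
    # withheld. This is the evidence a processor needs to show it acted
    # within the controller's instructions.
    audit = {
        "lab_id": instruction.lab_id,
        "exported_fields": sorted(instruction.fields),
        "excluded_fields": sorted(SCHEMA - instruction.fields),
        "row_count": len(rows),
    }
    return ExportResult(rows=rows, audit=audit)


if __name__ == "__main__":
    instruction = ControllerInstruction("LAB-A", frozenset({"surname", "first_name", "dob"}))
    result = export_scoped(PATIENT_FILE, instruction)
    print(result.audit)
    for row in result.rows:
        print(row)
```

The scoped version keeps the special-category fields (pathology, genetic data) and the SSN inside the system unless the controller explicitly lists them, and the audit record makes the scope of each migration verifiable after the fact.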
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.