The French data protection authority (CNIL) has imposed one of its highest General Data Protection Regulation ("GDPR") sanctions to date on Dedalus Biologie SAS ("Dedalus"), a software vendor that sells and maintains solutions for medical laboratories.
The sanction follows a very large health data breach, disclosed in the press in February of last year, affecting nearly 500,000 individuals. CNIL fined Dedalus Biologie 1.5 million euros, principally for failing to comply with its obligation to secure personal data.
CNIL Findings
The amount of the fine was set with regard to the seriousness of the infringements, in particular the fact that health data, a special category of personal data, had been disclosed. CNIL found Dedalus Biologie in breach of Article 28(3) of the GDPR, because the contracts concluded between Dedalus Biologie and its customers did not contain the mandatory terms required by that provision (the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller).
During a data migration from one tool to another, requested by two laboratories using Dedalus Biologie's services, CNIL found that Dedalus Biologie extracted a larger volume of data than the migration required, including health data (e.g., health problems, infertility). Under Article 29 of the GDPR a processor may process personal data only on the controller's instructions, so by extracting data beyond what the laboratories had asked for, Dedalus Biologie processed data outside the instructions of the data controllers, in breach of that article.
In addition, CNIL found a breach of the obligation to ensure the security of personal data (Article 32 of the GDPR), on the basis of technical shortcomings including:
• no specific procedure for data migration operations;
• no encryption of the personal data stored on the affected server;
• no automatic deletion of the data once it had been migrated to the other software;
• no authentication required to access the public area of the server;
• user accounts shared between several employees in the private area of the server; and
• no supervision procedure and no security-alert escalation for the server.
To prevent further data breaches, Dedalus Biologie stated that it intends to reach the highest level of security and GDPR compliance by strengthening its IT infrastructure, improving its internal and external procedures, and appointing an additional DPO and additional information systems managers.