CNIL sanction: A software publisher for medical laboratories fined 1.5 million euros in administrative penalties

On April 21, 2022, the CNIL (the French data protection authority) issued a sanction decision fining the company DEDALUS BIOLOGIE 1.5 million euros.

On February 23, 2021, the company DEDALUS BIOLOGIE suffered a personal data breach affecting nearly 500,000 individuals. The data concerned included, in particular, surnames, first names, social security numbers, physicians' names and examination dates, but also, and above all, medical information (HIV status, cancers, genetic diseases, pregnancies, medications taken by the patient, genetic data).

From February 24, 2021, the CNIL carried out several inspections, including at the company DEDALUS BIOLOGIE, which markets software solutions for medical laboratories and acts, in that capacity, as a processor ("sous-traitant" in French law, i.e. a subcontractor) within the meaning of the GDPR.

In parallel, the CNIL referred the matter to the Paris judicial court (tribunal judiciaire de Paris), which ordered that access be blocked to the website on which the breached data had been published. This order of March 4, 2021, limited the consequences of the breach for the affected individuals.

Based on the findings made during its inspections, the CNIL considered that the company had failed to comply with several obligations provided for in the GDPR, in particular:

  • During a migration from one software product to another tool, requested by two laboratories, DEDALUS BIOLOGIE, acting as a processor, failed to follow the laboratories' instructions and processed data beyond what they had requested.
  • DEDALUS BIOLOGIE did not provide sufficient measures to ensure the security of personal data. Specifically: there was no specific procedure for data migration operations; personal data stored on the server was not encrypted; data was not automatically deleted once migrated to the second software product; no authentication was required to reach the public zone of the server from the internet; employee access rights were not managed (user accounts on the private zone of the server were shared by several employees); and there was no procedure for handling and escalating security alerts on the server.
  • In the course of its business, DEDALUS BIOLOGIE used general terms and conditions of sale which, according to the CNIL, did not contain the provisions required by Article 28(3) of the GDPR (the mandatory content of the contract between a controller and its processor).

What should be noted from this decision?

The security of personal data remains a key component of GDPR compliance, as the majority of CNIL decisions highlight. It is a central point that must be taken into account and given particular attention, all the more so because a breach can quickly damage a company's reputation.

The controller-processor relationship also remains a primary element of GDPR compliance and must be properly framed by contract. It is important to have a precise and exhaustive "GDPR" clause, while ensuring that it is actually applied in practice.


Specializing in personal data protection law, Aumans Avocats supports you in all your data-related projects, with the goal of achieving clear, reliable, and lasting compliance. Contact us today for tailored support.

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI
Paris +33 (0)1 85 08 54 76 / Lyon +33 (0)4 28 29 14 92 / Marseille +33 (0)4 84 25 67 89 / Bruxelles +32 (0)2 318 18 36
