iubenda blog


Violation of Health Data

🖋 This article has recently been posted/updated: June

The French Data Protection Authority (CNIL) has fined Dedalus Biologie 1.5 million euros for GDPR violations involving health data.

The massive data breach affected nearly 500,000 people and exposed their personal information and, above all, their medical information (HIV status, cancers, genetic diseases, pregnancies, drug therapies and genetic data).

The Case’s Background

Dedalus Biologie supplies medical laboratories with software tools that support their data processing.
A data breach involving two laboratories serviced by Dedalus Biologie was revealed in the press. The breach concerned nearly 500,000 individuals and covered various categories of data, including personal medical information (illnesses, genetic diseases, pregnancies, drug treatments, etc.). CNIL subsequently opened an investigation.

What CNIL found

CNIL determined that Dedalus Biologie violated Article 28(3) of the GDPR, since the contracts between Dedalus Biologie and its clients did not contain the information that clause requires.
CNIL also found that, during a data migration from one tool to another requested by two laboratories using Dedalus Biologie’s services, Dedalus Biologie extracted a larger volume of data than required and thus processed data beyond the instructions given by the data controllers, in violation of Article 29 of the GDPR.
Finally, CNIL identified numerous shortcomings in the technical and organisational measures meant to protect the data described above, including:

  1. no standardised protocol for data migration procedures;
  2. no encryption of the personal data kept on the server;
  3. no erasure of the data after its transfer to the other software;
  4. no authentication required to access the public area of the server, and user accounts shared by several employees in the server’s private zone; and
  5. no monitoring procedure or security-alert escalation process on the server.

As a result, CNIL determined that Dedalus Biologie violated Article 32 of the GDPR.
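The Article 29 and Article 32 findings above describe two concrete failure modes of a migration: extracting more than the controller instructed, and leaving the extracted data on the migration host afterwards. The following Python script is an added example, not code from the article or from Dedalus Biologie, showing how a processor can model the controller’s written instruction as a field allowlist, refuse an export that exceeds it, stage a minimised extract with owner-only permissions, and overwrite and delete the staged file once the transfer succeeds. All field names, records and file names are constructed for the example; the `transfer` callable stands in for whatever upload mechanism the real migration uses, and encryption at rest of the staging area is assumed to be provided by the host (e.g. an encrypted volume).

```python
"""Added example: pre-flight checks for a laboratory data migration.

Models two of the CNIL findings: over-extraction beyond the controller's
instruction (Article 29) and failure to erase data after transfer
(Article 32). Every value below is constructed; none comes from the case.
"""
import csv
import io
import os
import tempfile

# Constructed controller instruction: the only fields the processor may
# migrate. Any other column in the source export is over-extraction.
INSTRUCTED_FIELDS = {"patient_id", "sample_id", "analysis_code", "result_date"}

# Constructed source export as a laboratory system might produce it.
# The last two columns are outside the instruction.
SOURCE_EXPORT = """patient_id,sample_id,analysis_code,result_date,diagnosis,genetic_marker
P001,S100,HB-A1C,2021-01-05,diabetes type 2,none
P002,S101,HIV-AG,2021-01-06,positive,none
"""


def find_over_extraction(csv_text, instructed_fields):
    """Return the sorted columns present in the export but absent from the
    controller's instruction. An empty list means the extract is in scope."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return sorted(set(reader.fieldnames or []) - set(instructed_fields))


def minimise_extract(csv_text, instructed_fields):
    """Rewrite the export keeping only instructed columns, in source order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [f for f in (reader.fieldnames or []) if f in instructed_fields]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


def write_temp_extract(csv_text):
    """Stage the minimised extract in a temp file readable only by the owner
    and return its path. Disk encryption is assumed to be handled by the
    host; this only narrows who can read the staged copy."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w", newline="") as f:
        f.write(csv_text)
    os.chmod(path, 0o600)
    return path


def erase_after_transfer(path):
    """Overwrite the staged extract with zeros and remove it, so no copy of
    the data lingers on the migration host. Returns True once it is gone."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def run_migration(csv_text, instructed_fields, transfer):
    """Full pre-flight: refuse on over-extraction, stage a minimised extract,
    hand it to `transfer` (a callable standing in for the real upload), then
    erase the staged file whether or not the upload raised.
    Returns (status, over_extracted_columns)."""
    extra = find_over_extraction(csv_text, instructed_fields)
    if extra:
        return "refused: export exceeds controller instruction", extra
    path = write_temp_extract(minimise_extract(csv_text, instructed_fields))
    try:
        transfer(path)
    finally:
        erased = erase_after_transfer(path)
    status = "transferred and erased" if erased else "transfer done, erasure failed"
    return status, []


if __name__ == "__main__":
    # First run is refused because the raw export carries diagnosis data.
    print(run_migration(SOURCE_EXPORT, INSTRUCTED_FIELDS, lambda p: None))
    # Second run uses the minimised extract and completes with erasure.
    print(run_migration(minimise_extract(SOURCE_EXPORT, INSTRUCTED_FIELDS),
                        INSTRUCTED_FIELDS, lambda p: None))
```

The allowlist is the important design choice: the check compares the export against what the controller instructed, not against a denylist of sensitive column names, so a new column added to the laboratory system is rejected by default rather than silently migrated.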

Outcome

In light of the above, and considering the harm to the affected data subjects’ privacy to be serious because of the specific type of data involved, as well as Dedalus Biologie’s multiple and serious instances of negligence, CNIL decided to impose the fine mentioned above and to publish its decision.
