Following a personal data breach that led to the disclosure of sensitive health data of almost 500,000 individuals, the French Data Protection Authority (“CNIL“) issued a substantial fine (1.5M EUR) against Dedalus Biologie SAS (“Dedalus”) mainly for failure to comply with its data security and contractual obligations as a data Processor.
This matter is brought to you as this is one of the highest GDPR sanctions issued to-date by the CNIL, and the highest against a data Processor (as opposed to a data Controller).
The CNIL found that Dedalus’ agreements with its clients – the data Controllers – where lacking mandatory obligations as required under Article 28(3) of the GDPR, hence a data processing agreement “DPA” was not properly implanted between.
Takeaway #1: The responsibility for ensuring the existence of a contract between the controller and the processor could rest solely with the latter. The controller’s obligation under Article 28 does not impact the processor’s obligation. Processors must therefore ensure that their Data Processing Agreements are in line with the requirements of the GDPR, even if there are provisions that are less permissive
Furthermore, the CNIL’s investigation revealed that Dedalus had extracted and migrated a large amount of personal data more than required in the context of the data migration requested by the laboratories, including sensitive health data (e.g. health issues, infertility etc.). Since this personal data was not mentioned in the contractual documents, the CNIL concluded that Dedalus had exceeded its instructions, contrary to Article 29 of the GDPR.
Takeaway #2: The CNIL adopts a narrow approach to Controller instructions when assessing whether the Processor, exceeded these instructions. In view of this interpretation, Processors must clearly delineate which categories of processing may be processed.
Lastly, the CNIL concluded that Dedalus, which sells health and diagnosis e-management tools for biomedical analysis laboratories, is in breach of Article 32 of the GDPR, since it has failed to implement basic security procedures in relation to its data migration services. These security failings, such as the absence of encryption of sensitive data at rest, the lack of automatic deletion of migrated data stored on the server, or the lack of supervision and security alerts on the server, and the failure to conduct sufficient investigations following earlier alerts Dedalus received, facilitated the personal data breaches.
Takeaway #3: The CNIL’s decision underlines the importance of existing security and operational processes over the written policies adopted by the company.
For more information we will be happy to assist.
APM Privacy and Cyber Team.
