Administrative fine of 1.5 million euros imposed by the French lead supervisory authority on Dedalus Biologie for infringement of Articles 28, 29 and 32 of the GDPR
The National Center for Personal Data Protection (NCPDP) communicates, for information and application purposes, the administrative fine of 1.5 million euros imposed by the French lead supervisory authority (CNIL) on Dedalus Biologie for infringement of Articles 28, 29 and 32 of the GDPR.
On February 23, 2021, a massive data breach affecting nearly 500,000 people and involving the company Dedalus Biologie was revealed in the press. These people's surnames, first names, social security numbers, the name of the prescribing doctor, the date of the examination and, above all, medical information (HIV, genetic diseases, drug therapy or genetic data) were thus released on the Internet.
The French lead supervisory authority carried out several on-site and online investigations, in particular concerning the company Dedalus Biologie, which sells software solutions for medical analysis laboratories. Based on the elements collected during the investigations, CNIL identified three breaches.

First, in the context of the migration of a software package to another tool, requested by two laboratories using the services of Dedalus Biologie, the company extracted a larger volume of data than the migration required. It therefore processed data beyond the instructions given by the data controller and failed to comply with Article 29 GDPR.

Second, the company had not ensured the security of personal data within the meaning of Article 32 GDPR. Numerous technical and organisational security failures were found in the context of the migration from one software package to another: no specific procedure for data migration operations; no encryption of the personal data stored on the server concerned; no automatic deletion of the data after migration to the other software; no authentication required to access the public area of the server from the Internet; and no procedure for monitoring and reporting security alerts on the server.

Third, it was also established that the general conditions of sale proposed by the company Dedalus Biologie and the maintenance contracts transmitted to the CNIL did not contain the mentions provided for in Article 28(3) GDPR.
In this context, CNIL imposed on Dedalus Biologie an administrative fine of 1.5 million euros for non-compliance with Articles 28, 29 and 32 of the GDPR and made the decision public.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.