The CNIL had announced that the protection of health data was a priority area for controls in 2020, 2021, and 2023.
By deliberation of the Restricted Committee of May 11, 2023, the CNIL imposes two fines on DOCTISSIMO (1):
- €280,000 for breaches of the GDPR;
- €100,000 for breaches relating to the use of cookies.
More specifically, the CNIL noted:
1/ A breach of the obligation to keep the data for a period limited to the objective sought (article 5(1)(e) GDPR).
The CNIL considered that retention periods of 24 months and 3 months for data relating to tests carried out by Internet users (the collected test responses and the associated IP addresses) are excessive, because they do not correspond to the company's strict needs.
2/ A breach of the obligation to obtain the consent of Internet users to collect their health data (article 9 GDPR). The online tests did not include any warning or mechanism to collect the user's consent to the processing of their health data.
3/ A breach of the obligation to regulate by contract the processing carried out with another data controller (article 26 GDPR).
4/ A breach of the obligation to ensure the security of personal data (article 32 GDPR). The company used an insecure communication protocol until 2019 and passwords were stored in an insufficiently secure format.
5/ A breach of the obligations related to the use of cookies (article 82 of the Data Protection Act). Advertising cookies were placed even after clicking on the "refuse all" button.
It should also be noted that, for a certain number of the GDPR breaches, the company brought itself into compliance during the procedure, so that no injunctions are addressed to the company on these points; the CNIL reminds, however, that this does not absolve the company of its responsibility for the past.
(1) Deliberation of the restricted committee no SAN-2023-066 of May 11, 2023 concerning the company DOCTISSIMO