On April 21, 2022, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced its decision to fine medical software company Dedalus Biologie €1.5 million following a data breach that exposed health information of nearly 500,000 people. The CNIL noted the company violated several GDPR obligations, including implementing appropriate security measures, entering into compliant data processing agreements with customers and processing personal data according to customers’ instructions.
The significance of the decision lies in the message that data protection authorities can fine directly processors who are subject to the GDPR for their own violations. Processors cannot shield themselves behind a controller’s failure to comply or to provide clear processing instructions.
The CNIL launched an investigation against the software provider following news reports concerning a massive data breach that affected nearly 500,000 individuals, whose personal data was processed through the company’s software for medical analysis laboratories. Identification data and health data (including medical conditions and treatments) were released on the Internet.
Failure to enter into GDPR compliant DPAs with customers.
Based on a factual analysis of the processing activities associated with the services, the CNIL determined that the software provider should be regarded as a processor on behalf of medical laboratory customers using its services.
The CNIL found that the company’s standard service agreement provided to customers did not contain any of the mandatory data processing provisions required by Article 28(3) of the GDPR.
The company sought to argue that the obligation under Article 28 to enter into a data processing agreement lies equally with the controller and the processor and that the company should not be held solely responsible for the failure.
The CNIL concluded that the controller’s obligation had no impact on the existence of a separate, independent obligation for the processor. Consequently, the CNIL determined that the company in its role as a processor should alone be held responsible for the lack of a compliant data processing agreement with customers/controllers.
Processing of personal data beyond customers’ instructions.
In the context of the migration of a software package to another software tool, requested by two customers of the company, the CNIL’s investigation found that the company exceeded the customers’ instructions by extracting and migrating more personal data than required.
The company argued that its customers validated the migration by means of “after-sales service tickets.” However, the CNIL found that those tickets only provided a description of measures taken by the company’s support team and did not provide sufficient evidence of compliance with customers’ instructions nor constituted a validation of the company’s processing activities.
As a consequence, the CNIL determined that the company breached Article 29 of the GDPR, which prohibits the processor from processing personal data except on instructions from the controller.
Interestingly, the CNIL’s decision does not address the possibility that the company acted as a controller in its own right by exceeding the customers’ instructions or not obtaining sufficient validation regarding the data migration activities. The absence of data processing agreements with customers (as noted above) should also have been taken into account.
Failure to adopt appropriate security measures.
The CNIL next found that the company failed to implement appropriate security measures within the meaning of Article 32 GDPR, including encrypting sensitive personal data on a compromised server, conducting sufficient investigations following security concerns raised by a company employee in 2020, implementing appropriate data deletion protocols after migration, and requiring authentication from the Internet to access the public area of the server.
The CNIL also noted that the seriousness of the violations, the number of individuals affected, and the risks those individuals face due to their sensitive data potentially being in the hands of cybercriminals warranted a significant financial penalty and the publication of the CNIL’s decision. The CNIL has not indicated if any customers of the company are under investigation.
TAKEAWAYS FOR BUSINESSES
Processors are widely considered to have a subordinated role to controllers under the GDPR and, to date, fines against processors have been limited. However, the CNIL’s decision is a wake-up call for software providers and other processors who are subject to the GDPR to be prepared for EU authorities’ investigations in relation to their activities.
Processors should also consider making sure there is appropriate documentation regarding the controllers’ instructions for the specific processing activities carried out on their behalf. Regulators may scrutinize this documentation to confirm processors’ compliance with the controllers’ instructions.