French Data Protection Authority Fines Processor for Failing to Enter into Data Processing Agreement

France’s data protection authority, the Commission Nationale de Informatique et des Libertés (“CNIL”), has issued one of its highest General Data Protection Regulation (“GDPR”) sanctions to-date against Dedalus Biologie SAS (“Dedalus”), a software publisher that sells and services solutions for use by medical laboratories. Dedalus acts as a data processor on behalf of its clients.

In late April 2022, the CNIL announced a €1.5m fine against Dedalus for breaching articles 28(3), 29 and 32 of the GDPR. The triggering event was a personal data breach that led to the dissemination of sensitive health data (including medical conditions and treatments) and other personal data, such as identity, of almost 500,000 individuals. The leak, which was attributed to data exfiltration undertaken by unauthorized third parties from a poorly protected server, was first revealed publicly by a French newspaper in February 2021, but security concerns were raised by an employee almost a year prior, in March 2020. In November 2020, the French National Information Security Agency (“ANSSI”) alerted a medical laboratory that the personal data of its clients appeared for sale on the darknet. The medical laboratory in question immediately relayed the ANSSI findings to Dedalus.

Notable takeaways from the CNIL decision include:

1. When it comes to appropriate security measures, controllers and processors should “walk the walk”, not just “talk the talk”.

The CNIL’s decision identifies several security failings at Dedalus, including:

• A general failure to implement security procedures in relation to its data migration services, including an absence of data encryption.
• A failure to conduct sufficient investigations following the alerts it received in 2020.
• The absence of elementary security measures, including no encryption of sensitive personal data “at rest” on the compromised server.
• No automatic suppression of migrated data, leading to unwarranted retention.
• Accessibility of the server and laboratory data was possible without authentication from the internet.
• The absence of any supervision or security alert escalation procedures on the compromised server.

These security failings facilitated the personal data breaches (more than one breach was identified by the CNIL investigation), and that constituted a breach of Article 32 of the GDPR. Notwithstanding efforts by Dedalus to argue in its defense that it has since adopted more rigorous security processes, the CNIL’s decision does not focus on the written policies adopted by the company, nor on measures that were in place, but on the gaps in the existing security processes. This approach is similar to that taken by the Irish Data Protection Commissioner and the UK Information Commissioner in recent decisions (see our prior update on the decision in Ireland).

2. Processors may be held solely responsible for ensuring the existence of a contract or other legal act between it and the controller, as required by Article 28(3) of the GDPR.

The CNIL’s investigation of Dedalus revealed that the contractual documentation in place with its clients did not contain the mandatory contractual obligations required by Article 28 of the GDPR, either in the terms of sale or as part of its maintenance agreements.

The company sought to argue that the obligation under Article 28 to enter into an agreement lies equally with the controller and processor and that they should not be held solely responsible for the failure.

Article 28(3) of the GDPR does not clearly state whether one or both controller and processor are responsible for ensuring the existence of an agreement. The European Data Protection Board, in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR, provides that “both the controller and processor are responsible for ensuring that there is a contract or other legal act to govern the processing. Subject to the provisions of Article 83 of the GDPR, the competent supervisory authority will be able to direct an administrative fine against both the controller and the processor, taking into account the circumstances of each individual case.” Arguably this language suggests that both parties should be sanctioned in case of a breach of Article 28(3); it does not state that the supervisory authority may fine the controller or the processor, depending on the facts. A footnote in the guidance does provide that where the processor is the only party subject to the GDPR, then it alone will be responsible for ensuring the existence of a processing agreement.

The CNIL concluded that the controller’s obligation had no impact on the existence of a separate obligation for the processor. Consequently, the processor alone may be held responsible for the absence of a data processing agreement between it and the controller. This is probably the most effective outcome to achieve the objectives of the GDPR. In the facts at hand, it was Dedalus that provided its contractual documentation to its clients.

3. The CNIL’s assessment as to whether the company, as a processor, exceeded its clients’ instructions, adopts a narrow approach to controller instructions.

According to the decision, almost 3,000 private medical laboratories and between 30 to 50 public laboratories are equipped with the company’s software solutions.

For the two laboratory clients implicated in the breach, the CNIL investigation found that the company had extracted and migrated more personal data than required in the context of the data migration requested by the clients, and thus had exceeded its instructions. These findings were the result of a detailed review of documentation associated with the services performed by Dedalus and an audit of the two laboratory clients.

The company maintained that its clients validated the migration by means of “after-sales service tickets.” These tickets were the only evidence of client validation provided by Dedalus, and since they only provide an overview of measures taken by the company’s support team, they do not constitute a validation of processing Dedalus’ activities.

As a consequence, Dedalus was found to have breached Article 29 of the GDPR.

4. The amount of the sanction relative to revenues and profits is significant, reflecting the seriousness of the breach and the absence of measures taken by the company to prevent dissemination of the personal data.

The maximum fine that could have been imposed on Dedalus by the CNIL under the GDPR was 2% of global revenues or €10 million, whichever is greater.

The company had a revenue of €18.8m euros and €2,226,949 in net profit in 2019. In 2020, they had a revenue of €16.3m euros and a net profit of €1,437,017. The €1.5m sanction imposed by the CNIL is nearly 9% of its average revenue in 2019 and 2020.

Although Dedalus sought to highlight its cooperation with the investigation as a mitigating factor, the CNIL noted that the company did not actually take any specific measures to limit the dissemination of the personal data once it became aware of its availability online. Indeed, it was the CNIL that sought an injunction to block online access to the files containing patient data.

In addition, the CNIL held that due to the seriousness of the failings, in particular to the lack of security and the number of individuals concerned, publication of the decision with the name of the company was justified.

If you have questions about this update, or your company's data processing activities, please contact the authors of this update.