Personal data: the CNIL carries out a series of investigations and sanctions – Alan Walter’s analysis

Having shown itself to be increasingly vigilant on these issues, the CNIL made public on April 21 a fine of 1.5 million euros against the company Dedalus Biologie, for “breach of the obligation to ensure the security of personal data“, considering that a flaw in its software security was the cause of medical data concerning nearly 500,000 French people being made freely available on the Internet.

This decision extends the list of companies sanctioned over the past two years, in France and in Europe. On March 15, Meta was fined 17 million euros by the Data Protection Commission, the “Irish CNIL”, following unauthorized access to the personal data of users of the Facebook platform. British Airways and Marriott were respectively fined 20 million pounds and 18.4 million pounds by the UK ICO in October 2020. In France, Slimpay paid a fine of 180,000 euros, at the end of December 2021, while Free Mobile paid 300,000 euros for the same reason.

In order to impose such sanctions, the CNIL, like its European counterparts, relies on Article 32 of the GDPR relating to the obligation of data security. In fact, the data protection authorities not only conduct investigations to ensure that the procedures implemented are adequate to prevent data leaks, but also examine whether there may be a breach of the obligation to notify the data breaches to the competent authorities and to inform the data subjects of such breaches, pursuant to Articles 33 and 34.

According to the penalties imposed regularly, no one can now ignore that the GDPR affects all professionals processing personal data, regardless of their size and business sector. This is evidenced in particular by the fines imposed at the end of 2020 by the CNIL on two French doctors, of 3,000 and 6,000 euros, on the pretext that the medical images they stored on servers were freely accessible on the Internet and were not systematically encrypted.

What’s more, the CNIL is multiplying its controls, to the extent that it pronounced half of its sanctions citing poor data security last year. In this context, we can only encourage all the professionals concerned to ensure their compliance with the GDPR in a preventive manner, by scrupulously checking that they have implemented systems that comply with legal obligations and above all… stick to them over time.