Doctissimo – €380,000 Fine (France, 2023)
Doctissimo was fined €380,000 for using cookies on its website without getting consent from users. The site collected personal data through quizzes and other features without proper transparency. This ruling is important because it reinforces the need for websites to obtain user consent before tracking their data.
What happened
Doctissimo was fined €380,000 for placing cookies on its website without user consent.
Who was affected
Website visitors who interacted with Doctissimo's online content and had their data tracked.
What the authority found
The authority found that Doctissimo violated data protection rules by using cookies without obtaining proper consent.
Why this matters
This case serves as a reminder for website operators to ensure they have clear consent mechanisms in place for tracking user data.
GDPR Articles Cited
Original scraped data
Original data from scraper before AI verification against source document.
Doctissimo (controller) operates a website that offers articles, tests, quizzes and discussion forums about health and well-being. On 26 June 2020, Privacy International filed a complaint with the French DPA against the controller. This complaint concerned all the processing operations carried out by the controller on its website and, in particular, the use of cookies without consent, the legal basis for the processing related to online health tests, the obligation of transparency and data security.
The DPA carried out several investigations, both online and at the controller's office. Since the controller operated cross-border processing operations but the controller's principal place of business was in France, in accordance with Article 56 GDPR, the French DPA informed other authorities of its competence as lead supervisory authority. No relevant and reasoned objection was raised by any authority.
The investigation service noted various elements. In particular:
(1) As regards the quizzes data, the controller outsourced this processing and stored the data, as well as the email address of the users, for 24 months. The controller explained that these data were kept for three purposes: communicating the result to the user, enabling the user to share the result and producing statistics. During the procedure, the controller changed the retention period to 3 months and asked their processor to anonymise the data.
(2) On the retention period of accounts created by users of the website, the controller explained that data is anonymised when a user is inactive for three years. However, the investigation showed that it was still possible to individualise users indirectly.
(3) Regarding consent to process special categories of personal data, the controller did not obtain specific consent to process health data. The controller explained that there was confusion about the definition of sensitive data.
(4) There was no contract under Article 26 GDPR although the controller con
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Doctissimo in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 11 May 2023
Authority: Commission Nationale de l'Informatique et des Libertés
Fine Amount: €380,000
GDPRhub ID: gdprhub-5936
About this data
Cite as: Cookie Fines. Doctissimo - France (2023). Retrieved from cookiefines.eu