DEDALUS BIOLOGIE – €1,500,000 Fine (France, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
DEDALUS BIOLOGIE was fined EUR 1.5 million by the French data protection authority for a massive data leak affecting nearly 500,000 people. The company failed to secure sensitive medical data, leading to unauthorized access. This case highlights the importance of strong data security measures for companies handling personal information.
What happened
DEDALUS BIOLOGIE leaked sensitive personal data of nearly 500,000 individuals due to inadequate security measures.
Who was affected
Individuals whose medical data, including names and social security numbers, were exposed in the leak.
What the authority found
The French authority found DEDALUS violated GDPR by not securing personal data and extracting more data than necessary.
Why this matters
This case underscores the critical need for companies to implement robust security measures and comply with data protection agreements, especially when handling sensitive medical information.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The French DPA (CNIL) has imposed a fine of EUR 1.5 million on DEDALUS BIOLOGIE. DEDALUS distributes software solutions for medical analysis laboratories. In February, the press revealed a data leak at DEDALUS that exposed the data of nearly 500,000 individuals. The leaked data included the data subjects' surnames, first names, social security numbers, the names of their treating physicians, and data on their medical examinations and illnesses.
During its investigation, the CNIL found several violations of the GDPR. DEDALUS had violated Art. 29 GDPR by extracting more data than required in the course of processing on behalf of two laboratories. In addition, the DPA found that DEDALUS had failed to implement appropriate technical and organizational measures to ensure the security of personal data, which constitutes a violation of Art. 32 GDPR. For example, no specific procedure for data migration operations had been implemented. The leaked data had also not been stored in encrypted form on the server. In addition, the DPA found that DEDALUS lacked authentication for access to the public area of the server. The absence of such security measures was one of the main causes of the data leak.
Further, the DPA found that the contractual documents between DEDALUS and its customers did not comply with the requirements set forth in Art. 28 GDPR. When imposing the fine, the DPA treated the seriousness of the violations, in particular the security breaches, and the large number of individuals affected as aggravating factors.
Details
Fine Date: 15 April 2022
Authority: Commission Nationale de l'Informatique et des Libertés
Fine Amount: €1,500,000
Enforcement Tracker ID: ETid-1136
About this data
Cite as: Cookie Fines. DEDALUS BIOLOGIE - France (2022). Retrieved from cookiefines.eu