Francetest – Violation Found (France, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Francetest faced scrutiny for not securing users' personal data on their COVID-19 testing website. The French authority found ongoing security issues that risked data confidentiality. This case emphasizes the need for strong data protection measures, especially for sensitive health information.
What happened
Francetest's website had security flaws that risked exposing users' personal and health data.
Who was affected
People using Francetest's website to manage their COVID-19 antigen tests were at risk of having their data exposed.
What the authority found
The CNIL found Francetest's security measures inadequate, violating GDPR's requirement to protect personal data.
Why this matters
This case highlights the critical importance of robust data security, especially for health-related services. Companies must regularly review and strengthen their security practices to protect sensitive information and comply with regulations.
GDPR Articles Cited
National Law Articles
Francetest.fr is a website operated by a French company (hereafter 'Francetest') for the management of antigenic testing against COVID-19. In particular, data subjects can register themselves and receive the results of their antigenic tests via this website.
On 27 August 2021, following an anonymous report, the CNIL checked for potential data security issues on the website "francetest.fr". Those checks confirmed the existence of a data breach. A few days later, on 9 September 2021, auditors from the CNIL carried out an on-site check at Francetest to verify that the processing of personal data was carried out in accordance with the GDPR and the French law n°78-17 of 6 January 1978 implementing the GDPR (hereinafter: the Information Technology and Freedoms Act). During this audit, it was found that several security shortcomings persisted, despite Francetest having already taken several measures after becoming aware of the data breach. These deficiencies posed a risk to the confidentiality of the personal data processed via the website.
By a decision dated 4 October 2021 (the Decision), the President of the CNIL delivered an injunction against Francetest to put an end to the data breach within two months, in application of Article 32 GDPR and Article 20 of the Information Technology and Freedoms Act. Subsequently, pursuant to Article 20, last paragraph of the Information Technology and Freedoms Act, a commission was convened by the President of the CNIL on 11 October 2021 to rule on the publication of the decision (hereinafter, the Commission).
The Commission considered that the publication of the Decision was justified in view of the sensitivity of the data processed (i.e. health data) and the need to ensure that all persons involved in the processing operations concerned, including the organisations using the services, would be fully informed of the existence of persistent data breaches. The Commission emphasised that, in addition to the results of antigenic
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
Related Enforcement Actions (0)
No other enforcement actions found for Francetest in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Decision Date
11 October 2021
Authority
Commission Nationale de l'Informatique et des Libertés
GDPRhub ID
gdprhub-4327
Cite as: Cookie Fines. Francetest - France (2021). Retrieved from cookiefines.eu