Cegedim – €800,000 Fine (France, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Cegedim is a company providing IT products and services for healthcare professionals, inter alia, software enabling doctors to manage patients’ data (basic identification data, as well as health history, diagnoses, prescribed medicines or procedures; and data coming from third parties, including the HRI system, i.e. the national health identifier system). The users of the software were offered an option to enrol for research (health-sector studies and statistics) performed by Cegedim and its business partners. In exchange for access to patients’ data, the software users received a discount on the licence and access to statistics created by Cegedim. To enable the transfer of data from the users’ software, Cegedim encrypted patient data and assigned each patient a unique identifier. The identifier indicated the category of doctor visited, which made cross-doctor examination of the data possible every time the patient visited the same kind of doctor, regardless of its location. The patients’ data collected by Cegedim was stored for three months and then transferred to Cegedim’s business partners. According to Cegedim, since the patients’ data was anonymised, the GDPR was no longer applicable to the processing at hand. The French DPA (CNIL) initiated an ex officio investigation to examine the practices of Cegedim. The DPA rejected Cegedim’s interpretation that it processed anonymised data. Under Recital 26 GDPR, quoted by Cegedim, pseudonymised data is still personal data covered by the GDPR. It was clear to the DPA that Cegedim processed personal data which was only pseudonymised, because the identifiers assigned to patients’ data allowed Cegedim to single out each patient. Also, as proved during the investigation, it was possible to re-identify a patient using reasonable means and the data processed by Cegedim, even without access to additional information. Hence, Cegedim failed to assess the risk of re-identification. Regarding the nature of Cegedim
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Cegedim in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
5 September 2024
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€800,000
GDPRhub ID
gdprhub-8298
Cite as: Cookie Fines. Cegedim - France (2024). Retrieved from cookiefines.eu