NEXTPUBLICA France – €1,700,000 Fine (France, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Nextpublica, a software consulting company (the processor), provided the Maison Départementale pour les Personnes Handicapées (MDPH), a public interest group (the controller), with software for processing files relating to persons with disabilities. This software enabled users (data subjects) to upload their files and track their progress via an online portal. On 2 November and 10 November 2022, data subjects using the portal reported to the controller that they had access to files relating to other data subjects. On 22 November 2022, the controller notified the data breach to the DPA. The breach was found to be due to a configuration mistake made by the processor. After an on-site inspection, the DPA opened an investigation. The dispute concerned the processor’s responsibility for implementing adequate security measures under Article 32 GDPR.

On the fairness of the procedure: At first, the DPA rejected the argument based on a violation of Article 6 ECHR. The DPA pointed out that the right not to incriminate oneself is not incompatible with the sharing of the complainant’s internal reports, even under coercive measures. What’s more, the disclosed reports are evidence on which the DPA can base its argument.

About responsibilities: The DPA assessed Article 4(8) GDPR, Article 28(3)(a) GDPR and Article 32 GDPR together. The DPA noted that the contract binding the processor and the controller, as well as the processor’s expertise as a software consulting company, showed that the processor was responsible for ensuring data security. As a result, the processor was also responsible for its sub-processors’ compliance with the GDPR, especially when they introduced a block of computer code into the software’s code.

On the violation of Article 32 GDPR: The DPA recalled that the definition of security measures must take into account the state of the art and the cost of such measures, but also the risks of the processing and the category of personal data processed. The rapporteur n
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for NEXTPUBLICA France in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
22 December 2025
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€1,700,000
GDPRhub ID
gdprhub-9723
Cite as: Cookie Fines. NEXTPUBLICA France - France (2025). Retrieved from cookiefines.eu