The French Data Protection Authority has fined CEGEDIM Santé 800,000 euros for the unauthorized processing of health data
14 October 2024
On September 5th 2024, the French Data Protection Authority (the CNIL) fined the French company CEGEDIM Santé 800,000 euros for failure to comply with data protection regulations. In this decision, the CNIL clarified the distinction between pseudonymized data (subject to the GDPR) and anonymized data (not subject to the GDPR).
CEGEDIM Santé publishes and sells management software to physicians, to help them organize their calendars and patient files. The company offers physicians using its software the option to join an "observatory", a database built from the collected data that CEGEDIM Santé customers can use for research purposes.
The CNIL found that the health data collected was not anonymized, but only pseudonymized. To reach its decision, the CNIL had to determine whether data subjects could be re-identified by reasonable means. The patient data collected by CEGEDIM Santé was extensive and included birth year, gender, socio-professional category, allergies, medical history, height, weight, diagnosis, medical prescriptions, sick leaves and analysis results. Each patient of the same doctor had a unique identifier connected to the data, allowing patients' healthcare pathways to be reconstructed. Thus, an individual could be isolated within the database. Since the company held extensive and detailed information about patients, there was a risk of re-identification. The CNIL found this risk too high to consider that the data was anonymized.
Since the data collected was not anonymized but pseudonymized, it was subject to data protection laws. The CNIL found CEGEDIM Santé in breach of two obligations:
Authors: Nicolas Quoy, Partner; Antoine Boullet, Senior Associate; Anne Wecxsteen, Trainee Solicitor
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.