Legal development

The French Data Protection Authority has fined CEGEDIM Santé 800,000 euros for the unauthorized processing of health data


    On September 5th 2024, the French Data Protection Authority (the CNIL) fined the French company CEGEDIM Santé 800 000 euros for failure to comply with data protection regulations. In this decision, the CNIL clarified the distinction between pseudonymized data (subject to the GDPR) and anonymized data (not subject to the GDPR).

    CEGEDIM Santé publishes and sells practice-management software to physicians, helping them organize their calendars and patient files. The company offers physicians using its software the option to join an "observatory", a database built from the data collected through the software, which CEGEDIM Santé customers can use for research purposes.

    The CNIL found that the health data collected was not anonymized, but only pseudonymized. To reach its decision, the CNIL had to determine whether data subjects could be re-identified by reasonable means. The patient data collected by CEGEDIM Santé was extensive and included birth year, gender, socio-professional category, allergies, medical history, height, weight, diagnoses, medical prescriptions, sick leave and test results. Each patient of a given doctor had a unique identifier linked to this data, allowing the patient's healthcare pathway to be reconstructed. An individual could therefore be isolated within the database. Since the company held extensive and detailed information about patients, there was a risk of re-identification, and the CNIL found this risk too high for the data to be considered anonymized.
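    To illustrate the isolation reasoning above with constructed data (this is an added example, not part of the article or of the CNIL decision; the record layout, sample values and function names are assumptions), the snippet links rows by their pseudonymous patient identifier into a "pathway" and then measures the smallest group of patients sharing the same profile. Without the linked pathway every quasi-identifier combination is shared by several patients; once the pathway is reconstructed through the identifier, some patients become unique, i.e. they can be singled out, which is what keeps the data pseudonymized rather than anonymized.

```python
from collections import Counter

# Constructed sample records, one row per consultation (not the CNIL's data).
# Layout assumed: (pseudonymous patient id, birth year, sex, socio-professional
# category, diagnosis recorded at that visit).
RECORDS = [
    ("P1", 1961, "F", "retired", "hypertension"),
    ("P1", 1961, "F", "retired", "type 2 diabetes"),
    ("P2", 1961, "F", "retired", "hypertension"),
    ("P3", 1984, "M", "employee", "asthma"),
    ("P3", 1984, "M", "employee", "pollen allergy"),
    ("P4", 1984, "M", "employee", "asthma"),
    ("P4", 1984, "M", "employee", "pollen allergy"),
]


def link_pathways(records):
    """Group rows by pseudonym: the stable identifier is what lets every visit of a
    patient be joined into one healthcare pathway (quasi-identifiers + diagnoses)."""
    profiles = {}
    for pid, birth_year, sex, socio_prof, diagnosis in records:
        quasi, diagnoses = profiles.setdefault(pid, ((birth_year, sex, socio_prof), set()))
        diagnoses.add(diagnosis)
    return {pid: (quasi, frozenset(dx)) for pid, (quasi, dx) in profiles.items()}


def class_sizes(profiles, with_pathway):
    """Count patients per profile. with_pathway=False looks only at the quasi-identifier
    tuple; with_pathway=True adds the reconstructed set of diagnoses."""
    key = (lambda q, d: (q, d)) if with_pathway else (lambda q, d: q)
    return Counter(key(q, d) for q, d in profiles.values())


def min_class_size(profiles, with_pathway):
    """k-anonymity style check: the smallest group sharing a profile. k == 1 means at
    least one patient is isolated in the database."""
    return min(class_sizes(profiles, with_pathway).values())


def singled_out(profiles, with_pathway=True):
    """Patient ids whose profile is shared with no other patient."""
    sizes = class_sizes(profiles, with_pathway)
    key = (lambda q, d: (q, d)) if with_pathway else (lambda q, d: q)
    return {pid for pid, (q, d) in profiles.items() if sizes[key(q, d)] == 1}


if __name__ == "__main__":
    profiles = link_pathways(RECORDS)
    print("k without pathway:", min_class_size(profiles, with_pathway=False))
    print("k with pathway:   ", min_class_size(profiles, with_pathway=True))
    print("singled out:      ", sorted(singled_out(profiles)))
```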

    Since the data collected was pseudonymized rather than anonymized, it remained subject to data protection law. The CNIL found CEGEDIM Santé in breach of two obligations:

    • The obligation to request the CNIL's authorization before processing data in the health sector (Article 66 of the French Data Protection Act)
    • The obligation to process data lawfully (Article 5.1.a of the GDPR). Indeed, when a physician who was a member of the "observatory" consulted a teleservice set up by the French Health Insurance, the data was automatically collected into the "observatory", with no way to consult the data without also collecting it.


    Authors: Nicolas Quoy, Partner; Antoine Boullet, Senior Associate; Anne Wecxsteen, Trainee Solicitor

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.