Background information
- Date of final decision: 5 September 2024
- National case
- Legal Reference (s): Article 5 (Principles relating to processing of personal data)
- Decision: Administrative fine
- Key words: Health records, Anonymisation, Lawfulness of processing
Summary of the Decision
Origin of the case
The French Supervisory Authority (SA) carried out investigations in 2021 which revealed, in connection with the use of one of its software products, that the company CEGEDIM SANTÉ had processed, without authorisation, non-anonymous health data, transmitted to its customers in order to carry out studies and produce statistics in the health sector.
As part of its business, the company offers a panel of doctors using one of these software packages the opportunity to join an "observatory". Data collected are then used by CEGEDIM SANTÉ's customers, in particular for research purposes.
Key Findings
Firstly, French SA's investigations revealed that data were not anonymous, but only pseudonymous, since it was technically possible to re-identify the people concerned.
As this involved the processing of personal data, the company should have obtained authorisation from the French SA to use them (Article 66.III of the French Data Protection Act).
To assess whether or not the data processed is anonymous, the restricted committee focused on determining whether the data subjects could be re-identified by reasonable means, as provided for by the case law of the Court of Justice of the European Union and the work carried out by data protection authorities at European level (Article 29 Working Party, Opinion 05/2014 on anonymization techniques of April 10, 2014).
Then, the French SA found two breaches:
- Failure to comply with the obligation to carry out prior formalities in the health sector regarding French law (Article 66 of the French Data Protection Act). The restricted committee considered that the company did not submit any request for authorisation to the French SA and didn’t send a declaration of compliance with one of its repositories to the French SA, even though it constituted a health data warehouse.
- Failure to comply with the obligation to process data lawfully (Article 5.1.a of the GDPR). The company used the “HRi” teleservice set up by the health insurance, which provides access to the history of health reimbursements made by the health insurance for a patient over the last twelve months. However, that consultation of the data from this teleservice by a doctor who was a member of the "observatory" automatically led to the data being downloaded into the electronic patient file, enabling the company to collect it at the same time. The restricted committee considered that, by not providing for the possibility of data simply being consulted by doctors without leading to automatic collection, the company had not processed the data lawfully.
Decision
The French SA imposed a fine of EUR 800 000 on CEGEDIM SANTÉ.
For further information: national press release, Données de santé : sanction de 800 000 euros à l’encontre de la société CEGEDIM SANTÉ (French), Health data: CEGEDIM SANTÉ fined €800,000 (English)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.