The CNIL fined DOCTISSIMO €380,000 because it failed to comply with obligations under the GDPR, in particular obtaining consent of individuals to the collection and use of their health data, and because it didn't comply with the rules on cookies.
Following a complaint by the PRIVACY INTERNATIONAL association, the CNIL carried out four investigations into DOCTISSIMO. The doctissimo.fr website mainly offers articles, tests, quizzes and discussion forums related to health and well-being for the general public.
During its investigations, the CNIL noted several infringements, in particular concerning the duration of data retention, the collection of health data via online tests, the security of data, as well as the way cookies are deposited on users' terminals.
Consequently, the restricted committee — the CNIL body responsible for imposing sanctions — imposed two fines against DOCTISSIMO:
- a fine of €280,000 for infringements of the General Data Protection Regulation (GDPR). This fine was imposed in cooperation with all the CNIL’s European counterparts within the framework of the one-stop-shop procedure, as the website has visitors from all the Member States of the European Union.
In order to determine the amount of the fine, the CNIL took into account the nature and seriousness of the breaches, the categories of personal data (health data) and the number of individuals concerned, as well as the financial situation of the company. It also took into account the fact that, in view of its nature and business sector, i.e. the provision of digital health-related content, the company should have exercised increased vigilance with regard to obtaining the consent of individuals to the collection of their health data.
The CNIL has identified four infringements of the GDPR and an infringement of the French Data Protection Act by DOCTISSIMO.
Failure to store data for no longer than is necessary for the purposes for which they are processed (Article 5.1(e) GDPR)
The company kept data relating to the tests carried out by Internet users for 24 months, later reduced to 3 months, from their completion. The CNIL considered that these retention periods are excessive, because they do not correspond to what is strictly necessary for the company, which collects data from the tests in order to allow users to read their results, to share them, and to produce aggregated statistics.
For example, the data of users whose account had been inactive for more than three years was also kept, without any anonymization procedure.
Failure to obtain consent from individuals to collect their health data (Article 9 GDPR)
Doctissimo did not provide any specific warning or consent mechanism on its online tests to ensure that users were aware of the processing of their health data, which is considered particularly sensitive under the GDPR, and that they had given their consent.
According to the company, the collection of health data concerned about 5 % of the tests.
Failure to provide a formal legal framework for the processing operations carried out jointly with another data controller (Article 26 GDPR)
The company DOCTISSIMO processes personal data jointly with other companies, in particular for the marketing of advertising space on the website. These joint-controller relationships were not governed by any formal document, such as a contract.
In particular, such a document must set out the division of obligations between the controllers.
Failure to ensure the security of personal data (Article 32 GDPR)
Until October 2019, the company used the unencrypted “http” communication protocol, which is not secure and therefore exposed the data to a risk of computer attacks or data breaches.
In addition, it kept users’ passwords in an insufficiently secure format, even though they gave access to the personal space containing, among other things, the surname, first name, date of birth, e-mail address and gender of the individual concerned.
The CNIL observed that an advertising cookie was deposited on users’ terminals without their consent as soon as they arrived on the website, and that two advertising cookies were deposited after clicking on the “REFUSE ALL” button.
The CNIL considered that the lack of consent affected every visitor of the website, i.e. hundreds of millions of Internet users.
Since the company had taken measures to remedy all the infringements, the CNIL closed the procedure.
- Article 5 of the GDPR - Principles relating to processing of personal data
- Article 9 of the GDPR - Processing of special categories of personal data
- Article 26 of the GDPR - Joint controllers
- Article 32 of the GDPR - Security of processing
- Article 82 of the French Data Protection Act (in French) - Rules on cookies and other trackers