[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6euc9tErURXAj4tduByjLkWWkjjoHZfKr__MxNFCb9I":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"b686aaef-3bef-4dca-a3cb-9b598fb6f701","CNIL (France) - SAN-2026-008","cnil-france-san-2026-008-f6ca40","Revision as of 11:54, 29 May 2026. Line 43: |National_Law_Name_1=Article 66 of Act n°78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (unchanged). |National_Law_Link_1 changed from https:\u002F\u002Fwww.ssi.ens.fr\u002Ftextes\u002Fa78-17-text.html to https:\u002F\u002Fwww.legifrance.gouv.fr\u002Floda\u002Farticle_lc\u002FLEGIARTI000038888793. |National_Law_Name_2= and |National_Law_Link_2= (empty, unchanged). Line 89: the piped links [[Article 14 GDPR|Article 14 GDPR]] and [[Article 25 GDPR|Article 25 GDPR]] were simplified to [[Article 14 GDPR]] and [[Article 25 GDPR]]; the text is otherwise unchanged and reads as follows. 
Regarding the EMR repository, the DPA found a breach of Article 66 of the French Data Protection Act. The controller had been authorised to create the EMR repository subject to specific conditions. However, the information notices provided to patients stated that their data would be retained for the duration of the studies and analyses conducted by the controller and its contractual partners, whereas the authorisation provided for retention in an active database for ten years before anonymisation or deletion. The DPA therefore considered that the information provided to patients was inaccurate. It also found that the controller had not ensured the effective exercise of patients’ right to object regarding data already collected in the EMR repository. 
Regarding the LRX repository, the DPA found a breach of [[Article 14 GDPR]]. The controller relied on partner pharmacists to inform patients about the processing of their data. However, inspections at four pharmacies showed that patients were not provided with the required information notices and that the relevant information was not properly displayed. The DPA held that, irrespective of the practical channel used to provide the information, the obligation under [[Article 14 GDPR]] remained with the controller. The failure was particularly serious because patients had their health data processed without being aware of it and were therefore unable to exercise their rights. 
The DPA further found a breach of Article 66 of the French Data Protection Act concerning studies carried out by the controller using the LRX warehouse. The DPA held that the authorisation granted for the LRX repository covered the creation of the warehouse only, and not the subsequent studies conducted using that warehouse. Those studies constituted separate processing operations involving personal health data. Since they had not been specifically authorised and did not validly comply with the MR-004 reference methodology, in particular due to the lack of prior and individual information to patients, the DPA found that they were unlawful. 
Finally, the DPA found a breach of [[Article 25 GDPR]]. The pharmacy software modules systematically extracted and transmitted patient data to the first trusted third party even where the pharmacy had chosen not to transmit patient data for the LRX panel. The DPA considered that this filtering should have occurred upstream, at the pharmacy software level, so that unnecessary patient data would not be extracted or transmitted in the first place. The controller had therefore failed to implement appropriate technical and organisational measures to ensure data protection by design and by default. 
The DPA imposed a fine of €5,000,000 on the controller for breaches of Article 66 of the French Data Protection Act and Articles 14 and 25 GDPR. It also ordered the controller to bring its processing into compliance, including by providing accurate information to EMR patients, ensuring the effective exercise of the right to object, ensuring that pharmacy patients are informed of the transfer of their data, ceasing unauthorised studies from the LRX warehouse, and preventing pharmacy software modules from extracting patient data where the pharmacist had refused such transmission. The order was subject to a daily penalty of €10,000 after six months. The decision was published, with the controller’s name to be removed after two years.","France's CNIL (Data Protection Authority) issued a €5 million fine against a healthcare data controller for multiple GDPR and French Data Protection Act violations. Violations included failing to provide accurate information notices to patients in the EMR repository, not ensuring patients' right to object, failing to inform pharmacy patients about data transfers (Article 14 GDPR breach), conducting unauthorised studies on health data, and implementing insufficient data protection by design in pharmacy software that systematically extracted patient data without consent.","CNIL fines healthcare data controller €5M for GDPR breaches in EMR and pharmacy repositories.","CNIL (France) - SAN-2026-008: Difference between revisions. From GDPRhub. Revision as of 11:51, 29 May 2026 by Bms (Tag: submission [1.0]); latest revision as of 11:54, 29 May 2026 by Bms (Tag: Visual edit). Line 43: |National_Law_Name_1=Article 66 of Act n°78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (unchanged). |National_Law_Link_1 changed from https:\u002F\u002Fwww.ssi.ens.fr\u002Ftextes\u002Fa78-17-text.html to https:\u002F\u002Fwww.legifrance.gouv.fr\u002Floda\u002Farticle_lc\u002FLEGIARTI000038888793. |National_Law_Name_2= and |National_Law_Link_2= (empty, unchanged). Line 89: the piped links [[Article 14 GDPR|Article 14 GDPR]] and [[Article 25 GDPR|Article 25 GDPR]] were simplified to [[Article 14 GDPR]] and [[Article 25 GDPR]]; the text is otherwise unchanged and reads as follows. 
Regarding the EMR repository, the DPA found a breach of Article 66 of the French Data Protection Act. The controller had been authorised to create the EMR repository subject to specific conditions. However, the information notices provided to patients stated that their data would be retained for the duration of the studies and analyses conducted by the controller and its contractual partners, whereas the authorisation provided for retention in an active database for ten years before anonymisation or deletion. The DPA therefore considered that the information provided to patients was inaccurate. It also found that the controller had not ensured the effective exercise of patients’ right to object regarding data already collected in the EMR repository. 
Regarding the LRX repository, the DPA found a breach of [[Article 14 GDPR]]. The controller relied on partner pharmacists to inform patients about the processing of their data. However, inspections at four pharmacies showed that patients were not provided with the required information notices and that the relevant information was not properly displayed. The DPA held that, irrespective of the practical channel used to provide the information, the obligation under [[Article 14 GDPR]] remained with the controller. The failure was particularly serious because patients had their health data processed without being aware of it and were therefore unable to exercise their rights. 
The DPA further found a breach of Article 66 of the French Data Protection Act concerning studies carried out by the controller using the LRX warehouse. The DPA held that the authorisation granted for the LRX repository covered the creation of the warehouse only, and not the subsequent studies conducted using that warehouse. Those studies constituted separate processing operations involving personal health data. Since they had not been specifically authorised and did not validly comply with the MR-004 reference methodology, in particular due to the lack of prior and individual information to patients, the DPA found that they were unlawful. 
Finally, the DPA found a breach of [[Article 25 GDPR]]. The pharmacy software modules systematically extracted and transmitted patient data to the first trusted third party even where the pharmacy had chosen not to transmit patient data for the LRX panel. The DPA considered that this filtering should have occurred upstream, at the pharmacy software level, so that unnecessary patient data would not be extracted or transmitted in the first place. The controller had therefore failed to implement appropriate technical and organisational measures to ensure data protection by design and by default. 
The DPA imposed a fine of €5,000,000 on the controller for breaches of Article 66 of the French Data Protection Act and Articles 14 and 25 GDPR. It also ordered the controller to bring its processing into compliance, including by providing accurate information to EMR patients, ensuring the effective exercise of the right to object, ensuring that pharmacy patients are informed of the transfer of their data, ceasing unauthorised studies from the LRX warehouse, and preventing pharmacy software modules from extracting patient data where the pharmacist had refused such transmission. The order was subject to a daily penalty of €10,000 after six months. The decision was published, with the controller’s name to be removed after two years. 
Latest revision as of 11:54, 29 May 2026 CNIL - SAN-2026-008 Authority: CNIL (France) Jurisdiction: France Releva","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CNIL_(France)_-_SAN-2026-008&diff=51769&oldid=51768","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fthumb\u002F0\u002F0f\u002FLogoFR.png\u002F1200px-LogoFR.png","2026-05-29T11:54:48+00:00","2026-05-29T12:00:16.08147+00:00",8,[18],{"name":19,"type":20},"CNIL (Commission Nationale de l'Informatique et des Libertés)","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":21,"icon":23,"name":24,"slug":25},null,"GDPR","gdpr",[27,32,37],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":38},{"id":39,"icon":23,"name":40,"slug":41},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]