France

Doctor

6,000 €

GDPR enforcement action by French Data Protection Authority (CNIL) on 2020-12-17.

Rank · Sector

#170

of 270 in Health Care

Rank · France

#65

of 74

Rank · All fines

#1,608

of 3,050

Case details

Authority: French Data Protection Authority (CNIL)
Date: 2020-12-17
Controller / Processor: Doctor
Sector: Health Care
Quoted Articles: Art. 32 GDPR, Art. 33 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The French DPA (CNIL) fined a doctor EUR 6,000 for violations of Art. 32 GDPR and Art. 33 GDPR. The controller had stored medical image data such as MRI and X-ray images as well as personal data such as names, dates of birth and treatment data of his patients on a server in order to be able to access them from his home computer. A review of the controller's systems had revealed that access to the server was not properly secured. This would have allowed anyone to access his patients' data. Furthermore, the data leak had existed for about five years. The data protection authority therefore found that the doctor had failed to take adequate technical and organisational measures to ensure data security.

Open original source Links to the regulator's original publication or another source.