The CNIL fined DOCTISSIMO €380,000 for failing to comply with its obligations under the GDPR, in particular the obligation to obtain individuals' consent before collecting and using their health data, and for failing to comply with the rules on cookies.
Background information
Following a complaint by the PRIVACY INTERNATIONAL association, the CNIL carried out four investigations into DOCTISSIMO. The doctissimo.fr website mainly offers articles, tests, quizzes and discussion forums related to health and well-being for the general public.
During its investigations, the CNIL found several infringements, in particular concerning the retention periods applied to data, the collection of health data through online tests, the security of the data, and the way cookies were placed on users' devices.
Consequently, the restricted committee — the CNIL body responsible for imposing sanctions — imposed two fines against DOCTISSIMO:
- a fine of €280,000 for infringements of the General Data Protection Regulation (GDPR). This fine was adopted in cooperation with all of the CNIL's European counterparts under the one-stop-shop procedure, as the website has visitors from all the Member States of the European Union.
- a fine of €100,000 for non-compliance relating to the use of cookies (Article 82 of the French Data Protection Act). On this point the CNIL has jurisdiction to act alone.
In determining the amount of the fine, the CNIL took into account the nature and seriousness of the breaches, the categories of personal data involved (health data), the number of individuals concerned, and the financial situation of the company. It also took into account the fact that, given its nature and business sector, i.e. the provision of digital health-related content, the company should have exercised heightened vigilance in obtaining individuals' consent before collecting their health data.
Read more at CNIL.