Health data and use of cookies: French SA fines DOCTISSIMO

17 May 2023

Background information

  • Date of decision: 11/05/2023
  • Cross-border case or national case: Cross-border case
  • Controller: DOCTISSIMO
  • Legal references: Article 5 (1)(e)(Principles relating to processing of personal data: storage limitation), Article 9 (Processing of special categories of personal data), Article 26 (Joint controllers), Article 32 (Security of processing)
  • Decision: Administrative fine
  • Key words: Health records, Sensitive data, Data security,
    Data retention, Consent


Summary of the Decision


Origin of the case

Following a complaint by the PRIVACY INTERNATIONAL association, the CNIL carried out four investigations into DOCTISSIMO. The website mainly offers articles, tests, quizzes and discussion forums related to health and well-beingt for the general public.

During its investigations, the CNIL noted several infringements, in particular concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the ways cookies were deposited on the terminal of users.


Key Findings

The French SA has identified four breaches of the GDPR and a breach of the French Data Protection Act by DOCTISSIMO:

  • A failure to store data for no longer than is necessary for the purposes for which they are processed (Article 5.1(e) GDPR)
  • Failure to obtain consent from individuals to collect their health data (Article 9 GDPR)

  • Failure to provide a formal legal framework for the processing operations carried out jointly with another data controller (Article 26 GDPR)

  • Failure to ensure the security of personal data (Article 32 GDPR)

  • Failure to comply with obligations related to the use of cookies (Article 82 of the Data Protection Act)



The French SA imposed two fines on DOCTISSIMO:

  • A fine of EUR 280 000 regarding GDPR infringements. This fine was taken in cooperation with all the CNIL’s European counterparts within the one-stop shop procedure, as the website has visitors from all the Member States of the European Union.
  • A second fine of EUR 100 000 regarding French Data Protection Act rules on cookies and other trackers.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.