France: CNIL Has Published Guidelines for Data Processing in Pharmacies

The French Data Protection Authority (CNIL) released a GDPR guide tailored specifically for pharmacies (Guidelines). To ensure clients’ privacy is upheld while providing quality care, pharmacies must adhere to strict data protection requirements. For this, the newly released CNIL Guidelines may be helpful, highlighting the best practices and compliance measures for pharmacies.

What are the critical GDPR considerations?

Information Notices. The Guidelines emphasize the importance of information obligation. Whether informing pharmacy employees or clients, especially when processing personal data for monitoring client progress or transferring data to third parties (e.g., for COVID-19 test results), CNIL highlights the need for clear information. To help this, CNIL has provided a standardized information notice form to facilitate compliance, available for both employees and clients.

Video surveillance. The Guidelines also cover pharmacy video surveillance. They recommend placing signs at a reasonable distance for easy recognition and providing separate information notices for pharmacy employees. Instructions for notice placement, such as in-person delivery and accessibility at the pharmacy counter are included. The Guidelines also remind that continuous employee surveillance or monitoring of rest areas is prohibited and that a requirement for a Data Protection Impact Assessment (DPIA) may apply. The need for a DPIA depends on your supervisory authority, so reviewing their published list for further information is advisable.

Data Breaches. CNIL guides through examples, such as accidental health data modifications, visible client results, illness disclosure to a spouse, or loss/theft of prescription books. The Guidelines stress the obligation to maintain a data breach register, including breach nature, affected individuals’ categories and numbers, approximate records affected, mitigation measures, and contact details. It also outlines when to contact the Data Protection Authority and highlights the significance of a well-defined internal data breach procedure for prompt responses.

Right of Access and other data subjects’ rights. Pharmacies handle personal medical data under strict confidentiality obligations, making it essential to recognize individuals’ rights regarding their data. Clients, employees, and other data subjects whose personal data are processed by pharmacies possess rights that should be exercised. The Guidelines underscore the importance of pharmacies establishing procedures to respond to these requests within specific timeframes. The Guidelines also address the matter of obtaining data for deceased individuals and offer guidance on how to comply with requests in such cases.

Service providers and subcontractors. For personal data entrusted to service providers, pharmacies must include mandatory data protection clauses in agreements. The Guidelines offer a template for an annex with essential data protection provisions. They also recommend setting a 24–48-hour deadline to notify data security incidents and ensure proper data handling at the end of contracts.

Why is compliance relevant?

As demonstrated through examples within the Guidelines, failing to meet data protection requirements for pharmacies or similar entities can result in significant fines and other legal penalties. Notable examples include:

  • a EUR 1,500,000 fine imposed by CNIL in 2022 on DEDALUS BIOLOGIE due to security flaws leading to the exposure of medical data for nearly 500,000 individuals. This breach resulted in the public disclosure of their names, social security numbers, prescribing doctors’ names, examination dates, and crucial medical information such as HIV status, genetic diseases, pregnancies, and client drug therapy details
  • in 2019, CNIL issued a formal notice to an organization, compelling them to align their video surveillance system with GDPR due to constant employee monitoring
  • in 2020, CNIL imposed fines of EUR 3,000 and EUR 6,000 on two self-employed doctors for inadequate protection of clients’ personal data and their failure to report a breach
  • in 2019, the UK’s data protection authority fined a pharmacy GPB 275,000 for breaching GDPR by improperly disposing of 500,000 medical documents containing sensitive information in unlocked containers.

Is there a checklist for the main required Procedures and Policies?

Indeed, the Guidelines include a checklist for pharmacies to evaluate their compliance with key GDPR procedures and policies. These include:

1. records of Processing Activities (ROPA)

2. Data Protection Impact Assessments (DPIAs)

3. documentation for data transfers to third countries

4. consent forms for data subjects

5. information notices

6. data subjects’ rights procedures

7. DPAs with subcontractors and their compliance documentation

8. personal data security breach procedures and staff awareness

9. register of personal data breaches

By following these best practices and compliance measures, and ensuring that all necessary procedures and policies are implemented, pharmacies can safeguard clients’ data, maintain their reputation, and avoid legal consequences.

The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to GDPR compliance or any other personal data protection question, please consult the experts of ECOVIS ProventusLaw.

This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior lawyer Julija Ginotytė

Newsletter SubscriptionGet in touch