Data security: NEXPUBLICA FRANCE fined €1,700,000
24 December 2025
On 22 December 2025, the CNIL fined NEXPUBLICA FRANCE €1,700,000 for failing to implement sufficient security measures for its PCRM software, a user relationship management tool in the social services sector.
Background information
NEXPUBLICA FRANCE (formerly INETUM SOFTWARE FRANCE), a company specialising in the design of IT systems and software, develops a software package called PCRM, which is a user relationship management tool in the field of social action, in particular used by Departmental Houses for the Disabled ("Maisons départementales des personnes handicapées" or "MDPH" in French) in some departments.
At the end of November 2022, customers of NEXPUBLICA notified the CNIL of personal data breaches, as users of the portal reported having access to documents concerning third parties. The CNIL then carried out investigations into the company, which revealed that the technical and organisational measures it had implemented to ensure the security of data processed through the PCRM software were insufficient.
As a consequence, the restricted committee – the CNIL body responsible for issuing sanctions – imposed a fine of €1,700,000 on NEXPUBLICA FRANCE, taking into account the company's financial capacity, its lack of knowledge of basic security principles, the number of people affected and the sensitivity of the data processed (in particular revealing a disability).
A breach of the obligation to ensure the security of personal data (Article 32 of the GDPR)
Article 32 of the GDPR provides that the data controller and the data processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons.
The restricted committee considered that the company had not complied with these requirements in implementing its PCRM software, given the general weakness of the information system and the negligence it had shown in allowing structural security problems to persist.
Indeed, it considered that the vulnerabilities identified in the PCRM:
- were mostly due to a lack of knowledge of the state of the art and basic security principles;
- were known to the company, having already been identified in several audit reports.
Despite these factors, the flaws were only corrected after the data breaches.
These circumstances are aggravating given the company's business, which specialises in IT systems and software consulting.
The restricted committee did not issue a compliance order as the company had taken the necessary corrective measures following the data breaches.