INFOGREFFE fined 250,000 euros

13 September 2022

The CNIL has imposed an administrative of 250,000 euros on the economic interest group INFOGREFFE for having infringed several RGPD's obligations regarding the retention periods and security of personal data.

The context

Following a complaint, the CNIL carried out an online investigation of the website, which allows users to consult legal information on companies and order documents certified by the commercial court registries. The investigations focused in particular on the data retention periods defined and the security measures implemented by the economic interest group INFOGREFFE, which provides the legal and official information publishing service on companies via the website.

During its investigations, the CNIL noted several infringements concerning the processing of personal data of the service's users (people who have created an account to view or order an act and subscribers with an annual subscription).

On the basis of these findings, the restricted committee (the CNIL body responsible for imposing sanctions) issued a fine of 250,000 euros on INFOGREFFE, and decided to make it public. This decision was taken in cooperation with the other European authorities concerned, as user accounts were created from all EU Member States.

Sanctioned breaches

Failure to comply with the obligation to keep data for a period of time proportionate to the purpose of the processing (Article 5.1.e of the GDPR)

The website provided that the personal data of members and subscribers (bank details, first and last names, postal and e-mail addresses, phone and mobile phone numbers, secret question and its answer) would be kept for 36 months from the last order for a service and/or document.

However, the CNIL found that the data of 25% of the service's users was kept beyond the decided retention periods. The manual anonymisation implemented, only on request from users, concerned a very small number of accounts.

The organisation indicated, during the procedure, that a purge of accounts that had been inactive for more than 36 months had been implemented since the investigations.

Failure to comply with the obligation to ensure the security of personal data (Article 32 of the GDPR)

The CNIL also found that the organisation did not require the use of a strong password when creating an account on its website and that it was impossible for the 3.7 million accounts to enter a secure password due to their limited size.

In addition, INFOGREFFE transmitted non-temporary passwords for access to accounts in clear text by e-mail and also kept passwords, secret questions and their answers used by users in the password reset procedure in clear text in its database.

Consequently, the CNIL considered that INFOGREFFE had not taken sufficient measures to guarantee the security of the data of the members and users concerned.

However, the organisation has implemented some actions during the procedure concerning the security of access to accounts and the identification of members and subscribers.