GIE INFOGREFFE – €250,000 Fine (France, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
GIE INFOGREFFE was fined for keeping user passwords in plain text and not deleting personal data when it was supposed to. This is important because it shows that companies must protect user information and follow their own privacy policies. Small businesses should regularly review their data handling practices to avoid similar issues.
What happened
GIE INFOGREFFE stored user passwords in plain text and kept personal data longer than allowed.
Who was affected
Users of the GIE INFOGREFFE website, including members and subscribers, were affected by the mishandling of their personal data.
What the authority found
The French DPA ruled that GIE INFOGREFFE violated GDPR by failing to delete personal data after the specified retention period and not securing passwords properly.
Why this matters
This ruling emphasizes that companies must implement strong data protection measures and adhere to their own data retention policies. It serves as a reminder for businesses to prioritize user privacy and security.
Original data from scraper before AI verification against source document.
The French DPA has imposed a fine of EUR 250,000 on GIE INFOGREFFE. The portal operates a website where people can access legal information about companies and order documents certified by the commercial courts. As part of its investigation, the DPA found that the personal data of 25% of members and subscribers, such as bank details, surnames, first names, addresses and telephone numbers, were kept for longer than intended (36 months). The DPA considered this to be a violation of Art. 5(1)(e) GDPR. In addition, the DPA found that the portal did not require the use of a secure password when creating an account, resulting in 3.7 million accounts not having a sufficiently secure password. Furthermore, the portal sent passwords that allowed access to accounts by email without encryption. The portal also stored passwords, along with the secret questions and answers used when users reset their passwords, in a database without encryption. For this reason, the DPA found that the portal had failed to implement adequate technical and organizational measures to protect personal data.
Details
Fine Date: 13 September 2022
Authority: Commission Nationale de l'Informatique et des Libertés
Fine Amount: €250,000
Enforcement Tracker ID: ETid-1382
About this data
Cite as: Cookie Fines. GIE INFOGREFFE - France (2022). Retrieved from cookiefines.eu