GIE INFOGREFFE – €250,000 Fine (France, 2022)

Fine amount: €250,000
Authority: Commission Nationale de l'Informatique et des Libertés
Date: 8 September 2022
Country: France
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GIE INFOGREFFE in France was fined for mishandling user data on their website, including storing passwords in plain text. They kept personal data longer than necessary, violating GDPR rules. This case stresses the importance of data security and proper data retention practices for businesses.

What happened

GIE INFOGREFFE stored user passwords in plain text and kept personal data for longer than allowed.

Who was affected

Users of the GIE INFOGREFFE website whose personal data and passwords were improperly handled.

What the authority found

The French DPA ruled that GIE INFOGREFFE violated GDPR by failing to delete personal data in a timely manner.

Why this matters

This case underscores the need for businesses to implement strong data protection measures and to adhere to data retention policies. It sets a precedent for holding companies accountable for data security practices.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(e) GDPR

Source verified 10 March 2026
Full Legal Summary

GIE INFOGREFFE (controller) has a website which allows consultation of legal information on companies. This website also provides the possibility to order certain documents. In its "Confidentiality Charter" on its website, the controller made a distinction between two kinds of users: "members" and "subscribers". "Members" were users who could order a selected paid service on the website, for which they needed an account. "Subscribers" were users who had subscribed to an annual subscription of the website.

A data subject filed a complaint at the DPA stating that he was able to obtain a password over the phone merely by giving his name. The data subject also complained that the website stored user passwords in plain text. The DPA started an investigation into the website of the controller.

On its website, the controller had stated in the "Confidentiality Charter" that the personal data of members and subscribers were kept for 36 months after the last order from a customer requesting a service or documents. The DPA found in its investigation that the controller used no procedure for the automatic deletion of personal data and that personal data was kept for excessive periods of time in relation to the respective purpose and to the controller's own policy. The controller admitted that personal data had been kept for longer than 36 months but stated that for purposes such as 'collection operations', it would be justified for certain data to be stored for a longer period of time. With regard to the manual anonymization of personal data upon requests of users, the controller admitted that 25% of accounts were kept for more than 36 months after the last order, formality or invoice, without being anonymized. There was also no automatic anonymization procedure implemented by the controller.

The DPA held that the controller violated Article 5(1)(e) GDPR because personal data was kept for more than 36 months. First, the DPA held that purpose and the deletion perio

Details

Fine Date

8 September 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€250,000

GDPRhub ID

gdprhub-5259

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. GIE INFOGREFFE - France (2022). Retrieved from cookiefines.eu

