GIE INFOGREFFE – €250,000 Fine (France, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
GIE INFOGREFFE was fined for keeping personal data longer than allowed and for storing passwords insecurely. This is important because it shows that companies must have clear rules for how long they keep personal information. Small businesses should regularly review their data retention policies to avoid similar issues.
What happened
GIE INFOGREFFE stored user passwords in plain text and kept personal data for longer than 36 months without proper procedures.
Who was affected
Users of the GIE INFOGREFFE website, including members and subscribers, were affected by the mishandling of their personal data.
What the authority found
The French data protection authority ruled that GIE INFOGREFFE violated GDPR by retaining personal data for excessive periods without a proper deletion process.
Why this matters
This ruling emphasizes the need for businesses to implement strict data retention and deletion policies. It serves as a reminder that companies can face significant penalties for failing to protect user data.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
GIE INFOGREFFE (controller) has a website which allows consultation of legal information on companies. This website also provides the possibility to order certain documents. In its "Confidentiality Charter" on its website, the controller made a distinction between two kinds of users: "members" and "subscribers". "Members" were users who could order a selected paid service on the website, for which they needed an account. "Subscribers" were users who had taken out an annual subscription to the website.
A data subject filed a complaint with the DPA stating that he was able to get a password over the phone simply by giving his name. The data subject also complained that the website stored user passwords in plain text. The DPA started an investigation into the website of the controller.
On its website, the controller had stated in the "Confidentiality Charter" that the personal data of members and subscribers were kept for 36 months after the last order from a customer requesting service or documents. The DPA found in its investigation that the controller used no procedure for the automatic deletion of personal data and that personal data was kept for excessive periods of time in relation to the respective purpose and the controller's own policy. The controller admitted that personal data had been kept for longer than 36 months but stated that for purposes such as 'collection operations', it would be justified for certain data to be stored for a longer period of time. With regard to the manual anonymization of personal data upon user requests, the controller admitted that 25% of accounts were kept for more than 36 months after the last order, formality or invoice, without being anonymized. There was also no automatic anonymization procedure implemented by the controller.
The DPA held that the controller violated Article 5(1)(e) GDPR because personal data was kept for more than 36 months. First, the DPA held that purpose and the deletion perio
Related Enforcement Actions (0)
No other enforcement actions found for GIE INFOGREFFE in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
8 September 2022
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€250,000
Enforcement Tracker ID
ETid-1382
GDPRhub ID
gdprhub-5259
Cite as: Cookie Fines. GIE INFOGREFFE - France (2022). Retrieved from cookiefines.eu