GIE INFOGREFFE – €250,000 Fine (France, 2022)

€250,000 | Commission Nationale de l'Informatique et des Libertés | 8 September 2022 | France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

GDPR Articles Cited

Art. 32 GDPR
Art. 5(1)(e) GDPR

Full Legal Summary

GIE INFOGREFFE (controller) operates a website that allows consultation of legal information on companies. The website also makes it possible to order certain documents. In the "Confidentiality Charter" on its website, the controller distinguished between two kinds of users: "members" and "subscribers". "Members" were users who could order a selected paid service on the website, for which they needed an account. "Subscribers" were users who had taken out an annual subscription to the website.

A data subject filed a complaint with the DPA stating that he had been able to obtain a password over the phone merely by giving his name. The data subject also complained that the website stored user passwords in plain text. The DPA started an investigation into the controller's website.

In the "Confidentiality Charter" on its website, the controller had stated that the personal data of members and subscribers were kept for 36 months after the last order from a customer requesting a service or documents. The DPA found in its investigation that the controller used no procedure for the automatic deletion of personal data, and that personal data was kept for excessive periods of time in relation to the respective purpose and to the controller's own policy. The controller admitted that personal data had been kept for longer than 36 months but stated that for purposes such as 'collection operations', it would be justified for certain data to be stored for a longer period of time. With regard to the manual anonymization of personal data upon request by users, the controller admitted that 25% of accounts were kept for more than 36 months after the last order, formality or invoice, without being anonymized. There was also no automatic anonymization procedure implemented by the controller.

The DPA held that the controller violated Article 5(1)(e) GDPR because personal data was kept for more than 36 months. First, the DPA held that purpose and the deletion perio

Details

Fine Date

8 September 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€250,000

Enforcement Tracker ID

ETid-1382

GDPRhub ID

gdprhub-5259

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. GIE INFOGREFFE - France (2022). Retrieved from cookiefines.eu
