GIE INFOGREFFE: Insufficient technical and organisational measures to ensure information security

The French DPA has imposed a fine of EUR 250,000 on GIE INFOGREFFE. The portal operates a website where people can access legal information about companies and order documents certified by the commercial courts. As part of its investigation, the DPA found that the personal data of 25% of members and subscribers, such as bank details, surnames, first names, addresses and telephone numbers, were kept for longer than intended (36 months). The DPA considered this to be a violation of Art. 5 (1) e) GDPR. In addition, the DPA found that the portal did not require the use of a secure password when creating an account, resulting in 3.7 million accounts not having a sufficiently secure password. Furthermore, the portal transmitted passwords that allowed access to accounts unencrypted via email. Besides, the portal also stored the passwords and secret questions and answers used during the process of resetting passwords by users in a database without encryption. For this reason, the DPA found that the portal had failed to implement adequate technical and organizational measures to protect personal data.

GDPR Articles: Art. 5 (1) e) GDPR, Art. 32 GDPR
Industry: Public Sector and Education