- Date of final decision: 8 September 2022
- Cross-border case or national case: Cross-border case
- If cross-border, LSA: France
- and CSAs: every other SA
- Controller: the economic interest group INFOGREFFE
- Legal Reference: data retention periods (Article 5.1.e of the GDPR), security of personal data (Article 32 of the GDPR)
- Decision: infringement of the GDPR, Administrative fine
- Key words: website, data retention periods, security
Summary of the Decision
Origin of the case
Following a complaint, the CNIL, French Supervisory Authority, carried out an online investigation of the infogreffe.fr website, which allows users to consult legal information on companies and order documents certified by the commercial court registries. The investigations focused in particular on the data retention periods defined and the security measures implemented by the economic interest group INFOGREFFE, which provides the legal and official information publishing service on companies via the website.
- Failure to comply with the obligation to keep data for a period of time proportionate to the purpose of the processing (Article 5.1.e of the GDPR)
- Failure to comply with the obligation to ensure the security of personal data (Article 32 of the GDPR)
On the basis of these findings, the restricted committee (the CNIL body responsible for imposing sanctions) issued a fine of 250 000 euros on INFOGREFFE, and decided to make it public. This decision was taken in cooperation with the other European authorities concerned, as user accounts were created from all EU Member States.
For further information: decision in national language "Délibération SAN-2022-018 du 8 septembre 2022"
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.