CNIL (France) - SAN-2022-018

From GDPRhub

Latest revision as of 18:59, 21 September 2022

CNIL - SAN-2022-018
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 08.09.2022
Published: 13.09.2022
Fine: 250000 EUR
Parties: GIE INFOGREFFE
National Case Number/Name: SAN-2022-018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: juleso3

The French DPA fined a company €250,000 for infringing Article 5(1)(e) GDPR. It violated the provision by storing personal data for an excessive period of time and by lacking adequate security as passwords were stored without encryption and sent in plain text by email.

English Summary

Facts

GIE INFOGREFFE (controller) has a website which allows consultation of legal information on companies. This website also provides the possibility to order certain documents. In its "Confidentiality Charter" on its website, the controller made a distinction between two kinds of users: "members" and "subscribers". "Members" were users who could order a selected paid service on the website, for which they needed an account. "Subscribers" were users who had subscribed to an annual subscription of the website.

A data subject filed a complaint with the DPA, stating that he had been able to obtain his password over the phone simply by giving his name. The data subject also complained that the website stored user passwords in plain text. The DPA started an investigation into the controller's website.

On its website, the controller had stated in the "Confidentiality Charter" that the personal data of members and subscribers were kept for 36 months after the customer's last order of a service or documents. The DPA found in its investigation that the controller had no procedure for the automatic deletion of personal data and that personal data were kept for periods that were excessive in relation to the respective purpose and to the controller's own policy. The controller admitted that personal data had been kept for longer than 36 months but argued that, for purposes such as 'collection operations', it would be justified to store certain data for a longer period of time.

With regard to the manual anonymization of personal data at the request of users, the controller admitted that 25% of accounts were kept for more than 36 months after the last order, formality or invoice without being anonymized. There was also no automatic anonymization procedure implemented by the controller.

Holding

The DPA held that the controller violated Article 5(1)(e) GDPR because personal data was kept for more than 36 months.

First, the DPA held that the purpose and the deletion period stated by the controller could only concern the personal data of "subscribers" and not of "members", because "members" paid immediately for a service or document. The DPA also held that some purposes had not been identified by the controller, such as the purpose of providing a document to "members", accounting purposes and tax purposes.

The DPA held that the retention of data could appear justified for the purposes of providing documents and for accounting and tax purposes. However, according to the DPA, when relevant personal data had to be retained beyond the retention period, additional measures needed to be implemented. The data had to be stored temporarily in a separate storage location, for example in a dedicated archive database or in a logically separated part of an existing database. This data should not be kept for longer than is necessary for the respective purposes of the controller. The DPA also held that only authorized people should have access to this data. None of these measures had been implemented by the controller in this case.

The DPA also found that the manual anonymization procedure at the request of users concerned a small number of accounts. Anonymization was not implemented for 25% of accounts where this should have been the case. The DPA also held that no automatic anonymization procedure was implemented by the controller. Therefore, the controller was able to keep identifying data without any time limit. Because of these facts, the DPA held that Article 5(1)(e) GDPR had been breached, despite the fact that the controller had deleted inactive user-accounts during the procedure.

The DPA also held that Article 32 GDPR was violated because of several security problems. The DPA discovered that the controller stored passwords in plain text in a database. Furthermore, users could not create a password of more than 8 characters, and no complexity requirements or other security measures were imposed. Passwords were also transmitted in plain text in email exchanges with users. Finally, users were not notified when their password was changed, so that a sufficient level of security against identity theft was not ensured.

Considering the high number of users (3.7 million) and the sensitivity of the data concerned (bank-related data, names, addresses, phone numbers, etc.), the CNIL considered the infringement 'serious' and imposed a €250,000 fine.

Comment

The CNIL recommends applying its délibération n° 2017-012 du 19 janvier 2017 on password security.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted committee no. SAN-2022-018 of September 8, 2022 concerning the GIE INFOGREFFE

The National Commission for Computing and Liberties, meeting in its restricted formation composed of Mr. Alexandre LINDEN, President, Mr. Philippe-Pierre CABOURDIN, Vice-President, Mrs. Christine MAUGÜÉ, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data;

Considering the law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Having regard to decree no. 2019-536 of May 29, 2019 as amended, taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties;

Having regard to decision n° 2021-032C of January 6, 2021 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or to have carried out a verification mission of any processing accessible from the site "infogreffe.fr" or relating to personal data collected from the latter;

Having regard to the decision of the President of the National Commission for Computing and Liberties appointing a rapporteur before the restricted formation, dated October 21, 2021;

Having regard to the report of Mr. François PELLEGRINI, reporting commissioner, notified to GIE INFOGREFFE on February 16, 2022;

Having regard to the written observations submitted by the GIE INFOGREFFE on April 15, 2022;

Having regard to the other documents in the file;

Were present at the Restricted Committee session of May 12, 2022:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of GIE INFOGREFFE:

- […];

- […];

- […].

The GIE INFOGREFFE having had the floor last;

The Restricted Committee adopted the following decision:

I. Facts and procedure

1. Infogreffe (hereinafter "the body" or "the group"), whose registered office is located at 5, avenue de Paris in Vincennes (94300), is an economic interest group (GIE) of the registries of the commercial courts of France which has, since 1986, operated the service for disseminating legal and official information on companies through several channels, in particular the "infogreffe.fr" website since 1996.

2. The "infogreffe.fr" website allows users to consult legal information on companies and to order documents certified by the registries of the commercial courts. Users wishing to view or order a paid deed on the website must have an account and are designated by Infogreffe as "members". It is also possible for users to take out an annual subscription, allowing "subscribers" in particular to access certain services in the company consultation section. When creating an account, whether as a member or a subscriber, the user must fill in the following mandatory fields: surname, first name, postal and email addresses, landline or mobile telephone number, and the choice of a secret question and its answer. The bank details of subscribers (IBAN and BIC) are also processed by Infogreffe.

3. For the year 2019, the organization achieved a turnover of […] euros, for a net result of […] euros. In 2020, it achieved a turnover of […] euros, for a net result of […] euros.

4. On December 12, 2020, the National Commission for Computing and Liberties (hereinafter "the CNIL" or "the Commission") received a complaint against the organization from a person stating that the "infogreffe.fr" website stores user passwords in plain text and that they had been able to obtain their password over the phone simply by giving their name to the helpdesk.

5. In application of decision n° 2021-032C of January 6, 2021 of the President of the CNIL, a control mission was carried out in order to verify the conformity of any processing accessible from the "infogreffe.fr" domain, or relating to personal data collected from the latter, to the provisions of law n ° 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the law of January 6 1978 amended" or the "Data Protection Act") and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation" or the "GDPR").

6. Thus, an online check was carried out on March 4, 2021 on the "infogreffe.fr" site implemented by the group. The report n° 2021-032/1 drawn up at the end of the inspection was notified to the organization by registered mail, received on March 10, 2021.

7. The CNIL delegation has in particular endeavored to check the procedure for transmitting user passwords when creating an account or in the event of forgetting or losing the password.

8. By letters dated March 19, May 25 and June 24, 2021, the organization transmitted to the CNIL the elements requested in report n° 2021-032/1 and responded to its requests for additional information sent by email on May 17 and June 18, 2021. The organization confirms in particular that it determines the purposes and means of the processing of personal data on the "infogreffe.fr" site. It also specifies the retention periods for the data it collects and the measures taken to ensure their security. Infogreffe also told the delegation that during the year 2020 the site was consulted by more than 24 million people worldwide and that, of the 3.7 million people with an account, more than 8,000 European accounts were not French.

9. In accordance with Article 56 of the GDPR, the CNIL informed all the European supervisory authorities of its competence to act as lead supervisory authority for the cross-border processing implemented by Infogreffe, since the sole establishment of the group is in France. After discussion between the CNIL and the European data protection authorities within the framework of the one-stop-shop mechanism, all of them are concerned by the processing, since user accounts have been created by residents of all the Member States of the European Union.

10. For the purposes of examining these elements, the President of the Commission, on October 21, 2021, appointed Mr François PELLEGRINI as rapporteur on the basis of Article 22 of the law of January 6, 1978 as amended, and informed the organization by letter dated October 26, 2021.

11. On December 2, 2021, the rapporteur asked the organization to provide its last three balance sheets, which the organization did by letter dated December 15, 2021.

12. At the end of his investigation, the rapporteur, on February 16, 2022, had the organization notified of a report detailing the breaches of the GDPR that he considered constituted in this case, accompanied by a summons to attend the Restricted Committee session of April 21, 2022. The letter notifying the report indicated to the organization that it had a period of one month to communicate its written observations in response, in accordance with article 40 of decree no. 2019-536 of May 29, 2019 as amended.

13. This report proposed that the Restricted Committee of the Commission impose an administrative fine for the breaches of Articles 5, paragraph 1, e) and 32 of the GDPR. It also proposed that this decision be made public, but that it would no longer be possible to identify the organization by name after the expiry of a period of two years from its publication.

14. On February 22, 2022, the organization requested an extension of the one-month deadline to produce observations in response to the sanction report. On February 25, 2022, the Chairman of the Restricted Committee granted this request and postponed the Restricted Committee meeting.

15. On April 15, 2022, the body produced its observations in response to the sanction report and requested that the restricted committee session be held in camera. This request was rejected by the president of the restricted committee, the organization being notified by letter dated April 21, 2022.

16. The organization and the rapporteur presented oral observations during the session of the Restricted Committee.

II. Reasons for decision

17. Pursuant to Article 60(3) of the GDPR, the draft decision adopted by the Restricted Committee was sent to all European data protection authorities on July 19, 2022.

18. As of August 16, 2022, no supervisory authority had raised any relevant and reasoned objection to this draft decision, so that, pursuant to Article 60(6) of the GDPR, the latter are deemed to have approved it.

A. On the breach of the obligation to retain the data for a period proportionate to the purpose of the processing pursuant to Article 5, paragraph 1, e) of the GDPR

19. According to Article 5, paragraph 1, e) of the GDPR, personal data must be kept in a form allowing the identification of the data subjects for a period not exceeding that necessary for the purposes for which they are processed.

20. As part of the check, the delegation noted that the "Confidentiality Charter" of the "infogreffe.fr" website provides that the personal data of members and subscribers are kept for 36 months from the last order of service and/or documents.

21. However, the organization provided the CNIL delegation with a spreadsheet file from which it appears that, as of May 1, 2021, it retained the personal data of 946,023 members and 17,558 subscribers for whom the last order, the last formality or, for subscribers, the last invoice dated back more than 36 months, without the organization being able to justify any recent contact with said members or subscribers.

22. The rapporteur notes that no procedure for the automatic deletion of personal data has been put in place by the organization and that the data were kept for periods that were excessive in relation to their purpose and to the organization's own policy.

23. In defence, the organization admits that personal data have been kept for longer than the duration indicated in its Charter but contests the fact that the duration indicated in this Charter is taken as the only reference, whereas with regard to other purposes, such as those relating to recovery operations, it would be justified for certain data to be kept for a period of more than 36 months. With regard to the anonymization of personal data, the organization admits that 25% of accounts were kept for more than 36 months after the last order, formality or invoice without being anonymized. It also admits the delay in automating anonymization but disputes the fact that there was no anonymization of accounts.

24. Firstly, the Restricted Committee notes that the purpose relating to collection operations, cited by the organization, and the related retention period could a priori only concern the data of subscribers and not of members, the latter paying immediately in exchange for receipt of a deed. In addition, the Restricted Committee notes that, for this purpose as for accounting and tax purposes, the organization had not identified these purposes and the corresponding durations in its Confidentiality Charter on the date of the inspection. In any case, the Restricted Committee notes that while the retention of certain data for these purposes may appear justified, it requires that various actions be carried out. Thus, the Restricted Committee recalls that once the purpose of the processing has been achieved, the retention of certain data for compliance with legal obligations or for pre-litigation or litigation purposes is possible, but the data must then be placed in intermediate archiving, for a duration not exceeding that necessary for the purposes for which they are kept, in accordance with the provisions in force. Only the relevant data must be placed in intermediate archiving, either in a dedicated archive database or by performing a logical separation within the active database, allowing only authorized persons to access it. The Restricted Committee notes that on the day of the inspection, none of these actions had been implemented by the organisation.

25. Secondly, the Restricted Committee notes that the manual anonymization implemented by the organization at the request of users only concerned a very small number of accounts, since on the day of the online check 25% of accounts had not been anonymized when they should have been. The Restricted Committee notes that no automatic anonymization procedure was implemented on the day of the online check, the organization thus retaining identifying data without time limit in the absence of an anonymization request from the users.

26. Consequently, the Restricted Committee considers that the aforementioned facts constitute a structural breach of Article 5, paragraph 1, e) of the GDPR.

27. The Restricted Committee notes that the organization indicated, during the procedure, that a purge of accounts inactive for more than 36 months had been implemented since the audit, but retains that the breach remains characterized for the past.
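As an added illustration, not code from the decision or from Infogreffe's systems, of the lifecycle the Restricted Committee describes in paragraph 24 (and the summary's Holding): an automatic retention sweep that anonymizes accounts in the active store once the 36-month period from the Charter has elapsed, moves only the fields a documented secondary purpose still needs into a logically separated intermediate archive with its own end date and role-restricted access, and purges the archive when that date passes. The `add_months`, `Account`, `IntermediateArchive` and `retention_sweep` names, the `COLLECTION_MONTHS` value and the sample accounts are assumptions constructed for this example.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple

ACTIVE_MONTHS = 36          # the retention period the organisation set in its own Charter
COLLECTION_MONTHS = 60      # assumed duration for the collection purpose; the decision gives no figure


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, so '36 months' is measured in months rather than in 1,080 days."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])   # clamp 31 Jan -> 28/29 Feb
    return date(year, month, day)


@dataclass
class Account:
    account_id: int
    kind: str                       # "member" or "subscriber"
    last_activity: date             # last order, formality or invoice
    name: Optional[str]
    email: Optional[str]
    iban: Optional[str] = None      # subscribers only
    unpaid_invoice: bool = False    # triggers the collection purpose
    state: str = "active"           # "active" or "anonymized"


@dataclass
class ArchiveRecord:
    account_id: int
    purpose: str
    retain_until: date
    data: Dict[str, Optional[str]]  # only the fields the purpose needs


class IntermediateArchive:
    """Logically separated store for data kept past its active life; only the listed roles may read it."""
    AUTHORIZED_ROLES = {"accounting", "legal"}

    def __init__(self) -> None:
        self._records: Dict[int, ArchiveRecord] = {}

    def put(self, record: ArchiveRecord) -> None:
        self._records[record.account_id] = record

    def read(self, account_id: int, role: str) -> Optional[ArchiveRecord]:
        if role not in self.AUTHORIZED_ROLES:
            raise PermissionError(f"role {role!r} may not read the intermediate archive")
        return self._records.get(account_id)

    def purge_expired(self, today: date) -> List[int]:
        expired = sorted(k for k, r in self._records.items() if r.retain_until <= today)
        for k in expired:
            del self._records[k]
        return expired


def anonymize(acc: Account) -> None:
    acc.name = acc.email = acc.iban = None
    acc.state = "anonymized"


def retention_sweep(accounts: List[Account], archive: IntermediateArchive, today: date) -> Tuple[List[int], List[int]]:
    """Apply the Charter period: inactive accounts are anonymized in the active store; the few fields a
    documented secondary purpose still needs go to the archive with their own end date."""
    cutoff = add_months(today, -ACTIVE_MONTHS)
    archived, anonymized = [], []
    for acc in accounts:
        if acc.state != "active" or acc.last_activity > cutoff:
            continue
        # Members pay at the time of ordering, so the collection purpose can only apply to subscribers.
        if acc.kind == "subscriber" and acc.unpaid_invoice:
            archive.put(ArchiveRecord(acc.account_id, "collection",
                                      add_months(acc.last_activity, COLLECTION_MONTHS),
                                      {"name": acc.name, "iban": acc.iban}))
            archived.append(acc.account_id)
        else:
            anonymized.append(acc.account_id)
        anonymize(acc)   # the active store never keeps identifying data past the cutoff
    return archived, anonymized


# Constructed sample accounts (not data from the decision); the IBAN is a placeholder.
SAMPLE_ACCOUNTS = [
    Account(1, "member", date(2018, 1, 10), "A. Example", "a@example.org"),
    Account(2, "subscriber", date(2018, 3, 5), "B. Example", "b@example.org",
            iban="FR00 0000 0000 0000 0000 0000 000", unpaid_invoice=True),
    Account(3, "member", date(2021, 1, 31), "C. Example", "c@example.org"),
]


def run_sweep(today: date = date(2021, 5, 1)):
    """Run the sweep on copies of the sample accounts; the default date is the spreadsheet date in paragraph 21."""
    accounts = [replace(a) for a in SAMPLE_ACCOUNTS]
    archive = IntermediateArchive()
    archived, anonymized = retention_sweep(accounts, archive, today)
    return accounts, archive, archived, anonymized
```

Running `run_sweep()` anonymizes account 1, moves the two fields the collection purpose needs for account 2 into the archive (readable only by the `accounting` and `legal` roles) and leaves the recently active account 3 untouched; a second sweep changes nothing, which is what makes the job safe to schedule.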

B. On breaches of the obligation to ensure the security of personal data (Article 32 GDPR).

28. Article 32 of the GDPR provides that "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others, as appropriate:

a) pseudonymization and encryption of personal data;

b) the means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the means to restore the availability of personal data and access to them within an appropriate period of time in the event of a physical or technical incident;

d) a procedure for regularly testing, analyzing and evaluating the effectiveness of the technical and organizational measures to ensure the security of the processing. "

29. The rapporteur notes, firstly, that the delegation found that the passwords used by users to log in to their accounts, accessible from the organization's website, are insufficiently robust in that they are limited to eight characters, without any complexity criteria, and are not associated with any additional security measures. In addition, the rapporteur notes that on the day of the findings, it was impossible for all users or subscribers of the "infogreffe.fr" website, i.e. for more than 3.7 million accounts, to enter a secure password due to the limitation of its length to 8 characters maximum.

30. The rapporteur notes, secondly, that the organization sends non-temporary passwords in plain text by email allowing access to the accounts.

31. The rapporteur points out, thirdly, that the organization also keeps in plain text in its database the passwords as well as the secret questions and answers used during the password reset procedure by users.

32. Finally, the rapporteur notes that the organization does not confirm to the user the modification of his password either. The rapporteur considers that the user who is not alerted in the event of an unauthorized modification is therefore not protected against attempts to usurp his account.

33. In view of these elements, the rapporteur considers that the various security measures put in place by the organization are insufficient with regard to Article 32 of the GDPR.

34. In defence, the organization argues that the security obligation is an obligation of means which must be assessed in concreto and that its non-performance must be established by a finding of the ineffectiveness of the measures implemented, having led to unauthorized access, which is not the case here. It stresses that the recommendation relating to passwords mentioned by the rapporteur constitutes soft law, that it is not a question of mandatory rules applicable in abstracto, independently of any context, non-compliance with which would, in itself, be such as to justify an administrative sanction. In addition, the organization specifies that the data protection impact assessment revealed a low risk for personal data in the event of unauthorized access, since for member accounts, representing the majority of accounts, bank details are not recorded, unlike subscriber accounts, and an unauthorized third party would not be able to take any action other than the purchase of documents and the filing of formalities in place of the account holder. Finally, the organization emphasizes that the information accessible by logging into a user's account is essentially personal data present in the K or KBIS extracts and the other deeds that can be ordered, except for the accounts created by non-professionals, whose identification and location data are not public.

35. First of all, the Restricted Committee recalls that, pursuant to Article 32 of the GDPR, to ensure the protection of personal data, it is the responsibility of the data controller to take "appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risk". The Restricted Committee considers that the use of a short or simple password, without imposing specific categories of characters and without additional security measures, can lead to attacks by unauthorized third parties, such as "brute force" or "dictionary" attacks, which consist in successively and systematically testing many passwords and thus lead to a compromise of the associated accounts and the personal data they contain. It notes, in this respect, that the need for a strong password is recommended both by the National Agency for the Security of Information Systems (ANSSI) and by the Commission in its deliberation No. 2017-012 of 19 January 2017. In this case, the Restricted Committee notes that the passwords in question are limited to eight characters without any complexity criterion, and are not associated with any additional security measure. The Restricted Committee considers that the risk run by the persons concerned is real: a third party having had access to the password could not only access all the personal data present in the account of the person concerned, but also consult the history of their orders, download their invoices and/or change the password of the account and the contact information without the knowledge of the user.

36. In addition, the Restricted Committee considers that the procedures for the transmission and storage of passwords implemented by the organization are not appropriate with regard to the risk that the capture of their identifier and password by a third party would pose to the persons concerned. Indeed, the transmission, in plain text, of a password which is neither temporary nor single-use and whose renewal is not imposed makes it easily and immediately usable by a third party who had improper access to the message containing it. The Restricted Committee recalls that a simple handling error can lead to the disclosure of personal data to unauthorized recipients and thus infringe the right to privacy of individuals. Finally, the Restricted Committee considers that the user who is not alerted in the event of an unauthorized modification is therefore not protected against attempts to usurp his account.

37. Therefore, taking into account these risks for the protection of personal data and the privacy of individuals, the Restricted Committee considers that the measures deployed to guarantee data security in this case are insufficient.
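An added example, not code from the decision or from Infogreffe, of the account handling that addresses each finding in paragraphs 29 to 36 (and the Article 32 part of the summary's Holding): passwords and secret-question answers stored only as salted PBKDF2 hashes, a policy that enforces a minimum length instead of an 8-character maximum, a random, single-use, time-limited reset token in place of the password itself in email, and a confirmation to the account holder on every password change. The policy constants, the `AccountService` API and the constructed user are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Policy parameters are assumptions for this example, not figures from the decision.
MIN_LENGTH = 12                # the 8-character *maximum* in the decision is the anti-pattern
MAX_LENGTH = 128               # generous cap so that long passphrases are allowed
MIN_CLASSES = 3                # of: lower-case, upper-case, digit, other
PBKDF2_ITERATIONS = 150_000    # tune upward as hardware allows
RESET_TOKEN_TTL = timedelta(minutes=30)

class WeakPasswordError(ValueError):
    pass

def check_policy(password: str) -> None:
    """Reject passwords that are too short, absurdly long, or drawn from too few character classes."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        raise WeakPasswordError(f"password must be {MIN_LENGTH}-{MAX_LENGTH} characters long")
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(t(c) for c in password) for t in tests) < MIN_CLASSES:
        raise WeakPasswordError(f"password must mix at least {MIN_CLASSES} character classes")

def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its parameters so they can be raised later."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_secret(secret: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison

DUMMY_HASH = hash_secret("placeholder-for-unknown-users")   # checked for unknown users so timing is uniform

@dataclass
class UserRecord:
    email: str
    password_hash: str
    secret_answer_hash: str    # the reset-question answer is hashed too, never kept in clear
    notifications: List[str] = field(default_factory=list)   # stand-in for outbound email in this example

class AccountService:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self.users: Dict[str, UserRecord] = {}
        self.reset_tokens: Dict[str, Tuple[str, datetime]] = {}   # sha256(token) -> (email, expiry)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def register(self, email: str, password: str, secret_answer: str) -> None:
        check_policy(password)
        answer = secret_answer.strip().lower()   # normalise so "Paris " and "paris" match
        self.users[email] = UserRecord(email, hash_secret(password), hash_secret(answer))

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            verify_secret(password, DUMMY_HASH)   # same cost as a real check
            return False
        return verify_secret(password, user.password_hash)

    def request_reset(self, email: str) -> Optional[str]:
        """Issue a random, single-use, time-limited token; the token, never the password, is what gets emailed."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()   # store only a hash of the token
        self.reset_tokens[key] = (email, self._now() + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop() makes the token single-use
        if entry is None or entry[1] < self._now():
            return False
        self.set_password(entry[0], new_password)
        return True

    def set_password(self, email: str, new_password: str) -> None:
        check_policy(new_password)
        user = self.users[email]
        user.password_hash = hash_secret(new_password)
        # Confirm every change to the account holder so an unauthorised change does not go unnoticed.
        user.notifications.append(f"Password changed at {self._now().isoformat()}; contact support if this was not you.")

def expired_token_is_rejected() -> bool:
    """Under a controllable clock, a token older than RESET_TOKEN_TTL must not reset the password."""
    clock = [datetime(2022, 9, 8, tzinfo=timezone.utc)]   # constructed clock
    svc = AccountService(now=lambda: clock[0])
    svc.register("user@example.org", "correct horse Battery 9!", "Paris")
    token = svc.request_reset("user@example.org")
    clock[0] += timedelta(hours=1)   # age the token past RESET_TOKEN_TTL
    return not svc.complete_reset(token, "Another strong passphrase 77")
```

The stored hash string carries its own iteration count, so the cost can be raised later and old records re-hashed on next login; the reset flow never puts the password or the raw token at rest, and the notification list stands in for the email a production system would send.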

38. Next, the Restricted Committee specifies that if deliberation no. 2017-012 of January 19, 2017, the CNIL guide relating to the security of personal data and the ANSSI technical note relating to the passwords cited in the rapporteur's writings are certainly not imperative, they nevertheless set out the basic safety precautions corresponding to the state of the art. Therefore, the Restricted Committee recalls that it retains a breach of the obligations arising from Article 32 of the GDPR and not the non-compliance with the recommendations, which moreover constitute relevant insight for assessing the risks and the state of the art in personal data security.

39. In addition to these recommendations, the Restricted Committee stresses that it has, on several occasions, imposed financial penalties where the characterization of a breach of Article 32 of the GDPR resulted from insufficient measures to guarantee the security of the data processed, and not merely from the existence of a personal data breach. Deliberations No. SAN-2019-006 of June 13, 2019 and No. SAN-2019-007 of July 18, 2019 relate in particular to the insufficient robustness of passwords as well as their transmission to the organization's customers by email, in plain text, after creating the account.

40. Under these conditions, in view of the risks incurred by individuals, mentioned above, as well as the volume and nature of the personal data which may be contained in more than 3.7 million accounts (banking data for subscriber accounts; surname, first name, postal and email address, landline or mobile telephone numbers, secret question and its answer for all accounts), the Restricted Committee considers that the organization has breached its obligations under Article 32 of the GDPR.

41. The Restricted Committee notes that in the context of this procedure the organization has taken certain measures to ensure the security of the data processed. Nevertheless, it considers that, from the implementation of its password policy in 2002 until June 2021, the security measures put in place by the organization did not allow it to ensure a sufficient level of security of the personal data processed and that, therefore, a breach of the obligations of Article 32 of the Regulation is constituted.

III. On corrective measures and their publicity

42. Under the terms of III of article 20 of the amended law of 6 January 1978:

"When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, the President of the National Commission for Computing and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, if necessary, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted formation takes into account, in determining the amount of the fine, the criteria specified in the same article 83. "

43. Article 83 of the GDPR provides that “Each supervisory authority shall ensure that administrative fines imposed under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive”, before specifying the elements to be taken into account to decide whether to impose an administrative fine and to decide on the amount of this fine.

44. Firstly, on the principle of imposing a fine, the organization insists in defence on the contractual liability of its subcontractor with regard to the instructions that had been given to it concerning the security and anonymization of personal data, on the prioritization of other legal and regulatory projects over its compliance with the GDPR, on its significant cooperation with the CNIL and on the significant efforts made since the start of the control.

45. The Restricted Committee recalls that it must take into account, for the pronouncement of an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the violation, the number of persons affected, the measures taken by the controller to mitigate the damage suffered by the persons concerned, whether the breach was negligent, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach.

46. The Restricted Committee firstly considers that although the organization gave specific instructions on anonymization and security to its subcontractor, it appears that it did not follow up the execution of these instructions and did not exercise satisfactory and regular control over the technical and organizational measures implemented by its subcontractor to ensure compliance with the GDPR and, in particular, to ensure the anonymization and security of the personal data processed.

47. The Restricted Committee also considers that it is necessary to take into account the nature of the actor concerned, bringing together the clerks of the commercial courts, who are public and ministerial officers responsible for the performance of public service missions. As such, the Restricted Committee considers that the organization should therefore have shown particular rigor in respecting all of its legal and regulatory obligations. However, it results from the debates that the organization has postponed the implementation of projects relating to the anonymization and security of personal data in order to respond, without increasing its available resources, to other obligations of compliance that were not related to data protection.

48. The Restricted Committee then notes that the alleged breaches are breaches of key principles of the GDPR which were not introduced by this text but pre-existed in the "Informatique et Libertés" law. The Restricted Committee also stresses that these shortcomings cannot be regarded as an isolated incident. With regard to the breach relating to the retention period, the Restricted Committee recalls that the organization had itself set a retention period for personal data which it did not respect, and that this breach concerns more than one million user, member and subscriber accounts. With regard to the breach relating to data security, the Restricted Committee considers that the extreme weakness of the password complexity rules, as well as of the security measures for the communication, storage and renewal of passwords, in force since 2002, made all the accounts vulnerable.

49. Finally, the Restricted Committee notes that the compliance measures put in place following the notification of the sanction report do not exonerate the organization from its liability for the breaches observed.

50. Consequently, the Restricted Committee considers that an administrative fine should be imposed with regard to the breaches of Articles 5, paragraph 1, e) and 32 of the GDPR.

51. Secondly, with regard to the amount of the fine, the organization insists in its defense on the isolated nature of the complaint that gave rise to the inspection and on the absence of any financial gain derived from the breaches.

52. The Restricted Committee recalls that administrative fines must be both dissuasive and proportionate. It considers that the origin of the inspection, which took place following a single complaint, cannot minimize the seriousness of the shortcomings, which, moreover, turned out to be structural. In this case, the Restricted Committee finds, with regard to the breach relating to the retention period of personal data, that the organization showed gross negligence with respect to a fundamental principle of the GDPR and that this breach concerns more than 25% of accounts. With regard to the breach relating to security, the Restricted Committee notes that, given the accumulation of security flaws, the facts observed are particularly serious, especially since they left all the accounts vulnerable. The Restricted Committee then recalls that the organization postponed its compliance with the GDPR in favor of other legal and regulatory priorities. Finally, the Restricted Committee takes into account the activity of the organization and its financial situation. It also takes note of the efforts made by the organization to bring itself into compliance throughout this procedure.

53. In view of these elements, the Restricted Committee considers that the imposition of an administrative fine of two hundred and fifty thousand euros appears justified.

54. Finally, with regard to the publicity of the sanction, the organization maintains that such a measure would be disproportionate in view of the harm it would cause.

55. The Restricted Committee considers that the publicity of the sanction is justified in view of the seriousness of the breaches noted, the nature of the actor concerned, which, given its size and activity, has the human, financial and technical resources to enable it to ensure a satisfactory level of protection of personal data, and the strong reputation enjoyed by the website in the field of commercial data.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

• impose an administrative fine on GIE INFOGREFFE in the amount of 250,000 (two hundred and fifty thousand) euros for breaches of Articles 5, paragraph 1, e) and 32 of the GDPR;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the organization by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be appealed to the Conseil d'État (Council of State) within two months of its notification.