Created in 2001, the infogreffe.fr site provides access to legal and economic data collected in the 141 commercial court registries in order to find out about the structures registered in the Trade and Companies Register (RCS) and facilitate access to corporate administrative documents. Following a complaint, the Cnil, policeman for the safety of French people on the Internet, conducted an investigation: “The checks focused in particular on the retention periods defined and the security measures implemented by infogreffe.fr”we read in the Cnil report.
The specialized site has been found guilty of breaches of two articles of the GDPR (General Data Protection Regulation). First of all, the data was kept longer than what infogreffe.fr declared. Normally, they should be kept until 36 months after the last activity, “the Cnil found that the data of 25% of users of the service were subject to a retention period beyond the deadlines provided”.
The other shortcoming concerns the very security of the stored data. It was impossible for the 3.7 million accounts listed on the site to create a strong password because of the size imposed on it. Added to this is the fact that the organization communicated account passwords by email. The database then kept clear each of the sesames, but also each of the secret questions commonly used in case of forgetfulness. Infogreffe.fr has since taken care to better secure access to accounts and the identification of members and subscribers, specifies the commission.