CNIL fines INFOGREFFE 250,000 EUR

Note on the data retention aspect of this fine:

INFOGREFFE stored the data for longer than its privacy notice stated.
Reminder: always make sure that what you state in your privacy notice is true, as you will be checked against it!

“The infogreffe.fr website provided that the personal data of members and subscribers (bank details, first and last names, postal and e-mail addresses, phone and mobile phone numbers, secret question and its answer) would be kept for 36 months from the last order for a service and/or document.

However, the CNIL found that the data of 25% of the service’s users was kept beyond the decided retention periods. The manual anonymisation implemented, only on request from users, concerned a very small number of accounts.”

English Summary: https://www.cnil.fr/en/infogreffe-fined-250000-euros

Deliberation: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046280956?init=true&page=1&query=san-2022-018&searchField=ALL&tab_selection=all