On 22 December 2025, the French data protection authority (CNIL) fined Nexpublica France EUR 1'700'000 for failing to implement sufficient security measures for its PCRM software. Nexpublica specialises in software and computer design. PCRM is a tool for social workers to manage client relationships and is used, for example, by departmental houses serving disabled people. The decision followed data breach notifications in late November 2022, in which users of the software had gained access to documents belonging to third parties. CNIL audits identified inadequate technical and organisational measures that contributed to the breach. The restricted panel determined that Nexpublica had not complied with Article 32 of the General Data Protection Regulation (GDPR), which concerns the security of processing. The vulnerabilities were attributed to a lack of understanding of basic security principles and had been known to the company from previous audit reports; corrective actions were implemented only after the data breaches had occurred. According to CNIL, the amount of the fine was determined after taking into account the company's financial capacity, the extensive nature of the security weaknesses, the number of individuals affected, and the sensitivity of the data processed, which included information on disabilities.