The French data pro­tec­tion regulator’s white paper

New infor­ma­ti­on on hand­ling bank and pay­ment data

In its new white paper published in Octo­ber 2021 (only in French), the French data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (CNIL), addres­ses digi­tal pay­ments from a data pro­tec­tion per­spec­ti­ve under the title, When trust pays off – cur­rent and future means of pay­ment and the chal­lenges of data protection.

This publi­ca­ti­on was moti­va­ted by the ste­adi­ly incre­asing use of digi­ta­li­sed pay­ment methods, such as tra­di­tio­nal card use (debit and cre­dit cards), but espe­ci­al­ly digi­tal wal­lets such as Goog­le Pay, Apple Pay, and offers from various fin­tech com­pa­nies such as PayPal.

In its white paper, CNIL pres­ents the data pro­tec­tion chal­lenges of digi­tal pay­ment methods and then pro­vi­des gui­dance and prac­ti­cal recom­men­da­ti­ons for action for play­ers invol­ved in digi­tal payments.

What are pay­ment data?

Accor­ding to the CNIL, the term “pay­ment data” or “pay­ment infor­ma­ti­on” includes pay­ment data in the strict sen­se, such as the means of pay­ment used or the amount of the tran­sac­tion, plus data rela­ted to the purcha­se its­elf, such as the cha­rac­te­ristics of the pro­duct purcha­sed or the place and time of the purcha­se, as well as con­tex­tu­al or beha­viou­ral data, such as geo­lo­ca­ti­on or cha­rac­te­ristics of the ter­mi­nal used for an online purchase.

Pay­ment data can thus be sum­ma­ri­sed, from CNIL’s per­spec­ti­ve, as all per­so­nal data used in the pro­vi­si­on of a pay­ment ser­vice to a natu­ral per­son, inclu­ding ancil­la­ry data such as geo­lo­ca­ti­on, con­tex­tu­al data and, if rele­vant, details of the purcha­se itself.

Num­e­rous chal­lenges for data protection

The cha­rac­te­ristics of digi­tal pay­ment tran­sac­tions pose signi­fi­cant chal­lenges to the pro­tec­tion of the data coll­ec­ted and processed.

The first chall­enge is the lar­ge num­ber of peo­p­le affec­ted. A vast majo­ri­ty of the popu­la­ti­on regu­lar­ly uses cashl­ess pay­ment methods, whe­ther for card pay­ments at their local depart­ment store or for online shop­ping, which is beco­ming incre­asing­ly popu­lar, not least due to the coro­na pandemic.

Ano­ther chall­enge cited by the CNIL is the man­da­to­ry sto­rage and tracea­bi­li­ty of the data for each pay­ment tran­sac­tion. The­se data must be docu­men­ted in order to store accounts, cus­to­mers and cre­dit balan­ces. At the same time, they also con­tain a gre­at deal of infor­ma­ti­on about each person’s actions, cha­rac­te­ristics and inte­rests. The­re is a risk that the­se data can be com­bi­ned with other infor­ma­ti­on to form “sen­si­ti­ve” data as defi­ned in Artic­le 9 GDPR, such as infor­ma­ti­on on poli­ti­cal opi­ni­ons, reli­gious beliefs or sexu­al orientation.

In addi­ti­on to the govern­ment moni­to­ring of digi­tal pay­ment tran­sac­tions, which has been well known sin­ce the NSA scan­dal, pay­ment ser­vices also use the data they pro­cess for addi­tio­nal ser­vices such as veri­fy­ing the trust­wort­hi­ness of the cus­to­mer or impro­ving the user expe­ri­ence. In the view of the CNIL, both are not unpro­ble­ma­tic from a data pro­tec­tion perspective.

Final­ly, the CNIL sees the ongo­ing deve­lo­p­ment of con­nec­ted pro­ducts (so-called “Inter­net of Things”) as posing fur­ther chal­lenges to per­so­nal data within the frame­work of auto­ma­ted and auto­no­mous pay­ment tran­sac­tions by indi­vi­du­al devices.

Recom­men­da­ti­ons for action by the CNIL

To address the­se chal­lenges, CNIL belie­ves that strict com­pli­ance with the pro­vi­si­ons of the GDPR is essential.

First of all, this requi­res com­pli­ance with the prin­ci­ples for pro­ces­sing per­so­nal data based on Artic­le 5 GDPR, such as pur­po­se limi­ta­ti­on and data eco­no­my. Here, the CNIL recom­mends a pri­or spe­ci­fic limi­ta­ti­on and defi­ni­ti­on of this pur­po­se in a pro­ces­sing direc­to­ry that records all pro­ces­sed data. With regard to the pur­po­se limi­ta­ti­on, it must be ensu­red that the respec­ti­ve pur­po­se is actual­ly requi­red for pay­ment pro­ces­sing. From the CNIL’s point of view, during a pay­ment tran­sac­tion with a cre­dit card, only the respec­ti­ve card num­ber, expi­ra­ti­on date and, if appli­ca­ble, cryp­to­gram of the card are necessary.

In this con­text, the CNIL also empha­si­s­es that, in addi­ti­on to com­pli­ance with the lega­li­ty of pro­ces­sing under Artic­le 6 GDPR, it is essen­ti­al to assign the respec­ti­ve func­tion of con­trol­ler, pro­ces­sor or joint con­trol­ler to the respec­ti­ve actors invol­ved in a pay­ment tran­sac­tion in order to ensu­re a clear allo­ca­ti­on of roles and unam­bi­guous respon­si­bi­li­ties in this regard and also to docu­ment them.

To ans­wer the ques­ti­on in which cases a data pro­tec­tion impact assess­ment is requi­red pur­su­ant to Artic­le 35 GDPR, CNIL has drawn up a list of pro­ces­sing activities.

The CNIL also pro­vi­des con­cre­te recom­men­da­ti­ons for action regar­ding the dura­ti­on of the sto­rage of per­so­nal data in con­nec­tion with pay­ment transactions:

  • The data coll­ec­ted for the rea­li­sa­ti­on of a pay­ment tran­sac­tion may only be stored until the com­ple­ti­on of the pay­ment or until receipt of the item or ser­vice; in the case of sub­scrip­ti­on, until after the last pay­ment installment.
  • Accor­ding to the CNIL, the data coll­ec­ted for com­plaint manage­ment may be kept for 13 months from the date of debit (15 months in the case of debit cards with defer­red payment).
  • Any cryp­to­gram on a pay­ment card, on the other hand, may be kept only until the tran­sac­tion is completed.

In addi­ti­on, the CNIL empha­si­s­es that any other use of the infor­ma­ti­on obtai­ned in the cour­se of a pay­ment tran­sac­tion, par­ti­cu­lar­ly for com­mer­cial pur­po­ses, is pro­hi­bi­ted. For exam­p­le, an email address coll­ec­ted for the pur­po­se of sen­ding a sales receipt or pay­ment may not be used for adver­ti­sing pur­po­ses wit­hout the customer’s con­sent. Also, bank data may not be stored by the mer­chant for sub­se­quent purcha­ses wit­hout the customer’s con­sent. The only excep­ti­on to this may be the legi­ti­ma­te inte­rest of the mer­chant in the case of a sub­scrip­ti­on by the cus­to­mer or in the case of a regu­lar busi­ness rela­ti­onship with the customer.

War­ning of rising crime rela­ted to pay­ment data

The gro­wing popu­la­ri­ty of digi­tal pay­ment tran­sac­tions is also having an impact on crime sta­tis­tics: In addi­ti­on to the chal­lenges descri­bed abo­ve, the CNIL warns of an ever-increasing level of crime invol­ving pay­ment data, par­ti­cu­lar­ly through ran­som­wa­re. The use of ran­som­wa­re allows cri­mi­nals to encrypt the hard dri­ves of tho­se affec­ted and only decrypt them again by pay­ing a ran­som. Pay­ment data of all kinds is the focus of extor­tio­nists due to the importance of the data for mer­chants and customers.

To com­bat this, the CNIL recom­mends the use of so-called “tokens”. In this pro­cess, sen­si­ti­ve pay­ment data, such as an account num­ber (IBAN) or a bank card num­ber, are repla­ced by a ran­dom­ly gene­ra­ted, single-use data ele­ment (token). In the event of a hacker attack, no par­ti­cu­lar­ly sen­si­ti­ve data will fall into the hands of cri­mi­nals in this way.


Ban­king and pay­ment data pose a data pro­tec­tion chall­enge. This makes it all the more important for com­pa­nies invol­ved in pay­ment tran­sac­tions to inform them­sel­ves in due time about their own obli­ga­ti­ons and to take appro­pria­te mea­su­res to pro­tect sen­si­ti­ve data. Fail­ure to do so can result in nega­ti­ve public press as well as hea­vy fines in the event of damage.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.