On 15 November 2017, the CNIL created a special page on its website to highlight its 2013 guidelines on the processing of payment card data for online transactions (the 2013 guidelines were modified in July 2017).
The guidelines highlight the following:
- The permitted purposes, some of which have to be presented separately to the data subject (e.g. retaining data for card fraud detection) or require separate consent (e.g. retaining data for future transactions)
- The necessary data (the identity of the cardholder is not one of them, except for fraud prevention)
- The retention periods (in any event, the cryptogram cannot be retained after the transaction)
- Information to be provided to data subjects
- Security measures