This page has been automatically translated. Please refer to the page in French if needed.
Personal data
Online sites: credit card numbers can only be kept with the customer's consent
Directorate for Legal and Administrative Information (Prime Minister)
In general, e-commerce businesses must have the customer's consent to keep their credit card number for future purchases. This has just been confirmed by the Conseil d'État, following the position of the CNIL (Commission nationale de l'Informatique et des Libertés), in its ruling of 10 December 2020.
According to a CNIL recommendation on the use of payment cards for the distance sale of goods or provision of services, merchants must obtain their customers' consent to keep their banking data beyond a transaction in order to facilitate subsequent purchases. Only a subscription removes this obligation, because it places the customer in a regular business relationship.
An e-commerce business asked the CNIL to modify its deliberation so that it could keep the bank card numbers of its non-subscribed customers beyond the transaction for which the data was collected. According to that business, such retention would facilitate customers' subsequent purchases by sparing them from entering the number again. To justify such retention, the business relied on its legitimate interest, as laid down in the General Data Protection Regulation (GDPR), which allows the data subject's consent to be dispensed with.
In assessing that legitimate interest, the CNIL weighs the legitimate interest pursued by the business concerned against the interest or fundamental rights and freedoms of the persons concerned. For this purpose, it takes into account the nature of the data processed, the purpose and modalities of the processing, but also the expectations that these persons may reasonably have regarding the absence of further processing of the collected data.
In this case, for the CNIL, the legitimate interest of this business cannot prevail over customers' interest in protecting their data, given in particular the sensitivity of banking information and the harm that may result from misuse of this data. Furthermore, customers cannot reasonably expect such retention without their consent.
The e-commerce business therefore asked the Conseil d'État to annul the CNIL's refusal decision.
The Conseil d'État follows the CNIL's position by dismissing legitimate interest as a legal basis under the GDPR. According to the Conseil d'État, the retention of bank card numbers of customers of e-commerce sites to facilitate subsequent purchases must be based on the explicit consent of the customer.