The Commission wants to define a code of conduct for digital payment players, while respecting the protection of personal data.

The National Commission for Informatics and Freedoms (CNIL) published a white paper on Wednesday, October 6, on new dematerialized means of payment, and in particular on the risks associated with payment data issued in this context.

Among the operations studied by the CNIL are contactless payments, online payments and mobile payments through services such as Apple Pay. Use of these dematerialized services has exploded since the health crisis, as they fit with the practice of respecting barrier gestures.

Sensitive data

Payment data represent “all the personal data used when delivering a payment service for a person”, explains the CNIL in the document.

This includes, “among other things: identifiers of the means of payment used, amount of the transaction, date and time of payment, identity and IBAN of the merchant and the beneficiary”, continues the Commission.





According to the Commission, the handling of this personal data may present a risk to the privacy of individuals. Access to this information makes it possible to retrace a person's movements or locate them, and it must therefore be rigorously supervised.

A code of conduct to be observed

To better protect these new practices, the CNIL plans to define a “code of conduct” for payment service providers, in accordance with the GDPR. It proposes several crucial points, such as the official and concrete qualification of these actors, the anonymity of payment data, and vigilance as to “the enrichment of reused payment data”, in particular for commercial purposes or in the fight against fraud.

It also encourages the “tokenization” of transactions, that is to say their registration in a “chain of blocks”, which allows them to be encrypted and therefore secured. This is the technology used by cryptocurrencies. The Commission indicates that it is in dialogue with the various market players in order to finalize this code of conduct.