The CNIL reminded Carrefour France that the appropriate data retention period should be determined based on the purpose of the processing and the specifics of the business sector of the data controller. For loyalty program members of a retail company, the CNIL recommends a maximum retention period of three years. The CNIL found that Carrefour violated Article 5(1)(e) GDPR by keeping a copy of a data subject's ID card for up to six years when dealing with data subjects' exercise of rights. The systematic request for an ID in order to exercise a right was also a violation, making the exercise of right harder than it should be, and Carrefour exceeded regularly the one-month delay to answer a request. Regarding the right to information, the CNIL found that the information provided to data subjects was not easily accessible and not clear, concise, and transparent as required by Articles 12 and 13 GDPR. The information was spread-out across several web pages and not organised nor prioritised, and several mandatory information were missing or incorrect.