The Italian Data Protection Authority (Garante per la protezione dei dati personali, the “DPA”) has just issued new Guidelines on online profiling, aimed at further clarifying the privacy obligations of internet service providers when they profile their users. The Guidelines apply to any processing of personal data collected through any device (e.g. mobile phones, tablets, computers, portable devices, TV plug-ins).
The Guidelines confirm that, before any processing of data aimed at profiling the user, data controllers are required to:
- provide the user with an adequate information notice;
- collect the user's consent to any profiling activity;
- apply an adequate retention policy.
The DPA confirmed the position it had already taken with regard to cookies (see our posts here and here): under the Guidelines, data controllers may (but are not obliged to) provide users with a layered information notice. In that case the first layer must contain a description of the processing carried out by the data controller, the categories of data collected (for instance location data and IP addresses), the details of the data controller and of any data processors, and the way in which data subjects can exercise their right of access and the other rights granted under Section 7 of the Privacy Code with regard to their personal data.
As to the second layer of the information notice, accessible through a link in the first layer, the DPA suggests describing the specific functionalities of the processing and giving users examples of it, so that they can better understand how their data are processed.
Although it is not mandatory, the DPA also suggests that the second layer contain the previous versions of the information notice. In the DPA's view, this would allow the data subjects whose data are collected to become aware of any change in the documentation (and consequently in the processing of their data).
Data subject consent
The DPA further emphasized that the data subject's consent must always be collected before any profiling activity is carried out.
In this regard, the DPA highlighted that a data controller may carry out profiling by way of:
- automated systems applied to the use of email services: in this case the consent exception under Section 24, letter b) of the Privacy Code does not apply, because the data controller does not process the personal data in order to provide a service or perform a contractual obligation;
- cross-referencing data collected during the use of different functionalities of the same product provided by the data controller: here too, no exception to the requirement to collect consent applies;
- a number of other techniques (for instance authentication credentials or fingerprinting). Cookies, however, are not included among these “techniques”, since the ad hoc regulation on cookies applies to them.
Authenticated users or non-authenticated users
Data controllers must also put specific arrangements in place depending on whether the collected data concern authenticated or non-authenticated users.
With particular attention to non-authenticated users, the DPA underlined that they deserve special protection while browsing the web. In this regard, the DPA clarified that such users must be:
- informed on the profiling activity carried out;
- provided with a link to the information notice described above;
- provided with a further link by which they can deny their consent to the profiling activity;
- informed that access to the other areas of the website implies consent to the profiling activity.
Retention policy and other remarks
Finally, the DPA emphasized that data must not be retained for longer than necessary, as required by Section 11 of the Privacy Code.
It is also worth noting that the Guidelines make no reference to the duty to notify the DPA of processing that involves profiling (set forth in Section 37 of the Privacy Code). This omission should not, however, be read as a derogation from that provision.
The Guidelines do not seem to dramatically change the existing scenario for online profiling; they do, however, provide some useful clarifications of the DPA's view, including on compliance with the Privacy Code with regard to authenticated and non-authenticated users.
The Guidelines will no doubt be a useful tool for any internet service provider that carries out profiling, since the DPA regards such processing as particularly sensitive.