Starting from April 1, 2015, companies operating in the mobile payment area must adopt the requirements provided by the Italian Data Protection Authority (the “Garante”).

In particular (i) the telephone companies providing services of mobile payment, (ii) the companies providing a technological interface, (iii) the companies offering digital contents and services, as well as (iv) all the other parties involved in the transaction process (such as those the ones that, also via app, allow customers to access the digital market), must comply with the provisions set forth under the resolution issued by the Garante on May, 22, 2014 (see doc. web n. 3161560).

As a consequence, the users of payment services through smartphones, tablets and personal computers shall have the right to receive complete information about the modalities of the data processing, upon the execution of the relevant payment service. Moreover, users’ personal data must be kept for a maximum of six months and cannot be used for other purposes, such as marketing or profiling, without the previous specific consent of the relevant users. At the end of the purchase process the users’ IP addresses must be deleted. 

Furthermore, appropriate security measures must be adopted in order to guarantee the privacy as well as to prevent the telephone operator to integrate different types of data for the purpose of users’ cross profiling without having their specific consent.

Finally, in order to guarantee the privacy of the transaction process made by the users, the sellers can disclose to telephone operators only the categories of the purchased products/services. The information related to the specific purchased product/service shall not be disclosed to the telephone operators, unless it is necessary for the provision of subscription services.