Concerning the processing of personal data and the protection of privacy in the electronic communications sector, the Italian Code for the protection of personal data (hereinafter the “Code”), implementing Article 6(2) and (5) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, sets out that providers shall be allowed to process traffic data that are strictly necessary for contracting parties’ billing and interconnection payments for a period not in excess of six months in order to provide evidence in case the bill is challenged or payment is to be pursued, subject to such additional retention as may be specifically necessary on account of a claim also lodged with judicial authorities. In addition, the Code states that processing of traffic data shall be restricted to persons in charge of the processing who act –pursuant to Section 30 of the Code – directly under the authority of the provider of a publicly available electronic communications service or, where applicable, the provider of a public communications network and deal with billing or traffic management, customer enquiries, fraud detection, marketing of electronic communications or the provision of value-added services. Processing shall be restricted to what is absolutely necessary for the purposes of such activities and must allow identification of the person in charge of the processing who accesses the data, also by means of automated interrogation procedures.
In this regard, it is interesting to point out that the European Court of Justice (Third Chamber, 2-11-2012, n. 119/12 (Josef Probst c. Mr.nexnet GmbH)) ruled that Article 6(2) and (5) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) must be interpreted as authorizing a provider of public communications networks and of publicly-accessible electronic communications services to pass traffic data to the assignee of its claims for payment in respect of the supply of telecommunications services for the purpose of recovery of those claims, and as authorizing that assignee to process those data on condition, first, that the latter acts under the authority of the service provider as regards the processing of those data and, second, that that assignee confines itself to processing the traffic data necessary for the purposes of recovering the claims assigned. Irrespective of the classification of the contract of assignment, the assignee is deemed to act under the authority of the service provider, within the meaning of Article 6(5) of Directive 2002/58, where, for the processing of traffic data, it acts exclusively on the instructions and under the control of that provider. In particular, the contract concluded between them must contain provisions capable of guaranteeing the lawful processing, by the assignee, of the traffic data and of enabling the service provider to ensure, at all times, that that assignee is complying with those provisions.
Hence, under the principles mentioned above, authorized Operators, which provide their electronic communication services in the Italian market are required to comply with article n.123 of the Code, that must be interpreted in accordance with the ruling of the European Court of Justice related to Article no 6 of the Directive 2002/58, which has inter alia the aim to harmonize the provisions of the Member States required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the European Union.