After a public consultation, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Authority”) issued its decision on the processing of persona data related to mobile remote payments.

The regulation, as discussed during the consultation, is only addressed to electronic communication providers (the “providers”), hubs offering products and digital services (the “hubs”) and merchants offering digital contents and editorial services, multimedia products and games (the “merchants”).

Pursuant to the regulation, at the purchase of the prepaid card or at the subscription of a telephone contract, providers and merchants – in their capacity of data controllers – are required to provide the users with an adequate information notice which can be split in two, with a first summarized notice that includes a second and more complete notice (a solution that the Authority also adopted with regard to the cookies, as discussed here).

The information notice shall also be provided by hubs exclusively if they act as autonomous data controllers (directly offering the digital content to the user, guaranteeing assistance further to the sale, as well as managing promotional and marketing communications on digital contents). However, the Authority underlines that should hubs act as managers of the technical platforms used to offer the digital contents to users, they shall be appointed as external data processors. In such case, the information notice shall be provided by providers and merchants listing the hubs as data processors.

The regulation also underlines that consent is generally not required in order to provide the service; however as a general principle, a specific consent is required should providers, merchants or hubs carry out marketing activities or profiling the users.

The Authority urges providers, hubs and merchants to protect personal data collected through the mobile remote payments implementing adequate security measures, guaranteeing an adequate protection also for sensitive data.

Finally, while IP addresses must be erased by the merchants once the purchase procedure concerning the digital content is completed, other personal data cannot be retained for more than 6 months from the collection (with particular attention to the fact that should the purchase of the digital content be carried out by the user during the subscription of a telephone contract – instead of being a one-shot purchase – the data retention period shall be calculated from the expiry of the subscription).

According to the Authority the regulation should ensure more protection for users personal data, also with regard to all operators involved in the revenue chain. The impact of the new regulation however will mostly depend upon how providers, merchants and hubs will concretely implement the new provisions.