In 2013, the Italian Data Protection Authority (hereinafter “Authority”) strengthened its inspections of MVNOs, regarding the application of security measures to process telephone and internet traffic data.

The processing of telephone and internet traffic data carries specific risks for fundamental rights and freedoms and data subjects’ dignity. Traffic data stored for investigation and prosecution of crimes – such as, called numbers; date, time, and call duration; location of mobile phone; e-mail addresses; date, time, and duration of access to the network – allow to know and rebuild relations of a person and his habit even if they do not relate to the content . The inappropriate use of the information in question may considerably affect individuals’ private sphere or breach specific secrets in connection with certain activities, relationships and/or professions.

Therefore, the Italian Data Protection Code (hereinafter the “Code”) does not allow electronic communication operators, such as MVNO, to keep them longer than 2 years for telephone traffic data and 1 year for internet traffic data.

On October 3, 2013, the Authority issued two resolutions against Lycamobile S.r.l., a MVNO, which was providing – at the time of the inspection – its mobile communication services in Italy under the agreement singed with H3G.Actually, this MVNO is providing its services under the agreement signed with Vodafone Omnitel NV.

The Authority imposed Lycamobile to retain telephone and internet traffic data under section 132 of the Code, in accordance with specific arrangements and measures to safeguard data subjects.

This MVNO was required to adopt authentication systems (biometrics and/or strong authentication mechanisms, audit log) that must be applied to all technical staff (system administrators, network administrators, database managers) that can access the traffic data kept by the virtual mobile operator; and ensure separation between technical functions consisting in allocation of authentication credentials and identification of authorisation profiles and, on the other hand, technical management of systems and database.

In addition, this MVNO was required to:

  • separate retention of the data: traffic data that are retained exclusively for the purpose of detecting and suppressing criminal offences must be processed with the help of IT systems that are physically different from those used to manage traffic data for other purposes. This applies to both processing and storage components;
  • appoint persons in charge of the processing: the persons in charge of the processing that access traffic data stored for the purposes set forth in section 132 of the Code – also where this is aimed at allowing exercise of the rights mentioned in section 7 of the Code – must be appointed on purpose with regard to the data in question;
  • delete the data: upon expiry of the terms set out in the legislation in force, traffic data must be made unavailable to processing and retrieval by IT systems; they must also be deleted or made anonymous without delay, within a time limit that must be technically compatible with implementation of the relevant IT procedures – this applies both to the databases and processing systems used for processing and to the backup and disaster recovery systems and media, also pursuant to the measures set out in the legislation in force. The operations in question must be documented by no later than thirty days as from expiry of the terms mentioned in section 132 of the Code.

Finally, the Authority imposed to the MVNO to integrate the communication to the public regarding the processing of personal data and forbade the use of data processed and collected illegally for marketing and profiling activity.