Time is up for companies operating in the mobile payments’ arena, as from April 1, 2015 the new set of rules issued by the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Italian DPA”) with its Resolution of May 22, 2014 are fully applicable.

As already pointed out in Giulia’s post, the Resolution is addressed to mobile payment services’ main players, such as electronic communication operators (which provide customers with electronic payment services via mobile phone, through prepaid cards or subscriptions), aggregators or hubs (which provide and manage the platforms for the supply of digital products and services), and merchants (which offer digital contents, sell publishing services, multimedia products, games and other services.)

The main features of the Resolution are the following:

  • Privacy Information Notice: at the purchase of the prepaid card or subscription of a telephone contract, operators and merchants, in their capacity of data controllers, shall provide users with a prior information notice pursuant to Section 13 of the Italian Data Protection Code, providing information on the personal data to be collected from the user and the purposes of the processing. The Regulation allows operators and merchants to adopt the “layered” approach, by giving a first short information notice, with a link to an extended information notice.
  • Hub: the relevant details of the hub, when acting as external data processor, shall be indicated in the privacy information notice released by the operator or merchant. Should the hub directly offer digital contents to customers (with collateral activities, such as ensuring post-sale assistance, promotional and marketing communications, etc.), it will be an autonomous data controller and, accordingly, will be required to provide customers with an information notice pursuant to the above mentioned Section 13 of the Italian Data Protection Code.
  • Consent: in general consent is not required; however, a specific consent is required should operators, merchants or hubs carry out marketing or profiling activities, communicate personal data to third parties or process sensitive data.
  • Security Measures: operators, hubs and merchants shall take specific measures to ensure the confidentiality of the data collected, including, for instance, personnel’s authentication systems for the access to personal data, specific procedures to track access and transactions, coding criteria for products and services, and cryptographic systems.
  • Data Storage: users’ data, including mobile messages of activation and deactivation of the service, shall be retained for a maximum of 6 months, while IP addresses must be erased by the merchants once the purchase procedure concerning the digital content is completed.

The Resolution is not addressed to mobile proximity payments, i.e. payments carried out by approaching the mobile device equipped with a NFC – Near Field Communication – to a special POS reader located at the operator’s store. The Italian DPA specifically stated that it will further regulate such payments in the near future.

Hopefully the new rules will increase the trust over remote payments, thus increasing the appeal of digital market places (and the sale of online digital products, newspapers, e-books, etc.).