Mobile payments update


Any mobile payment this summer?

As you probably know, this is an ever-growing market. According to a study by the Politecnico of Milan, the new “Mobile and App Economy” was worth 25.4 billion euro in 2013 and can reach 40 billion euro in the next years. A survey carried out in collaboration with Doxa (an institute specialized in market research and statistical analysis) in 2014 shows that 67% of Italian citizens are aware of the opportunities offered by mobile remote payments and that 20% of the population has made a purchase through a mobile phone. This confirms the trends that we addressed during our #Fashionline event.

And what about the current Italian regulations?

After a public consultation, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Authority”) issued its decision on the processing of personal data related to mobile remote payments.

The regulation, as discussed during the consultation, is only addressed to electronic communication providers (the “providers”), hubs offering products and digital services (the “hubs”) and merchants offering digital contents and editorial services, multimedia products and games (the “merchants”).

Pursuant to the regulation, at the purchase of the prepaid card or at the subscription of a telephone contract, providers and merchants – in their capacity as data controllers – are required to provide the users with an adequate information notice which can be split in two, with a first summarized notice that includes a second and more complete notice (a solution that the Authority also adopted with regard to cookies, as discussed here).

The information notice shall also be provided by hubs exclusively if they act as autonomous data controllers (directly offering the digital content to the user, guaranteeing assistance further to the sale, as well as managing promotional and marketing communications on digital contents). However, the Authority underlines that should hubs act as managers of the technical platforms used to offer the digital contents to users, they shall be appointed as external data processors. In such case, the information notice shall be provided by providers and merchants listing the hubs as data processors.

The regulation also underlines that consent is generally not required in order to provide the service; however, as a general principle, a specific consent is required should providers, merchants or hubs carry out marketing activities or profile the users.

The Authority urges providers, hubs and merchants to protect personal data collected through mobile remote payments by implementing adequate security measures, guaranteeing adequate protection also for sensitive data.

Finally, while IP addresses must be erased by the merchants once the purchase procedure concerning the digital content is completed, other personal data cannot be retained for more than 6 months from the collection (with particular attention to the fact that should the purchase of the digital content be carried out by the user during the subscription of a telephone contract – instead of being a one-shot purchase – the data retention period shall be calculated from the expiry of the subscription).

There are still no sufficient precedents as to how providers, merchants and hubs will concretely address the new provisions, and how the DPA will enforce them.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising
