New regulation on mobile remote payments!


After a public consultation, the Italian Data Protection Authority (Garante per la protezione dei dati personali, the “Authority”) issued its decision on the processing of personal data related to mobile remote payments.

The regulation, as discussed during the consultation, is only addressed to electronic communication providers (the “providers”), hubs offering products and digital services (the “hubs”) and merchants offering digital contents and editorial services, multimedia products and games (the “merchants”).

Pursuant to the regulation, at the purchase of the prepaid card or at the subscription of a telephone contract, providers and merchants – in their capacity of data controllers – are required to provide the users with an adequate information notice which can be split in two, with a first summarized notice that includes a second and more complete notice (a solution that the Authority also adopted with regard to the cookies, as discussed here).

The information notice shall also be provided by hubs exclusively if they act as autonomous data controllers (directly offering the digital content to the user, guaranteeing assistance further to the sale, as well as managing promotional and marketing communications on digital contents). However, the Authority underlines that should hubs act as managers of the technical platforms used to offer the digital contents to users, they shall be appointed as external data processors. In such case, the information notice shall be provided by providers and merchants listing the hubs as data processors.

The regulation also underlines that consent is generally not required in order to provide the service; however, as a general principle, specific consent is required should providers, merchants or hubs carry out marketing activities or profile the users.

The Authority urges providers, hubs and merchants to protect personal data collected through mobile remote payments by implementing adequate security measures, guaranteeing adequate protection also for sensitive data.

Finally, while IP addresses must be erased by the merchants once the purchase procedure concerning the digital content is completed, other personal data cannot be retained for more than 6 months from the collection (with particular attention to the fact that should the purchase of the digital content be carried out by the user during the subscription of a telephone contract – instead of being a one-shot purchase – the data retention period shall be calculated from the expiry of the subscription).

According to the Authority, the regulation should ensure more protection for users' personal data, also with regard to all operators involved in the revenue chain. The impact of the new regulation, however, will mostly depend upon how providers, merchants and hubs concretely implement the new provisions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© DLA Piper | Attorney Advertising
