Mobile payments are now subject to more stringent privacy obligations as a consequence of the decision of the Italian Data Protection Authority that followed the consultation previously covered.
The market for mobile payments is growing rapidly, and the figure published by the University of Milan reporting €1bn in volume may already be out of date. However, such growth brings more burdensome obligations for providers of mobile payment services. As part of this process, the decision of the Italian Data Protection Authority can be summarised as follows:
1. Applicable Entities
The decision is addressed to electronic communication providers, hubs and merchants offering digital content and editorial services, multimedia products and games, as well as any other entity providing mobile apps that charge the price of the purchase to the user's mobile phone credit.
2. Privacy Information Notice
As prescribed by the recent guidelines on the usage of cookies, given the limited space on homepages, providers of mobile payment services may use two levels of privacy information notice. A first notice, listing just the details of the data controller and the purposes of the processing, is placed in a dedicated section of the operator's web page and links to a more detailed privacy information notice that shall list all the information required by Italian data protection law. In particular, the notice shall state whether sensitive data are processed and that the mobile number provided is processed only for the purpose of providing customer support services.
3. Consent
No data protection consent is required to process the data for the management of the mobile payments themselves, but an additional consent is required where data are processed for marketing or profiling purposes, including as part of loyalty programs.
The processing of sensitive data requires an additional written consent, and this requirement can also be met with a digital signature. This is a major issue for mobile devices that collect sensitive personal data, such as wearable technologies and remote patient monitoring systems, since the requirement of written consent for the processing of health-related data risks delaying the growth of such devices. However, the Italian Data Protection Authority declared that it is open to assessing types of signature that can replace the written signature.
4. Security Measures
Products and services purchased by users shall not be categorised on the basis of their specific content, but only on the basis of the category to which they belong, unless the purchase is part of a subscription service that requires knowledge of the specific content/service purchased.
Specific measures shall be adopted to prevent the disclosure of information about users to the different entities involved in the purchase, for instance where a purchase cannot be completed for whatever reason. Access to users' data shall be protected through strong security measures such as cryptographic keys and shall be available only to customer support officers, following a strong authentication procedure that records which officers access the data. In any case, additional safeguards shall be put in place to prevent customer support officers from profiling users simply by cross-referencing data from different sources.
5. Storage of Data
Collected personal data can be stored for no longer than 6 months; afterwards they can be kept only in order to bring a claim or to defend against a claim in a potential dispute.
The above is just a snapshot of a quite complex decision and, as usual, if you want to discuss the above, feel free to contact me, Giulio Coraggio, to discuss. And follow me on Twitter, Google+ and become one of my friends on LinkedIn.