On June 17, the DPA issued a decision (source document in Italian) in the Official Gazette setting out guidelines with respect to mobile payments. According to the DPA, express consent will be necessary not only to transmit the data to third parties but also if the information is processed by the same subject who acquires the data for purposes different from those strictly related to the payment, such as marketing. Data can be stored for no more than six months, and the IP address of the client must be automatically deleted after the completion of the transaction. Specific measures are required to be implemented in order to protect the confidentiality of the relevant data, including tracking access by employees of the operator and encryption. A detailed list of instructions also provides guidelines for phone operators, which have access to a wide range of information, to prevent cross-profiling of user preferences.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.