Privacy Advisor

ITALY—DPA Resolution Provides More Protection for Traffic Data

December 17, 2013

By Rocco Panetta

Amid widespread concern about the management of both telephone traffic data and electronic communication traffic data retained for justice purposes, the Italian Data Protection Authority (Garante) has, by means of a first resolution, forbidden a foreign company from carrying out certain unlawful data processing and prescribed to it a set of technical and organizational measures.

Traffic data stored for justice purposes—such as telephone number, date, time, call duration, e-mail address, mobile phone location and so on—always reveals both the relationships and the habits of individuals. Therefore, this information needs to be protected by means of proper security measures, cannot be used for marketing and/or profiling purposes and cannot be retained longer than is established by the applicable law.

Accordingly, the company is required to control access to the traffic data with strong authentication systems (including ones based on the use of biometric data), keep an ad hoc register recording every single access, allow only authorized persons to process the data, separate the data retained, encrypt and protect the data and so on. Moreover, once the retention period has elapsed, personal data shall be erased. Finally, by means of a second resolution, the IDPA has also ordered the company to amend the users’ information notice and reformulate the forms used to obtain users’ consent.

Rocco Panetta is an Italian lawyer and partner of Panetta & Associati Studio Legale in Rome. He is the former head of legal at the Italian Data Protection Authority and a member of the IAPP Europe Advisory Board.