The Italian Data Protection Authority (Garante) has recently approved a request of authorization, by means of a prior checking procedure, filed by a phone company having asked to be allowed to enrich its database containing personal data of its costumers without the prior consent of the interested persons.
Such an enrichment process would imply the collection and assessment of consumer habits and behavior of its clients as well as some statistics data about the area and context where they live and work.
The phone company stressed that such an operation was particularly important in order to elaborate a new commercial sales strategy and, at the same time, for the development of its communication network. The Garante, in turn, observed that, by crossing new data—collected without a prior consent—with some personal and statistics data, it could be, however, possible to track the user’s identity.
In order to avoid these consequences, the company shall adopt some specific security measures and precautions as duly prescribed by the authority.
The Garante set, in particular, that:
- The ID codes used for the management of telephone service must be different from those adopted for users’ profiling activities;
- All the collected data may be used only for the processing of new commercial sales;
- The data used for customers’ profiling and the so-called “data enriched” must be erased or irreversibly anonymised within 12 months since their collection;
- The phone company must update the information notice provided to users in order to inform on new processing;
- The company must send to the Garante a technical report and a legal one that shows the adoption of the measures indicated, and
- The company must submit a dossier to the Garante on marketing campaigns carried out with the new system over the past 12 months.