23 March 2018
The Italian Garante has issued new guidelines to clarify the privacy requirements that data controllers should abide by when creating user profiles. These new guidelines have been effective since 6 May 2015, when they were published in the Official Gazette, and are addressed to private entities operating in Italy that provide online services, such as search engines, electronic mail services, video streaming services, social networks and electronic payment services.
In particular, if they use personal data to profile users' habits on the web, such entities shall:
- provide an information notice set out in progressive levels, the first of which should be accessible on the home page;
- ask for and obtain the free and informed consent of data subjects before collecting and processing their data to make direct marketing more effective; and
- provide a storage timeframe, which is proportional to the scope for which the data has been collected.
Although these guidelines do not introduce ground-breaking principles and are mainly addressed to professional service providers, it is worth noting that the Garante is issuing a number of guidelines providing practical instructions on how to organize websites to make them compliant with Italian data protection law.
In case of infringement of these guidelines, the Garante may impose monetary sanctions on the infringer and block data which is unlawfully collected and processed and, in certain cases, will pursue criminal sanctions.