Garante per la protezione dei dati personali (Italy) - 9668051

From GDPRhub
Garante per la protezione dei dati personali (Italy) - 9668051
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1) GDPR
Article 58(2)(d) GDPR
Article 58(2)(f) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 09.06.2021
Published:
Fine: None
Parties: Pago PA S.p.A
National Case Number/Name: 9668051
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Italian
Original Source: GDPD (in IT)
Initial Contributor: n/a

The Italian DPA temporarily restricted data processing by “PagoPA S.p.A” on its public services app, "app IO." It found that Google and Mixpanel Inc. were collecting and processing the data of identifiable users without obtaining their consent and without a legal basis. PagoPA S.p.A has thirty days to redesign the app to conform with the principles of Article 5(1) GDPR and to allow users to consent or object to the processing of their data.

English Summary[edit | edit source]

Facts[edit | edit source]

“IO” is an app run by the Italian public payment system “PagoPA S.p.A” (S.p.A is the Italian equivalent of PLC, Public Limited Company). The app IO offers access to all of the digital services of the Italian Public Administration, and has been downloaded by more than 11,5 million of users. It offers access to over 12,000 services, such as tax payment systems, which are provided by more than 5,000 national and local institutions.

The Italian DPA (Garante per la protezione dei dati personali) previously recognized some weaknesses in the IO app, in an opinion issued on June 12th, 2020 (9367375). For this reason, after the decree of May 31st, 2021—which established the digital COVID-19 Green Certifications— the Italian DPA reserved the right to conduct further investigation of the app IO, since citizens can use the app to receive and demonstrate their Green Certifications.

Through investigation, the Italian DPA detected some critical issues in the app’s interactions with Google LLC and Mixpanel Inc. These interactions include a tracking system that allows the app to link frequent behavioral patterns to certain identified (or identifiable) individuals while using the different services offered by the app IO. On the one hand, use of the app on an Android device automatically triggers Google's Firebase Analytics services, which allow Google to monitor installation of the app and to send push notifications. On the other hand, Mixpanel's tracking libraries, imbedded in the app IO, automatically sends data about a wide variety of app-based actions tied to a unique identified user back to Mixpanel systems. Both of these functions are triggered automatically during the user’s first access of the app IO, and it is up to the users themselves to disable the services if they are not interested in them.

Holding[edit | edit source]

The Italian DPA opined that data processing by Google and Mixpanel on the app IO do not conform to the principles of lawfulness, fairness and transparency, and the principles of purpose limitation, data minimization, and integrity, in accordance with Article 5(1) GDPR. It added that Google and Mixpanel had failed to make clear the purpose of data processing on the app, and that the forms of processing concerned are not strictly necessary for the purposes of "assistance, debugging and improvement of the App IO" declared by PagoPA.

Through the authority identified in Article 58(2)(f) GDPR, the Italian DPA imposed on PagoPA S.p.A the following limitations:

- Referring to Google LLC, the Italian DPA only allows data processing that is strictly necessary to send push notifications to app IO users who explicitly and freely activate this function for some services.

- Referring to Mixpanel Inc., the Italian DPA suspends data storage on user’s devices, access to data about app usage by identified users, and the collection of this data on Mixpanel’s systems; moreover, it suspends any other data processing concerning data that has already been sent to Mixpanel for purposes other than data retention, even by third parties.

In addition, through the authority identified in Article 58(2)(d) GDPR, the Italian DPA orders PagoPA S.p.A to adopt the appropriate technical measures to modify the activation terms of the available services in the app IO, the activation of push notifications, and the activation of forwarding functions linked to via-email, to guarantee the free, explicit, and specific consent of users to such data processing. The DPA PagoPA S.p.A to adopt these changes.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
















SEE ALSO

PRESS RELEASE OF 18 JUNE 2021

PRESS RELEASE OF 16 JUNE 2021

PRESS RELEASE OF 11 JUNE 202

PRESS RELEASE OF 10 JUNE 2021

PROVISION OF 17 JUNE 2021

PROVISION OF 16 JUNE 2021



[doc. web n. 9668051]

Corrective measure against PagoPA on the functioning of the IO App - 9 June 2021

Record of measures
n. 230 of 9 June 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation - hereinafter, Regulation);

GIVEN the legislative decree of 30 June 2003, n. 196, containing the Code regarding the protection of personal data (hereinafter, the Code);

GIVEN art. 64-bis of the legislative decree 7 March 2005, n. 82, (hereinafter, CAD), which, in paragraph 1, provides for public administrations "to make their services available online, in compliance with the Guidelines, through the electronic access point activated at the Presidency of the Council of Ministers";

GIVEN art. 8, paragraph 3, of the decree law 14 December 2018, n. 135, converted, with modifications, by the law 11 February 2019, n. 12, which provides that, for the design, development, management and implementation of the telematic access point referred to in the aforementioned art. 64-bis of the CAD, the Presidency of the Council of Ministers makes use of the company PagoPA S.p.a., established with d.P.C.M. 19 June 2019, pursuant to paragraph 1 of the same art. 8 of the d.l. 135/2018 (hereinafter, PagoPA or Company);

GIVEN the outline of the Guidelines referred to in art. 64-bis of the CAD, sent to the Guarantor by the Agency for Digital Italy (hereinafter, AgID) for the opinion required by art. 71 of the CAD - in an initial version being updated - on May 3, 2021, and the impact assessment on data protection, sent by the Company on June 26, 2020, relating to the characteristics of the illo tempore treatments carried out, in the testing phase;

NOTING that the aforementioned telematic access point consists of the App IO for mobile devices (which can be downloaded free of charge from the Apple and Google app stores) and the set of systems and technological components made available by PagoPA (hereinafter, in their entirety , Platform IO), and is integrated with the platform referred to in art. 5, paragraph 2, of the CAD (so-called "PagoPA Platform");

GIVEN the provision n. 102 of 12 June 2020 (web doc. No. 9367375), with which the Guarantor, in addition to issuing the opinion on the draft provision of the Director of the Revenue Agency adopted pursuant to art. 176 of the law decree of 19 May 2020, n. 34 - converted, with amendments, by law n. 77, on "holiday tax credit" (so-called holiday bonus) - has also authorized the Revenue Agency to use the IO Platform, pursuant to Articles 58, par. 3, lett. c), of the Regulation and 2-quinquiesdecies of the Code, in compliance with the following requirements:

the user must be informed of the possibility of deactivating push notifications and also on the treatments carried out in case of activation of the same, ensuring, in any case, that the content of the notifications is limited to warning the user of the need to consult the App , without providing detailed information on the sender and the content of the message subject of the notification (point 5.2 of the provision);

it is necessary to ensure that the aforementioned App does not provide for automatic subscription to all the services available there and the related messaging, adopting technical and organizational measures necessary to guarantee users the possibility of choosing the providers from which to receive the aforementioned messages (so-called opt -in), even in the experimental phase (point 5.3 of the provision);

the legitimacy of the transfer of personal data to third countries must be ensured, considering that, for the management of the IO Platform, PagoPA makes use of some suppliers (including Microsoft, Google, Instabug and Mixpanel) who carry out processing outside the Union European (point 5.4 of the provision);

HAVING REGARD, moreover, to provision no. 232 of 26 November 2020 (web doc. 9492345), with which the Guarantor expressed himself, pursuant to art. 58, par. 3, lett. c), of the Regulations and 2-quinquiesdecies of the Code, regarding the use of the IO App for the implementation of the interim cashback program referred to in art. 1, paragraphs from 288 to 290, of the law of 27 December 2019, n. 160, by the Ministry of Economy and Finance, recalling the aforementioned provisions and reserving any further evaluation of the outcome of the overall investigation regarding the treatments carried out within the App IO as a telematic access point pursuant to art . 64-bis of the CAD;

NOTING also that, most recently, art. 42, paragraph 2, of the decree law 31 May 2021, n. 77, established that “the COVID-19 green certifications referred to in article 9 of decree-law 22 n. 52 of 2021, are made available to the interested party […] also through the electronic access point referred to in Article 64-bis of Legislative Decree no. 82 ", and that the Guarantor, in giving its opinion with the provision adopted today, on the draft decree of the President of the Council of Ministers of implementation, which governs the treatments connected to the activation of the National Platform-DGC for the issue , the issue and verification of the Covid-19 green certifications, reserved the right to carry out further investigations on the use of the IO App;

CONSIDERING that the aforementioned telematic access point represents one of the so-called enabling platforms at the center of the digital transformation policies of the public administration and that the App IO, currently downloaded by about 11.5 million users, currently makes available over 12,000 services provided by more than 5,000 entities at national and local level ;

CONSIDERING, therefore, it is necessary to ensure that, pending the adoption of the aforementioned implementation guidelines of art. 64-bis of the DAC and the overall assessment of the Guarantor on the treatments that are intended to be carried out through the aforementioned telematic access point, the treatments of personal data currently in place, or that are intended to be launched shortly, through the IO Platform, take place in compliance with the Regulations and the Code;

CONSIDERING the recent investigations of a technical-legal nature carried out ex officio, for these reasons, based on the analysis of the source code of the App IO, of the documentation available on the network, also relating to the software libraries recalled within the App , as well as the observation of the behavior held by the same during its execution on a mobile device, with particular regard to its interactions with the services of Google LLC (hereinafter, Google), Mixpanel Inc. (hereinafter, Mixpanel) and Instabug Inc . (hereinafter, Instabug), companies established in the United States, responsible for the processing of PagoPA, which also make use of IT systems (processing and storage resources) located there and other suppliers also established in third countries;

DETECTED the serious critical elements that emerged during the aforementioned investigations, which require an immediate examination by the Authority, due to the highly probable and serious risks they present for the rights and freedoms of the interested parties illustrated below:

A) the interactions of the App IO with the services of Google and Mixpanel: the App IO, upon first launch and during its execution on a user's device, stores certain information on the same and, in some cases, accesses to information already stored, to be transmitted to Google and Mixpanel. In particular:

with reference to the use of the Google software libraries, it emerged that the App IO, at its first start on an Android device, automatically initiates the Google Firebase services, thus creating a unique identifier associated with the installation of the App, which would be necessary, in the case in question, only for the purpose of sending push notifications by Google. This identifier is, on the other hand, generated, by default, in relation to the devices of all users of the IO App, regardless of the will of each to make use of this notification service, and is also used in the context of some interactions of the '' App with Google's Firebase Analytics services that allow, at least, to monitor the installations of the IO App on users' devices. This, without the purpose of this processing being clear and, moreover, without the user being adequately informed and being able to express, in a conscious way, the consent provided for by art. 122 of the Code;

with regard, instead, to the Mixpanel software libraries, it is noted that, as also highlighted by PagoPA in determining the purchase of this service, available on the Company's website, these represent a "tool for analyzing technological products aimed at understanding the behavior of users of individual products, to view, segment and analyze their data, in order to measure their success and dissemination and identify, along this path, areas for improvement "and" is able to offer detailed information in real time on how people interact with the App in order to focus on the features with the greatest impact and to innovate faster the digital services made available to citizens on the App ". The technical checks carried out have shown that the Mixpanel tracking libraries, present within the App IO, have been configured to automatically and systematically send data relating to a plurality of events (generated during the use of the app by part of the user) to Mixpanel systems, together with a unique user identifier. This, even in this case, without the user being adequately informed and being able to express the consent referred to in art. 122 of the Code. The information sent to Mixpanel concerns, among others, the holiday bonus of the Revenue Agency (e.g. events relating to the verification of the requirements for requesting the bonus and its generation), the cashback program of the Ministry of Economy and Finance (e.g. the list of transactions participating in the cashback program and the so-called hashpans of the users' electronic payment instruments,), as well as the use of the PagoPA Platform (e.g. the events relating to the addition of payment instruments to the wallet of the user and the execution of payments in favor of public administrations and managers of public services). In this regard, it should be borne in mind that the unique identifier used, based on its characteristics, can be qualified as personal data and can be used to create profiles of users of the IO App and identify them, being generated through a deterministic function, which is also made public. (see GitHub repository of the IO App), which, starting from a user's tax code, always produces the same identifier, even if a different mobile device is used, thus allowing the re-identification of the interested parties. This, since this identifier has a high degree of associability with the user's tax code, also taking into account that, in the case in question, the identifier is transmitted by the App IO to the Mixpanel systems together with the IP address of the device. 'user and other information relating to his device and the events being tracked;

B) the automatic activation of the services offered within the App IO: it is ascertained that, contrary to what is already prescribed by the Guarantor with the aforementioned provision of 12 June 2020, upon first access by the user, all the services made available by each entity present in the App IO, both nationally and locally, and those that will gradually become available, are already active, by default, and it is up to the user to promptly deactivate the services not of interest (so-called opt-out method), the number of which, which has recently increased exponentially, today is equal to over 12 thousand services referable to more than 5 thousand entities. Furthermore, a feature has not been implemented to allow the interested party to block all the services present in the App, nor to disable all the services offered by a single entity;

C) the use of push notifications: the use of these notifications to inform users of the receipt of a message within the App IO inevitably involves the processing of personal data by the operators of the operating systems of the devices used (Apple and Google). Furthermore, it has been ascertained that, for each active service, in addition to the forwarding of messages via e-mail, the functions relating to the sending of the aforementioned notifications are enabled by default, with the consequence that the unique identifier assigned from Google to users with Android devices (see letter A), point 1) is also generated if the data subject decides not to make use of this notification method;

CONSIDERING, in the light of the above, that, in particular:

the use of the Google and Mixpanel libraries involves, albeit to a different extent, a tracking that allows to trace, to specific identified or identifiable subjects, specific actions or behavioral patterns recurring in the use of the various services offered within the App IO, which is not strictly necessary to provide the services explicitly requested by a user within the App IO, nor, with reference to Mixpanel, is it necessary for the pursuit of the purposes of "assistance, debugging and improvement of the App IO "Declared by PagoPA (in the information provided to users and in the documentation provided to the Guarantor). This, however, without the purpose of the processing carried out through these tools being clear and without the user being adequately informed and therefore able to express with full awareness the consent, provided for by art. 122 of the Code, for storing information on your device and for accessing those already stored;

the systematic collection and subsequent processing of the aforementioned information, of an extremely personal nature (e.g. economic transactions and hashpan of users' payment instruments, processed by PagoPA as part of the cashback program as data processor on behalf of the Ministry of the Economy and finance) and referring to millions of interested parties, on Mixpanel systems, do not comply, as well as with the principles of lawfulness, correctness and transparency and purpose limitation, also with the principles of minimization and integrity and confidentiality (the latter with particular with regard to the failure to adopt adequate measures to guarantee the confidentiality of the hashpans of the users' payment instruments) pursuant to art. 5, par. 1, of the Regulations;

the use of the services offered by Google, Mixpanel and Instabug, which in turn make use of numerous suppliers established outside the European Union, inevitably involves the transfer of the data described above to third countries (e.g. United States, India, Australia), in relation to which the adoption of adequate guarantees pursuant to art. 44 and ss. of the Regulation. This, also taking into account that, regardless of the place where the computer systems on which the personal data of users of the App IO are located, remote access to these processing systems by subjects established outside the European Union, however, configures a transfer of data to third countries (see, on this point, the "Recommendations 01/2020 relating to the measures that integrate the transfer tools in order to ensure compliance with the level of data protection", adopted by European Data Protection Board on 10 November 2020, spec. Notes 22 and 27);

the activation, by default, of all the services available within the IO App (over 12 thousand), with the described automatic enabling of the receipt of push notifications and forwarding via e-mail, does not allow users the possibility to choose the entities and services for which to receive the aforementioned notifications and messages in opt-in mode, an element that must be considered necessary, in the present case, also in consideration of the failure to adopt simplified procedures for the deactivation of the same by users , therefore, in contrast with the principles of proportionality and privacy by design and by default;

CONSIDERING, on this basis, the need to intervene urgently on these aspects to protect the rights and freedoms of the interested parties, pending the conclusion of the investigations in progress, due to the fact that, as represented above, the treatments in question involve millions of interested and refer to an increasing number of services offered by public administrations and managers of public services through the IO App, which also concern particularly delicate data (e.g. economic transactions and payment instruments) and health, taking into account that it was recently also proposed the use of the IO App to make Covid-19 green certifications available to users;

CONSIDERING, therefore, urgently - being the notification referred to in art. 166, paragraph 5, of the Code incompatible with the nature and purpose of this provision - to have to adopt the following measures:

1) to impose on PagoPA, pursuant to art. 58, par. 2, lett. f) of the Regulations, the provisional limitation - to be made operational without undue delay, and in any case no later than seven days from the receipt of this provision - of the treatments carried out through the IO App which involve interaction with:

a) Google services, allowing only the processing necessary for sending push notifications to users of the IO App who have explicitly and freely activated this functionality;

b) the Mixpanel services, suspending the storage of data on users' devices, access to such data and the collection of the same on Mixpanel systems, as well as interrupting any other further processing of data, already sent to Mixpanel, carried out for purposes other than the mere conservation of the same;

2) to order PagoPA, pursuant to art. 58, par. 2, lett. d), of the Regulations, to adopt, within thirty days of receipt of this provision, technical and organizational measures necessary to modify the methods of activating the services available within the App IO and the related push notification and forwarding functions. e-mail messages, guaranteeing all interested parties the possibility of a free, explicit and specific choice in relation to each service or services offered by a specific body (so-called opt-in method), as well as those necessary to ensure the same guarantees towards those who are already users of the App in relation to the automatically activated services;

3) to order PagoPA, pursuant to art. 157 of the Code, to provide the Authority:

a) within thirty days of receipt of this provision, adequately documented feedback on the measures that it intends to adopt in order to make the processing carried out through the IO App which provide for the interactions referred to in compliance with the regulations on personal data protection in the previous point 1), lett. a) and b);

b) within forty days of receipt of this provision, an adequately documented feedback on the initiatives undertaken in order to implement the provisions of point 2) above;

RESERVED any other determination, including sanctions, to be adopted against the subjects involved in various capacities in the processing of personal data carried out through the IO Platform, on the basis of subsequent investigations and discussions with the Company;

TAKING INTO ACCOUNT that: non-compliance with a provisional limitation order of the processing adopted by the Guarantor is subject to the criminal sanction pursuant to art. 170 of the Code and the pecuniary administrative sanction provided for by art. 83, par. 5, lett. e), of the Regulations; non-compliance with an order adopted by the Guarantor pursuant to art. 58, par. 2, of the Regulations is subject to the pecuniary administrative sanction provided for by art. 83, par. 6, of the Regulations; failure to respond to a request for information pursuant to art. 157 of the Code, is subject, pursuant to art. 166, paragraph 2, of the Code, to the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulations;

CONSIDERING that the conditions set out in art. 17 of regulation no. 1/2019 of the Guarantor concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor;

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

WHEREAS, THE GUARANTOR

1) pursuant to art. 58, par. 2, lett. f), of the Regulation, requires PagoPA S.p.A. (CF / VAT number 15376371009) the temporary limitation - to be made operational without undue delay, and in any case no later than seven days from the receipt of this provision - of the treatments carried out through the IO App which involve interaction with:

a) the services of Google LLC, allowing only the processing necessary for sending push notifications to users of the IO App who have explicitly and freely activated this functionality for certain services;

b) the services of Mixpanel Inc., suspending the storage of data on users' devices, access to such data and the collection of the same on Mixpanel systems, as well as interrupting any further processing of data already sent to Mixpanel carried out, also by other subjects, for purposes other than the mere conservation of the same;

2) pursuant to art. 58, par. 2, lett. d), of the Regulation, orders PagoPA S.p.A. to adopt, within thirty days of receipt of this provision, technical and organizational measures necessary to modify the methods of activating the services available within the App IO and the related push notification and forwarding of messages via e-mail, guaranteeing all interested parties the possibility of a free, explicit and specific choice in relation to each service or services offered by a specific body (so-called opt-in method), as well as ensuring the same guarantees towards those for whom, being already users of the IO App, unsolicited services have been automatically activated in a free, explicit and specific way;

3) pursuant to art. 157 of the Code, to order PagoPA S.p.A. to provide the Authority with:

a) within thirty days of receipt of this provision, an adequately documented feedback on the measures it intends to adopt in order to make the processing carried out through the IO App that provide for interactions compliant with the regulations on the protection of personal data referred to in the previous point 1), lett. a) and b);

b) within forty days of receipt of this provision, an adequately documented feedback on the initiatives undertaken in order to implement the provisions of point 2) above;

4) arranges for the transmission of this provision also to the Presidency of the Council of Ministers, the Ministry of Economy and Finance, the Ministry of Health, the Revenue Agency and the AgID for the relevant assessments;

5) provides for the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself.

Rome, June 9, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei









   function printDiv (divIdToPrint, title)
    {
var divToPrint = document.getElementById (divIdToPrint);
var newWin = window.open ('', 'Print-Window');
newWin.document.open ();
newWin.document.write ('<html> <body onload = "window.print ()"> <img style = "width: 100%;" src = "/ o / guarante-privacy-theme / images / topdoc.gif "/> <h2 class =" internal-title "> '+ title +' </h2> '+ divToPrint.innerHTML +' </body> </html> ');
newWin.document.close ();
setTimeout (function () {newWin.close ();}, 10);
  }






SEE ALSO

PRESS RELEASE OF 18 JUNE 2021

PRESS RELEASE OF 16 JUNE 2021

PRESS RELEASE OF 11 JUNE 202

PRESS RELEASE OF 10 JUNE 2021

PROVISION OF 17 JUNE 2021

PROVISION OF 16 JUNE 2021



[doc. web n. 9668051]

Corrective measure against PagoPA on the functioning of the IO App - 9 June 2021

Record of measures
n. 230 of 9 June 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation - hereinafter, Regulation);

GIVEN the legislative decree of 30 June 2003, n. 196, containing the Code regarding the protection of personal data (hereinafter, the Code);

GIVEN art. 64-bis of the legislative decree 7 March 2005, n. 82, (hereinafter, CAD), which, in paragraph 1, provides for public administrations "to make their services available online, in compliance with the Guidelines, through the electronic access point activated at the Presidency of the Council of Ministers";

GIVEN art. 8, paragraph 3, of the decree law 14 December 2018, n. 135, converted, with modifications, by the law 11 February 2019, n. 12, which provides that, for the design, development, management and implementation of the telematic access point referred to in the aforementioned art. 64-bis of the CAD, the Presidency of the Council of Ministers makes use of the company PagoPA S.p.a., established with d.P.C.M. 19 June 2019, pursuant to paragraph 1 of the same art. 8 of the d.l. 135/2018 (hereinafter, PagoPA or Company);

GIVEN the outline of the Guidelines referred to in art. 64-bis of the CAD, sent to the Guarantor by the Agency for Digital Italy (hereinafter, AgID) for the opinion required by art. 71 of the CAD - in an initial version being updated - on May 3, 2021, and the impact assessment on data protection, sent by the Company on June 26, 2020, relating to the characteristics of the illo tempore treatments carried out, in the testing phase;

NOTING that the aforementioned telematic access point consists of the App IO for mobile devices (which can be downloaded free of charge from the Apple and Google app stores) and the set of systems and technological components made available by PagoPA (hereinafter, in their entirety , Platform IO), and is integrated with the platform referred to in art. 5, paragraph 2, of the CAD (so-called "PagoPA Platform");

GIVEN the provision n. 102 of 12 June 2020 (web doc. No. 9367375), with which the Guarantor, in addition to issuing the opinion on the draft provision of the Director of the Revenue Agency adopted pursuant to art. 176 of the law decree of 19 May 2020, n. 34 - converted, with amendments, by law n. 77, on "holiday tax credit" (so-called holiday bonus) - has also authorized the Revenue Agency to use the IO Platform, pursuant to Articles 58, par. 3, lett. c), of the Regulation and 2-quinquiesdecies of the Code, in compliance with the following requirements:

the user must be informed of the possibility of deactivating push notifications and also on the treatments carried out in case of activation of the same, ensuring, in any case, that the content of the notifications is limited to warning the user of the need to consult the App , without providing detailed information on the sender and the content of the message subject of the notification (point 5.2 of the provision);

it is necessary to ensure that the aforementioned App does not provide for automatic subscription to all the services available there and the related messaging, adopting technical and organizational measures necessary to guarantee users the possibility of choosing the providers from which to receive the aforementioned messages (so-called opt -in), even in the experimental phase (point 5.3 of the provision);

the legitimacy of the transfer of personal data to third countries must be ensured, considering that, for the management of the IO Platform, PagoPA makes use of some suppliers (including Microsoft, Google, Instabug and Mixpanel) who carry out processing outside the Union European (point 5.4 of the provision);

HAVING REGARD, moreover, to provision no. 232 of 26 November 2020 (web doc. 9492345), with which the Guarantor expressed himself, pursuant to art. 58, par. 3, lett. c), of the Regulations and 2-quinquiesdecies of the Code, regarding the use of the IO App for the implementation of the interim cashback program referred to in art. 1, paragraphs from 288 to 290, of the law of 27 December 2019, n. 160, by the Ministry of Economy and Finance, recalling the aforementioned provisions and reserving any further evaluation of the outcome of the overall investigation regarding the treatments carried out within the App IO as a telematic access point pursuant to art . 64-bis of the CAD;

NOTING also that, most recently, art. 42, paragraph 2, of the decree law 31 May 2021, n. 77, established that “the COVID-19 green certifications referred to in article 9 of decree-law 22 n. 52 of 2021, are made available to the interested party […] also through the electronic access point referred to in Article 64-bis of Legislative Decree no. 82 ", and that the Guarantor, in giving its opinion with the provision adopted today, on the draft decree of the President of the Council of Ministers of implementation, which governs the treatments connected to the activation of the National Platform-DGC for the issue , the issue and verification of the Covid-19 green certifications, reserved the right to carry out further investigations on the use of the IO App;

CONSIDERING that the aforementioned telematic access point represents one of the so-called enabling platforms at the center of the digital transformation policies of the public administration and that the App IO, currently downloaded by about 11.5 million users, currently makes available over 12,000 services provided by more than 5,000 entities at national and local level ;

CONSIDERING, therefore, it is necessary to ensure that, pending the adoption of the aforementioned implementation guidelines of art. 64-bis of the DAC and the overall assessment of the Guarantor on the treatments that are intended to be carried out through the aforementioned telematic access point, the treatments of personal data currently in place, or that are intended to be launched shortly, through the IO Platform, take place in compliance with the Regulations and the Code;

CONSIDERING the recent investigations of a technical-legal nature carried out ex officio, for these reasons, based on the analysis of the source code of the App IO, of the documentation available on the network, also relating to the software libraries recalled within the App , as well as the observation of the behavior held by the same during its execution on a mobile device, with particular regard to its interactions with the services of Google LLC (hereinafter, Google), Mixpanel Inc. (hereinafter, Mixpanel) and Instabug Inc . (hereinafter, Instabug), companies established in the United States, responsible for the processing of PagoPA, which also make use of IT systems (processing and storage resources) located there and other suppliers also established in third countries;

DETECTED the serious critical elements that emerged during the aforementioned investigations, which require an immediate examination by the Authority, due to the highly probable and serious risks they present for the rights and freedoms of the interested parties illustrated below:

A) the interactions of the App IO with the services of Google and Mixpanel: the App IO, upon first launch and during its execution on a user's device, stores certain information on the same and, in some cases, accesses to information already stored, to be transmitted to Google and Mixpanel. In particular:

with reference to the use of the Google software libraries, it emerged that the App IO, at its first start on an Android device, automatically initiates the Google Firebase services, thus creating a unique identifier associated with the installation of the App, which would be necessary, in the case in question, only for the purpose of sending push notifications by Google. This identifier is, on the other hand, generated, by default, in relation to the devices of all users of the IO App, regardless of the will of each to make use of this notification service, and is also used in the context of some interactions of the '' App with Google's Firebase Analytics services that allow, at least, to monitor the installations of the IO App on users' devices. This, without the purpose of this processing being clear and, moreover, without the user being adequately informed and being able to express, in a conscious way, the consent provided for by art. 122 of the Code;

with regard, instead, to the Mixpanel software libraries, it is noted that, as also highlighted by PagoPA in determining the purchase of this service, available on the Company's website, these represent a "tool for analyzing technological products aimed at understanding the behavior of users of individual products, to view, segment and analyze their data, in order to measure their success and dissemination and identify, along this path, areas for improvement "and" is able to offer detailed information in real time on how people interact with the App in order to focus on the features with the greatest impact and to innovate faster the digital services made available to citizens on the App ". The technical checks carried out have shown that the Mixpanel tracking libraries, present within the App IO, have been configured to automatically and systematically send data relating to a plurality of events (generated during the use of the app by part of the user) to Mixpanel systems, together with a unique user identifier. This, even in this case, without the user being adequately informed and being able to express the consent referred to in art. 122 of the Code. The information sent to Mixpanel concerns, among others, the holiday bonus of the Revenue Agency (e.g. events relating to the verification of the requirements for requesting the bonus and its generation), the cashback program of the Ministry of Economy and Finance (e.g. the list of transactions participating in the cashback program and the so-called hashpans of the users' electronic payment instruments,), as well as the use of the PagoPA Platform (e.g. the events relating to the addition of payment instruments to the wallet of the user and the execution of payments in favor of public administrations and managers of public services). In this regard, it should be borne in mind that the unique identifier used, based on its characteristics, can be qualified as personal data and can be used to create profiles of users of the IO App and identify them, being generated through a deterministic function, which is also made public. (see GitHub repository of the IO App), which, starting from a user's tax code, always produces the same identifier, even if a different mobile device is used, thus allowing the re-identification of the interested parties. This, since this identifier has a high degree of associability with the user's tax code, also taking into account that, in the case in question, the identifier is transmitted by the App IO to the Mixpanel systems together with the IP address of the device. 'user and other information relating to his device and the events being tracked;

B) the automatic activation of the services offered within the App IO: it is ascertained that, contrary to what is already prescribed by the Guarantor with the aforementioned provision of 12 June 2020, upon first access by the user, all the services made available by each entity present in the App IO, both nationally and locally, and those that will gradually become available, are already active, by default, and it is up to the user to promptly deactivate the services not of interest (so-called opt-out method), the number of which, which has recently increased exponentially, today is equal to over 12 thousand services referable to more than 5 thousand entities. Furthermore, a feature has not been implemented to allow the interested party to block all the services present in the App, nor to disable all the services offered by a single entity;

C) the use of push notifications: the use of these notifications to inform users of the receipt of a message within the App IO inevitably involves the processing of personal data by the operators of the operating systems of the devices used (Apple and Google). Furthermore, it has been ascertained that, for each active service, in addition to the forwarding of messages via e-mail, the functions relating to the sending of the aforementioned notifications are enabled by default, with the consequence that the unique identifier assigned from Google to users with Android devices (see letter A), point 1) is also generated if the data subject decides not to make use of this notification method;

CONSIDERING, in the light of the above, that, in particular:

the use of the Google and Mixpanel libraries involves, albeit to a different extent, a tracking that allows to trace, to specific identified or identifiable subjects, specific actions or behavioral patterns recurring in the use of the various services offered within the App IO, which is not strictly necessary to provide the services explicitly requested by a user within the App IO, nor, with reference to Mixpanel, is it necessary for the pursuit of the purposes of "assistance, debugging and improvement of the App IO "Declared by PagoPA (in the information provided to users and in the documentation provided to the Guarantor). This, however, without the purpose of the processing carried out through these tools being clear and without the user being adequately informed and therefore able to express with full awareness the consent, provided for by art. 122 of the Code, for storing information on your device and for accessing those already stored;

the systematic collection and subsequent processing of the aforementioned information, of an extremely personal nature (e.g. economic transactions and hashpan of users' payment instruments, processed by PagoPA as part of the cashback program as data processor on behalf of the Ministry of the Economy and finance) and referring to millions of interested parties, on Mixpanel systems, do not comply, as well as with the principles of lawfulness, correctness and transparency and purpose limitation, also with the principles of minimization and integrity and confidentiality (the latter with particular with regard to the failure to adopt adequate measures to guarantee the confidentiality of the hashpans of the users' payment instruments) pursuant to art. 5, par. 1, of the Regulations;

the use of the services offered by Google, Mixpanel and Instabug, which in turn make use of numerous suppliers established outside the European Union, inevitably involves the transfer of the data described above to third countries (e.g. United States, India, Australia), in relation to which the adoption of adequate guarantees pursuant to art. 44 and ss. of the Regulation. This, also taking into account that, regardless of the place where the computer systems on which the personal data of users of the App IO are located, remote access to these processing systems by subjects established outside the European Union, however, configures a transfer of data to third countries (see, on this point, the "Recommendations 01/2020 relating to the measures that integrate the transfer tools in order to ensure compliance with the level of data protection", adopted by European Data Protection Board on 10 November 2020, spec. Notes 22 and 27);

the activation, by default, of all the services available within the IO App (over 12 thousand), with the described automatic enabling of the receipt of push notifications and forwarding via e-mail, does not allow users the possibility to choose the entities and services for which to receive the aforementioned notifications and messages in opt-in mode, an element that must be considered necessary, in the present case, also in consideration of the failure to adopt simplified procedures for the deactivation of the same by users , therefore, in contrast with the principles of proportionality and privacy by design and by default;

CONSIDERING, on this basis, the need to intervene urgently on these aspects to protect the rights and freedoms of the interested parties, pending the conclusion of the investigations in progress, due to the fact that, as represented above, the treatments in question involve millions of interested and refer to an increasing number of services offered by public administrations and managers of public services through the IO App, which also concern particularly delicate data (e.g. economic transactions and payment instruments) and health, taking into account that it was recently also proposed the use of the IO App to make Covid-19 green certifications available to users;

CONSIDERING, therefore, urgently - being the notification referred to in art. 166, paragraph 5, of the Code incompatible with the nature and purpose of this provision - to have to adopt the following measures:

1) to impose on PagoPA, pursuant to art. 58, par. 2, lett. f) of the Regulations, the provisional limitation - to be made operational without undue delay, and in any case no later than seven days from the receipt of this provision - of the treatments carried out through the IO App which involve interaction with:

a) Google services, allowing only the processing necessary for sending push notifications to users of the IO App who have explicitly and freely activated this functionality;

b) the Mixpanel services, suspending the storage of data on users' devices, access to such data and the collection of the same on Mixpanel systems, as well as interrupting any other further processing of data, already sent to Mixpanel, carried out for purposes other than the mere conservation of the same;

2) to order PagoPA, pursuant to art. 58, par. 2, lett. d), of the Regulations, to adopt, within thirty days of receipt of this provision, technical and organizational measures necessary to modify the methods of activating the services available within the App IO and the related push notification and forwarding functions. e-mail messages, guaranteeing all interested parties the possibility of a free, explicit and specific choice in relation to each service or services offered by a specific body (so-called opt-in method), as well as those necessary to ensure the same guarantees towards those who are already users of the App in relation to the automatically activated services;

3) to order PagoPA, pursuant to art. 157 of the Code, to provide the Authority:

a) within thirty days of receipt of this provision, adequately documented feedback on the measures that it intends to adopt in order to make the processing carried out through the IO App which provide for the interactions referred to in compliance with the regulations on personal data protection in the previous point 1), lett. a) and b);

b) within forty days of receipt of this provision, an adequately documented feedback on the initiatives undertaken in order to implement the provisions of point 2) above;

RESERVED any other determination, including sanctions, to be adopted against the subjects involved in various capacities in the processing of personal data carried out through the IO Platform, on the basis of subsequent investigations and discussions with the Company;

TAKING INTO ACCOUNT that: non-compliance with a provisional limitation order of the processing adopted by the Guarantor is subject to the criminal sanction pursuant to art. 170 of the Code and the pecuniary administrative sanction provided for by art. 83, par. 5, lett. e), of the Regulations; non-compliance with an order adopted by the Guarantor pursuant to art. 58, par. 2, of the Regulations is subject to the pecuniary administrative sanction provided for by art. 83, par. 6, of the Regulations; failure to respond to a request for information pursuant to art. 157 of the Code, is subject, pursuant to art. 166, paragraph 2, of the Code, to the pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulations;

CONSIDERING that the conditions set out in art. 17 of regulation no. 1/2019 of the Guarantor concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor;

GIVEN the documentation in the deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

WHEREAS, THE GUARANTOR

1) pursuant to art. 58, par. 2, lett. f), of the Regulation, requires PagoPA S.p.A. (CF / VAT number 15376371009) the temporary limitation - to be made operational without undue delay, and in any case no later than seven days from the receipt of this provision - of the treatments carried out through the IO App which involve interaction with:

a) the services of Google LLC, allowing only the processing necessary for sending push notifications to users of the IO App who have explicitly and freely activated this functionality for certain services;

b) the services of Mixpanel Inc., suspending the storage of data on users' devices, access to such data and the collection of the same on Mixpanel systems, as well as interrupting any further processing of data already sent to Mixpanel carried out, also by other subjects, for purposes other than the mere conservation of the same;

2) pursuant to art. 58, par. 2, lett. d), of the Regulation, orders PagoPA S.p.A. to adopt, within thirty days of receipt of this provision, technical and organizational measures necessary to modify the methods of activating the services available within the App IO and the related push notification and forwarding of messages via e-mail, guaranteeing all interested parties the possibility of a free, explicit and specific choice in relation to each service or services offered by a specific body (so-called opt-in method), as well as ensuring the same guarantees towards those for whom, being already users of the IO App, unsolicited services have been automatically activated in a free, explicit and specific way;

3) pursuant to art. 157 of the Code, to order PagoPA S.p.A. to provide the Authority with:

a) within thirty days of receipt of this provision, an adequately documented feedback on the measures it intends to adopt in order to make the processing carried out through the IO App that provide for interactions compliant with the regulations on the protection of personal data referred to in the previous point 1), lett. a) and b);

b) within forty days of receipt of this provision, an adequately documented feedback on the initiatives undertaken in order to implement the provisions of point 2) above;

4) arranges for the transmission of this provision also to the Presidency of the Council of Ministers, the Ministry of Economy and Finance, the Ministry of Health, the Revenue Agency and the AgID for the relevant assessments;

5) provides for the annotation of this provision in the internal register of the Authority, provided for by art. 57, par. 1, lett. u), of the Regulations, violations and measures adopted in compliance with art. 58, par. 2, of the Regulation.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and 10 of the legislative decree 1 September 2011, n. 150, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself.

Rome, June 9, 2021

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei