Guidelines On The Processing Of Personal Data For Online Profiling. (Resolution # 161).

Original Language Title: Linee guida in materia di trattamento di dati personali per profilazione on line. (Delibera n. 161).

Read the untranslated law here: http://www.gazzettaufficiale.it/atto/serie_generale/caricaArticoloDefault/originario?atto.dataPubblicazioneGazzetta=2015-05-06&atto.codiceRedazionale=15A03333&elenco30giorni=false&atto.tipoProvvedimento=DECRETO

The AUTHORITY for the PROTECTION OF PERSONAL DATA, at today's meeting, in the presence of Dr. Antonello Soro, President, dott.ssa Augusta Iannini, dott.ssa Giovanna Bianchi Clerici, the vice President and prof.ssa Licia Califano, members, and Dr. Joseph Busia, Secretary General;

Having regard to Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to Directive 2009/136/EC of the European Parliament and of the Council of November 25, 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC and Regulation (EC) no 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws;

Having regard to the personal data protection code (d.lgs. June 30, 2003, n. 196, the Code);

Having regard to the Legislative Decree of April 9, 2003, n. 70, "implementation of Directive 2000/31/EC on certain legal aspects of information society services in the internal market, with particular reference to electronic commerce";

Having regard to the Legislative Decree May 28, 2012, n. 69, "amendments to Legislative Decree June 30, 2003, no. 196, containing the personal data protection code, implementing Directives 2009/136/EC on the processing of personal data and protection of privacy in the electronic communications sector, and 2009/140/EC on electronic communications networks and services, and Regulation (EC) no 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws";

Having regard to the judgment of the Court of Justice of the European Union of May 13, 2014, in case C-131/12;

Having regard to the decision of the Garante # 229, May 8, 2014 on "identifying simplified procedures for information and consent for the use of cookies", published in the Official Gazette No 126 of June 3, 2014 (www.garanteprivacy.it, web doc. # 3118884);

Having regard to the decision of the Garante # 353, July 10, 2014, against Google Inc. on "compliance with the Code of the personal data processing carried out under the new privacy policy" (web doc. # 3283078);

Having regard to the Opinion of the WP 29 # 04/2012 on Cookie Consent Exemption, adopted on June 7, 2012, and the Working Document of the same WP 29 # 02/2013 providing guidance on obtaining consent for cookies, adopted on October 2, 2013 (available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf and http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf);

Having regard to the Opinion of the WP 29 # 2/2006 on privacy aspects relating to e-mail screening services, adopted on February 21, 2006 and available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp118_it.pdf;

Having regard to the Opinion of the WP 29 # 10/2004 on more harmonised information provisions, adopted on November 25, 2004 and available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2004/wp100_it.pdf#h2-11;

Having regard to the Opinion of the WP 29 n. 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, adopted on November 25, 2014 and available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf;

Having regard to the communication of the WP 29 of September 23, 2014 addressed to Google Inc., containing an indication of possible measures to be implemented to bring the processing of data carried out by the company into line with the European regulatory framework for the protection of personal data, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/other-documents/files/2014/20140923_letter_on_google_privacy_policy_appendix.pdf;

Having examined the documentation on file;

Having regard to the observations of the Office, made by the Secretary-General in accordance with art. 15 of the Garante's Regulations No. 1/2000 of June 28, 2000;

Rapporteur: Dr. Antonello Soro;

Given:

1. Within the current information society operate various service providers identified pursuant to art. 2 of d.lgs. April 9, 2003, n. 70, or otherwise definable as those entities that offer online services accessible to the public through electronic communications networks. It must first be considered that, unlike providers not established on national territory, for which only the most recent interpretative trends of the Court of Justice of the European Union have held that, under certain conditions, the European and national regulatory framework on data protection is fully applicable, the information society service providers established on national territory are already required, by virtue of the direct applicability of the principle of establishment laid down in art. 4 of Directive 95/46/EC and art. 5, paragraph 1, of the Code, to comply fully with the requirements and obligations under the aforementioned discipline. For this reason, considering the need to protect competition within the relevant market through uniform treatment of all those required to comply with these obligations, as well as the complexity of those obligations, especially in a sector, such as the one at issue, in which the applicable solutions also differ considerably as technologies develop, the Authority has decided to adopt the present "guidelines on privacy for on-line profiling" (hereinafter the guidelines) with the intent of harmonizing and streamlining the different ways in which compliance with the principles on the protection of personal data can be guaranteed in the activities that characterize the provision of online services. With these guidelines the Authority intends, that is, to provide uniform rules of conduct that implement those standards and those principles of simplification which constitute one of the goals of the institutional action of the Garante.

2.
The range of services offered on the market on the basis of current technology is certainly broad. The functions in question range from web search engines to e-mail, from online maps to the marketing of advertising space, from social networks to the handling of online payments, from virtual shops for buying apps, music, movies, books and magazines to searching, viewing and broadcasting videos, from storage, sharing and proofreading services to image viewing software or software used to manage diaries and calendars, from functionality to control and manage user profiles to storage (cloud services/storage), statistical analysis tools and website visitor tracking, and so on. These are mostly functionalities offered free of charge to end users, since the business model of the companies providing these services often relies on the revenue they derive from advertising. In a considerable number of cases, the data collected is used for profiling purposes, namely for analyzing and processing information related to users or clients in order to divide data subjects into "profiles", i.e. groups that are homogeneous in behavior or in more specific characteristics, with the aim of achieving the unequivocal identification of the individual user (so-called single out) or of the terminal and, through it, also the profile of one or more users of that device.
The categorization is usually instrumental to the provision of services that are increasingly targeted and tailored to the specific needs of the user, to the provision of customized advertising, which therefore has a much greater chance of success (but at the same time also a much higher level of pervasiveness) than generic promotional messages, to the analysis and monitoring of the conduct of website visitors, and to the commercial exploitation of the profiles obtained, which may have a significant market value because of their ability to provide information about propensities to consume goods and services. Users of the functionalities considered can be distinguished according to whether they have an account created through a registration procedure for "authenticated" access to services (authenticated users, as for the e-mail service), or use the same functionalities without prior authentication (unauthenticated users). The preliminary investigation conducted by the Office, together with the overall study of the subject, has identified several areas in which it seems appropriate to call on the parties involved (both those already present and active in the market and those who intend to undertake an activity related to the provision of online data processing services) to comply punctually with the legal requirements for data processing, while considering the specific contexts in which these entities operate and therefore taking into account possible particular ways of guaranteeing the necessary protection of users. Among them:

A) the method and content of the information provided to data subjects, including the clarification of the different purposes and methods of processing of their personal data (art. 13 of the Code);
B) the request for consent for profiling purposes, as well as respect for the data subjects' right to object (arts. 7, 23, 24 and 122 of the Code). The profiling in question can essentially be carried out by:
a) processing, in automated mode, the personal data of authenticated users in connection with their use of the service for sending and receiving e-mails;
b) cross-referencing personal data collected in connection with the provision and use of several different functionalities among those made available to the user;
c) apart from the use of cookies (for which explicit reference is made, besides the applicable legislation, to the requirements set by the Authority in measure # 229 of May 8, 2014 on "identifying simplified procedures for information and consent for the use of cookies", in Official Gazette No 126 of June 3, 2014), using other identifiers (authentication credentials, fingerprinting, etc.) needed to attribute specific actions or recurring behavioural patterns in the use of the functionalities offered (patterns) to specific identified or identifiable subjects;
C) observance of the principle of purpose in the retention of users' personal data (article 11, paragraph 1, letter e), of the Code).

3. With regard to letter A) of the previous paragraph, concerning the obligations under art. 13 of the Code, the Authority intends to emphasize that the information to be provided to users, and thus their prior knowledge of the possible uses of the information relating to them, is the indispensable premise for allowing data subjects to give or withhold consent to the processing of data relating to them, after the necessary personal assessment of the impact that such processing can have on their right to protection of personal data. It is therefore appropriate to remind all data controllers that it is a definite obligation and a condition of compliance with the law to ensure that the information provided to their users is easily accessible, for example with a single click from the page of the domain where the user logs on, and is formulated in a clear, complete and exhaustive manner. It is likewise necessary that, for any updates or changes to this document, data subjects are able to understand and evaluate the changes made, including by comparing the different versions of the statement that may have followed one another over time. In this regard, and with particular reference to the requirements of accessibility and effectiveness of the information, data controllers must be able to comply with the recommendations made by the WP 29 in Opinion No 10/2004 on more harmonised information provisions, adopted on November 25, 2004, and structure the statement on multiple levels, because: "The multilayer warnings can help improve the quality of information on the protection of data; each layer focuses on the information necessary for the person to understand their position and make decisions. Where communication space/time is limited, multi-layered formats can improve the readability of the warnings".
It should be made clear, however, that such an architecture must be configured so as to avoid excessive fragmentation into too many levels, since the resulting dispersal of information would obviously compromise its usability. Where, therefore, a statement structured over several levels is used, the Garante considers that the information should be distributed according to the following criteria: a first level, immediately accessible (with a single click from the visited page), containing all the general information of major importance for users, relating inter alia to the processing of personal data carried out, to the types of personal information processed, also by category (i.e., if applicable, location data of user terminals and WiFi access points, IP addresses, MAC addresses, data on financial transactions and so on), to the status of data controller and its identity, as well as an indication of any data processor and an address at which users can easily exercise their rights. This first level must give at least an indication of the profiling purposes pursued, where appropriate, through the different methods used by the data controller. In line with those profiling purposes and the methods by which the data controller pursues them, the first level must also indicate in detail how consent to the processing is obtained, where necessary. This point is taken up again later. The second level, accessible from the first, can be designed to contain the information on the specific functionalities, with several examples to clarify the methods of processing of personal information. This second level may also hold any prior versions of the privacy statement, even if no longer in force, an indication of the specific risks which may arise for data subjects from the use of the services (such as the choice of a password that is not sufficiently secure because it is easily identified, etc.) and other detailed information such as to allow a more effective exercise of the rights granted to users. The rules that determine the effectiveness and correctness of the information provided to the user must be applied identically for each type of terminal (mobile, tablet, desktop computers, mobile devices and TV plug-ins) and for every application made available to users.

4. As regards paragraph 2, letter B), it is first necessary to recall the general principle of art. 23 of the Code, under which "The processing of personal data by private parties ... is permitted only with the express consent of the data subject"; moreover, this consent is valid only if "it is expressed freely and specifically with reference to a clearly identified processing operation, if it is documented in writing, and if the data subject has been given the information referred to in art. 13." The following art. 24 then governs a number of situations considered equivalent to consent, in which the processing can be carried out even without it. These include, without limitation, the fulfillment of legal obligations, the performance of contractual obligations, the pursuit of a legitimate interest of the data controller or of a third party recipient of the data, etc. The general scope of this principle is then specified in art. 122, contained in the special part of the Code, under which "storing information in the terminal equipment of a contractor or user or access to information already stored are only allowed provided the contractor or the user has given consent after being informed with the simplified mode under art. 13, paragraph 3. This shall not prevent any technical storage or access to information already stored if aimed solely to make the transmission of a communication over an electronic communications network, or as strictly necessary for the service provider of the information society explicitly required by the contractor or by the user to provide such service."

4.1.
Looking at the specific activity of providing the e-mail service for sending and receiving messages, referred to in sub a), letter B), of paragraph 2 above, it emerges that the providers of such functionality carry out processing, in automated mode, of the personal data of authenticated users who use the service, and do so for different purposes. Some of these purposes, including strictly technical ones, are directly related to the provision of the service in question according to specific modalities, such as the use of spam filters, virus detection, the possibility, guaranteed to the user, to perform text searches, use spell check, use selective forwarding of messages or automatic replies in the event of absence, manage preferences and create rules for assigning messages to certain folders based on their content, use flags to mark urgent messages, have messages read aloud for the physically impaired, convert incoming e-mail into text messages for mobile phones, etc. In this case, the processing of the data subjects' data for these purposes (presumably carried out in an automated manner and therefore without human intervention) also serves to safeguard the security of the services offered to the user and is in accordance with Directives 95/46/EC and 2002/58/EC, and is thus exempt from the requirement of prior consent, since it falls within the exemption concerning the fulfilment of obligations arising from the contract for the supply of the e-mail service. To pursue any profiling purposes beyond those directly and closely related to the provision of the specific functionality of the e-mail service, in particular the display to the authenticated user of text messages aimed at providing customized behavioral advertising, it is instead necessary that the data controllers obtain the prior and informed consent of their users.
In this regard, we recall the conclusions of the WP 29 in its Opinion No 2/2006 on privacy aspects relating to e-mail screening services, of February 21, 2006, which, in examining the delicate balance between the need to protect the confidentiality of communications and the provision of services associated with the use of e-mail, and in line with the stated goal of "promoting technologies that integrate the requirements of data protection and privacy in the provision of infrastructure and information systems, including terminal equipment," expressly asked operators to "design and develop systems respectful of privacy, minimising the processing of personal data and limiting it to what is strictly necessary and proportionate to the purpose of processing". In the same Opinion the Group also addressed the possibility of drawing a line between data processing activities carried out for the purposes of managing the service or network security, which do not need to be authorized by the data subject, and those aimed at further purposes, establishing that when processing is not legitimized by the need to safeguard the security of the service provider by virtue of art. 5, paragraph 1 of the e-privacy directive, carrying out other processing operations "without users consent" is to be considered prohibited. From the legal framework thus outlined it follows that, for profiling carried out by processing, in automated mode, authenticated users' personal data in connection with their use of the service for sending and receiving e-mail messages, it is necessary, as reaffirmed here, that the data controller obtain prior and informed consent. With reference to the use of the specific e-mail functions, the Authority reserves the right to adopt any initiative deemed appropriate for the protection of the data subjects.

4.2.
As regards sub b), letter B), of paragraph 2 above, it is necessary to consider the possibility that data controllers cross-reference the personal data of data subjects relating to the use of several different functionalities among those made available. Such conduct too must be assessed in the light of the legal framework and, in this regard, it should be clarified that processing operations aimed at user profiling carried out also by cross-referencing data collected in relation to different functions, not falling under any of the exemptions from the requirement to obtain consent referred to in art. 24 of the Code, may only be carried out with the express manifestation of will by the user. Nor is the mere mention of this purpose among those listed in the information provided to data subjects sufficient to exempt data controllers from the obligation to acquire valid consent.

4.3. As regards, next, the activities carried out by data controllers and recalled in sub c), letter B), of paragraph 2 above (use of identifiers other than cookies, such as authentication credentials, fingerprinting, etc.), it is noted that the use of such identification techniques is based on the processing, by data controllers, of personal data or of information or pieces of information (which are not, or not yet, personal data but which, in association with each other or with other information, may become so), with the aim of achieving the unequivocal identification of the terminal (single out) and, through it, also the profile of one or more users of that device. This technique, called fingerprinting, used to achieve the same profiling purposes, is also covered, like the use of cookies, by art. 122 of the Code, with all that follows regarding the obligation of prior consent of the data subject, except for the exemptions provided for (in this case, the transmission of a communication over an electronic communications network or the provision of a service at the request of the user).
The only appreciable difference between the use of cookies and fingerprinting, on which the Authority intends to dwell further, is that in the first case the user who does not wish to be profiled, in addition to the legal safeguards related to the exercise of the right to object, also has the practical possibility of directly removing the cookies, as they are stored on their device, whereas with fingerprinting the only instrument available is to address a specific request to the data controller, trusting that it will be upheld. This is because the fingerprint does not reside on the user's terminal but on the provider's systems, to which the data subject does not, of course, have free and direct access. Ultimately, it appears evident that, for the processing of data carried out for profiling purposes, in whatever manner, to meet the requirements of arts. 23, 24 and 122 of the Code, the consent of the data subject is needed. To be valid, this consent must also meet the legal requirements and must therefore be free, acquired in advance of the processing, refer to processing that pursues explicit and specific purposes, and be informed and documented in writing. It is therefore necessary that it be expressed through an unequivocal manifestation of will on the part of the data subject.

5. The addressees of this decision, in their entrepreneurial autonomy and in their capacity as data controllers who determine, among other things, "the decisions regarding ... methods of processing of personal data" (article 4, paragraph 1, lett. f) of the Code), can choose the criteria and measures to adopt in order to ensure the necessary compliance with the law of the processing of user data aimed at profiling them, however carried out.
Considering, however, the specific nature of the services offered by those parties, the Garante has nevertheless identified, also in accordance with the mentioned purpose of simplification, an online consent solution capable of satisfying the aforementioned requirements of the existing provisions, in particular arts. 7, 23 and 122 of the Code, on the assumption of course that such consent has not been otherwise acquired through more traditional methods (e.g. coupons, online forms, paper forms, etc.). In this perspective, it is believed that there must necessarily be a stage or a moment, during the user's browsing experience and obviously prior to the use of the functionality, in which the user is actually allowed to choose between several different alternatives. Considering, on the other hand, the distinction drawn in the introduction between authenticated and unauthenticated users, the forms in which such consent is acquired will vary according to the type of user.

5.1. To that effect, with particular regard to unauthenticated users, it must be ascertained whether, at a particular moment in the use of one or more different functionalities, there exists a physical or virtual space capable of enabling them to give their consent to the processing identified above and, at the same time, enabling the data controller to take note and keep track of the choices expressed. If the answer is negative, the data controller must implement such a mechanism, for example by ensuring that an unauthenticated user who accesses the home page (or another page) of the web site immediately sees in the foreground an area of suitable dimensions, that is, large enough to constitute a noticeable discontinuity in the use of the content of the web page being visited, containing at least the following particulars:
i) that the site carries out data processing for profiling purposes by processing personal data according to the specific methods chosen (e.g. by cross-referencing data between different functionalities or by using identifiers other than cookies, also in order to send advertising messages in line with the preferences expressed by the user in the use of the functionalities and in browsing the net, as well as for the purpose of analysing and monitoring the conduct of website visitors or even, for authenticated users, in connection with their use of the service for sending and receiving e-mail messages, etc.);
ii) the link to the privacy statement, which provides all the particulars specified in paragraph 3;
iii) the link to a further area in which the user can opt out of profiling or, where applicable, select, also in an analytical manner, only the functionality or functionalities and methods in connection with whose use the user chooses to be profiled;
iv) an indication that continuing navigation by accessing or selecting an element below or otherwise outside the area in the foreground (for example, a search form, a map, an image or a link) amounts to giving consent to profiling.

The area in question must be an integral part of a mechanism suitable for allowing the expression of a positive action in which the data subject's consent takes concrete form. In other words, it must produce a discontinuity, albeit minimal, in the browsing experience: getting past the displayed area should be possible only through active intervention by the user (namely by selecting an element on the page below the area itself). And it is evident that, from both a legal and a technical point of view, the same meaning cannot be attributed to the alternative action of accessing the further area in which to modulate one's choices, or of selecting, through the link, the page that contains the privacy statement. It should be noted that each of the possible actions available to the user generates a specific computer event which, by virtue of the features described, is unequivocally recognizable by the service provider, who can therefore easily keep track of it. If the user has consented to the use of their data for the stated purposes, this will then fully satisfy the requirement of art. 23 of the Code, which requires that consent be "evidenced in writing". The existence of such "documentation" of the acquisition of consent will then allow the service provider not to present any further discontinuity in navigation on subsequent visits made from the same terminal to the domain or domains it controls, without prejudice of course to the user's ability to opt out and/or modify their options at any time and easily (see article 7, paragraph 4, of the Code).
To make that right, the right to self-determination, effective, it is also required that all web pages attributable to the data controller carry a link to the dedicated area in which the user can fully exercise their rights. If, instead, the user merely selects the link to the privacy statement for further information in order to make more informed choices, the mechanism must be presented again at the first action following that consultation, to allow the user to express consent to or refusal of the processing. Where, finally, the user has chosen to go to the area dedicated to the possible modulation of choices, since this action too, like the selection of the link to the privacy statement, does not yet amount to consent, the provider must record it, then supplementing that information with the additional information on the specific choices made by the user, even in detail. To keep track of the actions and choices, including detailed ones (giving or refusing consent in whole or in part, as well as exercising the right to object to profiling), left to the data subject, the data controller may use either special technical cookies (to that effect, see also recital 25 of Directive 2002/58/EC) or identifiers other than cookies. With the obvious further caveat, however, that if the "documentation" in question has been established through the use of cookies and the user chooses, as is within their power, to remove all those installed on their device, including the "technical" marker in question, then, since this operation, which does not involve the data controller, does not amount to exercising the right to object, the data controller will again, in this case too, have to resort to the consent mechanism described above.
If, however, identifiers other than cookies have been used, which are therefore not stored on the device available to the user but on servers available to the providers, then when the preferences expressed by the data subject change, such preferences being essentially always revocable, it will not be necessary to resort again to the mechanism of re-presenting the discontinuity, but only to update the indications already recorded.

5.2. The mechanism described is intended to create a physical or virtual space dedicated to the collection and management of the consent of unauthenticated users. Authenticated users must of course be guaranteed the same protections; and it is appropriate that, with the aim of ensuring an equally enjoyable browsing experience (user experience), those who have an account or are already registered as users of a particular provider's services be enabled to use the mechanisms for giving, refusing and revoking consent already described for unauthenticated users. The main differences between the two types lie in whether the choices made can be attributed directly or indirectly to the data subjects belonging to one or the other category, the authenticated user being, so to speak, already fully identified in re ipsa, and in the possibility of enjoying all or just some of the services provided, considering that some of them (such as e-mail) are not necessarily reserved exclusively to users who have a specific account. It must also be considered that authenticated users too (both those about to create a new account and those who already have one and are about, in the first session, to use functionality by authenticating and typing their credentials) must necessarily go through a phase of navigation in which, precisely before the account is created or the authenticated access to functionality takes place, they are not yet recognized by the system.
It therefore seems appropriate that, precisely in this preliminary phase, they be offered, like unauthenticated users, the same consent mechanism suggested above; except, however, that if those users are willing to continue navigating, and therefore express their consent by moving past the artificially induced discontinuity and going on, alternatively, to the account creation page (for newly authenticated users) or to the page that displays the screen for typing authentication credentials (for those who already have an account), this stage of navigation, which is typically the moment at which the system is able to attribute behaviors and choices directly and unambiguously to specific individuals, should not be burdened with additional complexity. Also in line with the principle of purpose governed by the code, it is therefore considered that, in the situation outlined, the further step that was the subject of the specific description above can be handled by giving priority to the choices already consciously expressed by the user while unauthenticated, and thus extending the validity of those same wishes to the logically and chronologically later moment at which the user's status changes from unauthenticated to authenticated; subject, however, to two strict conditions. On the one hand, the user must be made fully aware of the rule, as indicated, that confirms the wishes already expressed as an unauthenticated user, and of the fact that, since certain functionality relates exclusively to an authenticated user, the choices concerning it are in the exclusive availability of the latter.
On the other hand, both the right of revocation (of the consent or refusal expressed earlier) and the right to supplement one's preferences with respect to functionality available only to an authenticated user (for example, e-mail) must always be fully guaranteed; and this through the provision of a suitable and visible link to the dedicated area in which to exercise these rights, even in exhaustive detail; that area therefore also including a list of the functionality that, being usable only by signing up for an account, can be the subject of choices by the authenticated user alone. It is understood that the choices regarding the processing of their data for profiling purposes expressed by an unauthenticated user, because they are not linked to an account, will be valid only with reference to the specific device being used, in the first and in subsequent sessions alike, until any revocation; the same cannot be said, however, of the wishes expressed by an authenticated user, which, essentially because of the characteristic already mentioned, namely that the choices are directly attributable to a person identified in re ipsa, are meant to remain valid even if the authenticated user accesses the functionality and services from several different devices. In other words, whereas the documentation of the choices expressed by an unauthenticated user is effective only with respect to the device used, the documentation of the choices of those who have an account persists even if that person uses more than one device. While reaffirming the right of suppliers to adopt the technical procedure they consider most suitable to ensure that the processing of personal data complies with the applicable rules, the Authority considers, also bearing in mind the often invoked need for simplification, that the solution described is the one that, given the current state of internet technology, presents the lowest level of discontinuity in the browsing experience.
All that being said, the Authority, pursuant to art. 154, paragraph 1, letter h) of the code, resolves to adopt these guidelines for all providers of information society services under art. 2 of Legislative Decree no. 70 of April 9, 2003, as well as for all those that otherwise offer their users online services accessible to the public through electronic communications networks, in particular with regard to the processing of personal data relating to the use of the features offered, taking into account the indications and simplifications outlined; in particular, with regard to:
the information to be given to data subjects under art. 13 of the code (as referred to in paragraph 3 of these guidelines);
the prior consent of users, both authenticated and unauthenticated, in relation to the processing, for online profiling purposes, of information concerning them, including information resulting, as the case may be, from the processing, also in automated mode, of authenticated users' personal data in connection with the use of the service for sending and receiving e-mail messages, from the cross-referencing of personal data collected in connection with the provision and use of several different functionalities among those made available, and from the use of identifiers other than cookies, pursuant to arts. 23 and 122 of the code (according to the criteria and rules referred to in paragraph 4);
respect for the right of opposition referred to in art. 7 of the code;
the adoption of a data retention policy that conforms to the principle of purpose under art. 11 of the code.
It orders that a copy of these guidelines be transmitted to the Ministry of Justice, Office for the Publication of Laws and Decrees, for publication in the Official Journal of the Italian Republic.
Rome, March 19, 2015
President and Rapporteur: Soro
Secretary-General: Busia