Italian DPA: ‘IO’ app: The controller (PagoPA) to implement the measures requested by the Italian SA to protect users

16 June 2021

After the Italian SA stepped in, the controller (PagoPA) developed several technical measures to protect the privacy of users of the ‘IO’ app. Those measures will be implemented in the new version of the app, soon to be released.

Taking account of the new measures the company is about to take, the Italian SA decided that the limitation of processing order it had issued could be lifted. The processing in question entailed interactions with Google and Mixpanel.

The decision was taken following the exchanges with PagoPA and the efforts made by the company to remedy, in a timely manner, the shortcomings the SA had recently highlighted, so as to comply with the measures imposed.

However, the processing will continue to be limited as regards the data collected and stored by Mixpanel. Those data may no longer be used and will only be stored by the company until the SA completes its investigations.

PagoPA committed themselves to minimizing user data that are transmitted to Mixpanel; in that respect, the dataset was already modified to prevent users’ tax IDs and other unnecessary information (concerning the ‘holiday bonus’ and ‘cashback’ initiatives) from being transferred to the US company. PagoPA will inform users adequately and request their prior consent to any data transfers to third countries; furthermore, several functions were deactivated as they allowed tracing user location via his or her IP address.
PagoPA deactivated unnecessary Google services and took steps to prevent the contents of user alerts from being disclosed to Google.

Additionally, from 9 July 2021 users will be able to select which services to activate on the IO app out of the over 12 thousand available ones – which so far were all activated by default. Any message received on the app will only be forwarded to the user’s email account if this is explicitly requested by the user.
The Italian SA will monitor the implementation of those measures and reserves the right to further assess the adequacy of the safeguards afforded by PagoPA for data transfers to third countries.

In the light of these new measures, the Italian SA will assess, jointly with the Ministry of Health, how to enable use of the IO app also for the purposes of the ‘green pass’.

You can find the original press release on the Italian DPA's website here.

For further information, please contact the Italian SA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.