Cashback: PagoPA guarantees for privacy on the IO app

In light of the doubts (widely perceived, but rarely argued in detail) about possible tracking by the IO app, PagoPA has published an in-depth analysis that offers the necessary guarantees to users who fear an excessively indiscreet eye on their own credit cards or consumption habits. According to PagoPA, the privacy of citizens is to be considered an "indispensable value", an "essential element of digitization in the Public Administration".

Privacy, Cashback and IO

In short, no compromise on this issue and maximum fidelity to the provisions of the General Data Protection Regulation (GDPR). The company also specifies how the Guarantor has provided a positive opinion on the project, regulating in detail the processing of data and evaluating a priori every process upstream of the publication of the cashback procedures.

The privacy of citizens is an essential and indispensable value. The @IOitaliait system:

- does not involve any profiling or geolocation

- does not store the data of the added cards

- does not transfer the data of the payment

PagoPA SpA (@PagoPA), December 11, 2020

PagoPA also provides some specific clarifications regarding the use of the IO app:

The system underlying the App IO does not involve any user profiling or geolocation. In the specific case of Cashback, the system does not record either the type of purchase or the place where the purchases are made by the user, but only stores: an irreversibly encrypted code (technically called "PAN hash") that corresponds to the payment instrument registered for the purposes of the program; date, time and amount of the purchase made through that payment instrument, solely to make the transactions that allow the calculation of the refund for Cashback purposes visible to the user.
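To make the "PAN hash" idea concrete, here is an added example (not PagoPA's or SIA's code; the page does not say which algorithm or key management they use) of a keyed, one-way card token and of the minimal record the text describes: token, date, time and amount, with merchant and location accepted from the acquirer message but never persisted. The HMAC key, the `CashbackRecord` layout and the PANs (standard test numbers, not real cards) are all assumptions constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Constructed demo key. In a real deployment the key stays with the payment
# processor (HSM or key vault) and is never stored next to the tokens.
TOKEN_KEY = b"constructed-demo-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits (>= 12) and passes the Luhn checksum."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token (HMAC-SHA256, hex). Same card -> same token;
    without the key the token cannot be turned back into the PAN."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Display form for the user: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class CashbackRecord:
    # Exactly the four fields the text says are stored; nothing else.
    pan_hash: str
    date: str
    time: str
    amount_cents: int


def record_transaction(pan: str, when: datetime, amount_cents: int,
                       merchant: str, location: str) -> CashbackRecord:
    """Build the stored record from an incoming transaction. Merchant and
    location arrive with the message but are deliberately dropped."""
    del merchant, location  # explicitly discarded, never persisted
    return CashbackRecord(
        pan_hash=pan_token(pan),
        date=when.strftime("%Y-%m-%d"),
        time=when.strftime("%H:%M:%S"),
        amount_cents=amount_cents,
    )


def cashback_total(records, token: str) -> int:
    """Sum the amounts belonging to one card token, in cents."""
    return sum(r.amount_cents for r in records if r.pan_hash == token)


def demo_records():
    """Constructed sample transactions using standard test PANs."""
    return [
        record_transaction("4111111111111111", datetime(2020, 12, 11, 9, 30, 0),
                           1500, "Bar Roma", "Milano"),
        record_transaction("5500000000000004", datetime(2020, 12, 11, 12, 5, 0),
                           4200, "Libreria", "Torino"),
        record_transaction("4111111111111111", datetime(2020, 12, 12, 18, 45, 0),
                           1000, "Farmacia", "Napoli"),
    ]


if __name__ == "__main__":
    recs = demo_records()
    tok = pan_token("4111111111111111")
    print(mask_pan("4111111111111111"), tok[:16] + "...", cashback_total(recs, tok))
```

The keyed construction is the point worth checking in any such design: a PAN has little entropy (a known prefix, a Luhn check digit, a handful of free digits), so an unkeyed hash of it would let anyone holding the token table confirm guesses of card numbers, while an HMAC under a key held only by the processor gives the app a stable identifier for matching transactions without any way to recover the card from the stored value.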

And again: no storage of credit card data (managed by SIA according to the PCI DSS standard and stored on Italian servers); no payment-system data transferred abroad; no personal data managed outside the European Union. All within the EU, then? Not exactly, but these aspects are also transparently described:

We use some non-EU suppliers for marginal or residual services and always, in any case, in full compliance with the Italian legislation on the protection of personal data. In particular, we use foreign suppliers only for a service that helps us manage user reports and for a tool that collects data on the use of the app and that we use for debugging purposes (identification and correction of technical problems), incident response (management of IT incidents), technical assistance and improvement of the App.

Each supplier used is indicated on a dedicated list, so that every aspect can be verified. Finally, an appeal goes out to users to exercise constructive supervision over the procedures put in place, so that any shortcoming can be reported and work can be done constructively for the common good: "we renew and extend the invitation to contribute and to report any improvement proposals to make IO more secure and respectful of citizens' privacy".

Source: PagoPA
