We analysed the privacy policies of the major phone companies in Italy, Spain, France and Germany (click on the links to access the country-specific articles, containing more details about each company's privacy policies).
As stipulated numerous times in the GDPR (recitals 39, 42, 58; Articles 7 and 12), information on any potential personal data processing must be provided in an easily accessible and understandable way. With this in mind, there is not much noticeable effort on the part of the companies under consideration to go beyond the so-called “wall of text” with, for example, layouts, language or graphical aids aimed at improving readability. Of course, this problem is hardly exclusive to telecommunications companies, as large-scale research and everyday user experience shows. Academic research has long hypothesised that icon-based graphical systems an optimal method for presenting information intuitively. None of the companies analysed adopt such methods. Nevertheless, approaches vary between those who simply publish a legal document in pdf format, without any particular attention to layout and readability, and those who go a step further in communicating their policies, for example with Q&A sections or pages that are almost like mini-websites . More can certainly be done, and perhaps greater homogeneity in the structure of policies across different companies would make comparison easier, to the benefit of transparency.
Categories of collected data and data processing
When it comes to the types of data considered in this study, the picture is fairly homogeneous from country to country. The overall trend is to collect location, navigation and behavioural data. Generally, the legal basis for collection is the user's consent, while some collect data regardless of consent, by invoking the legitimate interest clause. The situation with biometric data is more varied. In many cases, it is not specified whether biometric data is collected or not, but this could be due to the fact that they are merged into the other categories mentioned. Indeed, things like typing or scrolling styles can be defined as both biometric and behavioural data. However, biometric data also includes things like fingerprints or facial recognition, which are possible to record with any smartphone produced in recent years. For this reason, such data would be better specified separately.
As for profiling activities, i.e. analysing user data in order to improve the service, but also to create “tailor-made” commercial offers, asking for explicit consent seems to be the general approach. However, in some cases (e.g. Orange and Vodafone in Spain) it is said that profiling will take place anyway. The situation for Vodafone and Congstar GmbH customers in Germany (and to some extent Digi and the Yoigo app in Spain) is unclear, since, as far as we could verify, none of these companies explicitly mention the categories of data collected, nor whether or not they are used for profiling activities.
Transfer and deletion of data
All companies state that they will, under certain conditions, transfer personal data to third parties. In most cases this is for activities related to contract execution or assessment of customer solvency. In some cases explicit reference is made to commercial partners (sometimes affiliated with the operator) to whom, with the user's consent, data may be transferred for a wide range of purposes, including commercial proposals for goods or services completely unrelated to phones. The formulas used are sometimes very general, especially in the case of French (Orange, Bouygues Telecom) and German (Vodafone, O2, Congstar GmbH) companies. The same goes for the apps of these companies, as well as those of the Spanish Yoigo and the German Telekom, Aldi Talk and 1&1 Telecom GmbH.
For data retention, several companies adopt concise formulas to explain in a few lines that data will be retained “for a period of time not exceeding the achievement of the purposes for which they were collected or subsequently processed” (TIM Italia) and indicating a maximum time limit after which they will be deleted. Others take a more transparent approach and publish a table detailing retention periods for the various categories of data (Coop Voce, Ho., Vodafone and Wind Tre in Italy; Bouygues Telecom in France). In Germany, data is generally deleted within 12-14 months.
The two most relevant GDPR articles in the present context are 13 and 15 . As Stefano Rossetti, a lawyer with the noyb.eu team, explained to us, these articles regulate the two “moments” when personal data processing becomes an issue in the relationship between user and company.
As for the completeness of information provided, the new guidelines on the right to access data currently being drafted by the EDPB (European Data Protection Board) seem to leave a certain margin of “generality” to the data processor: “information [about the processing and on data subjects’ rights] can be based on what is already compiled in the controller’s record of processing activities (Art. 30) and the privacy notice (Art. 13 and 14). However, this general information may have to be updated to the time of the request or tailored to reflect the processing operations that are carried out in relation to the specific person making the request”.