Utilizziamo cookies e tecnologie similari per migliorare l’esperienza all’interno del sito e offrire all’utente un servizio di maggior valore. I cookie presenti su questo sito sono cookie tecnici per garantire il funzionamento del sito e cookie analitici, anche di terze parti, utilizzati da noi e dai nostri partner per misurare le performance del Sito e capire i contenuti che vi interessano. Per accettare i cookie clicca «accetta i cookie analitici». Per rifiutare i cookie clicca «rifiuta i cookie analitici». Per maggiori informazioni ti invitiamo a leggere la nostra Cookie Policy.

Personal data as a means of payment: focus on the Italian Legislative Decree no. 29 October 2021


published on 27 January 2022 | reading time approx. 5 minutes

With a Legislative Decree published on 29 October 2021, the Italian legal system has transposed the European Directive no. 2019/770 on the management of contracts for the supply of digital content and services. 

A number of new regulations have been included within the Italian Consumer Code, among which the new provision recognising the possibility of using personal data as a means of payment to purchase digital content and services.

The new rules provide the inclusion, within the regulations laid down by the Italian Consumer Code, of articles ranging from 135-octies to 135-vicies ter, which aim to achieve two main objectives: the innovation of the digital market through the implementation of new contractual models and the extension of consumer protection in negotiations concerning services of a digital nature, applying the typical guarantees of contractual liability.

With regard to the second circumstance, however, it should be noted that the Decree (as well as Directive no. 2019/770) does not define a detailed regulation of the new type of contract: it is limited exclusively to legitimising the exchange of digital services/products with personal data, referring, moreover, only in general terms to the Regulation on the protection of personal data (GDPR).

Recital 24 of Directive 2019/770 itself highlights certain personal data that could be used as payment instruments: for example, with reference to the name and email address provided by the consumer when creating a social account or the photographs and posts that the consumer publishes online and which are made available for processing for commercial purposes.

Analyzing the most interesting aspects of the decree, it is useful to focus on the following novelties:
  • it is established that, as of 1 January 2022, contracts for the provision of services and digital content will have to include clauses to ensure the conformity of the contracted goods. In fact, the obligation introduced by the rule provides that the services and digital content supplied to the consumer must be suitable to satisfy the uses intended by the consumer himself and that him has made known to the professional selling the service/product, guaranteeing in this sense all the accessories and instructions, including the installation and customer assistance provided for in the contract;
  • with the aim of maintaining the conformity of the product over time, Article 135-undecies provides for the professional vendor the obligation to keep the consumer informed of system and security updates as they become available. In this respect, however, it is specified that, where the consumer - previously informed in a proper manner - spontaneously decides not to install the reported updates, the vendor cannot be held liable for any lack of conformity that may arise due to the failure to install a necessary update. The vendor’s information obligation becomes such for the entire period of the contract in the case of a continuous supply, whereas it changes in the case of a single act or acts of supply: in this circumstance the consumer must be kept informed for the period of time that the it could be reasonably expect, taking into account the type and purpose of the digital product, as well as the circumstances and the nature of the signed contract;
  • the consumer has the right to the security of the digital goods he buys as well: providers must therefore guarantee “secure” services and products that do not expose consumers to cyber threats. The security obligations and related responsibilities are placed on the vendors of digital services and content, who will have to prove that they have provided the consumer with a good or service that does not undermine his position;
  • with reference to goods’ lack of conformity, Art. 135-quaterdecies states that in the case of single/multiple acts of supply, the vendor is liable for all defects that become apparent within a period of two years from the time of supply. On the other hand, in the case of a continuous relationship, the vendor is liable for defects that become apparent within the time period during which the product is to be supplied, as stipulated in the contract. Once the defect has been ascertained, the consumer is entitled to have the goods restored to conformity unless this is not possible or would entail disproportionate costs for the vendor (in line with the provision set out in the Italian Consumer Code); as a guarantee for the consumer, he is entitled to request from the vendor, alternatively, an appropriate reduction of the price - calculated in proportion to the seriousness of good’s defect - or the termination of the contract with the consequent refund of the amounts paid. The action aimed at revealing the defects, when not maliciously concealed by the vendor, can be pursued within 26 months from the last supply;
  • considering the supply chain of vendors, the Decree introduces the possibility for the final vendor to exercise a recourse action: in fact, once it has been ascertained that the defect of the goods (including that related to the safety of the same) is attributable to the action or the omission of one of the vendors involved in the various steps of the contractual distribution chain, the final vendor is entitled to exercise a recourse action against his predecessors of the supply chain;
  • regarding the court proceedings, the burden of proof falls entirely on the vendor. In the event of a dispute, he is required to prove the conformity of the digital product or the absence of defects in it by demonstrating that he has acted in accordance with the contract, with particular reference to those defects that become apparent within one year of the supply of the goods or, in the case of continuous supply, until the end of the contractual period. The only way out for the vendor could be find when the lack of conformity depends on the consumer's digital environment: in such a case, the consumer must prove that he has been correctly informed by the vendor about the necessary requirements (both objective and subjective) to ensure the functionality of the goods;
  • finally, the vendor is granted the possibility of modifying the digital content, as established by Article 135-vicies. It provides that the modification is possible, in addition to what is necessary to maintain the conformity of the digital content or service, when the following conditions are met:
  1. there is a contractual provision legitimising the change and there is a valid reason for it;
  2. the modification is carried out without any additional costs for the consumer;
  3. the consumer is informed of the change at a reasonable time and is also informed of the possibility of withdrawing from the contract.


Our newsletter aims at collecting updates, news and insights on data protection matters worldwide, 
with a special focus on the GDPR. 


Contact Person Picture

Dott. Tommaso Mauri

+39 02 6328 841

Invia richiesta


​​​Discover more about our offices in Italy. Read more »
Deutschland Weltweit Search Menu