Italy’s Privacy Regulator Hits Poste Italiane & Postepay with €12.5 Million Fine Over App Data Practices
Key Takeaways
- Major GDPR Penalties: Poste Italiane and Postepay were fined a combined €12.5 million by the Italian Data Protection Authority for unlawful data processing.
- Intrusive App Monitoring: The BancoPosta and Postepay apps required users to grant access to device-level data, including installed and running applications, as a condition of use.
- Disproportionate Data Use: Regulators found the monitoring practices excessively invasive and not strictly necessary for fraud prevention or transaction security.
- Wider Compliance Failures: The investigation identified gaps in transparency, lack of an adequate DPIA, insufficient security measures, weak data retention practices, and governance issues around data controller roles.
- Corrective Orders Issued: The companies must stop the contested processing where ongoing, align with data retention requirements, and report back to the Authority.
Deep Dive
Italy’s data protection watchdog has handed down more than €12.5 million in fines to Poste Italiane and its digital payments arm Postepay, concluding that the companies unlawfully processed the personal data of millions of users through their mobile applications.
The decision from the Italian Data Protection Authority follows an investigation that began in April 2024 after a steady stream of complaints from users. At the center of the case were the BancoPosta and Postepay apps and how they handled access to data stored on customers’ mobile devices.
According to the Authority, users were required, effectively as a condition of using the apps, to authorize the monitoring of information on their devices, including details about installed and active applications. The companies maintained that this level of access was necessary to detect malicious software, protect transactions, and comply with obligations tied to payment services.
But regulators found that explanation did not hold up.
In its findings, the Authority concluded that the data collection methods went beyond what was necessary, describing the approach as an overly intrusive interference in users’ private lives. While fraud prevention and transaction security are legitimate aims, the regulator determined that the scope and nature of the data processing were disproportionate to those objectives.
The investigation also uncovered a broader set of compliance failures that extended beyond the apps themselves. The companies were found to have provided insufficient information to users about how their data was being processed, failed to carry out an adequate Data Protection Impact Assessment, and did not implement appropriate security measures or data retention policies. Regulators also pointed to irregularities in how data controller roles were defined.
Taken together, those shortcomings painted a picture not just of a single misstep, but of systemic gaps in how data protection requirements were being applied.
Alongside the financial penalties (€6,624,000 for Poste Italiane and €5,877,000 for Postepay), the Authority ordered both companies to cease the contested processing where it is still ongoing and to bring their data retention practices into line with legal requirements. They must also notify the regulator once those corrective actions have been completed.
The case reflects a broader tension playing out across Europe’s digital economy, where companies increasingly rely on device-level data to strengthen security controls. Regulators, however, are drawing firmer boundaries around what qualifies as necessary and proportionate, signaling that even well-intentioned security measures must be carefully calibrated to avoid overreach.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.