The Italian Data Protection Authority fined Poste Italiane €6.6 million and Postepay €5.8 million—over €12.5 million in total—after finding unlawful processing of millions of users’ personal data via intrusive app monitoring. Regulators found disproportionate device-data collection, insufficient transparency and governance, and ordered the firms to stop the practices and align retention and compliance, joining tougher enforcement actions such as the Intesa Sanpaolo case.
Key points
- The Italian Data Protection Authority fined Poste Italiane (€6.6M) and Postepay (€5.8M) for unlawful processing affecting millions of users.
- BancoPosta and Postepay apps collected intrusive device data, including installed and active app lists, claiming it was for malware detection and fraud prevention.
- Regulators ruled the monitoring was disproportionate, ordered the cessation of the practices, and required corrected data retention and compliance reporting.
- Investigators found multiple compliance failures: poor transparency, missing Data Protection Impact Assessments, weak security, and unclear controller responsibilities.
- The decision signals stronger enforcement in Italy’s financial sector, highlighted alongside the Intesa Sanpaolo €31.8M case over undetected insider access.
Read More: https://thecyberexpress.com/italian-data-protection-authority-fine/