Italy’s data protection authority has hit Poste Italiane and its payments subsidiary Postepay with a combined €12.5 million fine for forcing millions of users to grant excessive access to their mobile devices. The Italian Data Protection Authority “has imposed a fine of €6,624,000 on Poste Italiane S.p.A. and €5,877,000 on Postepay S.p.A. for unlawfully processing the personal data of millions of users,” according to the regulator’s statement on Sunday.
The fines target the operating methods of the BancoPosta and Postepay mobile applications, which the regulator found “entailed excessively invasive interference in users’ privacy as they were not strictly necessary for the purposes of fraud prevention.” Users were effectively forced to authorize monitoring of device-level data, including installed and running applications, as a condition of using the apps.
The Apps Monitored More Than They Needed
According to the Authority, users were required, effectively as a condition of using the apps, to authorize the monitoring of information on their devices including details about installed and active applications. Users who declined were limited to three logins before being locked out of app functionality.
The collected data was processed through the ThreatMetrix anti-fraud platform, which generated device risk profiles by analyzing signals such as app activity, device integrity and potential malware presence. While Poste Italiane and Postepay argued this was necessary for PSD2 compliance and fraud prevention, the authority disagreed.
The regulator’s position is that even well-intentioned security measures must be proportionate. Although the system primarily collected hashed identifiers (MD5) of running apps rather than plaintext names, the authority noted that such data could still be linked back to identifiable individuals and reveal sensitive behavioral patterns, including financial habits, health conditions or personal interests.
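To illustrate the authority’s point that hashing app identifiers is not anonymization, the following added example (not code from the apps, ThreatMetrix or the regulator) uses a constructed list of package names to show that an MD5 inventory is reversible by dictionary lookup, and contrasts it with a data-minimizing design that only reports a match against a known-malware set; the package names, the malware set and the minimizing design are all assumptions for illustration.

```python
import hashlib

# Constructed sample of Android-style package names. Real package names are
# public and low-entropy, which is why hashing them adds little protection.
KNOWN_PACKAGES = [
    "com.example.bank",
    "com.example.healthtracker",
    "com.example.dating",
    "com.example.gambling",
    "com.example.news",
]


def md5_hex(value: str) -> str:
    """MD5 of a string as lowercase hex, the identifier form described in the decision."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def build_reverse_table(packages):
    """Precompute MD5 -> package name for a dictionary of public package names."""
    return {md5_hex(p): p for p in packages}


def reidentify(hashed_inventory, table):
    """Map a collected list of hashes back to package names.

    Hashes outside the dictionary stay opaque; everything else is recovered,
    so the hashed inventory reveals the same behavioural profile as plaintext.
    """
    return [table.get(h, "<unknown>") for h in hashed_inventory]


def minimised_report(installed_packages, malware_hashes):
    """Assumed data-minimising alternative: match on the device against a
    malware hash set and transmit only whether anything matched, so the
    server never learns which benign apps are installed."""
    return any(md5_hex(p) in malware_hashes for p in installed_packages)


if __name__ == "__main__":
    table = build_reverse_table(KNOWN_PACKAGES)
    collected = [md5_hex("com.example.healthtracker"), md5_hex("com.example.gambling")]
    print(reidentify(collected, table))  # both names come straight back
    print(minimised_report(["com.example.news"], {md5_hex("com.example.malware")}))
```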
Poste Italiane Is Fighting Back
Poste Italiane has announced it will challenge the decision, calling it both procedurally flawed and substantively wrong. Poste, which offers financial and payment services beyond its traditional postal services, rejected all allegations in a statement and reaffirmed the “correctness and transparency of its actions.”
The company has form in these disputes. It said that on 2 February 2026 the Tar del Lazio annulled a ruling on an alleged unfair commercial practice relating to the same anti-fraud mechanism that is the subject of today’s censure from the data protection authority. That administrative court ruling found the measures legitimate and without commercial intent.
Poste replied by saying it had lawfully accessed technical data from customers’ devices in accordance with payment services legislation, “for the sole purpose of activating anti-fraud and anti-malware safeguards.” The company maintains its actions were required under European payment services directives.
The Investigation Started With User Complaints
The decision from the Italian Data Protection Authority follows an investigation that began in April 2024 after a steady stream of complaints from users. The authority opened its investigation following 140 reports and 12 complaints, received from April and May 2024 onward, about users of the BancoPosta and Postepay apps receiving messages inviting them to “authorize the App to access data to detect the presence of any malicious software.”
The investigation identified gaps in transparency, lack of an adequate DPIA, insufficient security measures, weak data retention practices and governance issues around data controller roles. Investigators also discovered that backend systems storing transaction and device data retained certain information for up to 28 months in external analytics environments, significantly longer than initially disclosed.
This enforcement action sits within a broader pattern of Italian GDPR enforcement. The regulator has been increasingly active with recent actions including a €31.8 million penalty against Intesa Sanpaolo and smaller fines against other financial institutions.