Poste Italiane sign. By User:Mattes - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=7525393

Data Protection Authority fines Poste Italiane

Italy’s data protection authority has handed Poste Italiane and its payments subsidiary PostePay a combined fine of more than €12.5 million. The authority concluded that the companies unlawfully processed the personal data of millions of users through their mobile apps.

The Italian Data Protection Authority (GPDP) imposed a fine of €6,624,000 on Poste Italiane and €5,877,000 on PostePay for unlawfully processing the personal data of millions of users.

What the investigation found

GPDP’s decision followed an investigation launched in April 2024, after a wave of complaints from users of the BancoPosta and PostePay Android apps. At the centre of the case was how those apps handled access to data stored on users’ mobile devices.

The apps required users to authorise the monitoring of a range of data held on their mobile devices, including the list of installed and running applications, in order to detect malicious software. The regulator concluded that this approach was disproportionate. Beyond the intrusive anti-fraud features, the investigation identified gaps in transparency, the lack of an adequate data protection impact assessment, insufficient security measures, weak data retention practices, and governance issues around data controller roles.

Alongside the financial penalties, the Authority ordered both companies to cease the contested processing where it is still ongoing and to bring their data retention practices into line with legal requirements. The companies must notify the regulator once those corrective actions have been completed.

Poste Italiane rejects the findings

Poste Italiane pushed back firmly against the decision. The company said it had accessed customers’ device data exclusively to activate anti-fraud and anti-malware protections. It also argued that such measures were required under European payment services rules, specifically the PSD2 Directive.

In its defence, the company also pointed to a related ruling from February 2026, in which the Lazio Regional Administrative Court annulled a separate sanction imposed by the Antitrust Authority over the same anti-fraud technology. This decision, the company said, recognised the full legitimacy of its conduct and the absence of any commercial intent. Poste Italiane said it intends to appeal to the Court of Rome, seeking annulment of the Garante’s ruling.

The case is not an isolated one. The action against Poste Italiane follows another high-profile enforcement decision earlier this year involving Intesa Sanpaolo, on which the regulator imposed a €31.8 million penalty after uncovering serious lapses in how customer data was protected. That case included an instance in which a single employee had accessed customer records more than 6,600 times without any legitimate business reason.