Cybersecurity | 1 hr ago

Italian regulator fines Poste Italiane and Postepay €12.5 million for invasive app monitoring

Italian regulator fines Poste Italiane and Postepay €12.5 million for excessive mobile‑app monitoring, highlighting GDPR compliance risks for financial‑service apps.

Peter Olaleru | 3 min read | US

Cybersecurity Editor


Source: The Record (original source)

Italy’s data protection authority fined Poste Italiane and its payments subsidiary Postepay €12.5 million for requiring users to allow excessive monitoring of installed and running apps on their mobile devices. The regulator said the practice breached GDPR rules on transparency, data minimization, and storage limitation.

Poste Italiane is Italy’s state‑owned postal service that also operates financial services through subsidiaries such as Postepay and BancoPosta. The investigation examined the Postepay app and a companion app from BancoPosta, which asked users to grant permission for the apps to scan device data in order to detect malicious software.

The regulator levied €6.6 million against Poste Italiane and €5.9 million against Postepay, totaling €12.5 million ($14.7 million). It alleged the companies processed millions of users’ personal data without sufficient notice, failed to implement adequate security safeguards, and retained the information longer than necessary for fraud prevention.

For security and privacy teams, the decision signals that broad device‑level monitoring—even when framed as anti‑fraud—must be narrowly tailored, clearly disclosed, and limited to what is strictly necessary. Organizations that collect similar telemetry should review consent mechanisms, conduct data‑protection impact assessments, and ensure retention schedules align with the specific purpose.

Implement privacy‑by‑design: limit app permissions to only the data needed for fraud detection, provide granular opt‑in choices, and delete logs after a defined short period. Conduct regular DPIAs and maintain records of processing activities to demonstrate compliance. Use monitoring tools that flag excessive permission requests and enforce least‑privilege principles on mobile‑app SDKs.

Watch for further guidance from the European Data Protection Board on mobile‑app telemetry and potential follow‑up actions against other financial‑service apps that employ similar device‑scanning tactics.
