Italy’s Data Protection Authority Hits Poste Italiane and Postepay with €12.5M Fine Over Invasive App Monitoring
Italy's data protection authority issued a €12.5 million fine to Poste Italiane and Postepay for collecting extensive user mobile app data without sufficient transparency or safeguards.

TL;DR
Italy's data protection authority has levied a €12.5 million fine against Poste Italiane and its subsidiary Postepay for extensive data privacy violations. The penalty addresses the companies' collection of user mobile data, including details on installed applications, deemed overly invasive and lacking adequate safeguards.
The Italian data protection regulator, Garante per la protezione dei dati personali, imposed penalties totaling €12.5 million on Poste Italiane, the national postal service provider, and its digital payments subsidiary, Postepay. The fines stem from findings that both organizations violated privacy rules through their mobile applications.
The regulator's investigation focused on the Postepay and BancoPosta apps, which required users to grant authorization for monitoring extensive data on their mobile devices. This data included lists of installed and running applications, a practice the authority deemed excessively invasive.
The regulator found that Poste Italiane and Postepay failed to adequately inform users about how their data would be processed. Additionally, the probe identified a lack of sufficient security safeguards for the collected data and a practice of retaining personal data for longer than necessary, all in violation of privacy laws. Poste Italiane received a €6.6 million fine, while Postepay incurred a €5.9 million penalty, totaling €12.5 million ($14.7 million).
This enforcement action underscores the need for organizations to implement robust data privacy frameworks, especially when collecting sensitive user information from personal devices. For security teams, it highlights the necessity of aligning data collection practices with legal requirements, ensuring transparency, and deploying proportionate security measures. This includes clearly articulating the purpose and scope of data processing, adhering strictly to data minimization principles (collecting only what is essential), and establishing definite data retention periods.
The ruling serves as a reminder to all organizations, particularly those operating mobile applications that request extensive device permissions, that their methods must be justifiable and transparent. Businesses operating in Europe should review their data collection and processing methodologies to ensure full compliance with stringent privacy regulations like the General Data Protection Regulation (GDPR). Watch for continued regulatory scrutiny of mobile app permissions and data handling practices across various sectors, signaling an ongoing trend towards stricter enforcement of data privacy rights.