Italian Privacy Watchdog Levies Major Fines Against State-Linked Postal Entities
Italy's national data protection regulator announced on Monday that it has imposed a combined penalty of €12.5 million ($14.7 million) on two closely related Italian financial and postal organizations over serious data privacy violations. The fines target Poste Italiane SpA, the country's state-controlled but publicly traded national postal service provider, and Postepay SpA, its digital payments subsidiary.
Poste Italiane was fined €6.6 million ($7.8 million), while Postepay received a separate penalty of €5.9 million ($7 million). Both entities are accused of illegally processing the personal data of millions of users.
What Triggered the Investigation
The regulator's probe centered specifically on two mobile applications: the Postepay app and a companion app operated by BancoPosta, the financial services division of Poste Italiane. According to the regulator's press release, both apps required users to grant permission for the monitoring of data stored on their mobile devices — including information about which applications were installed and actively running on those devices.
The stated purpose of this surveillance-style data collection was to identify potentially malicious software and protect users from fraud. The companies defended the practice by arguing it was necessary to secure financial transactions and to comply with applicable payment services regulations.
Regulator Rejects the Fraud Prevention Justification
Italy's data protection authority was not persuaded by those arguments. The regulator concluded that the monitoring methods employed were "excessively invasive" and went well beyond what could be reasonably justified for fraud prevention purposes. In other words, even if the goal of protecting users from malicious software was legitimate, the means used to achieve that goal were deemed disproportionate under European privacy law.
Additional Privacy Violations Identified
Beyond the invasive monitoring, the regulator identified several other areas where the organizations fell short of their legal obligations under data privacy rules:
- Insufficient transparency: Users were not given adequate information explaining how their personal data was being collected, processed, or used by the apps.
- Inadequate security safeguards: The companies failed to implement security measures sufficient to protect user data.
- Excessive data retention: Personal data was held for longer than legally permitted, in violation of data minimization and storage limitation principles.
About the Organizations Involved
Poste Italiane SpA occupies a unique position in the Italian economy. Although it is state-controlled, the company is also publicly traded and operates a broad range of subsidiaries beyond its core postal functions. These include financial services, insurance, and digital payment platforms. Postepay SpA is among the most prominent of these subsidiaries, offering digital payment cards and an app widely used across Italy for everyday financial transactions.
The involvement of BancoPosta — the banking arm of Poste Italiane — in the investigation underscores how deeply integrated financial services have become within what was once purely a postal infrastructure. Both the Postepay app and the BancoPosta app serve large numbers of Italian consumers, making the scale of the alleged data violations particularly significant.
Broader Implications
This enforcement action reflects the continued willingness of European data protection authorities to scrutinize how financial and technology companies collect behavioral and device-level data from users in the name of security. While fraud prevention is a recognized and legitimate interest under frameworks such as the General Data Protection Regulation (GDPR), regulators across Europe have consistently held that such justifications do not grant organizations unlimited latitude to conduct invasive data collection. The methods used must be proportionate and necessary — standards that Italy's regulator concluded were not met in this case.
The fines against Poste Italiane and Postepay serve as a reminder that even state-linked entities with broadly accepted security purposes remain subject to strict privacy obligations when handling the personal data of millions of citizens.
Source: The Record