The Italian Data Protection Authority has imposed significant fines on Poste Italiane and its subsidiary Postepay, totaling over €12.5 million, for unlawful processing of personal data. This action comes after an investigation revealed that the companies engaged in excessive data collection practices through their mobile applications, affecting millions of users. The fines are part of a broader regulatory effort to enforce stricter data protection standards in the financial sector in Italy.
The investigation, initiated in April 2024, was prompted by user complaints about how their data was being handled. The Authority found that the BancoPosta and Postepay apps required users to permit monitoring of information stored on their devices, including details about installed and active applications. While the companies claimed this was necessary for malware detection and fraud prevention, the regulator determined that collecting a full inventory of the user's applications was disproportionate to that purpose and overly intrusive.
In addition to the intrusive data collection, the investigation uncovered multiple compliance failures. These included a lack of transparency in informing users about data collection practices and the absence of a comprehensive Data Protection Impact Assessment, which GDPR Article 35 makes mandatory for high-risk processing activities. The companies also faced criticism for weak security measures, unclear data retention policies, and irregularities in defining data controller responsibilities.
As a result of these findings, Poste Italiane and Postepay have been ordered to halt the disputed data processing practices if they are still ongoing. They must also ensure their data retention policies comply with regulatory requirements and report their compliance status to the Authority. This enforcement action is part of a trend of increased regulatory scrutiny in the financial sector, emphasizing the need for balanced fraud prevention and user privacy.
The case against Poste Italiane and Postepay follows a similar enforcement action earlier this year against Intesa Sanpaolo, which was fined €31.8 million for failing to protect customer data adequately. These cases highlight the growing pressure on financial institutions to improve their data governance frameworks and demonstrate that both excessive data collection and insufficient monitoring can have severe financial and reputational consequences.
Source: https://www.gpdp.it/home/docweb/-/docweb-display/docweb/10241568