Poste Italiane and Postepay Fined €12.5M for Excessive Data Monitoring of Millions

The Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed fines totaling over €12.5 million on Poste Italiane and Postepay for unlawful processing of personal data, affecting millions of users. This enforcement action highlights increasing scrutiny over data privacy practices within the financial sector.

The Italian regulator levied a €6.6 million fine against Poste Italiane and a €5.8 million penalty on Postepay. The investigation, which began in April 2024, was initiated following numerous complaints from users regarding how their data was managed through mobile applications.

Intrusive App Monitoring Under Scrutiny

The fines stem from the methods employed by the BancoPosta and Postepay applications to collect user data. Users were required to allow monitoring of information stored on their devices, including details about installed and active applications. The companies defended this practice, claiming it was necessary for detecting malware and preventing fraud, in line with payment security protocols. However, the Italian Data Protection Authority found the extent of this monitoring to be excessive and unjustifiable.

The regulator stated that the data collection methods used by these companies were disproportionate, resulting in significant intrusions into users’ private lives. The ruling emphasized that efforts to prevent fraud cannot justify unrestricted access to personal device data.

Compliance Failures Highlighted

The investigation uncovered broader compliance failures beyond the immediate data collection issues. The Italian Data Protection Authority noted a lack of transparency regarding how users were informed about data collection practices. Additionally, the companies did not conduct adequate Data Protection Impact Assessments, which are required when processing activities pose high risks to individual privacy.

Concerns also included insufficient security measures, unclear data retention policies, and inconsistencies in defining the responsibilities of data controllers. These shortcomings raised alarms about the internal governance of user data.

As part of the enforcement action, both Poste Italiane and Postepay have been ordered to halt the disputed data processing practices if they are still in effect. They must also align their data retention policies with regulatory requirements and report their compliance to the Authority.

A Shift Towards Stricter Enforcement

This action reflects a broader trend of heightened enforcement by the Italian Data Protection Authority across the financial sector. The fines against Poste Italiane and Postepay follow another significant enforcement action earlier this year involving Intesa Sanpaolo, which faced a €31.8 million penalty for serious lapses in customer data protection. This case involved unauthorized access to sensitive information of over 3,500 customers over a two-year period.

Investigators found that a single employee accessed customer records more than 6,600 times without any legitimate business justification. The breach went unnoticed for months, exposing weaknesses in the bank’s internal monitoring systems.

Insider Risks and Monitoring Gaps

The Intesa Sanpaolo case highlighted a critical issue distinct from that of Poste Italiane and Postepay. While the latter were penalized for excessive data collection, Intesa Sanpaolo faced consequences for failing to detect the misuse of legitimate access. The Italian Data Protection Authority noted that the bank’s monitoring systems were not designed to identify slow, repeated misuse of access over time, allowing unauthorized activities to continue without triggering alerts, even involving high-risk individuals.

Regulators concluded that existing controls were insufficiently aligned with the risks associated with broad internal access to sensitive financial data. This case raised concerns regarding insider threats and the effectiveness of current detection mechanisms within financial institutions.
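The gap described above is that controls tuned to single events or single days never fire on an employee who pulls a modest number of records every day for two years. The following is an added illustration, not code from the Garante decision or from any bank: it runs two detectors over a constructed 90-day access log, a per-day threshold and a long-window aggregate of distinct customers per employee compared against the peer median, and shows that only the second one flags the low-and-slow pattern. Employee and customer identifiers are invented.

```python
"""Low-and-slow insider access detection over a long window (added example)."""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed access log: (day_offset, employee_id, customer_id).

    Two peer employees serve a book of 40 customers. A third, hypothetical
    'emp_x', reads 10 new customer records every day: never enough to trip a
    daily limit, but 900 distinct customers across the period.
    """
    log = []
    for day in range(90):
        for emp in ("emp_a", "emp_b"):
            for c in range(5):
                log.append((day, emp, f"cust_{(day * 5 + c) % 40}"))
        for c in range(10):
            log.append((day, "emp_x", f"cust_{1000 + day * 10 + c}"))
    return log


def per_day_alerts(log, daily_max=50):
    """Per-day volume control: alerts on any employee exceeding daily_max reads."""
    counts = defaultdict(int)
    for day, emp, _cust in log:
        counts[(day, emp)] += 1
    return sorted({emp for (_day, emp), n in counts.items() if n > daily_max})


def long_window_alerts(log, window_days=90, ratio=3.0):
    """Long-horizon control: distinct customers touched per employee across the
    whole window, flagged when above `ratio` times the peer median.

    Distinct customers is the better signal than raw read count: legitimate
    staff re-read the same accounts, an insider harvesting records does not.
    """
    distinct = defaultdict(set)
    for day, emp, cust in log:
        if day < window_days:
            distinct[emp].add(cust)
    peer_median = median(len(s) for s in distinct.values())
    return sorted(emp for emp, s in distinct.items() if len(s) > ratio * peer_median)


if __name__ == "__main__":
    sample = build_sample_log()
    print("daily threshold flags:", per_day_alerts(sample))       # []
    print("90-day aggregate flags:", long_window_alerts(sample))   # ['emp_x']
```

In a real deployment the window would be rolled forward daily and the peer group restricted to the same role, so that a call-centre agent is not compared with a back-office analyst.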

Increasing Pressure on Financial Services

These developments reflect a tightening regulatory environment in Italy, where financial institutions are being held accountable for both overreach and underperformance in data protection. The fines imposed on Poste Italiane and Postepay underscore the need to balance fraud prevention measures with respect for user privacy. Security controls must be proportionate, transparent, and supported by thorough risk assessments.

At the same time, the Intesa Sanpaolo breach illustrates that inadequate monitoring can be equally damaging, particularly when insider threats remain undetected for extended periods.

As enforcement actions increase in scale and frequency, organizations in the financial sector are under growing pressure to reassess their data governance frameworks. Recent decisions from the Italian Data Protection Authority indicate that both excessive data collection and insufficient oversight can lead to significant financial and reputational repercussions.

Further insights into data protection and compliance trends are reported by cyberwarriorsmiddleeast.com.

Published on 2026-04-22 07:15:00 • By FAME Delivered News Desk
