Poste Italiane and Postepay Hit with €12.5M Fine for Unlawful Data Processing of Millions


The Italian Data Protection Authority (Garante per la protezione dei dati personali) has levied fines totalling around €12.5 million against Poste Italiane and Postepay for the unlawful processing of personal data belonging to millions of users. The enforcement action underscores the growing scrutiny of data privacy practices within the financial sector.

In detail, the Italian regulator imposed a €6.6 million penalty on Poste Italiane and a €5.8 million fine on Postepay. The investigation, initiated in April 2024, was prompted by numerous user complaints regarding the handling of their data through mobile applications.

Intrusive App Monitoring Under Scrutiny

The core of the fines relates to how the BancoPosta and Postepay applications collected user data. Users were required to permit monitoring of information stored on their devices, including details about installed and running applications. The companies defended this practice by asserting that such access was essential for detecting malware and preventing fraud, citing payment-security requirements. The Italian Data Protection Authority determined, however, that the extent of this monitoring was excessive and could not be justified on those grounds.

The regulator stated that the data collection methods employed by these companies were disproportionate, leading to significant intrusions into users’ private lives. The ruling emphasized that fraud prevention efforts cannot serve as a blanket justification for unrestricted access to personal device data.

Compliance Failures Highlighted

The investigation revealed broader compliance failures beyond the immediate data collection issues. The Italian Data Protection Authority identified a lack of transparency in how users were informed about data collection practices. Furthermore, the companies failed to conduct adequate Data Protection Impact Assessments, which are mandated when processing activities pose high risks to individual privacy.

Additional concerns included inadequate security measures, unclear data retention policies, and inconsistencies in defining the responsibilities of data controllers. These deficiencies raised alarms about the internal governance of user data.

As part of the enforcement action, both Poste Italiane and Postepay have been ordered to cease the disputed data processing practices if they are still in effect. They must also align their data retention policies with regulatory requirements and report their compliance to the Authority.

A Shift Towards Stricter Enforcement

This action reflects a broader trend of heightened enforcement by the Italian Data Protection Authority across the financial sector. The fines imposed on Poste Italiane and Postepay follow another significant enforcement action earlier this year involving Intesa Sanpaolo, which faced a €31.8 million penalty for serious lapses in customer data protection. This case involved unauthorized access to sensitive information of over 3,500 customers over a two-year period.

Investigators discovered that a single employee had accessed customer records more than 6,600 times without any legitimate business justification. The breach went unnoticed for months, highlighting weaknesses in the bank’s internal monitoring systems.

Insider Risks and Monitoring Gaps

The Intesa Sanpaolo case brought to light a critical issue distinct from that of Poste Italiane and Postepay. While the latter were penalized for excessive data collection, Intesa Sanpaolo faced consequences for failing to detect the misuse of legitimate access. The Italian Data Protection Authority noted that the bank's monitoring systems were not designed to identify slow, repeated misuse of access over time: a small daily excess never crossed any single-event threshold, so the activity continued without triggering alerts, even where high-risk individuals were involved.

Regulators concluded that the existing controls were insufficiently aligned with the risks associated with broad internal access to sensitive financial data. This case has raised concerns regarding insider threats and the effectiveness of current detection mechanisms within financial institutions.
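The monitoring gap described above, where a rule tuned for bulk dumps never fires on the same employee's handful of extra lookups every day, is shown below as an added example. This is not code from the article or from Intesa Sanpaolo; the audit-log format, the employee, customer and case identifiers, the 90-day window and the thresholds are all assumptions, and the log itself is constructed. It contrasts a per-day burst rule with a rolling-window rule that counts distinct customer records looked up without a linked case and compares each employee against the peer median.

```python
"""Low-and-slow access-misuse detection over a constructed audit log.

Added example, not code from the article or from any bank. The log format,
the employee/customer/case identifiers and all thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

START = datetime(2024, 1, 1)


def build_sample_log(days=180):
    """Constructed audit lines: '<iso-timestamp> <employee> <customer> <case|->'.
    A lookup with no linked case id is treated as lacking business justification."""
    lines = []
    for e in range(4):  # ordinary staff: 3 case-linked lookups a day, rare stray ones
        for day in range(days):
            for k in range(3):
                ts = START + timedelta(days=day, hours=9 + k)
                lines.append(f"{ts.isoformat()} emp{e} cust{e * 1000 + day * 3 + k} case{day}")
            if day % 10 == 0:
                ts = START + timedelta(days=day, hours=14)
                lines.append(f"{ts.isoformat()} emp{e} cust{70000 + e * 100 + day} -")
    for day in range(days):  # emp9: same workload plus 4 unjustified lookups every day
        for k in range(3):
            ts = START + timedelta(days=day, hours=9 + k)
            lines.append(f"{ts.isoformat()} emp9 cust{9000 + day * 3 + k} case{day}")
        for k in range(4):
            ts = START + timedelta(days=day, hours=13 + k)
            lines.append(f"{ts.isoformat()} emp9 cust{50000 + day * 4 + k} -")
    return lines


def parse(lines):
    """Return (timestamp, employee, customer, justified) tuples."""
    events = []
    for line in lines:
        ts, emp, cust, case = line.split()
        events.append((datetime.fromisoformat(ts), emp, cust, case != "-"))
    return events


def daily_burst_alerts(events, threshold=50):
    """A typical 'bulk dump' rule: more than `threshold` lookups by one
    employee in one calendar day. A small daily excess never trips it."""
    per_day = defaultdict(int)
    for ts, emp, _cust, _ok in events:
        per_day[(emp, ts.date())] += 1
    return sorted({emp for (emp, _d), n in per_day.items() if n > threshold})


def peak_unjustified(events, window_days=90):
    """Per employee, the largest number of DISTINCT customers looked up
    without a case id inside any rolling window of `window_days`."""
    by_emp = {emp: [] for _, emp, _, _ in events}  # every employee, even with no hits
    for ts, emp, cust, ok in events:
        if not ok:
            by_emp[emp].append((ts, cust))
    window = timedelta(days=window_days)
    peak = {}
    for emp, items in by_emp.items():
        items.sort()
        in_window, lo, best = defaultdict(int), 0, 0
        for ts, cust in items:
            in_window[cust] += 1
            while items[lo][0] < ts - window:  # slide the left edge forward
                old = items[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            best = max(best, len(in_window))
        peak[emp] = best
    return peak


def slow_misuse_alerts(events, window_days=90, min_distinct=20, peer_factor=5.0):
    """Flag employees whose rolling distinct unjustified lookups exceed both an
    absolute floor and `peer_factor` times the peer median, so a few extra
    lookups a day accumulate into an alert instead of staying invisible."""
    peak = peak_unjustified(events, window_days)
    baseline = median(peak.values())
    return sorted(e for e, p in peak.items()
                  if p >= min_distinct and p > peer_factor * baseline)


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("daily burst rule:", daily_burst_alerts(ev))      # []
    print("rolling window rule:", slow_misuse_alerts(ev))   # ['emp9']
```

On the constructed log, emp9 performs seven lookups a day against a peer norm of three to four, so the per-day rule stays silent for the whole six months, while the rolling window accumulates over 360 distinct unjustified records against a peer median of ten. In a real deployment the "justified" flag would come from joining the access log to case-management or CRM data rather than from a field in the log line, and the peer group should be employees with the same role and portfolio size.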

Increasing Pressure on Financial Services

These developments reflect a tightening regulatory environment in Italy, where financial institutions are being held accountable for both overreach and underperformance in data protection. The fines imposed on Poste Italiane and Postepay highlight the need for a balanced approach to fraud prevention measures while respecting user privacy. Security controls must be proportionate, transparent, and backed by thorough risk assessments.

Simultaneously, the Intesa Sanpaolo breach illustrates that inadequate monitoring can be equally damaging, especially when insider threats remain undetected for extended periods.

As enforcement actions grow in scale and frequency, organizations in the financial sector are under increasing pressure to reassess their data governance frameworks. The recent decisions from the Italian Data Protection Authority make it clear that both excessive data collection and insufficient oversight can lead to significant financial and reputational repercussions.

For further insights into data protection and compliance trends, refer to the original reporting source: thecyberexpress.com.
