
Italy’s privacy watchdog has fined Poste Italiane and its digital payments arm Postepay more than €12.5 million ($14.7M) for unlawfully processing user data through their mobile apps.
The regulator found that anti-fraud measures embedded in the apps collected excessive device information and were imposed on users as a condition of service.
The decision, issued by the Garante per la protezione dei dati personali (The Italian Data Protection Authority), follows an investigation launched in April 2024 after a wave of complaints from users of the BancoPosta and Postepay Android apps. In total, the authority imposed a €6.6 million fine on Poste Italiane and €5.9 million on Postepay, citing multiple violations of the EU’s General Data Protection Regulation (GDPR).
Poste Italiane, Italy’s national postal service and a major financial services provider, serves millions of customers through its digital banking and payment platforms. Postepay, a subsidiary focused on prepaid cards and digital payments, is one of the country’s largest fintech operators.
Aggressive data collection
According to the Garante, the companies required users to grant access to “usage data” on their smartphones, including information about installed and running applications, to continue using core services. Users who declined were limited to three logins before being locked out of app functionality. The collected data was processed through the ThreatMetrix anti-fraud platform, which generated device risk profiles by analyzing signals such as app activity, device integrity, and potential malware presence.
While the companies argued that these measures were necessary to comply with PSD2 payment security requirements and prevent fraud, the authority disagreed. It concluded that the approach was disproportionately intrusive and not strictly necessary to achieve the stated security objectives, especially given the breadth of data collected and the lack of less invasive alternatives.
The Garante’s investigation also found that the companies did not provide sufficiently clear or comprehensive privacy notices, failed to conduct an adequate Data Protection Impact Assessment (DPIA) before deploying the system, and implemented insufficient data security and retention policies. It also identified irregularities in how third-party processors were designated and managed.
Although the system primarily collected hashed identifiers (MD5) of running apps rather than plaintext names, the authority noted that such data could still be linked back to identifiable individuals and reveal sensitive behavioral patterns, including financial habits, health conditions, or personal interests. Investigators also discovered that backend systems storing transaction and device data retained certain information for up to 28 months in external analytics environments, significantly longer than initially disclosed.
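The point the authority makes about hashed app identifiers is a general one: an unkeyed hash of a low-entropy value such as an Android package name is not anonymization, because anyone holding a list of candidate names can recompute the hashes and match them. The following is an added illustration, not code from the article or from either company; the package names, the collected hash list and the HMAC key are constructed for the example, and the keyed variant is shown only to make the contrast clear (it assumes a server-side secret that the page does not describe).

```python
import hashlib
import hmac

# Constructed candidate list. A real matching table would be built from a
# public app catalogue, which is exactly why the hashes are recoverable.
KNOWN_PACKAGES = [
    "com.example.bank",
    "com.example.betting",
    "com.example.diabetes.tracker",
    "com.example.dating",
    "com.example.newsreader",
]


def md5_hex(value: str) -> str:
    """Unkeyed MD5 of a string, as the article describes being collected."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def build_reverse_table(packages):
    """Precompute hash -> package name for every candidate package."""
    return {md5_hex(p): p for p in packages}


def recover_apps(collected_hashes, packages=KNOWN_PACKAGES):
    """Map collected unkeyed MD5 values back to package names.

    Hashes outside the candidate list are simply not recovered, so the
    attack on anonymity is only as good as the dictionary, but app
    catalogues are public and finite.
    """
    table = build_reverse_table(packages)
    return [table[h] for h in collected_hashes if h in table]


def keyed_fingerprint(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key held only by the controller (assumed)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def recover_apps_keyed(collected, packages, key_guess: bytes):
    """Same dictionary match, but against keyed fingerprints.

    Without the key the table cannot be rebuilt, so a downstream party
    (for example an external analytics environment) learns nothing;
    the controller itself, holding the key, can still re-identify.
    """
    table = {keyed_fingerprint(p, key_guess): p for p in packages}
    return [table[h] for h in collected if h in table]


def demo():
    """Simulate a device report: two known apps plus one unknown."""
    observed = ["com.example.betting", "com.example.diabetes.tracker",
                "com.unlisted.app"]
    # Unkeyed MD5, as in the article: recoverable by anyone with the list.
    unkeyed = [md5_hex(p) for p in observed]
    recovered = recover_apps(unkeyed)

    # Keyed variant: recoverable only by whoever holds the secret.
    secret = b"constructed-server-secret"
    keyed = [keyed_fingerprint(p, secret) for p in observed]
    with_key = recover_apps_keyed(keyed, KNOWN_PACKAGES, secret)
    without_key = recover_apps_keyed(keyed, KNOWN_PACKAGES, b"wrong-guess")
    return recovered, with_key, without_key


if __name__ == "__main__":
    print(demo())
```

Two things follow for a DPIA of this kind of system. First, hashing alone gives the data subject nothing; the behavioral signal (gambling, health, dating apps) is fully recoverable from the MD5 values, which is the authority's point. Second, even the keyed variant is pseudonymization rather than anonymization in GDPR terms, because the controller keeps the key, so it reduces exposure to third parties and long-lived analytics stores but does not remove the need for a lawful basis, transparency, and data minimization. Not collecting the installed-app list at all is the only option that satisfies minimization outright.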
During the proceedings, the companies defended their use of ThreatMetrix, emphasizing the growing scale of financial fraud and the need for proactive detection tools. They maintained that the data collection was pseudonymized, encrypted, and used exclusively for security purposes. They also argued that explicit consent was not required, framing the data access as a technical necessity rather than a legal basis for processing.
Italy’s data protection agency rejected these arguments, stressing that security measures must still comply with core GDPR principles, including data minimization, transparency, and proportionality. It also underscored that making invasive data collection a mandatory condition for service undermines the concept of freely given consent.
