Italy’s data protection authority has fined two postal service companies more than €12.5 million after determining that their mobile applications collected user data in a way that violated privacy regulations.
The penalties were issued to Poste Italiane SpA, a state-controlled postal and financial services provider, and its digital payments subsidiary Postepay SpA. Poste Italiane was fined €6.6 million, while Postepay received a €5.9 million penalty following an investigation into its data processing practices.
The inquiry began in April 2024 after authorities received complaints about how the companies’ mobile applications operated. The investigation focused on apps used for financial services, including BancoPosta and Postepay, which are widely used for payments and account management in Italy.
According to the regulator, the applications required users to allow monitoring of data stored on their mobile devices as a condition of accessing services. This included information about installed and running applications, as well as other device-related data used to assess potential security risks.
The companies stated that these measures were intended to detect malicious software and prevent fraud, citing compliance with payment service regulations. However, the Italian data protection authority found that the level of monitoring went beyond what was necessary for security purposes.
Regulators described the data collection methods as excessively intrusive and determined that they did not meet the requirements of proportionality under data protection laws. The authority also stated that users were not provided with sufficient information about how their data was being processed.
Additional findings included failures to implement adequate security safeguards and the retention of collected data for longer than permitted under applicable regulations.
Separate analysis of the system indicated that the apps could collect identifiers linked to installed applications and device behaviour, which could be used to infer detailed information about users. The regulator concluded that such data processing could involve sensitive personal information and required stricter controls.
The enforcement action is among the larger penalties issued by Italy’s data protection authority in recent years. Authorities have not indicated whether additional sanctions or corrective measures will follow.