Italian Regulator Fines National Postal Service Organizations $15 Million for Data Privacy Violations

What happened

Italy’s data protection regulator, the Garante per la protezione dei dati personali, announced on Monday that it has fined Poste Italiane SpA and its digital payments subsidiary Postepay SpA a combined €12.5 million ($14.7 million) for unlawfully processing millions of users’ personal data. Poste Italiane received a €6.6 million fine and Postepay €5.9 million.

The investigation centered on the Postepay app and a companion app operated by BancoPosta, the financial services division of Poste Italiane. Both apps required users to authorize monitoring of data stored on their mobile devices, including installed and running applications, which the companies said was necessary to identify malicious software and comply with payment services regulations. The regulator rejected that justification, finding the monitoring methods were excessively invasive and not required for fraud prevention purposes.

Beyond the device monitoring issue, the regulator found additional violations: users were not given adequate information about how their data was being processed, security safeguards were insufficient, and data was retained for longer than permitted under applicable privacy rules.

Who is affected

Users of the Postepay and BancoPosta mobile apps are directly affected. Given that Poste Italiane is Italy’s state-controlled national postal service with multiple financial subsidiaries and a large retail customer base, the number of individuals whose data was subject to the disputed processing is likely substantial, though the regulator has not specified the total number of affected users.

Why CISOs should care

This case draws a clear regulatory line on a practice that many financial services organizations have quietly adopted: broad device monitoring justified under fraud prevention or payment services compliance frameworks. The Italian regulator’s position is that necessity and proportionality apply to those justifications, and that monitoring installed apps at the device level goes beyond what fraud prevention actually requires.

For security and compliance leaders in financial services, particularly those operating under PSD2 or equivalent payment regulations, this ruling is a signal that mobile app data collection practices are under active scrutiny. The secondary violations around transparency, security safeguards, and retention periods compound the risk, as each represents an independent compliance failure that regulators can pursue.

3 practical actions

  1. Audit mobile app data collection practices against necessity and proportionality standards: Review what data your apps actually collect from user devices (permissions requested, device inventory, usage telemetry), check whether the scope of that collection is justified by the specific fraud prevention or compliance purpose cited, and document that justification thoroughly.
  2. Review user-facing disclosures for payment and financial apps: The regulator found that users were not adequately informed about data processing. Assess whether your app privacy notices clearly explain what device data is collected, why, how long it is retained, and what security measures protect it.
  3. Tighten data retention schedules for mobile-collected data: Retention violations are among the most common and most avoidable GDPR enforcement triggers. Confirm that data collected through mobile apps is subject to defined retention limits and that automated deletion or anonymization is in place and functioning.
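A concrete starting point for the first action, added here as an illustrative example (not code from the article, the regulator, or Poste Italiane): the Android capabilities that let an app enumerate installed or running applications are declared in the manifest, so an audit can begin by parsing AndroidManifest.xml and flagging those declarations. The watchlist of permissions below is an assumption chosen for this example (it covers the well-known inventory permissions QUERY_ALL_PACKAGES, PACKAGE_USAGE_STATS and the deprecated GET_TASKS), and both manifests are constructed samples: one "broad" manifest of the kind the ruling criticises and one "lean" manifest that only declares a targeted package query.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed watchlist for this example: permissions that let an app inventory the
# other apps on a device. Extend it with your own platform-specific findings.
DEVICE_INVENTORY_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "enumerate every installed package (Android 11+)",
    "android.permission.PACKAGE_USAGE_STATS": "read which apps are used and when",
    "android.permission.GET_TASKS": "list running tasks (deprecated, still seen in older apps)",
}

# Constructed sample: broad device monitoring, the pattern the regulator rejected.
BROAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <queries>
    <package android:name="com.example.bankpartner"/>
  </queries>
  <application android:label="PayApp"/>
</manifest>"""

# Constructed sample: same app with collection narrowed to one named partner package.
LEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <queries>
    <package android:name="com.example.bankpartner"/>
  </queries>
  <application android:label="PayApp"/>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    """Parse an AndroidManifest.xml string and report app-inventory capabilities.

    Returns the declared permissions, the subset on the watchlist with a short
    description of what each grants, the explicit <queries> package targets, and
    a flag saying whether the app needs a documented necessity justification.
    """
    root = ET.fromstring(manifest_xml)
    permissions = [
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    ]
    flagged = {
        p: DEVICE_INVENTORY_PERMISSIONS[p]
        for p in permissions
        if p in DEVICE_INVENTORY_PERMISSIONS
    }
    # <queries><package .../></queries> is the targeted alternative: the app can only
    # see the packages it names, so it is reported but not treated as broad monitoring.
    queried_packages = [
        pkg.get(NAME_ATTR)
        for q in root.iter("queries")
        for pkg in q.iter("package")
        if pkg.get(NAME_ATTR)
    ]
    return {
        "declared_permissions": permissions,
        "flagged": flagged,
        "queried_packages": queried_packages,
        "needs_justification": bool(flagged),
    }


def report(manifest_xml: str) -> list[str]:
    """Render an audit result as human-readable lines for a review record."""
    result = audit_manifest(manifest_xml)
    lines = [f"{p}: {why}" for p, why in result["flagged"].items()]
    lines += [f"targeted query: {pkg}" for pkg in result["queried_packages"]]
    lines.append(
        "ACTION: document necessity and proportionality" if result["needs_justification"]
        else "OK: no broad app-inventory capability declared"
    )
    return lines


if __name__ == "__main__":
    for label, manifest in (("broad", BROAD_MANIFEST), ("lean", LEAN_MANIFEST)):
        print(f"--- {label} manifest ---")
        for line in report(manifest):
            print(line)
```

Run it against the manifests extracted from your release builds (for example, with `apktool` or `aapt2 dump`) rather than the source tree, since SDKs and third-party fraud-detection libraries can merge additional permissions into the final manifest. A hit on the watchlist is not itself a violation; it is the point at which the necessity argument has to be written down, reviewed, and reflected in the privacy notice.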
