Digital Payments

Privacy, 12.5 million fine from the Garante to Poste Italiane

The Authority challenges the use of apps to access customer data on mobile phones. The reply: 'Correct behaviour, we will appeal'


3' min read

Translated by AI
Versione italiana

The Garante per la Privacy has imposed a total fine of EUR 12.5 million on the Poste Group, of which EUR 6.624 million on Poste Italiane and EUR 5.877 million on Postepay, for unlawfully processing the personal data of millions of users.

The case is the same one that gave rise to a EUR 4 million fine issued by the Antitrust Authority in June 2025, a fine that was annulled this year by the Regional Administrative Court after an appeal by Poste. The investigation by the Garante per la Privacy had started following 140 reports and 12 complaints, received in April and May 2024, about the fact that users of the Bancoposta and PostePay apps had received messages inviting them to 'authorise the app to access their data in order to detect the presence of any malicious software'.


Authorisation was compulsory: without it, operations were blocked. The authorisation allowed access to usage data, in order to monitor the apps used by customers and the frequency of their use, and to identify telephone operators. These applications thus made it a mandatory condition for using the services that users grant authorisation to monitor a range of data held on their mobile devices, including installed and running applications, in order to identify any malicious software. The processing was carried out by means of ThreatMetrix, which in essence is a component of Poste's anti-fraud platform that analyses in real time the transactions carried out through the app and provides a risk index for those transactions.

The Garante: excessively invasive application on users

The measure adopted yesterday states that, after an initial phase of in-depth studies by the Garante, it concluded that 'the configuration of the ThreatMetrix application appeared excessively invasive of the legal sphere of the person concerned, since the albeit relevant objective of raising the level of computer security and of operating a greater anti-fraud control could have been usefully achieved by the companies through the use of tools, possibly also combined with each other, with less impact on the rights of end users'.

Company: processing needed for payment regulations

According to the companies, however, the processing steps taken were necessary to ensure the security of transactions and to comply with payment services regulations. In particular, Poste referred to the EBA regulations and the EU PSD2 directive. However, the Garante found that the methods adopted entailed an excessively invasive interference in the private sphere of users, as they were not strictly necessary in relation to the purpose of fraud prevention. The investigation also revealed several violations of data protection law, including deficiencies in the information provided to users, lack of an adequate data protection impact assessment (DPIA), failure to adopt adequate security measures and appropriate data retention policies, and irregularities in the designation of the data controller.

In addition to sanctions, the cessation of behaviour is demanded

In addition to the sanctions, the Authority ordered the companies to cease processing the disputed data (even though 28 months have now passed and the two Apps no longer exist but have been merged into one large App) if they have not already done so, and to comply with the data retention requirements, notifying the Garante.

The company's reply was not long in coming. "Poste Italiane welcomes with amazement the measure with which the Privacy Guarantor has imposed a sanction for alleged unlawful processing of personal data of BancoPosta and PostePay users. A measure that, moreover, in addition to its merit, is also flawed from a procedural point of view, having been adopted in blatant delay with respect to the peremptory terms provided for by law for the exercise of the Guarantor's powers," reads a note issued by the group. "In this regard, it should be emphasised that on 2 February 2026, the Lazio Regional Administrative Court annulled the measure with which the Antitrust Authority had sanctioned Poste Italiane for an alleged unfair commercial practice relating to the same anti-fraud device that is the subject of today's censure by the Guarantor, recognising its full legitimacy and the absence of any commercial intent in Poste's conduct," it said.

Poste Italiane "rejects all charges and reiterates the correctness and transparency of its actions. In particular, as also recognised by the Bank of Italy, the Group has legitimately used access to the technical data of its customers' devices, as required by European legislation (PSD2 Directive), for the sole purpose of activating anti-fraud and anti-malware safeguards, in order to fully protect the security of its users, in compliance with the payment services regulations". Finally, the postal group announces that it will "file an appeal for the annulment of the measure with the Court of Rome".
