GDPR | Apr 27, 2026

Garante per la protezione dei dati personali (Italy) - 10241537

Italian DPA fines Poste Italiane and PostePay €12.5M for GDPR violations in device data collection.

Summary

Italy's Data Protection Authority (Garante) issued a €12.5M fine against Poste Italiane S.p.a. (€6.624M) and PostePay S.p.a. (€5.877M) for multiple GDPR breaches related to unauthorized collection of personal data from user devices via the ThreatMetrix application. The violations included unlawful access to device data, inadequate legal basis under Article 6, failure to provide transparent information about data processing and third-party sub-processors, improper data processor agreements, and excessive data retention beyond declared periods.

Full text

Garante per la protezione dei dati personali - 10241537
Revision as of 15:05, 27 April 2026

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(e) GDPR; Article 6 GDPR; Article 6(1)(f) GDPR; Article 13 GDPR; Article 25 GDPR; Article 32 GDPR; Article 35 GDPR; Article 122 Italian Code transposing Article 5(3) e-Privacy Directive 2002/58
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.04.2026
Published:
Fine: 12,501,000 EUR
Parties: Poste Italiane S.p.a.; PostePay S.p.a.
National Case Number/Name: 10241537
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: dt

The DPA fined the Italian Post and PostePay a total of €12,501,000 for multiple infringements relating to the processing of personal data for the detection of dangerous software on the devices of users who installed the controllers' applications.

English Summary

Facts

The Italian DPA received several complaints in 2024 claiming that users of the applications "Bancaposta" and "PostePay", of the Italian Post and PostePay (joint controllers), received requests to authorise the apps to access data on their devices for the detection of dangerous software. Rejecting the request would have limited the number of times a user was able to access the app, eventually leading to the blocking of the app.

The joint controllers claimed that the data collected were limited to what was necessary for the purpose of guaranteeing the safety of the users' information and transactions. The joint controllers also cited technical standards and norms requiring the implementation of mechanisms for monitoring and guaranteeing the safety of information and digital transactions. The joint controllers informed the DPA that ThreatMetrix, an application of a sub-processor provided to a data processor, was used for the processing activities. The DPA launched an investigation into the matter.

Holding

Firstly, the DPA found a violation of Article 122 of the Italian Code transposing Article 5(3) e-Privacy Directive 2002/58, due to the joint controllers' unlawful access to the data on the users' devices.

Secondly, the DPA held that the joint controllers breached Article 6 GDPR by unlawfully processing personal data from the users' devices for anti-fraud measures: even though the processing fell within the scope of Article 6(1)(f) GDPR (i.e. legitimate interest as a legal basis), the controllers failed to adequately balance the interests and rights of the data subjects.

Thirdly, the DPA concluded that the joint controllers breached the principle of fairness and transparency in Article 5(1)(a) GDPR and Article 13 GDPR by failing to provide specific information that the processing of personal data was carried out via the ThreatMetrix application, and on the fact that the joint controllers collect data relating to the apps installed or running on users' devices.

Fourthly, the DPA found violations of Article 28(1) GDPR and Article 28(3) GDPR due to the joint controllers' designation of a data processor who did not present sufficient guarantees for implementing appropriate technical and organisational measures. The DPA reached this conclusion, on the one hand, because the processing of users' personal data via the ThreatMetrix application was not part of the agreement between the joint controllers and the data processor and, on the other hand, because that agreement did not mention the sub-processor who provided the ThreatMetrix app.

Fifthly, the DPA held that the joint controllers violated Article 35 GDPR and Article 25 GDPR (i.e. privacy by design and by default).

Finally, the DPA identified a violation of Article 5(1)(e) GDPR (i.e. storage limitation). The DPA found a difference between the processing purposes declared by the joint controllers and by the sub-processor, as well as a difference between the data retention period initially declared by the joint controllers and the actual retention period of users' personal data, the latter exceeding the former by 4 months.

Therefore, the DPA fined the Italian Post €6,624,000 and PostePay €5,877,000 and ordered both to specify the storage times for the users' data and which users' data are processed via the ThreatMetrix application.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Press release of April 20, 2026

[web doc. no. 10241537]

Measure of April 17, 2026
Register of Measures No. 237 of April 17, 2026

THE ITALIAN DATA PROTECTION AUTHORITY

In today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, members, and Dr. Luigi Montuori, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation");

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the "Code");

HAVING SEEN the numerous reports and complaints received by the Authority since April 2024 against Poste Italiane S.p.a. and PostePay S.p.a. concerning the unlawful processing of personal data of users of the Bancoposta and PostePay apps, installed on Android operating systems;

HAVING EXAMINED the documentation in the file;

HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Guarantor's Regulation No. 1/2000;

REPORTER: Professor Pasquale Stanzione;

WHEREAS

1. Reports and complaints.

In April and May 2024, 140 reports and 12 complaints were received by this Authority. These complaints informed this Authority that users of the Bancoposta and PostePay apps (installed on Android operating systems) received a message inviting them to "authorize the app to access data to detect the presence of any malicious software." The same message indicated that this was a mandatory option, to be activated immediately, and that failure to activate it would result in a maximum of three accesses, after which the app would be blocked. Specifically, in the configuration screen to which the user was directed by the message in question, granting the aforementioned authorization allowed the Bancoposta and PostePay apps to access so-called "protected data": "usage data" for the purpose of monitoring the applications used and their frequency of use, as well as identifying the telephone operator, language settings, and "other usage data."

Regarding this matter, the Italian Competition Authority (hereinafter "AGCM"), in relation to its areas of jurisdiction, also opened proceedings on April 22, 2024, regarding unfair commercial practices, identifying a possible violation of Articles 20, 24, and 25 of the Consumer Code.

2. The preliminary investigation.

2.1 The first request for information pursuant to Article 157 of the Code.

With a note dated April 30, 2024, Poste Italiane S.p.a. and PostePay S.p.a. (hereinafter also "the Companies" or "the Parties") responded to the Author

Entities

Poste Italiane S.p.a. (vendor); PostePay S.p.a. (vendor); Bancaposta (product); PostePay (product); ThreatMetrix (product)