GDPR | Apr 28, 2026

Garante per la protezione dei dati personali (Italy) - 10241537

Italian DPA fines Italian Post and PostePay for unlawful device data access via Bancaposta and PostePay apps.

Summary

Italy's Data Protection Authority (Garante) found multiple GDPR violations by Italian Post and PostePay for requiring users of their Bancaposta and PostePay banking apps to authorize device data access for malware detection, with app blocking as a penalty for refusal. The DPA identified breaches of Articles 5, 6, 13, 25, 28, and 35 GDPR, as well as the e-Privacy Directive, citing unlawful processing, lack of transparency about ThreatMetrix use, inadequate data processor oversight, missing data protection impact assessments, and retention periods exceeding declared limits by 4 months.

Full text

Garante per la protezione dei dati personali - 10241537 (GDPRhub, latest revision as of 07:46, 28 April 2026, contributor Dt)

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR; Article 5(1)(a) GDPR; Article 6 GDPR; Article 6(1)(f) GDPR; Article 13 GDPR; Article 25 GDPR; Article 32 GDPR; Article 35 GDPR; Article 122 Italian Code transposing Article 5(3) e-Privacy Directive 2002/58
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.04.2026
Published:
Fine: 12,501,000 EUR
Parties: Poste Italiane S.p.a.; PostePay S.p.a.
National Case Number/Name: 10241537
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: dt

The DPA fined the Italian Post and PostePay a total of €12,501,000 for multiple infringements relating to the processing of personal data for the detection of dangerous software from the devices of users who installed the controllers’ applications.

English Summary

Facts

The Italian DPA received several complaints in 2024 claiming that the users of the applications “Bancaposta” and “PostePay”, provided by the Italian Post and PostePay (joint controllers), received notifications asking them to authorise the apps to access data on their devices for the detection of dangerous software. Rejecting the request would have limited the number of times a user was able to access the app, eventually leading to the blocking of the app. The joint controllers claimed the data collected were limited to what was necessary for the purpose of guaranteeing the safety of the information and transactions of the users.

Holding

First, the DPA found a violation of Article 122 of the Italian Code transposing Article 5(3) of the e-Privacy Directive 2002/58, due to the unlawful access by the joint controllers to the data on the users’ devices.

Second, the DPA held that the joint controllers breached Article 6 GDPR by unlawfully processing personal data from the users’ devices for antifraud measures: even though the processing fell within the scope of Article 6(1)(f) GDPR (i.e. legitimate interest as a legal basis), the controllers failed to adequately balance their interests against the rights of the data subjects.

Third, the DPA concluded that the joint controllers breached the principle of fairness and transparency in Article 5(1)(a) GDPR and Article 13 GDPR by failing to inform users specifically that the processing of personal data was carried out via the ThreatMetrix application and that the joint controllers collect data relating to the apps installed or running on users’ devices.

Fourth, the DPA found violations of Article 28(1) GDPR and Article 28(3) GDPR due to the designation by the joint controllers of a data processor who did not present sufficient guarantees for implementing appropriate technical and organisational measures. The DPA reached this conclusion, on the one hand, because the processing of users’ personal data via the ThreatMetrix application was not part of the agreement between the joint controllers and the data processor and, on the other hand, because that agreement did not mention the sub-processor who provided the ThreatMetrix app.

Fifth, the DPA held that the joint controllers violated Article 35 GDPR by failing to conduct a data protection impact assessment, as well as Article 25 GDPR (i.e. privacy by design and by default) by failing to provide from the outset the necessary safeguards for the protection of data subjects' rights.

Finally, the DPA identified a violation of Article 5(1)(e) GDPR (i.e. storage limitation). The DPA found a difference between the processing purposes declared by the joint controllers and the sub-processor, as well as a difference between the data retention period initially declared by the joint controllers and the actual retention period of users’ personal data, the latter exceeding the former by 4 months.

Entities

Italian Post (Poste Italiane) (vendor)
PostePay (vendor)
Bancaposta (product)
PostePay (product)
ThreatMetrix (product)
Garante per la protezione dei dati personali (vendor)