GDPR | Apr 29, 2026

Garante per la protezione dei dati personali (Italy) - 10241537

Italian DPA fines Poste Italiane and PostePay €12.5M for unlawfully processing device data for malware detection.

Summary

Italy's Data Protection Authority (Garante) fined Poste Italiane and PostePay a combined €12,501,000 (€6,624,000 and €5,877,000 respectively) for the way their Bancoposta and PostePay apps collected data from users' devices to detect malware. The apps asked users to authorise access to device data, including information on the apps installed or running on the device, which was processed through the ThreatMetrix application of a sub-processor; refusing the request progressively limited the number of times the user could still open the app and eventually blocked it. The DPA held that accessing the device data in this way breached Article 122 of the Italian Code (transposing Article 5(3) of the e-Privacy Directive), that the legitimate-interest basis under Article 6(1)(f) GDPR failed because the controllers had not properly balanced their anti-fraud interest against users' rights, and that they had also breached Articles 5(1)(a) and 13 (the privacy notice did not mention ThreatMetrix or the collection of installed-app data), Article 28 (the ThreatMetrix processing and the sub-processor were not covered by the processing agreement), Articles 25 and 35 (no data protection impact assessment and no safeguards built in from the outset) and Article 5(1)(e) (data retained four months longer than declared). The investigation was triggered by user complaints in 2024 about the coercive authorisation requests.

Full text

Garante per la protezione dei dati personali - 10241537

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR; Article 5(1)(e) GDPR; Article 6 GDPR; Article 6(1)(f) GDPR; Article 13 GDPR; Article 25 GDPR; Article 32 GDPR; Article 35 GDPR; Article 122 Italian Code transposing Article 5(3) e-Privacy Directive 2002/58
Type: Investigation
Outcome: Violation Found
Started:
Decided: 17.04.2026
Published:
Fine: 12,501,000 EUR
Parties: Poste Italiane S.p.a.; PostePay S.p.a.
National Case Number/Name: 10241537
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: dt

The DPA fined the Italian Post and PostePay a total of €12,501,000 for multiple infringements relating to the processing of personal data for the detection of malware on the devices of users who installed the controllers' applications.

English Summary

Facts

The Italian DPA received several complaints in 2024 from users of the applications "Bancoposta" and "PostePay", provided by the Italian Post and PostePay (joint controllers of each of the two apps). The users were prompted to authorise the apps to access data on their devices for the detection of malware. Rejecting the request limited the number of times a user could still access the app and eventually led to the app being blocked.

The joint controllers claimed that the data collected were limited to what was necessary to guarantee the security of users' information and transactions. They also cited technical standards and rules requiring mechanisms for monitoring and securing information and digital transactions. They informed the DPA that ThreatMetrix, an application provided by a sub-processor, was used for the processing activities. The DPA launched an investigation into the matter.

Holding

First, the DPA found a violation of Article 122 of the Italian Code transposing Article 5(3) e-Privacy Directive 2002/58, because the joint controllers' access to the data on the users' devices was unlawful.

Second, the DPA held that the joint controllers breached Article 6 GDPR by unlawfully processing personal data from the users' devices for anti-fraud measures: even though the processing fell within Article 6(1)(f) GDPR (legitimate interest as a legal basis), the controllers failed to adequately balance their interest against the interests and rights of the data subjects.

Third, the DPA concluded that the joint controllers breached the principle of fairness and transparency in Article 5(1)(a) GDPR and Article 13 GDPR by failing to inform users specifically that the processing was carried out via the ThreatMetrix application and that the joint controllers collected data relating to the apps installed or running on users' devices.

Fourth, the DPA found violations of Article 28(1) GDPR and Article 28(3) GDPR because the joint controllers designated a data processor who did not present sufficient guarantees for implementing appropriate technical and organisational measures. The DPA reached this conclusion on the one hand because the processing of users' personal data via the ThreatMetrix application was not part of the agreement between the joint controllers and the data processor, and on the other hand because that agreement did not mention the sub-processor who provided the ThreatMetrix application.

Fifth, the DPA held that the joint controllers violated Article 35 GDPR by failing to conduct a data protection impact assessment, as well as Article 25 GDPR (data protection by design and by default) by failing to provide from the outset the safeguards necessary to protect data subjects' rights.

Finally, the DPA identified a violation of Article 5(1)(e) GDPR (storage limitation). The DPA found a discrepancy between the processing purposes declared by the joint controllers and those declared by the sub-processor, as well as a discrepancy between the data retention period initially declared by the joint controllers and the actual retention period of users' personal data, the latter exceeding the former by four months.

Therefore, the DPA fined the Italian Post €6,624,000 and PostePay €5,877,000 and ordered both to specify the storage periods for users' data and which user data are processed via the ThreatMetrix application.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian

Entities

Poste Italiane S.p.a. (vendor)
PostePay S.p.a. (vendor)
Bancoposta (product)
PostePay (product)
ThreatMetrix (product)
Garante per la protezione dei dati personali (vendor)