In a landmark enforcement action that is sending shockwaves across Europe’s financial and fintech sectors, Italy’s data protection authority – Garante per la protezione dei dati personali – has imposed over €12.5 million in fines on Poste Italiane and Postepay for unlawful processing of personal data tied to their mobile applications.
The decision highlights a growing regulatory stance: security cannot justify excessive data collection, especially when it intrudes into users’ private digital environments.
What Happened?
Following a wave of complaints starting in April 2024, the Italian regulator launched an investigation into the BancoPosta and Postepay mobile apps.
According to findings later published by the authority, the apps required users to grant access to sensitive device-level data, including:
- Installed applications
- Running processes
- Device activity
This access was positioned as mandatory for using the services, allegedly to detect malware and prevent fraud.
However, regulators concluded that this approach was disproportionate and overly intrusive, exceeding what is strictly necessary for security purposes.
Key Violations Identified
The investigation uncovered multiple breaches of data protection principles under the General Data Protection Regulation (GDPR), including:
- Excessive data collection beyond necessity
- Inadequate user transparency (unclear privacy notices)
- Missing Data Protection Impact Assessment (DPIA)
- Weak or insufficient security safeguards
- Poor data retention policies
- Irregularities in appointing data processors
The regulator emphasized that fraud prevention does not justify unrestricted monitoring of users’ devices.
The Financial and Operational Impact
- €6.6M fine imposed on Poste Italiane
- €5.8M fine imposed on Postepay
- Immediate order to stop unlawful data processing practices
- Mandatory compliance updates on data retention and governance
Beyond the financial penalties, the reputational impact is significant, especially for institutions handling the financial data of millions of users.
Why This Matters Globally
This case sets a powerful precedent for:
- Banks and fintech platforms using mobile security controls
- App developers implementing anti-fraud mechanisms
- Organizations relying on device fingerprinting or behavioral monitoring
The message is clear:
– Security must be proportionate, transparent, and privacy-respecting.
Globally, regulators are increasingly scrutinizing how companies balance fraud prevention against user privacy, a tension that is only intensifying in the age of mobile-first banking.
MEA Perspective
For financial institutions across the Middle East and Africa, this ruling is particularly relevant as:
- Mobile banking adoption continues to surge
- Digital identity and fraud detection systems expand
- Regulatory frameworks evolve toward GDPR-like models
Organizations in the region must ensure that security innovation does not outpace compliance, especially when deploying advanced monitoring technologies.
10 Critical Actions for Security & Compliance Teams
- Conduct a full Data Protection Impact Assessment (DPIA) before deploying monitoring features
- Limit data collection strictly to what is necessary for security purposes
- Ensure transparency with clear, user-friendly privacy notices
- Avoid mandatory consent for excessive data access
- Implement strong data minimization policies
- Review mobile app permissions and telemetry practices
- Strengthen governance over third-party data processors
- Define clear data retention and deletion policies
- Align security controls with privacy-by-design principles
- Partner with trusted cybersecurity experts like Saintynet Cybersecurity to ensure compliance, risk assessment, and secure architecture
Additionally, organizations should invest in security awareness and compliance training programs via saintynet.com to align teams with evolving regulatory expectations.
Industry Insight
This enforcement reflects a broader shift in cybersecurity:
- Privacy is now a core security metric
- Over-collection of data is becoming a liability, not an asset
- Regulators are prioritizing user rights over convenience-driven security models
For deeper insights on data protection and mobile security trends, explore related analysis on CyberCory.com.
Conclusion
The €12.5 million fine against Poste Italiane and Postepay marks a critical moment in the evolution of data protection enforcement.
It reinforces a fundamental principle:
– You cannot secure users by compromising their privacy.
As mobile ecosystems become central to financial services, organizations must rethink how they design security controls, ensuring they are effective, compliant, and respectful of user trust.