Poste Italiane and Postepay Fined €12.5 Million for Illegally Processing Personal Data of Millions of Users

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Substantial regulatory penalty: The Italian Data Protection Authority imposed a €12.5 million fine on Poste Italiane and Postepay for unauthorized data processing violations.
  • Non-compliant application: Regulatory assessment determined that the mobile application's fraud detection protocols were intrusive and lacked proper data protection impact assessments.
  • Organizational response: Poste Italiane contested the determinations, asserting lawful access to device technical specifications exclusively for fraud prevention.

Poste Italiane and its payment processing subsidiary, Postepay, are to pay a substantial penalty totaling €12.5 million ($14.7 million) for unauthorized processing of personal data affecting millions of subscribers, the Italian Data Protection Authority announced on Monday.

Regulatory Determinations and GDPR Non-Compliance

The enforcement action addresses specific technical mechanisms within Poste's mobile applications that were engineered for malware and fraud detection.

According to the Italian Data Protection Authority, cited by Reuters, these fraud mitigation systems collected more data than was proportionate to their security objectives.

Additionally, the authority's investigation documented multiple violations of the General Data Protection Regulation (GDPR). Its findings cited inadequate information provided to users and the absence of adequate data protection impact assessments.

Organizational Response to the Poste Italiane Penalty

Following the Poste Italiane penalty announcement, the organization disputed the regulatory determinations. The service provider, which delivers financial and payment processing services in addition to conventional postal operations, maintained the "correctness and transparency of its actions," Reuters said.

The organization emphasized that such data collection occurred exclusively to implement requisite anti-fraud and anti-malware security measures essential for protecting consumers against financial exploitation schemes.

In other news, a Milan Court last week accepted a Meta Platforms class-action lawsuit accusing Facebook of scraping the personal data of 35 million users. Last year in Italy, a local transportation company was sanctioned for installing a geolocation system without informing employees.
