Italian Regulator Fines Poste Italiane €12.5 Million for Invasive Data Monitoring in Payment Apps

Italy’s data‑protection authority fined Poste Italiane and its Postepay subsidiary €12.5 million for illegally harvesting device‑level data from millions of users through overly invasive mobile‑app monitoring, highlighting a major privacy‑compliance risk for third‑party payment providers.

🛡️ LiveThreat™ Intelligence · 📅 April 21, 2026· 📰 therecord.media
  • Severity: High
  • Type: Advisory
  • Confidence: High
  • Affected: 2 sector(s)
  • Actions: 3 recommended
  • Source: therecord.media

What Happened — Italy’s data‑protection authority imposed a €12.5 million fine on state‑controlled postal operator Poste Italiane and its digital‑payments subsidiary Postepay for illegally processing millions of users’ personal data. The regulator said the Postepay and BancoPosta mobile apps forced users to authorize “monitoring of a series of data contained on mobile devices, including installed and running applications,” a practice deemed excessively invasive and unnecessary for fraud prevention.

Why It Matters for TPRM

  • Regulatory penalties of this magnitude illustrate the financial exposure tied to non‑compliant data‑processing practices.
  • Payment‑service providers embedded in broader supply chains can become a privacy liability for their corporate customers.
  • Ongoing vendor oversight must include verification of lawful consent, data‑minimisation, and retention policies.

Who Is Affected — Financial‑services/payments providers, postal and logistics firms with digital‑payment arms, and any organization that integrates Poste Italiane’s payment APIs or relies on its mobile‑app ecosystem.

Recommended Actions

  • Review and tighten contractual privacy clauses covering the vendor's collection of device‑level data.
  • Request the vendor's data‑protection impact assessments (DPIAs) for the apps and for the fraud‑prevention processing used to justify the monitoring.
  • Audit the mobile app and any embedded SDKs for device‑monitoring capabilities, in particular enumeration of installed and running applications, that exceed what fraud prevention requires.
  • Confirm that data‑retention schedules for device telemetry meet GDPR requirements.
  • Implement continuous monitoring of the vendor's compliance posture.
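As a concrete starting point for the audit action above, here is an added triage script. It is not code from The Record's reporting, from Poste Italiane, or from any regulator; it shows how to surface the Android capability at issue: the manifest permissions, `<queries>` declarations and framework calls that let an app enumerate what is installed or running on a device. The manifest and Java snippet it runs on are constructed samples, and the package name `com.example.payapp` and the directory layout (apktool output with `AndroidManifest.xml` plus `smali/` or Java sources) are assumptions. A hit does not by itself establish unlawful processing; it tells you what to check against the vendor's DPIA and stated fraud‑prevention purpose.

```python
"""Triage an apktool-decoded Android app for app-enumeration capability:
permissions, <queries> declarations and API calls that reveal which other
apps are installed or running on the device."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterable

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names that gate enumeration of other apps.
ENUMERATION_PERMISSIONS = {
    "android.permission.QUERY_ALL_PACKAGES": "unfiltered list of installed packages (API 30+)",
    "android.permission.PACKAGE_USAGE_STATS": "usage history of other apps via UsageStatsManager",
    "android.permission.GET_TASKS": "legacy running-task enumeration (deprecated)",
}

# Real framework method names; the regexes also match their smali descriptors.
ENUMERATION_CALLS = [
    (re.compile(r"getInstalledApplications|getInstalledPackages"), "PackageManager installed-app enumeration"),
    (re.compile(r"getRunningAppProcesses|getRunningTasks"), "ActivityManager running-app enumeration"),
    (re.compile(r"queryUsageStats|UsageStatsManager"), "UsageStatsManager app-usage history"),
]


def audit_manifest(manifest_xml: str) -> list[str]:
    """Return one finding per permission or <queries> entry that widens package visibility."""
    findings = []
    root = ET.fromstring(manifest_xml)
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in ENUMERATION_PERMISSIONS:
            findings.append(f"permission {name}: {ENUMERATION_PERMISSIONS[name]}")
    # <queries> is the API 30+ opt-in for seeing specific packages; an intent filter on
    # android.intent.action.MAIN effectively enumerates every launchable app.
    for queries in root.iter("queries"):
        for pkg in queries.iter("package"):
            findings.append(f"queries package: {pkg.get(ANDROID_NS + 'name')}")
        for intent in queries.iter("intent"):
            actions = [a.get(ANDROID_NS + "name", "") for a in intent.iter("action")]
            findings.append(f"queries intent: {', '.join(actions) or '(any)'}")
    return findings


def audit_sources(files: Iterable[tuple[str, str]]) -> list[str]:
    """files: (path, contents) pairs from the decompiled tree; returns path:line findings."""
    findings = []
    for path, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, why in ENUMERATION_CALLS:
                if pattern.search(line):
                    findings.append(f"{path}:{lineno}: {why}")
    return findings


def audit_decoded_apk(root: Path) -> list[str]:
    """Walk an apktool output directory (assumed layout: AndroidManifest.xml plus sources)."""
    manifest = (root / "AndroidManifest.xml").read_text(encoding="utf-8")
    sources = (
        (str(p.relative_to(root)), p.read_text(encoding="utf-8", errors="replace"))
        for p in root.rglob("*") if p.suffix in {".smali", ".java", ".kt"}
    )
    return audit_manifest(manifest) + audit_sources(sources)


# Constructed sample input; the package name is hypothetical, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <queries>
    <intent><action android:name="android.intent.action.MAIN"/></intent>
  </queries>
  <application android:label="PayApp"/>
</manifest>"""

SAMPLE_SOURCES = [
    ("com/example/payapp/DeviceCheck.java",
     "public class DeviceCheck {\n"
     "  void collect(android.content.Context ctx) {\n"
     "    java.util.List apps = ctx.getPackageManager().getInstalledApplications(0);\n"
     "    android.app.ActivityManager am = (android.app.ActivityManager) ctx.getSystemService(\"activity\");\n"
     "    java.util.List running = am.getRunningAppProcesses();\n"
     "  }\n}\n"),
    ("com/example/payapp/Tls.java", "public class Tls { void pin() {} }\n"),
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit_decoded_apk(Path(sys.argv[1]))
    else:
        report = audit_manifest(SAMPLE_MANIFEST) + audit_sources(SAMPLE_SOURCES)
    for line in report:
        print(line)
```

Against the sample it reports the two enumeration permissions, the broad `<queries>` intent filter and the two enumeration calls in `DeviceCheck.java`. For a real vendor build, decode with `apktool d app.apk -o out` and pass `out` as the argument; each finding is a question for the vendor (which fraud signal needs it, how long the data is kept), not a conclusion.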

Technical Notes — The issue was not a software vulnerability (no CVE) but a design‑level misuse of device telemetry collected by the Postepay and BancoPosta apps, specifically enumeration of the applications installed and running on the user's device. Poste Italiane presented the monitoring as fraud prevention; the regulator found its scope disproportionate to that purpose and the processing without a lawful basis, since the apps made the monitoring a condition of use. Source: The Record

📰 Original Source
https://therecord.media/italian-regulator-fines-postal-service-orgs-15-million-privacy

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
