Italy: Data Protection Authority investigation into Poste Italiane and PostePay over alleged unlawful processing via BancoPosta and PostePay apps
Progress
Scope
Timeline of events
Data Protection Authority issued fines totalling EUR 12.5 million and ordered cessation of processing via BancoPosta and PostePay apps
On 17 April 2026, the Data Protection Authority found that Poste Italiane and PostePay, acting as joint controllers, had unlawfully processed personal data of millions of customers via the BancoPosta and PostePay applications, in breach of Articles …
SourceData Protection Authority opened enforcement proceedings over unlawful processing via BancoPosta and PostePay apps
On 2 April 2025, the Data Protection Authority notified Poste Italiane and PostePay, as joint controllers, of the opening of enforcement proceedings under Articles 58(2) and 83 of the GDPR and Article 166(5) of the Personal Data Protection Code. The…
SourceData Protection Authority conducted inspection over unlawful processing via BancoPosta and PostePay apps
On 17 July 2024, the Data Protection Authority conducted an inspection at the premises of Poste Italiane under Articles 58(1)(a), (e) and (f) of Regulation (EU) 2016/679 (GDPR) and Articles 157 and 158 of Legislative Decree No. 196/2003 (the Persona…
SourceData Protection Authority announced investigation over unlawful processing via BancoPosta and PostePay apps
On 16 April 2024, the Data Protection Authority sent a request for information to Poste Italiane and PostePay following 140 reports and 12 complaints received in April and May 2024. The complaints concerned the processing of personal data of users o…
Source