Description

Data Protection Authority conducted inspection over unlawful processing via BancoPosta and PostePay apps

On 17 July 2024, the Data Protection Authority conducted an inspection at the premises of Poste Italiane under Articles 58(1)(a), (e) and (f) of Regulation (EU) 2016/679 (GDPR) and Articles 157 and 158 of Legislative Decree No. 196/2003 (the Personal Data Protection Code). The inspection established that the ThreatMetrix library, integrated into the Integrated Anti-Fraud Platform, collected MD5 hash codes of applications running on users' Android devices and transmitted them to the sub-processor's cloud systems. The inspection further established that the ThreatMetrix console displayed a "malicious installed apps" attribute listing identified malicious applications as MD5 hash strings. Data retention in ThreatMetrix systems was confirmed at six months. At the time of the inspection, 5.97 million BancoPosta app installations and 8.6 million PostePay app installations were recorded on Android devices.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: digital payment provider (incl. cryptocurrencies), other service provider
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2024-04-16
under deliberation

On 16 April 2024, the Data Protection Authority sent a request for information to Poste Italiane an…

2024-07-17
under deliberation

On 17 July 2024, the Data Protection Authority conducted an inspection at the premises of Poste Ita…

2025-04-02
under deliberation

On 2 April 2025, the Data Protection Authority notified Poste Italiane and PostePay, as joint contr…

2026-04-17
in force

On 17 April 2026, the Data Protection Authority found that Poste Italiane and PostePay, acting as j…