On 2 April 2025, the Data Protection Authority notified Poste Italiane and PostePay, as joint controllers, of the opening of enforcement proceedings under Articles 58(2) and 83 of the GDPR and Article 166(5) of the Personal Data Protection Code. The Data Protection Authority identified presumed violations of Articles 5, 6, 13, 25, 28, 32 and 35 of the GDPR and Article 122 of the Personal Data Protection Code in relation to the processing of personal data carried out through the BancoPosta and PostePay apps using the ThreatMetrix application. The identified violations concerned the absence of a valid legal basis, the absence of a specific and adequate privacy notice to data subjects, the absence of a data protection impact assessment specific to the ThreatMetrix solution prior to processing, inadequate security measures, failure to respect the data retention limitation principle, and failure to fulfil obligations relating to the designation of the data processor.