On 17 April 2026, the Data Protection Authority found that Poste Italiane and PostePay, acting as joint controllers, had unlawfully processed personal data of millions of customers via the BancoPosta and PostePay applications, in breach of Articles 5, 6, 13, 25, 28, 32, and 35 of the General Data Protection Regulation, as well as Article 122 of the Personal Data Protection Code. The Authority imposed administrative fines of EUR 6.62 million on Poste Italiane and EUR 5.88 million on PostePay and ordered the publication of the decision on its website. It established that the ThreatMetrix application had collected data relating to installed and running applications on users’ Android devices without a valid legal basis and without providing sufficient transparency to data subjects. The Authority further ordered both companies to cease, within 10 days of notification, all processing activities involving the collection of device-level data on installed and running applications, and to define specific retention periods for data processed through ThreatMetrix within 30 days.