Italian DPA Fines Poste: Security and GDPR Impact
Analysis of the Italian DPA fine against Poste Italiane for excessive app permissions: the conflict between PSD2 security and GDPR. Here's what to know.

Financial applications that require broad device access to ensure user security represent an increasingly common paradigm, but they often risk compromising individual privacy. In April 2026, the Personal Data Protection Authority (Garante) imposed an overall fine of over 12.5 million euros on Poste Italiane and PostePay for unlawful data processing. The BancoPosta and PostePay apps were found responsible for collecting disproportionate information about users' devices, sparking a heated debate on the coexistence between anti-fraud directives and privacy regulations.
The DPA's ruling and excessive permissions
In April 2026, the Data Protection Authority announced a sanctioning measure against Poste Italiane, with a fine of 6,624,000 euros, and against PostePay, with a fine of 5,877,000 euros. The investigation, initiated in April 2024 following numerous reports and complaints from users of the BancoPosta and PostePay Android apps, highlighted a series of significant issues. As reported by the Authority: "The companies illegally processed the personal data of millions of users through their mobile apps."
The core of the issue lies in the request for authorization to monitor devices. The apps asked users to consent to the tracking of a wide array of data, including the applications installed and running on the device. Although the stated goal was the identification of malicious software, the DPA concluded that this approach was disproportionate to the purposes pursued. The dynamic follows a well-known misconfiguration pattern: a security measure is implemented by granting permissions and collecting data far beyond what is necessary, so the measure itself becomes a privacy violation through over-collection.
The absence of DPIA and governance shortcomings
The DPA's investigation did not stop at the disproportion of the requested permissions, but brought to light structural shortcomings in the companies' data management. In particular, the Data Protection Impact Assessment (DPIA), the tool that anticipates and mitigates the risks of invasive processing, was found to be absent or deficient for the apps in question.
In addition to the absence of the DPIA, the Authority identified gaps in transparency towards users, insufficient security measures, and weak data retention practices. These latter elements indicate information lifecycle management that does not comply with the principles of minimization and storage limitation enshrined in the GDPR. For these reasons, the DPA ordered the companies to cease the contested processing and to adapt their data retention practices to legal requirements.
The clash between PSD2 compliance and GDPR
Poste Italiane's response to the measure highlights the complexity of balancing security and privacy in the financial sector. "The company stated that it accessed customers' device data exclusively to activate anti-fraud and anti-malware protections," reads the DPA's dossier. The institution rejected the Authority's conclusions, arguing that data access was necessary to comply with the PSD2 directive on payment services, which imposes strict security and strong authentication obligations.
This defensive stance fits into an already intricate legal context. In February 2026, the Lazio TAR (Regional Administrative Court) annulled a separate Antitrust sanction imposed on Poste Italiane for the same anti-fraud technology, a precedent that strengthens the company's argument regarding the importance of these systems for financial protection. However, the Privacy DPA maintained that compliance with security directives cannot justify a systematic violation of fundamental rights to privacy and personal data protection. Poste Italiane announced an appeal to the Court of Rome to request the annulment of the DPA's decision, prolonging the legal war over the interpretation of the two regulations.
The banking sector context: cases and implications
The fine against Poste Italiane is not an isolated case in the recent Italian financial landscape. At the beginning of 2026, the DPA imposed a fine of 31.8 million euros on Intesa Sanpaolo for serious shortcomings in data protection. Among the violations contested against Intesa Sanpaolo, the case of an employee who accessed customer records more than 6,600 times without a legitimate business reason stands out. These episodes outline a worrying trend in the sector, where access to sensitive data seems to be managed with a high margin of risk and often inadequate governance.
The Poste Italiane case, however, introduces a different technical variable. While the Intesa Sanpaolo affair mainly concerns unauthorized internal access and departmental governance practices, the controversy over BancoPosta and PostePay concerns the client-side architectural design of the applications. The massive collection of diagnostic and system data, justified by anti-malware defense, suggests that the apps' security architecture was configured to prioritize extracting the maximum amount of information possible for predictive fraud analysis, neglecting the necessary upstream minimization filters.
It is likely that, to bypass the limitations imposed by mobile operating systems on background access, the apps were configured to request broad and generalized permissions, creating an indiscriminate data collection channel. This technical approach clashes with the principle of purpose limitation and data minimization, creating an unresolved friction point between financial intelligence needs and users' digital rights.
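To make the "broad and generalized permissions" pattern concrete, here is an illustrative Android manifest fragment added to this article; it is not taken from the BancoPosta or PostePay apps, and the article does not state which permissions those apps actually declared. The "before" block shows how an app typically obtains a full inventory of installed and running applications; the "after" block shows the minimized alternative Android offers since version 11 (API 30), where the app declares only the specific packages its anti-malware check needs to see. Package names are placeholders.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- BEFORE (over-broad, hypothetical): the pattern described in the text.
         QUERY_ALL_PACKAGES exposes the complete list of installed apps;
         PACKAGE_USAGE_STATS (granted by the user on the Usage Access screen)
         reveals which apps are running or recently used. Together they turn
         a malware check into a full inventory of the user's device. -->
    <!--
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES" />
    <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS" />
    -->

    <!-- AFTER (minimized): on Android 11+ the app can only see the packages
         it declares here. PackageManager can still answer "is this known
         malicious package installed?", but a call such as
         getInstalledApplications() no longer returns the rest of the device.
         The package names below are placeholders, not real indicators. -->
    <queries>
        <package android:name="com.example.placeholder.malware1" />
        <package android:name="com.example.placeholder.malware2" />
    </queries>

    <application android:label="Example Payments App">
        <!-- app components omitted -->
    </application>
</manifest>
```

The minimized form gives the DPIA something concrete to document: the exact set of packages queried, why each is needed, and how often the list is reviewed. It is a minimization measure rather than a complete anti-fraud design; a practitioner would typically pair it with device-integrity signals that do not require enumerating the user's apps at all (for example Google's Play Integrity API) and would expect Google Play's own policy review to ask for a justification if QUERY_ALL_PACKAGES remained in the manifest.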
Frequently asked questions
- Why was Poste Italiane fined by the Privacy DPA?
- In April 2026, Poste Italiane and PostePay were fined over 12.5 million euros for unlawfully processing the personal data of millions of users through the BancoPosta and PostePay apps by requesting disproportionate permissions for device monitoring.
- What is the conflict between the PSD2 directive and the GDPR in this case?
- The conflict arises from the need to balance financial security with privacy: Poste Italiane argues that access to device data was necessary for the anti-fraud protections required by PSD2, while the Privacy DPA considers the data collection disproportionate and in violation of GDPR principles.
- What were the shortcomings found in the BancoPosta and PostePay apps?
- The investigation highlighted a lack of an adequate Data Protection Impact Assessment (DPIA), gaps in transparency, insufficient security measures, weak data retention practices, and overall inadequate governance.
The information has been verified against the cited sources and is updated as of the time of publication.
Sources
- https://www.repubblica.it/economia/2026/04/20/news/poste_italiane_multa_da_125_milioni_dal_garante_privacy-425294742/
- https://www.ilpost.it/2026/04/20/garante-della-privacy-multa-poste-italiane-postepay/
- https://www.corriere.it/economia/finanza/26_aprile_20/multa-da-12-5-milioni-a-poste-italiane-e-postepay-il-garante-della-privacy-invasione-eccessiva-nel-privato-degli-utenti-b15c6d3d-eb2f-49b1-b015-d7db3cebaxlk.shtml
- https://www.helpconsumatori.it/soldi/poste/bancoposta-e-postepay-multa-del-garante-privacy-per-oltre-125-milioni-di-euro/