
Italian Regulator Fines National Postal Service Orgs $15 Million for Data Privacy Violations
Why It Matters
The fines underscore heightened EU regulatory scrutiny of fintech data practices and signal rising compliance costs for legacy postal operators expanding into digital payments.
Key Takeaways
- €12.5 million total fine for privacy violations
- Monitoring required access to installed apps on users' devices
- Regulator deemed data collection “excessively invasive” and undisclosed
- Highlights compliance risk for traditional firms entering fintech
Pulse Analysis
The Italian Data Protection Authority (Garante) has stepped up enforcement of the EU’s General Data Protection Regulation (GDPR) as digital‑payment services proliferate across traditional industries. Poste Italiane, a state‑controlled yet publicly traded postal operator, has been a flagship example of a legacy brand pivoting to fintech through its Postepay app and the BancoPosta platform. By imposing a €12.5 million ($14.7 million) penalty, the regulator sends a clear message that even well‑established entities must align privacy safeguards with modern data‑processing expectations.
The core of the violation lay in the apps’ requirement for users to grant permission to scan installed and running applications on their smartphones. While the companies defended the practice as a fraud‑prevention tool, the Garante concluded that the scope of data collected was disproportionate to the security benefit, lacked transparent user consent, and was retained beyond necessity. This mirrors recent GDPR actions against other European fintechs, where regulators have penalized overly broad telemetry and insufficient disclosure, reinforcing a continent‑wide trend toward stricter data‑minimization standards.
For businesses eyeing the lucrative digital‑payments market, the case serves as a cautionary tale. Companies must embed privacy‑by‑design principles, limit data collection to what is strictly required, and provide clear, accessible notices to users. Failure to do so not only risks hefty fines but also erodes consumer trust, a critical asset in the competitive fintech landscape. As regulators continue to refine enforcement tactics, proactive compliance will be a decisive factor in sustaining growth and avoiding costly penalties.