Italy

Postepay S.p.a.

5,877,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2026-04-17.

Rank · Sector: #3 of 322 in Finance, Insurance and Consulting
Rank · Italy: #13 of 543
Rank · All fines: #62 of 3,050

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2026-04-17
Controller / Processor: Postepay S.p.a.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 13 GDPR, Art. 25 GDPR, Art. 28 GDPR, Art. 32 GDPR, Art. 35 GDPR
Type of violation: Non-compliance with general data processing principles

Summary

The Italian DPA has imposed a fine of EUR 5,877,000 on Postepay S.p.a. The controller operated a banking application and used the ThreatMetrix fraud prevention tool. Use of the tool was mandatory for customers using the controller's banking app. The tool had been configured in such a way that it collected data that was deemed excessive for the purpose. Additionally, the DPA found that the controller failed to base the processing on a sufficient legal basis, failed to fulfil transparency obligations, failed to enter into sufficient data processing agreements, failed to conduct a specific data protection impact assessment, failed to implement privacy by design, failed to implement adequate technical and organisational measures and implemented excessive retention periods.
