Data Subject versus Poste Vita S.p.A. – €80,000 Fine (Italy, 2025)
Poste Vita S.p.A. was fined after a third party impersonated a policyholder and obtained her personal data through access requests that the company granted without adequate identity verification. The data protection authority found that the company disclosed personal data unlawfully and failed to notify the authority of the breach in time. The case shows that evidence an impersonator can reproduce (correct account details, a copy of the data subject's signature, an email address in her name) is not sufficient verification for a data subject request.
What happened
The company disclosed personal data to a third party who impersonated a policyholder without adequate verification measures.
Who was affected
The policyholder whose identity was stolen and whose personal data was disclosed to an impersonator.
What the authority found
The authority ruled that Poste Vita unlawfully disclosed personal data and failed to notify the data protection authority of the breach promptly.
Why this matters
This ruling underscores that controllers must verify the identity of a requester before answering a data subject request, that knowledge of account details or a signature does not by itself prove identity, and that the 72-hour notification clock under Article 33 GDPR starts when the controller becomes aware of the breach, not when its internal investigation ends.
GDPR Articles Cited
Art. 5(1)(a) and (f) GDPR (lawfulness, fairness, integrity and confidentiality); Art. 33 GDPR (notification of a personal data breach to the supervisory authority)
Poste Vita (the controller) is the insurance branch of the Italian post company. A policyholder (the data subject) filed a complaint against the company following the theft of her identity. Between 2021 and 2023 a third party impersonated the data subject and filed access requests with the controller. To fool the controller, the impersonator created an email address in the data subject's name, provided the controller with correct and detailed information about the data subject's account and transaction history, and included the data subject's handwritten signature in the emails. The controller considered the requests to be genuine and disclosed the data. The impersonator later produced the data in court proceedings against the data subject. As a result, the data subject learned about the identity theft and reached out to the controller. The controller then suspended communications with the third party and opened an internal investigation. The controller notified the DPA about the breach months later, at the end of the internal investigation. The DPA held that the controller unlawfully disclosed personal data and failed to notify the DPA of the breach within the required time. On these grounds, the DPA issued a €80,000 fine. In determining the fine, the DPA considered that the controller had since improved its verification procedures for data subject requests.

The DPA found that the controller unlawfully disclosed personal data to a third party without adequate verification measures, breaching the principles of lawfulness, fairness, integrity and confidentiality under Articles 5(1)(a) and (f) GDPR. The DPA acknowledged that the controller acted in good faith but still held it responsible for disclosing personal data without appropriate safeguards.

The controller claimed that it notified the breach to the DPA in due time. In the controller's view, the 72-hour deadline of Article 33 GDPR began when the controller was certain of the breach, i.e. at the end of the inves
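The two failures on this page, releasing data on the strength of evidence the impersonator could reproduce and starting the notification clock at the end of the investigation, can be expressed as a verification policy. The following is an added illustration, not Poste Vita's code and not anything from the decision; the evidence categories, the email addresses and the dates are assumptions chosen to mirror the scenario above. It treats account knowledge and a signature as zero-weight, sends the verification challenge to the contact channel already on record rather than to the address that sent the request, and computes the Article 33 deadline from the moment of awareness.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Evidence an impersonator can reproduce once they hold the victim's account
# statements or a copy of her signature (the scenario on this page). These
# categories are assumed labels for the example and carry zero weight.
KNOWLEDGE_BASED = frozenset({
    "knows_account_details", "knows_transaction_history",
    "handwritten_signature", "email_in_data_subject_name",
})

# Evidence bound to a channel the controller already held on file, or to an
# authenticated customer relationship. Only these release data.
POSSESSION_BASED = frozenset({
    "challenge_answered_via_email_on_file",
    "challenge_answered_via_phone_on_file",
    "authenticated_customer_portal",
})


@dataclass
class AccessRequest:
    requester_email: str            # address the request was sent from
    email_on_file: str              # address the controller already holds
    evidence: frozenset[str] = field(default_factory=frozenset)


def challenge_target(req: AccessRequest) -> str:
    """The verification challenge goes to the contact on record, never to
    the address that sent the request, however convincing that address is."""
    return req.email_on_file


def verify_requester(req: AccessRequest) -> tuple[bool, str]:
    """Decide whether personal data may be released to the requester."""
    if req.evidence & POSSESSION_BASED:
        return True, "verified via a contact channel on record"
    if req.evidence & KNOWLEDGE_BASED:
        return False, ("knowledge-based evidence only; send a challenge to "
                       f"{challenge_target(req)} before releasing anything")
    return False, f"no acceptable evidence; send a challenge to {challenge_target(req)}"


def notification_deadline(awareness_iso: str) -> datetime:
    """Article 33(1) GDPR: notify the supervisory authority not later than
    72 hours after becoming aware of the breach. Awareness is when the
    controller learns of it (here, when the data subject reached out), not
    when its internal investigation concludes. Timestamps are ISO 8601."""
    return datetime.fromisoformat(awareness_iso) + timedelta(hours=72)


def notified_in_time(awareness_iso: str, notified_iso: str) -> bool:
    return datetime.fromisoformat(notified_iso) <= notification_deadline(awareness_iso)


if __name__ == "__main__":
    # Constructed request modelled on the page: a new address in the data
    # subject's name, correct account history and a scanned signature.
    impostor = AccessRequest(
        requester_email="policyholder.name@example.com",     # assumed
        email_on_file="holder.on.file@example.org",          # assumed
        evidence=frozenset({"knows_account_details", "knows_transaction_history",
                            "handwritten_signature", "email_in_data_subject_name"}),
    )
    print(verify_requester(impostor))

    # Constructed timeline: awareness on day 0, notification about three
    # months later at the end of the investigation (assumed dates).
    print(notified_in_time("2023-03-01T09:00:00+00:00", "2023-06-01T09:00:00+00:00"))
    print(notified_in_time("2023-03-01T09:00:00+00:00", "2023-03-03T09:00:00+00:00"))
```

The design choice that matters is in `challenge_target`: a challenge sent back to the requester's own address confirms only that the requester controls that address, which the impersonator plainly did; a challenge sent to the address or phone number the controller already held would have reached the real policyholder. The same logic extends to any channel on record, and to requests arriving by post or in person.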
Violations (1)
Personal data disclosed to a third party who impersonated the data subject, without adequate identity verification of the access requests; breach notified to the DPA late.
Art. 5(1)(a), 5(1)(f), 33 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Data Subject versus Poste Vita S.p.A. in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 July 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€80,000
GDPRhub ID
gdprhub-9462
Cite as: Cookie Fines. Data Subject versus Poste Vita S.p.A. - Italy (2025). Retrieved from cookiefines.eu