Data Subject versus Poste Vita S.p.A. – €80,000 Fine (Italy, 2025)

€80,000 · Garante per la protezione dei dati personali · 10 July 2025 · Italy
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Poste Vita S.p.A. was fined after a policyholder's identity was stolen, leading to the company disclosing her personal data to an impersonator. The Italian data protection authority found that Poste Vita failed to verify the identity of the person making requests for information. This case shows how crucial it is for companies to have strong verification processes to protect customer data from identity theft.

What happened

Poste Vita disclosed personal data to a third party who impersonated a policyholder without proper verification.

Who was affected

The affected person is the policyholder whose identity was stolen and whose personal data was disclosed.

What the authority found

The authority ruled that Poste Vita unlawfully disclosed personal data and failed to notify the authority about the breach in a timely manner.

Why this matters

This ruling underscores the need for companies to implement robust verification processes for identity requests. It serves as a warning that failing to protect customer data can lead to significant penalties.

GDPR Articles Cited

AI-verified

Art. 33 GDPR
Art. 5(1)(a) GDPR
Art. 5(1)(f) GDPR

Original scraped data (from the scraper, before AI verification against the source document):

Art. 5 GDPR
Art. 33 GDPR

Source verified 3 April 2026
articles corrected
Full Legal Summary

Poste Vita (the controller) is the insurance branch of the Italian post company. A policyholder (the data subject) filed a complaint against the company following the theft of her identity.

Between 2021 and 2023 a third party impersonated the data subject and filed access requests with the controller. In order to fool the controller, the impersonator created an email with the data subject's name, provided the controller with correct and detailed information about the data subject's account and transaction history, and included the data subject's handwritten signature in their emails. The controller considered the requests to be genuine and disclosed data.

The impersonator later produced the data in court proceedings against the data subject. As a result, the data subject learned about the identity theft and reached out to the controller. The controller then suspended communications with the third party and opened an internal investigation. The controller notified the DPA about the breach months later, at the end of the internal investigation.

The DPA held that the controller unlawfully disclosed personal data and failed to notify the DPA of the breach within due time. On these grounds, the DPA issued an €80,000 fine. In determining the fine, the DPA considered that the controller had since improved its verification procedures for data subject requests.

The DPA found that the controller unlawfully disclosed personal data to a third party without adequate verification measures, breaching the principles of lawfulness, fairness, integrity and confidentiality under Articles 5(1)(a) and (f) GDPR. The DPA acknowledged that the controller acted in good faith but still held it responsible for disclosing personal data without appropriate safeguards.

The controller claimed that it notified the breach to the DPA in due time. In the controller's view, the 72-hour deadline of Article 33 GDPR began when the controller was certain of the breach, i.e. at the end of the inves

Violations (1)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Data Subject versus Poste Vita S.p.A. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

10 July 2025

Authority

Garante per la protezione dei dati personali

Fine Amount

€80,000

GDPRhub ID

gdprhub-9462

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Data Subject versus Poste Vita S.p.A. - Italy (2025). Retrieved from cookiefines.eu
