Poste Italiane S.p.a. – €6,624,000 Fine (Italy, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Poste Italiane was fined €6,624,000 for using a fraud prevention tool that collected too much data from its banking app users. The Italian data protection authority found that the company didn't follow rules about data processing and transparency. This case highlights the importance of using only necessary data and being clear with customers about how their information is used.
What happened
Poste Italiane collected excessive data from users of its banking app through the mandatory ThreatMetrix fraud prevention tool.
Who was affected
Customers using Poste Italiane's banking application were affected by the excessive data collection.
What the authority found
The authority ruled that Poste Italiane lacked a valid legal basis for processing personal data and failed to meet transparency obligations under GDPR.
Why this matters
This ruling emphasizes that companies must be careful about how much data they collect and ensure they have a valid reason for processing it. Other businesses using similar tools should review their data practices to avoid penalties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
The Italian DPA has imposed a fine of EUR 6,624,000 on Poste Italiane S.p.a. The controller operated a banking application and used the ThreatMetrix fraud prevention tool. Use of the tool was mandatory for customers using the controller's banking app. The tool had been configured in such a way that it collected data that was deemed excessive for the purpose. Additionally, the DPA found that the controller failed to base the processing on a sufficient legal basis, failed to fulfil transparency obligations, failed to enter into sufficient data processing agreements, failed to conduct a specific data protection impact assessment, failed to implement privacy by design, failed to implement adequate technical and organisational measures and implemented excessive retention periods.
Fine
€6.6M
Details
Fine Date
17 April 2026
Authority
Garante per la protezione dei dati personali
Fine Amount
€6,624,000
Enforcement Tracker ID
ETid-3178
About this data
Cite as: Cookie Fines. Poste Italiane S.p.a. - Italy (2026). Retrieved from cookiefines.eu