Postepay S.p.a. – €5,877,000 Fine (Italy, 2026)

Fine amount: €5,877,000
Authority: Garante per la protezione dei dati personali
Date: 17 April 2026
Country: Italy
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Postepay was fined €5,877,000 for improperly using a fraud prevention tool that gathered too much data from its banking app users. The Italian data protection authority found that the company did not comply with data processing and transparency rules. This case serves as a warning for businesses to be cautious about data collection practices and to inform users properly.

What happened

Postepay collected excessive data from users of its banking app through the mandatory ThreatMetrix fraud prevention tool.

Who was affected

Customers using Postepay's banking application were affected by the excessive data collection.

What the authority found

The authority ruled that Postepay lacked a valid legal basis for processing personal data and failed to meet transparency obligations under GDPR.

Why this matters

This case highlights the need for businesses to ensure they only collect necessary data and to be transparent with users. Companies using similar tools should evaluate their data handling practices to avoid fines.

GDPR Articles Cited (AI-verified)

Art. 5(1)(c) GDPR
Art. 6(1) GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 28 GDPR
Art. 32 GDPR
Art. 35 GDPR

Original scraped data (before AI verification against the source document):

Art. 5 GDPR
Art. 6 GDPR
Art. 13 GDPR
Art. 25 GDPR
Art. 28 GDPR
Art. 32 GDPR
Art. 35 GDPR

National Law Articles (AI-identified)

Art. 122 Codice Privacy

Entities Involved

Postepay S.p.a. – €5,877,000 (controller)
Poste Italiane S.p.a. – €0 (joint controller)

Source verified 27 May 2026
Verification notes: articles corrected; national law identified; entity split needed

Full Legal Summary

The Italian DPA has imposed a fine of EUR 5,877,000 on Postepay S.p.a. The controller operated a banking application and used the ThreatMetrix fraud prevention tool. Use of the tool was mandatory for customers using the controller's banking app. The tool had been configured in such a way that it collected data that was deemed excessive for the purpose. Additionally, the DPA found that the controller failed to base the processing on a sufficient legal basis, failed to fulfil transparency obligations, failed to enter into sufficient data processing agreements, failed to conduct a specific data protection impact assessment, failed to implement privacy by design, failed to implement adequate technical and organisational measures and implemented excessive retention periods.

Related Enforcement Actions (0)

No other enforcement actions found for Postepay S.p.a. in Italy.

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

17 April 2026

Authority

Garante per la protezione dei dati personali

Fine Amount

€5,877,000

Enforcement Tracker ID

ETid-3179

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Postepay S.p.a. - Italy (2026). Retrieved from cookiefines.eu
