Postel S.p.A – €900,000 Fine (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Postel S.p.A was fined 900,000 euros after a ransomware attack exposed personal data of about 25,000 people. The Italian data protection authority found that the company did not address known security vulnerabilities, leading to the breach. This incident highlights the need for companies to prioritize data security to protect personal information.
What happened
Postel S.p.A suffered a ransomware attack that compromised personal data due to inadequate security measures.
Who was affected
Employees, former employees, and job applicants whose personal data was exposed in the ransomware attack.
What the authority found
The authority ruled that Postel failed to implement necessary security measures to protect personal data, violating GDPR requirements.
Why this matters
This ruling underscores the importance of robust data security practices. Companies must regularly update their systems to prevent data breaches and protect user information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Italian DPA has imposed a fine of EUR 900,000 on Postel S.p.A. The company suffered a ransomware attack that resulted in the loss of access to files containing personal data of approximately 25,000 individuals. Data subjects included employees, former employees, and job applicants. The compromised data included contact details, identification details, payment details, and criminal records (special category data) of the data subjects. Although the company had been aware of the security vulnerability (following a report from the software manufacturer), it had not updated its systems. For this reason, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. Furthermore, the company failed to provide the DPA with sufficient information on the incident.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Postel S.p.A in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 July 2024
Authority
Garante per la protezione dei dati personali
Fine Amount
€900,000
Enforcement Tracker ID
ETid-2474
About this data
Cite as: Cookie Fines. Postel S.p.A - Italy (2024). Retrieved from cookiefines.eu