Italy’s data protection authority, the Garante, has fined Poste Italiane and its subsidiary PostePay a combined total of €12.5 million following a series of privacy violations related to the processing of personal data.
The enforcement action demonstrates a persistent tension: government-backed organizations struggle to meet the very privacy benchmarks they are legally required to uphold for the public.
The investigation by the Garante revealed that the state-owned postal operator and its electronic money institution failed to implement sufficient technical and organizational measures. These shortcomings led to the unauthorized processing of data belonging to thousands of customers.
According to the regulator, the entities were found to have violated core principles of the GDPR, specifically regarding the security of data processing and the failure to provide clear information to users. Under the pretext of security, both companies' apps required users to grant permission for the monitoring of various device data, such as a list of installed and active applications.
The companies said the monitoring was needed to protect transactions and comply with payment services rules, but the regulator alleges that the methods used were excessively invasive and were not needed for fraud prevention.
The Paradox of the “Protector”
While the state is responsible for drafting and enforcing privacy regulations, its own digital systems frequently fall short of these mandates.
In this case, the regulator pointed to flaws in how the organizations handled data access and internal security protocols. For citizens, there is often no alternative to using these state services, creating a forced trust dynamic that becomes particularly problematic when the agency in question fails to secure sensitive information.