
The Italian data protection authority GPDP has fined two postal companies for illegally processing the personal data of millions of users.
Poste Italiane SpA was fined €6,624,000, and Postepay SpA has to pay a fine of €5,877,000. Combined, that makes a little over €12.5 million.
An inquiry into the postal companies was launched in April 2024, after the authority received numerous reports and complaints.
The postal companies' apps required users to consent to the monitoring of a range of data on their mobile devices, including installed and running applications, in order to identify any malicious software.
According to the postal companies, this was necessary to ensure the security of transactions and comply with payment service regulations.
However, according to Italy’s privacy and data protection authority, the adopted measures constituted “excessively intrusive interference” with user privacy and weren’t necessary to prevent fraud.
In addition, the GPDP claimed that the postal companies violated privacy legislation by providing users with insufficient information about how their data was processed, failing to implement adequate security measures, and retaining data for too long.
Furthermore, the companies failed to conduct a data protection impact assessment (DPIA), a tool used to verify compliance with European privacy regulations. The legal basis for implementing a DPIA can be found in Article 35 of the General Data Protection Regulation (GDPR).
In addition to the fines, the GPDP has also ordered the postal companies to cease the data processing in question within 30 days, to the extent that they have not already done so, and to comply with data retention rules.