Italy: Prohibited App Monitoring and Strict Consent Requirements

In April 2026, the Italian Data Protection Authority (GPDP) imposed a fine of 12.5 million EUR on Poste Italiane SpA and PostePay SpA. In its decision, the GPDP emphasized the high standards for consent regarding data collection via apps, as well as the close interconnection between the ePrivacy Directive and the GDPR.

At the heart of the proceedings, which were triggered by a large number of reports and complaints, was the question of under what conditions businesses are permitted to access usage data from mobile devices. The data controllers required users of their “Bancoposta” and “PostePay” financial apps to consent to the monitoring of a range of data on their devices, including the names of installed and running applications. This data collection was intended to detect malware and combat fraud. However, this consent was not voluntary but rather a prerequisite for using the app. The controllers justified this on the grounds of security interests and obligations under Italian payment services regulations.

In its decision, the authority distinguished between two processing steps. Reading the data from the user's device (access to information stored on terminal equipment) is governed by Article 5(3) of the ePrivacy Directive, while the subsequent processing of that data falls under the GDPR. For both steps, the GPDP found that consent would have been required. The ePrivacy Directive exempts from the consent requirement only access that is strictly necessary to provide a service the user has explicitly requested. The authority clarified that broad security and fraud monitoring, such as reading the list of installed and running applications, is not covered by this exception as a matter of course.

Likewise, reliance on the legal basis of a legal obligation (Article 6(1)(c) GDPR) under payment services regulations was rejected. That basis is available only where the applicable law itself imposes an explicit and specific obligation to collect the data in question; a general duty to secure payment services was held not to meet that standard.

Ultimately, consent as a legal basis failed because it was not freely given: the controllers presented the data access as a mandatory condition for using the apps, leaving users no real choice.

The decision underscores that a security or anti-fraud purpose does not by itself justify any form of data collection from users' devices. The ePrivacy Directive sets strict limits on access to terminal equipment. Before reading device data such as the names of installed or running applications, businesses must assess whether that access is strictly necessary for the service the user requested; if it is not, it requires consent that is genuinely optional, which a take-it-or-leave-it condition of use is not.