Italy's data protection authority, the Garante per la protezione dei dati personali (Garante), has levied combined fines totaling approximately $15 million (€12.5 million) against two prominent national postal and payments organizations for illegally processing the personal data of millions of users.
The enforcement action targets Poste Italiane SpA — Italy's state-controlled postal services provider — and its digital payments subsidiary Postepay SpA. The Garante fined Poste Italiane €6.6 million ($7.8 million) and Postepay €5.9 million ($7 million), representing one of the largest GDPR enforcement actions against Italian companies in 2026.
What the Garante Found
Italy's data regulator concluded that both organizations had engaged in unlawful personal data processing affecting millions of users. While full details of the Garante's decision have not been published at the time of reporting, the violations are consistent with categories the Garante has historically prioritized:
| Violation Category | Description |
|---|---|
| Unlawful processing basis | Processing personal data without a valid legal basis under GDPR Article 6 |
| Consent failures | Using customer data for marketing or profiling without adequate consent |
| Data sharing | Sharing user data with third parties beyond what users agreed to |
| Transparency failures | Insufficient disclosure to users about how their data is collected and used |
Poste Italiane manages one of Italy's largest consumer databases given its role as the national postal operator, while Postepay handles tens of millions of prepaid payment card accounts — making data handling practices at both organizations a significant GDPR risk surface.
Scale of the Issue
The combined fine reflects the broad scope of users potentially affected. Poste Italiane serves virtually every Italian household through postal services, financial products, and telecommunications. Postepay, its fintech arm, operates millions of prepaid cards widely used for online purchases and peer-to-peer transfers — making it one of Italy's most-used digital payment instruments.
With a user base spanning tens of millions, even narrow categories of unlawful processing can represent a significant breach of the rights of large numbers of data subjects under GDPR's risk-based framework.
Context: Italy's GDPR Enforcement Trend
The Garante has been an increasingly active enforcer within the EU's data protection ecosystem. Notable recent actions include:
| Entity | Fine | Issue |
|---|---|---|
| OpenAI (ChatGPT) | €15 million | Unlawful data processing, age verification failures (2024) |
| Enel Energia | €79 million | Aggressive telemarketing without consent |
| TIM (Telecom Italia) | €27.8 million | Unlawful marketing calls and data management failures |
| Poste Italiane / Postepay (2026) | ~€12.5 million | Unlawful processing of millions of users' data |
This enforcement pattern illustrates the Garante's focus on large-scale consumer data holders — particularly utilities, telecoms, and financial services — where the potential for privacy harm is amplified by scale.
Implications for Organizations
The action against two subsidiaries of the same national infrastructure group sends a clear message about intra-group data sharing and subsidiary accountability under GDPR. Regulators increasingly treat corporate groups as collections of independently responsible data controllers rather than a single entity — meaning each entity must maintain its own lawful basis for processing.
Key lessons for data protection practitioners:
- Subsidiary independence: Each legal entity in a corporate group must independently satisfy GDPR requirements — even if the group shares data infrastructure
- Consent chains: Marketing and profiling activities require fresh, specific consent that survives corporate restructuring and product bundling
- Scale amplifies risk: Large consumer datasets attract regulatory scrutiny proportional to the number of data subjects affected
- Sector exposure: National postal and payments services are explicitly in regulators' crosshairs across the EU
What Happens Next
Both Poste Italiane and Postepay have the option to appeal the Garante's decision before the Italian administrative courts. The organizations are likely to be required to:
- Cease the specific processing activities identified as unlawful
- Implement corrective measures to bring processing into GDPR compliance
- Notify users of the violations and remediation steps where required