The Italian data protection authority, the Garante, fined Poste Italiane and Postepay a total of 12.5 million euros. The reason: their mobile app required users to grant it access to the list of all apps installed on the phone. The stated purpose was fraud prevention, but the Garante found the method disproportionate. Fraud prevention could have been achieved with far less intrusive measures.
Users who refused to grant access were told that the app would be blocked after a limited number of logins. For most, there was no real choice: the app was tied to daily account usage and payments. The Garante also found that the collected data was retained for up to 28 months in external analytics systems, and that the companies had not carried out the required data protection impact assessment (DPIA) before putting the monitoring in place.
**Practical point:**
Data minimization means collecting only what you actually need for the stated purpose, and being able to show why each data item is necessary. The same test applies to device telemetry gathered for fraud or security reasons: a list of every installed app is a detailed profile of the user, and the security benefit must justify that intrusion. Review your registration forms, employee forms, and customer registers. Are you asking for date of birth, home address, or social security number, and do you need it to provide the service? If not, stop collecting it.
Inspired by: Garante