
The Italian SA fined Poste Vita for data breach

Background information

  • Date of final decision: 10 July 2025
  • National case
  • Controller: Poste Vita s.p.a.
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 33 (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Administrative fine, Clients, Data security, Insurance, Personal data breach

Summary of the Decision

Origin of the case  

The investigation was initiated following a complaint from a customer of an insurance company (Poste Vita) about the unlawful disclosure of personal data to an unauthorised third party, who had then used it in legal proceedings. The data related to three life insurance policies held by the complainant.

Key Findings 

During the investigation, the Italian Supervisory Authority (SA) verified that the data breach had occurred due to a series of errors committed by the company's operators. They had responded to requests for information regarding the data subject's policies without first verifying that the email address from which the requests were sent matched the contact details provided by the customer. The requests came from two email addresses which, although they bore the name and surname of the data subject, were in fact linked to third parties. The data subject had never provided any email address to the company.

Decision

Noting that in the meantime the insurance company had implemented corporate procedures aimed at rigorously verifying the identity of the person concerned, the Italian SA imposed a fine of 80,000 EUR, without taking further measures.

For further information: Data breach, il Garante sanziona Poste Vita per 80mila euro