GDPR | Mar 19, 2026

Garante per la protezione dei dati personali (Italy) - 10230412

Italian DPA fines bank €17.6M for GDPR violations in customer profiling and account transfers.

Summary

Italy's Data Protection Authority (Garante) issued a €17,628,000 fine to a bank for GDPR violations involving automated profiling of "predominantly digital customers" and transferring their accounts to a subsidiary without proper legal basis or transparent consent. The violations included lack of valid legal basis under Article 6(1) GDPR, improper reliance on legitimate interest without adequate balancing, and failure to provide transparent notice under Articles 5(1)(a) and 14 GDPR. The bank implemented "silent consent" by setting objection deadlines without proper notification, and only informed customers through online accounts without alerts.

Full text

Source: GDPRhub, latest revision as of 11:54, 19 March 2026.

The DPA first referred to its guidelines for processing data related to bank-customer relationships. These transfers are also subject to national law.[1] Banks must have a valid legal basis if they do not have the explicit consent of data subjects. In this case, the DPA stated that the controller could rely on legitimate interest (Article 6(1)(f) GDPR), and that data subjects' rights and interests do not prevail over those of the controller in the case of transferring data subjects' accounts. The DPA, however, emphasised that this does not apply to sensitive personal data.

Nonetheless, the DPA found several violations of the GDPR. The DPA first clarified that identifying "predominantly digital customers" was a distinct processing activity from the transfer of data subjects' accounts, meaning it required its own legal basis (Article 6(1) GDPR). This processing fell under the scope of profiling, in accordance with Article 22 GDPR. This is because the controller identified data subjects from specific characteristics (such as their age and familiarity with digital channels) and transferred their accounts to its subsidiary based on these characteristics. This had a legal impact on the data subject, and was done using automated systems due to the large volume of accounts transferred. The DPA did not elaborate on the legal basis for profiling needed under Article 22(2) GDPR, and instead directly considered whether the controller could rely on legitimate interests. The DPA stated that in order to use legitimate interests as a legal basis, the controller must carry out a balancing test in accordance with EDPB Guidelines.[2] The DPA concluded that the controller had not appropriately balanced the interests and data subjects' rights in accordance with CJEU case law,[3] as the controller had argued that the processing did not have any negative effects on data subjects. The DPA also took into consideration the fact that the controller failed to provide any evidence that the processing fell within the scope of the data subjects' legitimate expectations.

Therefore, the controller could only rely on consent as a legal basis (Article 6(1)(a) GDPR). The DPA concluded that the controller processed the data without a legal basis, in violation of Article 6(1) GDPR.

In terms of information obligations, the DPA found a violation of Article 5(1)(a) GDPR and Article 14 GDPR, as the controller had not processed data in a transparent manner. During its investigations, the DPA found that the controller had provided the notice through data subjects' online account or app without a notification or message alert. As a result, the data subjects filing the complaint argued that they had not noticed or read the communication. The DPA also expressed concern over the content of the notice itself; first, it only made reference to profiling for direct marketing purposes, and not for the account transfers. The controller also implemented a form of "silent consent" by setting a deadline for data subjects to object to the transfer. The DPA found a violation of Arti

References

[1] Article 58 of the Consolidated Banking Law (TUB), https://www.bancaditalia.it/compiti/vigilanza/intermediari/Testo-Unico-Bancario.pdf
[2] EDPB, "Guidelines 1/2024 on processing of personal data based on Article 6(1)(f) GDPR", adopted on October 8, 2024, margin 82, https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf
[3] Case C‑252/21, Meta Platforms Inc and Others v Bundeskartellamt (4 July 2023), margin 108, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62021CJ0252