GDPR, Apr 8, 2026

Garante per la protezione dei dati personali (Italy) - 10234984

Italian DPA fines Intesa Sanpaolo €31.8M for inadequate safeguards that allowed an employee unauthorised access to customers' financial data.

Summary

Italy's Data Protection Authority (Garante) issued a €31.8M fine to Intesa Sanpaolo S.p.A. for failing to implement sufficient technical and organizational measures to prevent an employee from accessing financial data of over 3,500 data subjects for non-service purposes over a two-year period. The bank also violated notification obligations under GDPR Articles 33 and 34 by providing incomplete breach information late and only notifying affected individuals after DPA intervention. The violations involved Articles 5(1)(f), 5(2), 24, 32, 33, and 34 GDPR, with aggravating factors including high-risk customers (public figures) and delayed breach notification.

Full text

Garante per la protezione dei dati personali - 10234984
Source: GDPRhub, latest revision as of 11:03, 8 April 2026

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 24 GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 10.10.2024
Decided: 26.03.2026
Published: 26.03.2026
Fine: 31,800,000 EUR
Parties: Intesa Sanpaolo S.p.A.
National Case Number/Name: 10234984
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: ap

The DPA fined a bank €31,800,000 for not implementing sufficient safeguards to prevent an employee from accessing the financial data of over 3,500 data subjects for non-service related purposes. The controller also failed to inform the DPA and the affected data subjects about the data breach on time.

English Summary

Facts

Intesa Sanpaolo S.p.A. (the controller) is a bank. In 2024, the controller reported a data breach to the DPA in accordance with Article 33 GDPR. According to the controller, the data breach occurred between 2022 and 2024, as a result of an employee accessing the banking data of nine data subjects without authorisation. The controller also stated that it would inform the affected data subjects, despite claiming that it had not identified any high risks to their rights and freedoms.

The DPA began an ex-officio investigation after the press reported a much higher number of affected data subjects than the controller had claimed (over 3,500). The controller argued that the occurrence of a data breach did not in itself mean its security measures were insufficient. In addition, it argued that there was no need to inform all affected data subjects, as the data breach did not pose a high risk to their rights and freedoms.

During its investigation, the DPA concluded that the data breach likely posed a high risk to the affected data subjects, and ordered the controller to notify all of them. In response, the controller informed the DPA of the measures taken to inform data subjects and to ensure the security of processing. Specifically, it informed the DPA that it had decided not to contact approximately 1,300 data subjects, as it considered that the employee had accessed their data for purely service related reasons. The DPA considered that its order had not been complied with.

Holding

The DPA found a violation of Articles 5(1)(f), 24 and 32 GDPR. During its investigation, the DPA found that the employee involved had full access to the financial data of all data subjects, and that the controller's alert system did not detect any anomalies during the two-year period in which the employee accessed data subjects' data for non-service related reasons. Therefore, the controller had failed to implement appropriate security measures and had not complied with the principles of data security and accountability. This was especially relevant given that the controller processed financial data of "high-risk customers" (public or political figures).

The DPA also found a violation of Article 33 GDPR. The DPA considered that the controller had not complied with its notification obligations following the data breach, as it had provided incomplete information that was supplemented much later (following press reports and the DPA's investigation). In addition, the DPA stated that the controller had incorrectly applied the ENISA Guidelines.

Finally, the DPA found a violation of Article 34 GDPR. The DPA noted that the controller had only notified data subjects after being ordered to do so by the DPA. In addition, the controller had failed to inform all affected data subjects. Nonetheless, the DPA acknowledged that the controller had taken measures to strengthen its safeguards.

The DPA found a violation of Articles 5(1)(f) and (2), 24, 32, 33 and 34 GDPR, and fined the controller €31,800,000. The DPA took into consideration the high number of data subjects affected (including public figures), as well as the delay on the controller's part in notifying the data breach after becoming aware of it.
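The Holding rests on two technical findings: the employee could read every customer's financial data, and the bank's alerting raised nothing over two years of non-service lookups. The following is an added illustration, not part of the decision or of GDPRhub's text: a constructed Python detector that treats a lookup as justified only by a service ticket or by the customer sitting in the employee's own portfolio, then alerts on unjustified lookups of high-risk customers and on employees browsing many customers without justification. The record format, `PORTFOLIO` mapping, sample log and thresholds are all hypothetical.

```python
# Constructed example (not from the decision): flag employee lookups of customer
# financial data that lack a service justification. Record format, portfolio
# mapping, sample log and thresholds are hypothetical.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Access:
    employee: str
    customer: str
    ticket: Optional[str]  # service ticket that justifies the lookup, if any
    high_risk: bool        # customer flagged as a public or political figure

# Hypothetical need-to-know scoping: the customers each employee actually services.
PORTFOLIO: Dict[str, Set[str]] = {"emp1": {"c001", "c002"}, "emp2": {"c003"}}

# Constructed sample log: emp1 stays within its portfolio plus one ticketed case;
# emp2 browses several customers outside its portfolio with no ticket.
SAMPLE_LOG: List[Access] = [
    Access("emp1", "c001", None, False),
    Access("emp1", "c002", None, True),
    Access("emp1", "c005", None, False),    # one stray lookup, under threshold
    Access("emp1", "c007", "T-100", False),
    Access("emp2", "c003", None, False),
    Access("emp2", "c010", None, False),
    Access("emp2", "c011", None, True),     # unjustified lookup of a high-risk customer
    Access("emp2", "c012", None, False),
    Access("emp2", "c013", None, False),
]

def is_justified(a: Access) -> bool:
    """Justified by a ticket or by portfolio membership. A model that grants
    full access to every record never fails this check, which is the gap here."""
    return a.ticket is not None or a.customer in PORTFOLIO.get(a.employee, set())

def detect(log: List[Access], distinct_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (severity, employee, detail): HIGH for any unjustified lookup of a
    high-risk customer, MEDIUM once an employee has looked up at least
    `distinct_threshold` distinct customers without justification."""
    unjustified: Dict[str, List[Access]] = defaultdict(list)
    for a in log:
        if not is_justified(a):
            unjustified[a.employee].append(a)
    alerts: List[Tuple[str, str, str]] = []
    for emp, hits in unjustified.items():
        alerts += [("HIGH", emp, a.customer) for a in hits if a.high_risk]
        distinct = {a.customer for a in hits}
        if len(distinct) >= distinct_threshold:
            alerts.append(("MEDIUM", emp, f"{len(distinct)} customers without justification"))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one HIGH alert for emp2's lookup of c011 and one MEDIUM alert for emp2's four unjustified customers, while emp1's single stray lookup stays below the threshold.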

Entities

Intesa Sanpaolo S.p.A. (vendor)
ENISA Guidelines (technology)