Garante per la protezione dei dati personali (Italy) - 10234984
Italy's DPA fines Intesa Sanpaolo €31.8M for inadequate security and delayed breach notification.
Summary
Italy's Garante per la protezione dei dati personali fined Intesa Sanpaolo S.p.A. €31,800,000 because its security measures were insufficient to prevent an employee from accessing the financial data of over 3,500 data subjects without authorisation between 2022 and 2024. The bank also breached its notification obligations under GDPR Articles 33 and 34: it initially reported only nine affected individuals, provided incomplete information, and notified data subjects only after being ordered to do so by the DPA. The findings covered inadequate access controls (the employee could read every customer's records), an alert system that flagged nothing over two years of non-service access, and the failure to inform data subjects once the breach had been discovered.
Full text
Latest revision as of 13:48, 7 April 2026

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 24 GDPR; Article 32 GDPR; Article 33 GDPR; Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 10.10.2024
Decided: 26.03.2026
Published: 26.03.2026
Fine: 31,800,000 EUR
Parties: Intesa Sanpaolo S.p.A.
National Case Number/Name: 10234984
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: ap

The DPA fined a bank €31,800,000 for not implementing sufficient safeguards to prevent an employee from accessing the financial data of over 3,500 data subjects for non-service purposes. The controller also failed to inform the DPA and the affected data subjects on time.

English Summary

Facts

Intesa Sanpaolo S.p.A. (the controller) is a bank. In 2024, the controller reported a data breach to the DPA in accordance with Article 33 GDPR. According to the controller, the data breach occurred between 2022 and 2024 as a result of an employee accessing the banking data of nine data subjects without authorisation. The controller also stated that it would inform the affected data subjects, despite claiming that it had not identified any high risk to their rights and freedoms.

The DPA began an ex officio investigation after the press reported a much higher number of affected data subjects than the controller had claimed (over 3,500). The controller argued that the occurrence of a data breach did not by itself mean its security measures were insufficient. It further argued that there was no need to inform all affected data subjects, as the breach did not pose a high risk to their rights and freedoms. During its investigation, the DPA concluded that the breach was likely to pose a high risk to the affected data subjects and ordered the controller to notify all of them. In response, the controller informed the DPA of the measures it had taken to inform data subjects and to ensure the security of processing. In particular, it stated that it had decided not to contact approximately 1,300 data subjects, on the view that the employee had accessed their data for purely service-related reasons. The DPA considered that its order had not been complied with.

Holding

The DPA found a violation of Articles 5(1)(f), 24 and 32 GDPR. During its investigation, the DPA established that the employee had full access to the financial data of all data subjects, and that the controller's alert system detected no anomalies during the two-year period in which the employee accessed data subjects' data for non-service reasons. The controller had therefore failed to implement appropriate security measures and had complied with neither the principle of data security nor that of accountability. This weighed all the more heavily because the controller processed the financial data of "high risk customers" (public or political figures).

The DPA also found a violation of Article 33 GDPR. It considered that the controller had not met its notification obligations following the breach, since it had provided incomplete information that was supplemented only much later, after press reports and the DPA's investigation.
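The Article 32 finding above (an employee with read access to every customer's records, and an alert system that raised nothing in two years) and the Article 33 finding (a breach first scoped at nine data subjects and later at over 3,500) are, from an engineering standpoint, the two questions a second-level check on access logs has to answer: which look-ups had no service justification, and how many distinct customers they reached. The following is an added example, not code from this page, from the Garante or from Intesa Sanpaolo. It is a minimal detection rule in Python over constructed access-log lines, using a hypothetical entitlement model (the employee's own branch plus an explicitly assigned portfolio), a hypothetical threshold of three out-of-scope look-ups in 30 days, and a hypothetical high-risk customer list; all of these are assumptions, as is the log schema.

```python
"""Insider-access detection over a customer-record access log.

Added example for illustration; not code from GDPRhub, the Garante or Intesa
Sanpaolo. The log format, the entitlement model (own branch plus assigned
portfolio), the threshold and the high-risk list are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, employee id,
# customer id, branch holding the customer's account, action.
SAMPLE_LOG = """\
2022-02-21T09:12:03Z emp001 cust100 BR-A view_balance
2022-02-21T09:15:44Z emp001 cust101 BR-A view_movements
2022-02-22T10:00:00Z emp002 cust200 BR-A view_balance
2022-02-23T10:00:00Z emp002 cust300 BR-B view_balance
2022-03-02T14:02:10Z emp001 cust555 BR-B view_movements
2022-03-02T14:05:31Z emp001 cust556 BR-B view_balance
2022-03-03T08:40:02Z emp001 cust557 BR-C view_movements
2022-03-03T08:41:19Z emp001 cust558 BR-C view_movements
2022-03-03T08:42:50Z emp001 cust900 BR-D view_movements
"""

# Assumed entitlement data: the branch each employee works at and the
# customers explicitly assigned to them (their service portfolio).
EMPLOYEE_BRANCH = {"emp001": "BR-A", "emp002": "BR-A"}
PORTFOLIO = {"emp001": {"cust100", "cust101"}, "emp002": {"cust200"}}
# Customers for whom any out-of-scope access is alerted immediately
# (the decision's "high risk customers": public or political figures).
HIGH_RISK = {"cust900"}

WINDOW = timedelta(days=30)   # assumed look-back for the volume rule
THRESHOLD = 3                 # assumed out-of-scope look-ups per window


def parse_log(text):
    """Parse log lines into (timestamp, employee, customer, branch, action), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, emp, cust, branch, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), emp, cust, branch, action))
    return sorted(events)


def in_scope(emp, cust, branch):
    """Service justification: the customer is in the employee's portfolio or
    banks at the employee's own branch. A least-privilege design enforces this
    at query time; here it is applied to the log after the fact."""
    return cust in PORTFOLIO.get(emp, set()) or branch == EMPLOYEE_BRANCH.get(emp)


def detect(text):
    """Return (alerts, affected): alerts as (timestamp, employee, reason) and,
    per employee, the set of distinct customers reached out of scope."""
    alerts = []
    affected = defaultdict(set)
    recent = defaultdict(list)  # employee -> timestamps of out-of-scope accesses in WINDOW
    for ts, emp, cust, branch, _action in parse_log(text):
        if in_scope(emp, cust, branch):
            continue
        affected[emp].add(cust)
        if cust in HIGH_RISK:
            alerts.append((ts, emp, f"out-of-scope access to high-risk customer {cust}"))
        recent[emp] = [t for t in recent[emp] if ts - t <= WINDOW] + [ts]
        # Fire once when the threshold is first reached, not on every further hit.
        if len(recent[emp]) == THRESHOLD:
            alerts.append((ts, emp, f"{THRESHOLD} out-of-scope look-ups within {WINDOW.days} days"))
    return alerts, dict(affected)


if __name__ == "__main__":
    found, scope = detect(SAMPLE_LOG)
    for ts, emp, reason in found:
        print(f"{ts.isoformat()} {emp}: {reason}")
    for emp, customers in scope.items():
        print(f"{emp}: {len(customers)} customers reached out of scope -> {sorted(customers)}")
```

On the constructed sample the rule raises two alerts, both for emp001 (the volume threshold on the third out-of-scope look-up, then the high-risk hit on cust900), and the scope count for emp001 is five distinct customers, while emp002's single cross-branch look-up is recorded for scoping but stays below the threshold. The two outputs map onto the two findings: the alerts are what an Article 32 control is expected to produce, and the per-employee customer set is the number an Article 33 notification has to report, which is why deriving it from the log rather than from the employee's own account of "service" look-ups matters.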
In addition, the DPA stated that the controller had incorrectly applied the ENISA Guidelines. Finally, the DPA found a violation of Article 34 GDPR. It noted that the controller had only notified data subjects after being ordered to do so by the DPA, and had still failed to inform all affected data subjects. Nonetheless, the DPA acknowledged that the controller had taken measures to strengthen its safeguards.

The DPA found a violation of Articles 5(1)(f) and (2), 24, 32, 33 and 34 GDPR, and fined the controller €31,800,000. In setting the fine, it took into account the high number of data subjects affected (including public figures), as well as the controller's delay in notifying the breach after becoming aware of it.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Press release of March 30, 2026; Provision of November 2, 2024; Press release of November 5, 2024

[web doc. no. 10234984]

Provision of March 26, 2026
Register of Provisions No. 208 of March 26, 2026

THE ITALIAN DATA PROTECTION AUTHORITY

IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

HAVING SEEN, in particular, Articles 33 and 34 of the Regulation, entitled, respectively, "Notification of a personal data breach to the supervisory authority" and "Communication of a personal data breach to the data subject";

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018);

HAVING REGARD to the "Guidelines 9/2022 on the Notification of Personal Data Breach under the GDPR" adopted by the European Data Protection Board on March 28, 2023, replacing the "Guidelines on the Notification of Personal Data Breach under Regulation (EU) 2016/679" of the Article 29 Data Protection Working Party of October 3, 2017, as amended and lastly adopted on February 6, 2018, and endorsed by the European Data Protection Board on May 25, 2018 (hereinafter the "Notification Guidelines");

HAVING REGARD to the "Guidelines 01/2021 on examples of personal data breach notification" adopted by the European Data Protection Board on December 14, 2021 (hereinafter the "Guidelines on Personal Data Breach Cases");

HAVING REGARD to Decision No. 192 of May 12, 2011, as amended, containing "Provisions on the circulation of information in the banking sector and the tracking of banking transactions," published in the Official Journal (G.U.) No. 127 of June 3, 2011 (available on the Authority's website at: https://www.gpdp.it, web doc. No. 1813953);

HAVING EXAMINED the documentation in the file;

HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Authority's Regulation No. 1/2000;

REPORTER: Professor Pasquale Stanzione;

WHEREAS

1. Introduction

On July 17, 2024, Intesa Sanpaolo S.p.A. (hereinafter, ISP or the Bank) submitted to the Authority, pursuant to Article 33 of Regulation (EU) 2016/679 (hereinafter, GDPR), a breach notification following the unauthorized access by a Bank employee working at the Agribusiness branch in Barletta to the bank data of several customers "...without professional motivation." In this context, the Bank stated that the breach occurred between February 21, 2022, and April 24, 2024, and that such access "...involved customers (including their mother and other acquaintances/relatives), current and former employees of the Bank," for a total of nine data subjects.
It also stated that it became aware of the incident during periodic "...second-level checks regarding potential anomalies in employee access to bank data, d