GDPR, May 26, 2026

Garante per la protezione dei dati personali (Italy) - 280/2026

Italy's DPA fines Ambrosetti €85K for delayed breach notification and weak password storage.

Summary

Italy's Garante per la protezione dei dati personali issued an €85,000 fine against Ambrosetti S.p.A., a consulting company, for violations of GDPR Articles 5, 32, and 34 following a 2024 data breach affecting approximately 62,000 data subjects. The DPA found that the company failed to notify affected individuals within the required timeframe, stored some passwords in plain text and others in an insufficiently robust format, and retained credentials it no longer needed. The controller had also wrongly assumed that external contractors were monitoring system security, demonstrating negligent data protection practices.

Full text

Garante per la protezione dei dati personali (Italy) - Case number: 280/2026, Internal number (from the DPA): 10252460
(GDPRhub, latest revision as of 11:45, 26 May 2026)

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR, Article 5(1)(f) GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 08.04.2024
Decided: 17.04.2026
Published:
Fine: 85,000 EUR
Parties: Ambrosetti S.p.A.
National Case Number/Name: Case number: 280/2026; Internal number (from the DPA): 10252460
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: ap

The DPA fined a consulting company €85,000 for failing to ensure security of processing in relation to a data breach. In addition, the company did not inform the affected data subjects until ordered to do so by the DPA.

English Summary

Facts

Ambrosetti S.p.A. (the controller) is a consulting company. In 2024 the controller informed the DPA of a data breach, in accordance with Article 33 GDPR. The controller estimated that the data breach could have affected around 134,000 data subjects (later lowered to approximately 62,000), and concerned their contact details and login credentials.

In addition, the controller stated that it was unlikely that the data breach posed a high risk for data subjects, since the credential data consisted of the initial registration credentials set by the controller and not by the user. Finally, the controller stated that it had hired external staff to develop a large number of its systems, and it had assumed that system security was also monitored by the external staff.

During its investigations, the DPA found that some of the passwords in question appeared to have been set by the data subjects and not by the controller. The controller did not initially inform the affected data subjects, but later contacted those data subjects for whom it had an email address on file. The controller also published a notice on its website and contacted news outlets.

Holding

The DPA found a violation of Article 34 GDPR, as the controller failed to inform data subjects within the time limit and had failed to justify the delay. The DPA considered that the data breach was likely to pose a high risk to the rights and freedoms of data subjects, and therefore the controller had the obligation to inform them. The DPA took into consideration data subjects' tendency to reuse passwords, the high number of affected data subjects, and the fact that the controller did not inform the data subjects until the DPA ordered it to do so during its investigations.

The DPA also found a violation of Article 5(1)(e) GDPR, as the controller had failed to comply with the principle of storage limitation. The DPA found that the controller retained authentication credentials when they were no longer needed (e.g. for certain systems that were no longer in use). The DPA found that it was not necessary for the controller to store this data, especially considering the risks to data subjects' rights and freedoms.

Finally, the DPA found a violation of Articles 5(1)(f) and 32 GDPR, as the controller failed to ensure security of processing. The DPA found that the controller stored a portion of the data subjects' passwords in plain text. In addition, the DPA found that another portion of the passwords (around 98,000) were not stored in a sufficiently robust manner.

The DPA fined the controller €85,000.

Entities

Ambrosetti S.p.A. (vendor)
Garante per la protezione dei dati personali (vendor)