Garante per la protezione dei dati personali (Italy) - 280/2026
Italy's DPA fines Ambrosetti €85,000 for data breach and delayed notification to 62,000 subjects
Summary
Italy's Garante per la protezione dei dati personali fined consulting company Ambrosetti S.p.A. €85,000 for violations of GDPR Articles 5, 32, 33, and 34 following a 2024 data breach affecting approximately 62,000 data subjects. The DPA found that the company failed to ensure adequate security (storing some passwords in plain text and others in an insufficiently robust manner), retained data beyond what was necessary, and critically delayed notifying affected individuals until ordered to do so by the authority.
Full text
Revision as of 11:43, 26 May 2026

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(e) GDPR; Article 5(1)(f) GDPR; Article 32 GDPR; Article 33 GDPR; Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 08.04.2024
Decided: 17.04.2026
Published:
Fine: 85,000 EUR
Parties: Ambrosetti S.p.A.
National Case Number/Name: 280/2026
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: ap

The DPA fined a consulting company €85,000 for failing to ensure security of processing in relation to a data breach. In addition, the company did not inform the affected data subjects until ordered to do so by the DPA.

English Summary

Facts

Ambrosetti S.p.A. (the controller) is a consulting company. In 2024 the controller informed the DPA of a data breach, in accordance with Article 33 GDPR. The controller estimated that the data breach could have affected around 134,000 data subjects (later lowered to approximately 62,000), and concerned their contact details and login credentials. In addition, the controller stated that it was unlikely that the data breach posed a high risk for data subjects, since the credential data was the initial registration credentials set by the controller and not the user.
Finally, the controller stated that it had hired external staff to develop a large number of its systems, and that it had assumed system security was also monitored by that external staff. During its investigation, the DPA found that some of the passwords in question appeared to have been set by the data subjects and not by the controller. The controller did not initially inform the affected data subjects, but later contacted those data subjects for which it had an email address on file. The controller also published a notice on its website and contacted news outlets.

Holding

The DPA found a violation of Article 34 GDPR, as the controller failed to inform data subjects within the time limit and had failed to justify the delay. The DPA considered that the data breach was likely to pose a high risk to the rights and freedoms of data subjects, and therefore the controller had the obligation to inform them. The DPA took into consideration data subjects' tendency to reuse passwords, the high number of affected data subjects, and the fact that the controller did not inform the data subjects until the DPA ordered it to do so during its investigation.

The DPA also found a violation of Article 5(1)(e) GDPR, as the controller had failed to comply with the principle of storage limitation. The DPA found that the controller retained authentication credentials when they were no longer needed (e.g. for certain systems that were no longer in use). The DPA found that it was not necessary for the controller to store this data, especially considering the risks to data subjects' rights and freedoms.

Finally, the DPA found a violation of Articles 5(1)(f) and 32 GDPR, as the controller failed to ensure security of processing. The DPA found that the controller stored a portion of the data subjects' passwords in plain text. In addition, the DPA found that another portion of the passwords (around 98,000) was not stored in a sufficiently robust manner. The DPA fined the controller €85,000.
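As an added illustration that is not part of the decision or of this page, the following Python script shows the kind of self-audit a controller could run over its own credential table to surface the three findings above: passwords kept in plain text, passwords protected only by an unsalted fast hash, and credentials retained for systems no longer in use. The table rows, system names and hash values are constructed samples.

```python
import re
from collections import Counter

# Constructed sample credential table (not data from the decision).
# Each row: (system name, system still in use?, stored password value)
SAMPLE_ROWS = [
    ("portal",      True,  "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("portal",      True,  "Summer2024!"),                                 # plain text
    ("events-2019", False, "5f4dcc3b5aa765d61d8327deb882cf99"),             # unsalted MD5, retired system
    ("intranet",    True,  "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),     # unsalted SHA-1
    ("events-2019", False, "welcome1"),                                     # plain text, retired system
]

# Modular-crypt bcrypt string: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)
# Bare hex digests of these lengths are the classic unsalted fast hashes.
UNSALTED_HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(stored: str) -> str:
    """Classify a stored password value by its on-disk format.

    Only the formats present in the sample are recognised; anything else is
    conservatively reported as plain text so that it gets looked at.
    """
    if BCRYPT_RE.match(stored):
        return "bcrypt"
    if HEX_RE.match(stored) and len(stored) in UNSALTED_HEX_LENGTHS:
        return "weak-hash-" + UNSALTED_HEX_LENGTHS[len(stored)]
    return "plaintext"


def audit(rows):
    """Return per-format counts plus the two remediation lists the findings imply:
    row indexes to delete (storage limitation, Art. 5(1)(e)) and row indexes whose
    passwords must be reset and rehashed (security of processing, Art. 32)."""
    counts = Counter()
    to_delete, to_reset = [], []
    for i, (system, active, stored) in enumerate(rows):
        kind = classify(stored)
        counts[kind] += 1
        if not active:
            to_delete.append(i)   # credential kept for a system no longer in use
        elif kind != "bcrypt":
            to_reset.append(i)    # plain text or unsalted fast hash on a live system
    return counts, to_delete, to_reset


if __name__ == "__main__":
    counts, to_delete, to_reset = audit(SAMPLE_ROWS)
    print(dict(counts), "delete:", to_delete, "reset:", to_reset)
```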
English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of May 21, 2026 [web doc. no. 10252460]

Measure of April 17, 2026
Register of Measures No. 280 of April 17, 2026

THE ITALIAN DATA PROTECTION AUTHORITY

IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING SEEN the Personal Data Protection Code, containing provisions for the adaptation of national legislation to Regulation (EU) 2016/679 (Legislative Decree No. 196 of June 30, 2003, as amended by Legislative Decree No. 101 of August 10, 2018, hereinafter the "Code");

HAVING SEEN the preliminary notification of personal data breach submitted by The European House - Ambrosetti S.p.A. to the Authority on April 8, 2024, pursuant to Article 33 of the Regulation, and the subsequent supplementary notification submitted on May 23, 2024;

HAVING EXAMINED the documentation in the file;

HAVING SEEN the observations made by the Secretary General pursuant to Article 15 of the Regulation of the Garante No. 1/2000;

REPORTER: Professor Ginevra Cerrina Feroni;

WHEREAS

1. The Office's investigation into the notified personal data breach, pursuant to Article 33 of the Regulation.

On April 8, 2024, The European House - Ambrosetti S.p.A. (hereinafter, the Company), pursuant to Article 33 of the Regulation, submitted to the Authority a preliminary notification of a personal data breach, resulting from "data exfiltration following unauthorized access by an attacker," affecting the personal and contact details (email address) and authentication credentials (username and password) of an unspecified number of data subjects. The Company also stated that "technical investigations are still underway to identify the affected systems in detail" and stated that it had not communicated the personal data breach to the affected data subjects, believing that it was not likely to pose a high risk to the rights and freedoms of natural persons.

On April 9, 2024, the Office sent the Company an initial request for information to acquire useful information for assessing the personal data protection aspects.

In a note dated April 17, 2024, the Company, while highlighting that it "intends to finalize [the notification] in all its aspects and consequent obligations once the technological investigation activities have been completed, presumably by May 30, 2024," stated, among other things, that:

"134,303 data subjects would be potentially involved. [...] The number is based on a preliminary estimate, but it is presumed to be lower, given that, given Ambrosetti's professional experience, individual data subjects often use different email addresses to authenticate to the services. The Company is carrying out all appropriate checks on this matter" (see note dated April 17, 2024, p. 2);

With the entry into force of the GDPR in 2016, the Company began a process of evaluating and implementing security measures to protect personal data in accordance with the new regulatory provisions. The following is a summary of what has been done to date and its impact on the matter under consideration.

In 2018, Ambrosetti began implementing a password management system in web applications, deciding to adopt a password encryption system. Taking into account the state of the art, implementation costs, as well as the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company therefore identified Bcrypt, one of the main consolidated tools on the market, as the algorithm to be used. Meanwhile, work continued to strengthen the protection systems, initiating the Company's