€49.4 Million in Lessons: What Intesa Sanpaolo’s Twin GDPR Fines Mean for Financial Institutions
For Intesa Sanpaolo, March has been a costly month for compliance.
It’s not every day that you see GDPR fines imposed on one of the largest banking groups and a major European player. In March, Italy’s Data Protection Authority (Garante) issued two fines on Intesa Sanpaolo:
Fine 1: Processing Customers’ Personal Data Without an Appropriate Legal Basis
On March 12, 2026, Garante imposed the first fine, amounting to €17.6 million, on Intesa Sanpaolo for unlawfully processing the data of approximately 2.4 million customers, as it unilaterally transferred the data to its wholly-owned subsidiary Isybank SpA, a fully digital bank. The Garante found that:
- Intesa Sanpaolo SpA conducted the processing of customer data without an appropriate legal basis. This processing was carried out in relation to the transfer transaction in favor of its subsidiary Isybank SpA.
- For the purposes of this transaction, Intesa Sanpaolo SpA selected customers who met certain criteria, including: age, which, according to the chosen parameter, could not exceed 65 years of age, familiarity with the digital channels in the last year, the absence of investment products, and financial balances below a certain amount.
- Customer accounts from Intesa Sanpaolo SpA were transferred to a different data controller (Isybank SpA), leading to a forced alteration of the existing account’s operating processes and contractual terms and conditions, in contrast to those originally intended, resulting in new IBANs, a lack of physical branches, and forced access via the mobile application.
- Customers weren’t informed about this transaction, and the notice was sent to the archive section of the Intesa Sanpaolo SpA mobile application without prompting any push notifications or text messages.
Garante emphasized that the bank’s processing in the way specified is unlawful since the customers could not have reasonably anticipated this activity, given the circumstances and the information they were given.
Fine 2: Unauthorized Access to Customer’s Banking Information for Over Two Years
Garante imposed the second fine on Intesa Sanpaolo on March 30, 2026, amounting to €31.8 million for unauthorized access to the banking information of over 3,500 customers for more than two years. The regulator emphasized that there were serious shortcomings in personal data security due to the inadequacy of the technical and organizational measures adopted.
The Garante found that:
- An employee accessed, without justification, the banking information of 3,573 customers, making over 6,600 inquiries between February 21, 2022, and April 24, 2024.
- These unauthorized accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms.
- High-risk individuals’ data, such as those with significant public positions, for whom more stringent controls would have been required, was also obtained illegally.
- This unauthorized access to customers’ personal data violated principles of integrity and confidentiality of personal data, as well as the principle of accountability, noting the overall inadequacy of the measures adopted.
The fines send a stark reminder to the financial institutions, compelling them to honor GDPR requirements or face noncompliance penalties. For Intesa Sanpaolo, this reminder came at a steep price, nudging the banking group to not take customer transparency and internal controls lightly.
Key Takeaways for Financial Institutions
This isn’t the first time Garante has imposed financial penalties. For organizations, this is a learning curve that demonstrates significant compliance gaps existing in the industry today and the critical need to ensure regulatory requirements are met.
Financial institutions must ensure the following:
1. Provide a Legal Basis for Data Processing
Customer’s data should not be processed without either obtaining their prior consent or relying on other appropriate lawful basis of processing (i.e., legitimate interest, performance of contract, etc.). Any and all alterations in personal data handling and processing should be promptly notified to the customer, and their consent must be honored. This is particularly important when engaging in profiling. Prior Data Protection Impact Assessments (DPIAs) must be conducted when engaging in large-scale profiling and high-risk processing.
2. Ensure Transparency in Communications
Organizations must provide clear and appropriate notices to customers when processing their personal data. Transparency must be maintained with communications displayed properly, accurately, and in an action-oriented manner.
3. Ensure Data Security, Minimization and Purpose Limitation
Adopt robust security measures, implement access controls through stringent role-based access (RBAC), and the Principle of Least Privilege (PoLP). Organizations should also ensure data confidentiality, integrity, and, most importantly, collect the minimum data required for the originally intended purpose. Moreover, sensitive financial data should not be easily accessible without multi-layered protocols.
4. Implement Robust Detection Systems
Real-time detection of insider risks should be promptly notified, and a culture of continuous monitoring should be embedded across the organization’s data collection, storage, processing, and sharing processes. This helps in early detection of data mishandling and unauthorized access across the data lifecycle, minimizing regulatory exposure and non-compliance penalties.
The most valuable asset a financial institution can have is customer trust. Therefore, operating in hyperscale data ecosystems requires organizations to be one step ahead in regulatory compliance.
Operationalizing GDPR Compliance with Securiti
GDPR compliance requires an automated approach to ensure all regulatory requirements are met, especially when handling large-scale financial data.
Securiti helps financial institutions avoid costly noncompliance fines by:
- Automating Data Discovery & Access Governance: Identifies where sensitive data lives and enforces role-based, least-privilege access to reduce insider risk.
- Real-Time Monitoring & Risk Detection: Detects anomalous data access and usage patterns to flag insider misuse early.
- DPIA & Risk Assessment Automation: Streamlines DPIAs, LIAs, and risk scoring for profiling and high-risk processing.
- Consent & Preference Management: Ensures valid consent collection and transparency for customer data use, especially profiling.
- Data Subject Rights Fulfillment: Automates responses to access, deletion, and portability requests at scale.
- Centralized Compliance & Audit Readiness: Provides evidence, reporting, and accountability dashboards for regulators.
Request a demo to learn more.