With Decision No. 208 of 26 March 2026, the Italian Data Protection Authority (“Garante” or “Authority”) imposed a fine of €31.8 million on Intesa Sanpaolo S.p.A. (“ISP” or “Bank”), concluding an investigation initiated following the data breach notified by the Bank in July 2024, which had revealed significant shortcomings in the security of personal data.
Unauthorized access and ineffective controls
The investigation established that an employee had accessed the banking data of 3,573 customers without justification, carrying out more than 6,600 accesses between February 2022 and April 2024. The duration and repetitiveness of the conduct made it possible to reconstruct a particularly critical scenario, further aggravated by the fact that such accesses had never been detected by internal control systems and had also involved “high-risk” customers, including individuals holding prominent public roles.
For these latter individuals – according to the Authority – enhanced levels of protection should have been applied: dedicated and stricter controls, lower alert thresholds and more frequent monitoring, automatic escalation mechanisms in the event of out-of-context access compared to ordinary operations – including immediate notification to the operator’s direct supervisor – and prompt verification by the Bank’s control functions (compliance, privacy, and security).
As highlighted by the Authority, ISP’s operating model allowed employees to query the entire customer database “with full circular access” – not only the data of customers operating at their own branch – without this breadth of access being matched by adequate prevention and monitoring safeguards, such as requiring prior authorization from a supervisor, limiting access to customers of other branches, or implementing additional measures to prevent, detect, and promptly report suspicious access.
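The detective control the Authority describes in the two paragraphs above (flagging access to customers of other branches made without prior supervisor authorization, applying a lower alert threshold to high-risk customers, and escalating to the direct supervisor and the control functions) can be sketched as a small monitoring rule. The following is an added illustration, not code from the decision or from the Bank; the log schema, the field names, the tier labels and the threshold values are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample access log with a hypothetical schema (not taken from the decision).
# Fields: employee_id, employee_branch, customer_id, customer_branch, customer_tier, auth_ref
# customer_tier "high" stands for the "high-risk" customers the decision refers to;
# auth_ref is a supervisor's prior authorization reference, or None when none was obtained.
ACCESS_LOG = [
    ("emp42", "BR-01", "C1001", "BR-01", "standard", None),        # own branch: ordinary operations
    ("emp42", "BR-01", "C2001", "BR-07", "standard", None),        # other branch, no authorization
    ("emp42", "BR-01", "C2002", "BR-07", "standard", None),
    ("emp42", "BR-01", "C2003", "BR-09", "standard", None),
    ("emp42", "BR-01", "C2003", "BR-09", "standard", None),        # repeat access to the same customer
    ("emp42", "BR-01", "C9001", "BR-12", "high", None),            # other branch, high-risk customer
    ("emp77", "BR-03", "C3001", "BR-03", "standard", None),
    ("emp77", "BR-03", "C4001", "BR-05", "high", "AUTH-2024-17"),  # authorized by supervisor: not anomalous
]

# Alert thresholds on distinct out-of-branch customers per employee; lower for the high tier.
THRESHOLDS = {"standard": 3, "high": 1}

ESCALATION_TARGETS = ["direct_supervisor", "compliance", "privacy", "security"]

def out_of_context_accesses(log):
    """Yield accesses to customers of another branch made without prior authorization."""
    for emp, emp_branch, cust, cust_branch, tier, auth_ref in log:
        if cust_branch != emp_branch and auth_ref is None:
            yield emp, cust, tier

def evaluate_access(log, thresholds=THRESHOLDS):
    """Return one escalation event per (employee, tier) whose count of distinct
    out-of-context customers reaches that tier's threshold."""
    seen = defaultdict(set)  # (employee, tier) -> distinct customers accessed out of context
    for emp, cust, tier in out_of_context_accesses(log):
        seen[(emp, tier)].add(cust)
    events = []
    for (emp, tier), customers in sorted(seen.items()):
        if len(customers) >= thresholds[tier]:
            events.append({
                "employee": emp,
                "tier": tier,
                "distinct_customers": len(customers),
                "escalate_to": ESCALATION_TARGETS,
            })
    return events

if __name__ == "__main__":
    for event in evaluate_access(ACCESS_LOG):
        print(event)
```

Counting distinct customers rather than raw accesses keeps repeated lookups of one file from inflating the count, while the single high-risk access is enough on its own to trigger escalation.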
This constituted a breach of the principles of accountability and security of processing (Articles 5, 24, and 32 GDPR), also considering the requirements set out in Decision No. 192/2011 concerning the “circulation of information in the banking sector and tracking of banking transactions” for updating and strengthening the measures adopted to protect personal data.
Breaches of data breach notification rules and communication to data subjects
The Authority identified further shortcomings in the management of the data breach: the notification was deemed incomplete and submitted late with respect to the deadlines set by law. Moreover, although the Bank claimed to have used the ENISA methodology for structured risk assessment, it ultimately deviated from it substantially, without objective and verifiable justification.
Through its own assessment, ISP had reduced the level of risk based on the internal cause of the incident – which had not involved data exfiltration – without, however, demonstrating objective factors that would effectively reduce the impact or likelihood of harm to data subjects. Furthermore, the presence of personal data relating to individuals holding public roles was hardly compatible with a reclassification of risk aimed at reducing its scope.
Because the level of risk had been underestimated, the communication to data subjects was also delayed and was only carried out following a prior decision of the Authority (dated 2 November 2024, web doc. no. 10070521).
These actions therefore compromised the Authority’s ability to intervene promptly to protect the rights and freedoms of data subjects, directly influencing the final considerations of the sanctioning procedure.
Assessment of the amount of the fine
In determining the amount of the fine, the Authority considered: the nature, gravity, and duration of the infringement (considering the failure to implement measures ensuring adequate security of personal data, compliance with the accountability principle, and proper management of obligations related to the data breach); the high number of customers involved and the consequences suffered by data subjects, given that mitigating measures were adopted late.
The existence of previous relevant violations was also a determining factor.
As mitigating elements, the Authority acknowledged the absence of special categories of data involved in the breach, the Bank’s cooperation during the proceedings, and the adoption of certain organizational and technical measures in compliance with sector regulations, as indicated in the defense submissions of July 2025.
CONCLUSIONS
The decision strongly reiterates that the implementation of the accountability principle requires concrete operational evidence and cannot be reduced to mere formal declarations of compliance.
This entails adopting access logics consistent with the “need-to-know” principle, implementing truly effective monitoring systems, and managing incident response with a focus on timeliness and completeness of information.
The sanction imposed on ISP marks a clear milestone in the Authority’s case law: the protection of personal data, especially in the banking sector, reflects an organizational responsibility measured by results. And when controls fail, the consequences inevitably take on sanctioning – and reputational – implications.
Lawyer Rossella Bucca and Dr. Melissa Marro