On 26 March 2026, the Italian data protection authority (Garante per la protezione dei dati personali, „Garante“) fined Intesa Sanpaolo S.p.A. €31,800,000. This is one of the largest fines the Garante has ever imposed, and it carries clear lessons for any organisation that processes personal data at scale – not just banks. What Happened Between […]
Giulia Provini
About Giulia Provini
Posts by Giulia Provini:
When Access Requests Become Abusive: Key Takeaways from C-526/24 Brillen Rottler
The Court of Justice of the European Union (CJEU) has clarified in Brillen Rottler (C-526/24) that, in exceptional circumstances, even a first data subject access request (DSAR) may be refused as “manifestly unfounded or excessive” under Article 12 para. 5 GDPR. This is an important development. However, the judgment should not be misunderstood. The Court […]
Unlawful Profiling and Poor Transparency: Key Takeaways from the Garante’s Fine Against Intesa Sanpaolo
The Italian Data Protection Authority (Garante) has imposed a €17.6 million fine on Intesa Sanpaolo, one of the largest banking groups in Italy, for unlawful processing of personal data affecting approximately 2.4 million customers in the context of their transfer to the digital bank Isybank. What makes this case particularly relevant is not only its […]
Spanish AEDP v FC Barcelona: DPIA Required for Processing Biometric Data
The Spanish Data Protection Authority (AEPD) recently imposed a €500,000 fine on Fútbol Club Barcelona for failing to properly conduct a Data Protection Impact Assessment (DPIA) when implementing biometric systems used during the club’s membership census process. This complex decision ultimately focuses on Article 35 GDPR, with the AEPD concluding that the club failed to […]
Biometric Data: Key GDPR Lessons from an AEPD Decision
The Spanish Data Protection Authority (AEPD) recently imposed a €950,000 fine on a company offering digital identity and age verification services that rely on facial analysis technology. The decision is particularly relevant for organisations deploying facial analysis technologies, including AI-based age estimation and identity verification systems that generate biometric templates, as it illustrates how regulators […]
Italian DPA Orders Amazon Entity to Stop Unlawful Employee Data Processing
The Italian Data Protection Authority (Garante per la protezione dei dati personali) has issued an urgent order with immediate effect requiring Amazon Italia Logistica S.r.l. to stop processing personal data relating to more than 1,800 employees at one of its logistics facilities. The investigation revealed multiple violations from a data protection perspective. In particular, the […]
Digital Accessibility and Data Protection: Insights from the Italian Data Protection Authority
Digital accessibility is becoming a central compliance topic across Europe. With the entry into application of the European Accessibility Act (Directive (EU) 2019/882, EAA), EU Member States must ensure that a wide range of digital products and services meet accessibility requirements so that people with disabilities can access them without barriers. These requirements apply to […]
No Account, No Purchase? EDPB Pushes Back on Mandatory Registration
Requiring users to create an account in order to complete an online purchase is a widespread practice in e-commerce. Businesses commonly justify this requirement by reference to operational efficiency, customer convenience, or the development of long-term commercial strategies. With its Recommendations 2/2025, the European Data Protection Board (EDPB) addresses this practice directly and clarifies the […]
Reading Between the Lines of the Italian DPA’s 2026 Inspection Plan
With its Resolution of 30 December 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) published its inspection plan for the period January to July 2026. The plan sets out the Authority’s inspection focus for the first semester of the year and provides for at least 40 targeted inspections across the […]
CNIL Fines Samaritaine €100,000 for Hidden Cameras: A Legal Analysis
On 18 September 2025, the French Data Protection Authority (CNIL) issued Deliberation SAN-2025-008, imposing a €100,000 fine on Samaritaine SAS for clandestinely installing surveillance cameras in employee areas. In August 2023, in response to a rise in stockroom thefts, the company installed five hidden cameras disguised as smoke detectors. The devices also recorded audio. Within […]
Automated Credit Scoring Under Scrutiny in Europe
The CJEU’s SCHUFA judgement (C-634/21) in 2023 clarified that producing and transmitting a credit score can itself amount to an automated decision under Article 22 GDPR where the score is determinative for contract outcomes. This ruling has now translated into concrete enforcement. In 2025, both the Austrian and Hamburg DPAs issued decisions that apply these […]
Pseudonymised Data: Not Always Personal According to The Latest CJEU Judgement
On 4 September 2025, the Court of Justice of the European Union (CJEU) handed down its judgment in EDPS v Single Resolution Board (C-413/23 P). The ruling addresses a fundamental question in EU data protection law: when pseudonymised information qualifies as personal data, and for whom. This decision provides important clarification on the scope of […]
UK Data (Use and Access) Act 2025: Key Changes for Privacy Compliance
On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, becoming law in the UK and marking a significant development in the country’s data protection framework. The first provisions will take effect on 20 August 2025 under the Commencement No. 1 Regulations, with others phased in through mid‑2026; some changes (most […]
Enforcement Trends in DSR Handling: Key Lessons from Recent EU Decisions
Over recent months, data protection authorities have issued rulings that expose common failings in the handling of data subject rights requests (DSRs). While these were isolated complaints, the supervisory authorities found that the organisations involved lacked internal procedures, failed to provide legally reasoned responses, and could not demonstrate accountability when challenged. These rulings confirm that […]
Preventable Data Breaches: Compliance Takeaways from Recent ICO Cases
Over the past few months, the UK Information Commissioner’s Office (ICO) has issued a series of enforcement actions that underscore a recurring regulatory concern: data breaches that, in the ICO’s view, were not merely accidental but the result of organisations failing to implement even basic data protection safeguards—violations of their accountability obligations under the UK […]