On 26 March 2026, the Italian data protection authority (Garante per la protezione dei dati personali, "Garante") fined Intesa Sanpaolo S.p.A. €31,800,000. This is one of the largest fines the Garante has ever imposed, and it carries clear lessons for any organisation that processes personal data at scale – not just banks.

What Happened

Between 21 February 2022 and 24 April 2024, a bank employee accessed the banking data of 3,573 clients without any professional justification. The clients whose data he accessed were outside his portfolio and branch. Over that period, he carried out more than 6,637 consultations, covering account details, transaction histories, credit card movements, and investment data.

Among the affected clients were national politicians, public figures from the worlds of sport and entertainment, Politically Exposed Persons (PEPs), and ordinary customers connected to the employee’s personal and professional circle.

The bank notified the Garante on 17 July 2024 – describing the breach as involving just 9 individuals. A supplementary notification, still incomplete, followed on 30 August 2024. The true scale only emerged after press reports in early October 2024 prompted the Garante to open its own investigation.

The Key Violations

The Garante found multiple GDPR violations.

Inadequate Security Measures and Access Management

The bank had made a business decision to allow its operators to query the entire client base "in full circularity" – meaning any employee could access any client's data across all branches, regardless of whether that client was in their own portfolio.

The Garante acknowledged this as a legitimate business choice, and one it has no power to override. But it comes with a clear condition: a wide access model of this kind requires proportionate counterbalancing controls. Those controls were found to be inadequate.

Specifically:

  • There was no requirement for employees to obtain prior authorisation before accessing data of clients outside their own portfolio.
  • Alerts were configured in a way that allowed repeated accesses to go undetected.
  • There were no enhanced controls for high-risk clients – such as PEPs or other publicly exposed individuals – despite the heightened risks those profiles present.
  • There was no automatic escalation mechanism: no immediate notification to a supervisor when a pattern of out-of-context accesses was detected.

The Garante was clear: the central issue was not the breach itself, but the systemic design of access controls that failed to detect suspicious behaviour for more than two years.

Failure to Notify the Breach Properly

The bank’s initial notification significantly understated the scope of the breach. The true picture only emerged through the Garante’s own investigation.

The Garante found that the notification was incomplete as to the actual perimeter of the breach, and that the deadlines under Article 33 GDPR were not met.

There was also a problem with how the bank assessed the risk level. The bank downgraded the breach from high to medium risk, focusing primarily on the fact that the incident involved an internal actor rather than on the probability and severity of impact on data subjects.

The Garante found this incompatible with the EDPB Guidelines 9/2022, which require risk assessment to focus on impact on data subjects regardless of the cause of the breach.

Failure to Notify Data Subjects

This had a direct consequence: because the bank concluded that the breach posed no high risk to the rights and freedoms of data subjects, it decided not to notify the affected clients directly.

The Garante disagreed. It held that notification under Article 34 GDPR is a preventive protection measure – its purpose is to allow individuals to take steps to protect themselves. Waiting for evidence of actual harm before notifying inverts that logic entirely.

The data accessed – account balances, transaction histories, investment portfolios – can enable fraud, identity theft, reputational damage, and targeted manipulation. For PEPs and other public figures, those risks are amplified.

The bank eventually notified affected clients, but only after the Garante issued a specific order to do so in November 2024.

The Fine

In calculating the fine, the Garante weighed several factors. On the aggravating side: the number of individuals involved (approximately 3,500), the financial nature of the data and the real risk of harm it carries, the duration of the breach (over two years), the incompleteness and delay of the breach notifications, and the existence of prior enforcement decisions against the same bank. We have already reported on one of them here.

On the mitigating side: the bank cooperated with the authority during the investigation, and – after the breach came to light – took serious corrective action, including enhanced ex-ante and ex-post monitoring, new escalation procedures, and dynamic data masking for specific categories of data.

Key Takeaways

This decision matters well beyond the banking sector. Any organisation that gives staff broad access to personal data – through HR systems, CRM platforms, healthcare records, or customer portals – faces equivalent risks.

Access controls: A broad access model is not unlawful in itself, but it requires proportionate compensating controls. Access to data outside an employee’s normal scope should trigger ex-ante checks or require justification, not simply be logged after the fact. High-risk individuals must have enhanced protections, not just the same default settings applied to everyone else.
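The four control gaps listed under "Inadequate Security Measures" and the access-control takeaway above translate directly into detection logic over an access log. The following is an added illustration, not the bank's or the Garante's code: it runs a constructed log (assumed fields, not any real system's format) through a per-day alert that resets, the kind of configuration that lets a low steady rate of lookups go unnoticed, and then through a review that flags unjustified out-of-portfolio access, escalates high-risk (PEP) clients immediately, and escalates on cumulative distinct out-of-scope clients.

```python
from collections import defaultdict

# Constructed sample of access-log events (assumed field names, not a real bank format).
EVENTS = [
    {"employee": "e1", "client": "c1", "in_portfolio": True,  "justification": "",            "pep": False, "day": 1},
    {"employee": "e1", "client": "c2", "in_portfolio": False, "justification": "",            "pep": False, "day": 1},
    {"employee": "e1", "client": "c3", "in_portfolio": False, "justification": "",            "pep": False, "day": 2},
    {"employee": "e1", "client": "c4", "in_portfolio": False, "justification": "",            "pep": True,  "day": 2},
    {"employee": "e1", "client": "c5", "in_portfolio": False, "justification": "",            "pep": False, "day": 3},
    {"employee": "e2", "client": "c6", "in_portfolio": False, "justification": "ticket-4711", "pep": False, "day": 3},
]

DAILY_LIMIT = 5       # weak configuration: per-day counter that resets each day
CUMULATIVE_LIMIT = 3  # corrected: distinct out-of-scope clients over the whole review window


def weak_alerts(events, limit=DAILY_LIMIT):
    """Alert only when an employee exceeds `limit` out-of-portfolio lookups in one day.
    A slow, persistent pattern never trips this, however long it continues."""
    per_day = defaultdict(int)
    alerted = set()
    for ev in events:
        if not ev["in_portfolio"]:
            key = (ev["employee"], ev["day"])
            per_day[key] += 1
            if per_day[key] > limit:
                alerted.add(ev["employee"])
    return alerted


def review_access(events, limit=CUMULATIVE_LIMIT):
    """Return findings as (kind, employee, detail) tuples:
    'unjustified' for out-of-scope access with no recorded justification,
    'escalate-high-risk' for any out-of-scope access to a PEP, and
    'escalate-pattern' once the cumulative distinct out-of-scope clients reach `limit`."""
    findings = []
    seen = defaultdict(set)   # employee -> distinct out-of-portfolio clients accessed
    escalated = set()
    for ev in events:
        if ev["in_portfolio"]:
            continue
        emp = ev["employee"]
        if not ev["justification"]:
            findings.append(("unjustified", emp, ev["client"]))
        if ev["pep"]:
            findings.append(("escalate-high-risk", emp, ev["client"]))
        seen[emp].add(ev["client"])
        if len(seen[emp]) >= limit and emp not in escalated:
            escalated.add(emp)
            findings.append(("escalate-pattern", emp, len(seen[emp])))
    return findings
```

On the sample log the per-day alert raises nothing, while the cumulative review escalates e1 on day 2 and leaves e2, whose single out-of-scope lookup carries a justification, unflagged.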

Breach notification: When the full scope of a breach is not immediately clear, use the phased notification mechanism that Article 33 GDPR explicitly allows, but do not use uncertainty as a reason to understate what you already know. Risk assessment must be objective and focused on impact on data subjects, not on the internal cause of the incident.

Communicating with data subjects: If there is any realistic possibility of high risk to individuals, notify them without undue delay. Do not wait for a regulator to order it.

One More Reason to Keep Your DPO in the Loop

Cases like this one are a reminder that involving your Data Protection Officer (DPO) or privacy counsel is not a formality – it is a genuine risk management tool.

A DPO who is properly integrated into the organisation’s processes will flag the risks of a wide-access model early, advise on proportionate controls, and provide independent oversight of breach classification decisions before they reach the authority. Do not inform your DPO after the fact. Bring them in at the design stage, during incidents, and before any breach notification goes out.