Unlawful Profiling and Poor Transparency: Key Takeaways from the Garante’s Fine Against Intesa Sanpaolo

The Italian Data Protection Authority (Garante) has imposed a €17.6 million fine on Intesa Sanpaolo, one of the largest banking groups in Italy, for unlawful processing of personal data affecting approximately 2.4 million customers in the context of their transfer to the digital bank Isybank.

What makes this case particularly relevant is not only its scale, but the nature of the processing involved. The bank relied on a data-driven selection process that effectively profiled customers and led to decisions producing significant effects on them, including unilateral changes to their banking relationship. This occurred without a valid legal basis and without adequately informing the individuals concerned.

What Happened?

Between 2023 and 2024, Intesa Sanpaolo carried out a corporate reorganization involving the transfer of approximately 2.4 million customer relationships to its fully owned digital subsidiary, Isybank.

As part of this transformation, the bank identified a segment of customers considered “predominantly digital”. This identification was based on a structured assessment of personal and behavioral characteristics, including age, use of digital banking channels, absence of investment products, and financial thresholds.

Customers meeting these criteria were extracted from the bank’s systems and transferred to Isybank. This was not a neutral operational change. It resulted in a change of data controller and significantly altered the customers’ situation, including the assignment of a new IBAN, the loss of access to physical branches, and a shift to a fully app-based banking model.

At the same time, customers were informed through communications that lacked visibility and clarity, often placed in the archive section of the banking app without active alerts or prominent notifications.

Profiling Without a Valid Legal Basis

A central issue in the decision was whether the bank’s activity qualified as profiling. Intesa Sanpaolo argued that it had merely classified customers based on objective criteria for internal organizational purposes.

The Garante rejected this position. It found that the bank had analyzed multiple aspects of individuals, including their behavior and financial situation, and used this analysis to evaluate and segment them in order to decide whether they should be transferred to another bank. This process, carried out through automated data processing at scale, clearly constituted profiling under Article 4 para. 4 GDPR.

Importantly, the Garante clarified that profiling is not limited to marketing activities. Any processing that evaluates personal aspects and leads to decisions affecting individuals falls within its scope.

The decisive factor was the impact on customers. The profiling was not theoretical or preparatory. It directly led to outcomes that significantly affected individuals’ rights and contractual positions. As such, it required a solid legal basis and appropriate safeguards.

The bank relied on legitimate interest, considering the profiling and the subsequent transfer as part of a single processing operation. However, the Garante found that legitimate interest had not been validly established for the profiling stage, since the bank had not demonstrated necessity or carried out a proper balancing of interests. In those circumstances, the authority considered informed consent to be the only legal basis concretely available for that profiling activity.

Transparency Failures

In addition to the lack of a valid legal basis, the Garante identified serious shortcomings in transparency.

From a content perspective, the information provided to customers was incomplete. The privacy information referred to profiling only in connection with marketing purposes, while failing to mention the profiling carried out to identify customers for transfer to Isybank, or to explain the logic, significance, and consequences of that processing.

From a delivery perspective, the deficiencies were equally significant. The information was made available within the archive section of the online banking platform or app, without any prominent indication such as push notifications or alerts. It was also communicated during a period coinciding with summer holidays, when users’ attention is typically lower.

Customers were given a deadline to object. Many individuals did not notice the communication in time, as it was indistinguishable from routine notifications received through the app.

The Garante made clear that transparency is not only about what is communicated, but also how it is communicated. Considering the significant impact on customers, these methods were deemed inadequate and misleading, resulting in a breach of the principles of fairness and transparency under Article 5 GDPR.

Key Lessons for Organizations

This decision provides several important lessons for organizations implementing data-driven strategies or digital transformation initiatives.

• Profiling must be understood broadly. It is not limited to marketing and can arise in internal business processes whenever individuals are evaluated and decisions affecting them are made.
• Different processing activities must be assessed separately. Profiling cannot be treated as a mere preparatory step and absorbed into another legal basis, such as legitimate interest for data transfer.
• Transparency must reflect the real impact of the processing. Where individuals are subject to significant changes, information must be clear, prominent, and effectively brought to their attention.

This case illustrates how easily data-driven business decisions can cross the line into unlawful processing when profiling is not properly identified and assessed. Organizational or strategic initiatives do not lower the GDPR threshold, especially where decisions significantly affect individuals. This is precisely where the involvement of a Data Protection Officer or privacy advisor becomes essential.