Intesa Sanpaolo SpA – €100,000 Fine (Italy, 2022)
Intesa Sanpaolo SpA, an Italian bank, shared a customer's account information with her father without her consent. This action violated data protection rules because the bank did not have a valid reason to disclose her personal data. This case highlights the importance of obtaining proper consent before sharing sensitive information.
What happened
Intesa Sanpaolo SpA disclosed a customer's account data to her father while she was of age without her consent.
Who was affected
The customer whose account information was shared without her permission.
What the authority found
The Italian data protection authority ruled that the bank unlawfully processed the customer's personal data, lacking a valid legal basis for the disclosure.
Why this matters
This ruling emphasizes that companies must ensure they have valid reasons for sharing personal data, especially when it involves sensitive information. Businesses should review their data-sharing practices to avoid similar violations.
GDPR Articles Cited
Article 5(1)(a) and (f) GDPR; Article 6 GDPR
Original data from scraper before AI verification against source document.
The controller is Intesa Sanpaolo SpA, a bank in Italy. The data subject is a customer of the bank. The controller communicated the data subject's current account data to her father while she was already of age. The data was disclosed in pending proceedings before the Tribunale di Bari; the documents were meant for limited disclosure. The data subject lodged a complaint with the Italian DPA for unlawful processing of her personal data by the controller, consisting of communication to an unauthorized third party (her father).

The controller justified the incident by invoking the good faith of its employee: the data subject's father had previously been authorized to access her account data, exercising parental authority until she reached the age of majority, and he was also a former employee of the controller. This pre-existing relationship had led the employee to believe that the father was still authorized to access the account data, so the bank argued it had acted in good faith.

The DPA stated that there was no legal basis for processing the data subject's account data and therefore held that the processing was unlawful, as it was carried out in violation of the general principles under Article 5(1)(a) and (f) and Article 6 GDPR. Contrary to the controller's argument, the DPA found the good-faith exemption not applicable: good faith can only exclude liability when the error was unavoidable, and in the present case the employee should have checked whether the data subject's father was still authorized to access her account details. The DPA issued a €100,000 fine for these violations.
Related Enforcement Actions (0)
No other enforcement actions found for Intesa Sanpaolo SpA in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 May 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€100,000
GDPRhub ID
gdprhub-5060
Cite as: Cookie Fines. Intesa Sanpaolo SpA - Italy (2022). Retrieved from cookiefines.eu