Intesa Sanpaolo SpA – €100,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Intesa Sanpaolo SpA faced a EUR 100,000 fine for improperly sharing a customer's account information with her father after she was of legal age. This ruling is crucial because it highlights that companies must have clear policies on who can access personal data, even if the requester is a family member. Businesses should ensure they have proper verification processes in place to protect customer data.
What happened
The bank shared a customer's account data with her father without valid consent after she turned 18.
Who was affected
The customer whose account information was disclosed to her father without authorization.
What the authority found
The Italian DPA found that the bank unlawfully processed the customer's data, violating GDPR principles.
Why this matters
This case illustrates the need for strict data access policies. Companies should regularly train employees on data protection to prevent unauthorized disclosures.
GDPR Articles Cited
The controller is Intesa Sanpaolo SpA, a bank in Italy. The data subject is a customer of the bank. The controller communicated the data subject's current account data to her father while she was already of age. The data was disclosed in proceedings pending before the Tribunale di Bari; the documents were meant for limited disclosure. The data subject lodged a complaint with the Italian DPA for unlawful processing of her personal data by the controller, consisting of communication to an unauthorized third party (her father).

The controller justified the incident by invoking the good faith of its employee: the data subject's father had previously been authorized to access her account data, exercising parental authority until she reached the age of majority, and he was also a former employee of the controller. This pre-existing relationship had led the employee to believe he was still authorized to access the account data. Thus, the bank argued, it had acted in good faith.

The DPA stated that there was no legal basis for processing the data subject's account data. It therefore held that the processing in question was unlawful, as it was carried out in violation of the general principles under Article 5(1)(a) and (f) and Article 6 GDPR. Contrary to what the controller argued, the DPA found the good-faith exemption not applicable: good faith can only exclude liability when the error was unavoidable. In the present case, the employee should have checked whether the data subject's father was still authorized to access her account details. The DPA issued a €100,000 fine for these violations.
Related Enforcement Actions (0)
No other enforcement actions found for Intesa Sanpaolo SpA in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 May 2022
Authority
Garante per la protezione dei dati personali
Fine Amount
€100,000
GDPRhub ID
gdprhub-5060
Cite as: Cookie Fines. Intesa Sanpaolo SpA - Italy (2022). Retrieved from cookiefines.eu