Intesa Sanpaolo S.p.A. – Order (Italy, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Intesa Sanpaolo, Italy's largest bank, faced scrutiny after an employee accessed sensitive financial data of nine individuals who were not clients. The bank terminated the employee and reported the incident, but did not notify the affected individuals, believing there was no high risk. This case shows the importance of proper data access controls and communication.
What happened
An employee accessed financial data of nine non-client individuals out of curiosity, leading to a data breach.
Who was affected
Nine individuals whose financial information was accessed without authorization.
What the authority found
The authority found that Intesa Sanpaolo did not adequately assess the risk of the data breach and failed to notify the affected individuals.
Why this matters
This case highlights the need for strict access controls and timely communication with affected individuals in case of data breaches. Companies should ensure employees understand data privacy responsibilities.
The controller, Intesa Sanpaolo (the biggest Italian bank), noticed that an employee had accessed data concerning the financial situation of 9 data subjects, even though those data subjects were not clients of the branch where that employee was working. The employee stated that they had accessed the data out of curiosity. After an internal audit, the controller terminated the employment relationship with this employee. On 17 July 2024, the controller notified the data breach to the DPA pursuant to Article 33 GDPR. However, the controller believed that the data breach was not likely to result in a high risk to the rights and freedoms of natural persons. Therefore, it did not notify the breach to the concerned data subjects according to Article 34(1) GDPR. The controller did, however, send an informal communication to the affected data subjects.

In addition, on 10 October 2024, the DPA learned that, according to some newspapers, the same employee had performed a further 6,000 accesses to the bank account details of more than 3,500 data subjects, including the sister and ex-partner of the President of the Council of Ministers, some Ministers, the Speaker of the Senate and the head of the national anti-mafia public prosecution office. Also with regard to these further accesses, the controller believed that the data breach was not likely to result in a high risk to the rights and freedoms of natural persons. However, the controller stated that it might send a "client caring" letter to explain what had happened.

Even though the investigation into this case is still open, the DPA deemed it necessary to decide immediately on the controller's compliance with Article 34 GDPR. Contrary to what the controller argued, the DPA held that the data breach at hand is likely to result in a high risk to the rights and freedoms of natural persons. The DPA took into account the following facts:
* the type of personal data at hand;
* the performance of the accesses at hand could be considered a crime under [https:
Outcome
Order
A binding order requiring the controller to take specific action.
Details
Order Date
2 November 2024
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-8549
Cite as: Cookie Fines. Intesa Sanpaolo S.p.A. - Italy (2024). Retrieved from cookiefines.eu