Intesa Sanpaolo S.p.A. – Order (Italy, 2024)
Italy's Intesa Sanpaolo bank faced scrutiny after an employee accessed sensitive data of non-clients out of curiosity. The bank did not notify the affected individuals, which is a significant oversight. This case serves as a reminder for businesses to enforce strict access controls and to notify users when their data is compromised.
What happened
An employee at Intesa Sanpaolo accessed sensitive financial data of individuals who were not clients.
Who was affected
Individuals whose financial data was accessed by the bank employee without authorization.
What the authority found
The Garante ruled that the bank did not notify affected individuals about the data access, which could pose risks to their privacy.
Why this matters
This case underscores the need for strict access controls in organizations. Companies should ensure that only authorized personnel can access sensitive data and that users are notified of any breaches.
GDPR Articles Cited
National Law Articles
The controller, Intesa Sanpaolo (the biggest Italian bank), noticed that an employee had accessed data concerning the financial situation of 9 data subjects, even though those data subjects were not clients of the branch where that employee was working. The employee stated that they had accessed the data out of curiosity. After an internal audit, the controller terminated the employment relationship with this employee. On 17 July 2024, the controller notified the data breach to the DPA pursuant to Article 33 GDPR. However, the controller believed that the data breach was not likely to result in a high risk to the rights and freedoms of natural persons. Therefore, it did not notify the breach to the concerned data subjects according to Article 34(1) GDPR. The controller did, however, send an informal communication to the affected data subjects. In addition, on 10 October 2024, the DPA learned that, according to some newspapers, the same employee had performed 6,000 other accesses to the bank account details of more than 3,500 data subjects, including the sister and ex-partner of the President of the Council of Ministers, some Ministers, the Speaker of the Senate and the head of the national anti-mafia public prosecution office. Also with regard to these further accesses, the controller believed that the data breach was not likely to result in a high risk to the rights and freedoms of natural persons. However, the controller stated that it might send a "client caring" letter to explain what had happened. Even though the investigation into this case is still open, the DPA deemed it necessary to decide immediately on the controller's compliance with Article 34 GDPR. Contrary to what the controller argued, the DPA held that the data breach at hand is likely to result in a high risk to the rights and freedoms of natural persons. The DPA took into account the following facts:
* the type of personal data at hand;
* the performance of the accesses at hand could be considered a crime under [https:
Outcome
Order
A binding order requiring the controller to take specific action.
Details
Order Date
2 November 2024
Authority
Garante per la protezione dei dati personali
GDPRhub ID
gdprhub-8549
Cite as: Cookie Fines. Intesa Sanpaolo S.p.A. - Italy (2024). Retrieved from cookiefines.eu