Intesa Sanpaolo S.p.A – €100,000 Fine (Italy, 2022)

€100,000 | Garante per la protezione dei dati personali | 26 May 2022 | Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Intesa Sanpaolo S.p.A. was fined EUR 100,000 for wrongly sharing a customer's bank data with her father after she became an adult. This case is important because it shows that companies must respect privacy rights and ensure data is only shared with authorized individuals.

What happened

Intesa Sanpaolo S.p.A. unlawfully disclosed a customer's bank data to her father after she reached adulthood.

Who was affected

A bank customer whose personal financial data was shared with her father without her consent.

What the authority found

The Italian DPA ruled that Intesa Sanpaolo S.p.A. violated GDPR by sharing personal data without a valid legal basis.

Why this matters

This ruling highlights the importance of verifying data access permissions and respecting individuals' privacy rights. Companies should regularly update and review access controls to prevent unauthorized data sharing.

GDPR Articles Cited

Art. 6 GDPR
Art. 5(1)(a) GDPR

Full Legal Summary

The Italian DPA has imposed a fine of EUR 100,000 on Intesa Sanpaolo S.p.A. The bank had unlawfully disclosed the data subject's data to an unauthorized third party (the data subject's father). The father, a former employee of the bank, had been authorized to access his daughter's bank data until she reached the age of majority. However, he demanded access to her data after she had already reached the age of majority. An employee of the bank suspected that the father still had authorization and for this reason passed on the daughter's data.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Intesa Sanpaolo S.p.A in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

26 May 2022

Authority

Garante per la protezione dei dati personali

Fine Amount

€100,000

Enforcement Tracker ID

ETid-1258

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Intesa Sanpaolo S.p.A - Italy (2022). Retrieved from cookiefines.eu
