Italy's data protection authority, the Garante per la Protezione dei Dati Personali, today issued a fine of 17,628,000 euros against Intesa Sanpaolo S.p.A. for unlawfully processing the personal data of approximately 2.4 million customers during a large-scale corporate restructuring. The penalty, adopted on 12 March 2026 under Order No. 163, stems from the bank's transfer of customer accounts to its wholly owned digital subsidiary Isybank S.p.A. - a move the authority found had been preceded by unlawful profiling, inadequate transparency, and a flawed legal basis for processing.
The case is one of the largest GDPR enforcement actions issued by the Garante against an Italian financial institution, and it raises pointed questions about whether internal corporate data operations - transfers between parent companies and subsidiaries, restructurings, migrations - are subject to the same consent and transparency obligations as external disclosures.
The Isybank transfer: what happened
Intesa Sanpaolo, one of Italy's largest banks, decided to launch Isybank as a standalone digital bank without physical branches. The project, described internally as a strategic structural initiative, involved transferring customer relationships to Isybank under Article 58 of Italy's Consolidated Banking Law (Testo Unico Bancario, or TUB). That provision allows banks to transfer business units - including their associated customer contracts - without obtaining individual consent from each customer. In other words, customers could be moved to a new bank without being asked first.
According to the Garante's order, the operation unfolded in two phases. In the first, approximately 275,000 customers were transferred to Isybank on 16 October 2023. In the second, roughly 2.1 million additional customers were scheduled for transfer on 18 March 2024. The combined scope of the operation touched around 2.4 million individuals, all classified by the bank as "prevalentemente digitali" - predominantly digital customers.
To determine which customers fell into that category, Intesa Sanpaolo applied a set of selection criteria. According to the Garante's findings, customers were included if they met all of the following conditions: age not exceeding 65 years; exclusive or near-exclusive use of digital banking channels for dispositive transactions over the preceding twelve months, with no more than ten branch-based transactions during that period; absence of investment or protection products in their portfolio (with the exception of certain payment protection and fire insurance policies); financial holdings below 100,000 euros; and absence of specific legal or personal constraints such as seizure orders, minority, or interdiction.
Why the Garante called it profiling
Intesa Sanpaolo argued throughout the investigation that this selection process did not constitute profiling within the meaning of Article 4(4) of the GDPR. The bank maintained that it had merely performed database extractions based on objective, predefined criteria, without any automated evaluation of individual personal characteristics and without any marketing intention. It also argued that the process involved significant human oversight, with multiple working groups reviewing and refining the selection criteria over time.
The Garante rejected that argument. According to the order, profiling under the GDPR does not require a marketing purpose - the regulation defines it as any form of automated processing of personal data used to evaluate certain personal aspects of an individual, in particular to analyse or predict aspects relating to that person's behaviour, preferences, economic situation, or location. The authority found that the bank's selection process met that definition: it used automated systems to extract, filter, and identify individual customers based on personal characteristics including age, financial status, digital behaviour over a defined time window, and the composition of their product portfolios. That activity, in the Garante's view, constituted a distinct processing operation that needed its own legal basis under Article 6 of the GDPR - separate from the legal basis applicable to the data transfer itself.
This distinction is technically important. The Garante acknowledged that the data transfer from Intesa Sanpaolo to Isybank - once the selection was complete - could be grounded in legitimate interest under Article 6(1)(f) of the GDPR, consistent with a prior Garante guidance note from October 2007 concerning the communication of customer data in banking business unit transfers under Article 58 TUB. But that prior guidance, the authority clarified, applied only to the act of data communication, not to any upstream profiling activity that preceded it. In the cases addressed by the 2007 guidance, customers had simply been part of a branch or business unit being sold as a block - no individual assessment of their personal characteristics had taken place. The Isybank case was different. Here, the bank had actively evaluated individual customer attributes to decide who would be transferred, and that evaluation required its own legal justification.
The legitimate interest test failed
The bank argued that even if the selection process qualified as profiling, legitimate interest under Article 6(1)(f) remained an available legal basis - and that its Legitimate Interest Assessment (LIA) demonstrated the necessary balancing of interests. The Garante was unconvinced.
According to the order, the bank's balancing test contained only a tautological statement to the effect that the processing was necessary for the success of the operation and did not appear to have negative effects on customers because it was also in their interest. The Garante found this formulation apodictic - a bare assertion unsupported by substantive analysis. Crucially, the bank's LIA had not been conducted specifically in relation to the profiling activity itself. Intesa Sanpaolo had treated the profiling and the data transfer as a single, undivided operation, and had therefore never performed the required balancing test for the profiling step in isolation.
The authority also pointed to the CJEU's July 2023 judgment in Case C-252/21 (Meta Platforms Inc. v. Bundeskartellamt), which confirmed that the legitimate interest condition requires three cumulative elements: a legitimate interest, necessity of processing, and that the data subject's interests do not override the controller's. Applying paragraph 116 of that judgment, the Garante assessed the reasonable expectations of affected customers and found those expectations had plainly not been met. Evidence came from the volume of complaints - five direct complaints and three reports, plus a submission from the Unione Nazionale Consumatori representing hundreds of customers - and from the outcome of a subsequent contact campaign.
That campaign, carried out under orders from Italy's competition authority (AGCM), offered customers in the second transfer group the option to consent explicitly before being moved to Isybank. Only 76,000 of the approximately 2.1 million customers in that group provided such consent. The remaining customers - overwhelmingly - did not. According to the Garante, this outcome was direct evidence that the bank's assumption about reasonable customer expectations was wrong.
The practical consequences of the transfer also weighed on the authority's analysis. According to the order, being moved to Isybank involved significant changes: customers could only interact with the new bank through a smartphone app, as Isybank has no physical branches; during the initial service period, the bank's website was not accessible via desktop browser; customers received a new IBAN, requiring them to notify payees and counterparties; and certain features available at Intesa Sanpaolo - including virtual cards for online purchases and chequebook functionality - were absent at Isybank. These were not cosmetic differences. They materially altered the terms on which customers had signed up for banking services.
Transparency failures
Beyond the legal basis issue, the Garante found that Intesa Sanpaolo's information notices to customers breached Articles 5(1)(a) and 14 of the GDPR. The notices disclosed profiling only in the context of direct and indirect marketing, without any reference to the profiling conducted for purposes of the corporate transfer. Customers were not told about the logic used to select them, its significance, or the foreseeable consequences of that processing - information required under Article 14(2)(g) of the GDPR.
Delivery of the notices compounded the problem. According to the Garante's findings, the communications were placed in the archive section of the Intesa Sanpaolo app or internet banking area without push notifications or SMS alerts, and were sent beginning on 28 June 2023 - during a period largely coinciding with the Italian summer holiday season, when user attention tends to be lower. Customers were given a deadline to express disagreement; those who did not respond were treated as having accepted the transfer through a form of implied consent or "silenzio-assenso." Many customers who later complained to the Garante stated they had not noticed the communication in time to act on it, mixed as it was among everyday banking notifications.
The EDPB's Guidelines 1/2024 on Article 6(1)(f) GDPR, adopted on 8 October 2024, further reinforced the position that legitimate interest cannot be invoked automatically or instrumentally - it requires proportionate measures and rigorous documentation. Those guidelines post-date the Isybank transfer, but the Garante cited them to confirm the interpretive framework it applied.
The fine and mitigating factors
The exact penalty stands at 17,628,000 euros. The violations found were: Article 5(1)(a) of the GDPR (principles of lawfulness, fairness, and transparency), Article 6(1) (legal basis for processing), and Article 14 (information to be provided to data subjects). The Garante assessed the violations as serious rather than minor.
Several mitigating factors were taken into account. The bank's conduct was found to be negligent rather than intentional. Intesa Sanpaolo cooperated with the authority throughout the investigation. Remedial measures had also been implemented in parallel with the separate AGCM proceedings. The AGCM had opened its own investigation on 31 October 2023, issued a precautionary order on 28 November 2023, and closed the case on 4 June 2024 without a finding of infringement after the banks adopted compliance commitments - including the requirement to obtain explicit consent from customers in the second transfer group.
According to the Garante's press release, Intesa Sanpaolo may close the case by paying half the fine within 30 days. The order also notes that a legal challenge is pending: the bank has filed an opposition (giudizio di opposizione), which means the ancillary publication sanction - requiring publication of the order - is currently suspended.
Why this matters for the marketing and data industry
The Isybank case illustrates a principle that carries direct relevance for data-driven marketing operations: segmentation and audience selection are themselves processing activities under the GDPR, regardless of whether the end use is commercial, operational, or structural.
Marketing teams and data engineers routinely build audience segments using combinations of behavioural, demographic, and transactional signals. In most cases, this is understood to require a legal basis - typically consent or legitimate interest. The Isybank ruling makes clear that this requirement does not disappear simply because the segmentation serves a non-advertising purpose. A bank selecting customers for migration to a digital subsidiary, an insurer sorting policyholders for a portfolio transfer, a retailer identifying customer subsets for a platform integration - all of these activities could, depending on the methods used, constitute profiling under Article 4(4) of the GDPR, and all would require a documented legal basis separate from whatever underpins the downstream data transfer.
The EDPB's case digest on legitimate interest published in early 2026 found that controllers systematically underestimate what the balancing test requires - treating legitimate interest as a flexible fallback rather than a carefully documented legal basis. The Garante's findings in this case are consistent with that pattern. Intesa Sanpaolo's LIA addressed the data transfer but not the profiling step. The authority found that gap dispositive.
The case also reinforces that transparency obligations extend to the method and timing of disclosure, not only its content. Burying a material notice in an app archive during the summer holiday period, without push notification or SMS, and then treating non-response as consent, is unlikely to satisfy the GDPR's transparency requirements - regardless of the technical accuracy of the underlying notice. GDPR enforcement data across European authorities shows that fines remain statistically rare, but when they do occur, they reflect the scale of harm and the number of individuals affected.
For advertising technology professionals, the ruling adds to an increasingly detailed picture of how European regulators treat data selection and segmentation. Earlier enforcement against Intesa Sanpaolo related to internal data access resulted in a separate 31.8 million euro fine from the Garante in March 2026, covering a different set of violations related to an employee's unauthorised access to 3,573 customer records. Together, the two decisions place Intesa Sanpaolo at the centre of two of the largest Italian data protection enforcement actions in recent memory.
France's upheld Criteo fine and Italy's Apple fine demonstrate that regulators across the EU are applying consistent pressure on the legal architecture of data processing - particularly around the question of what constitutes a valid legal basis and whether it has been properly documented before processing begins.
Timeline
- 28 June 2023: Intesa Sanpaolo begins sending customer notices regarding the Isybank transfer via the archive section of its app and internet banking platform, without push notifications or SMS alerts.
- 16 October 2023: First transfer of approximately 275,000 customers from Intesa Sanpaolo to Isybank (first business unit tranche).
- 31 October 2023: AGCM opens investigation into potential unfair commercial practices related to the Isybank operation.
- 28 November 2023: AGCM issues precautionary order prescribing compliance measures.
- 16 November 2023 - 23 July 2024: Garante sends four separate information requests to Intesa Sanpaolo as part of its investigation, with the bank responding between December 2023 and September 2024.
- 18 March 2024: Second transfer of approximately 2.1 million customers to Isybank (second business unit tranche).
- 4 June 2024: AGCM closes its investigation without finding an infringement, rendering the banks' compliance commitments legally binding.
- 8 October 2024: EDPB adopts Guidelines 1/2024 on Article 6(1)(f) GDPR, cited by the Garante in its legal analysis.
- 3 January 2025: Garante formally notifies Intesa Sanpaolo of the start of enforcement proceedings under Article 166(5) of Italy's data protection code.
- 3 March 2025: Intesa Sanpaolo submits its defence memorandum, arguing that the selection process did not constitute profiling and that legitimate interest was a valid legal basis.
- 12 March 2026: Garante adopts Order No. 163 (doc. web n. 10230412), imposing a fine of 17,628,000 euros.
Summary
Who: Italy's Garante per la Protezione dei Dati Personali fined Intesa Sanpaolo S.p.A., one of Italy's largest banks. The order was signed by President Pasquale Stanzione.
What: A fine of 17,628,000 euros for unlawfully profiling approximately 2.4 million customers without a valid legal basis, failing to provide adequate transparency notices, and breaching GDPR Articles 5(1)(a), 6(1), and 14. The profiling was used to identify which customers would be transferred to Isybank, the bank's wholly owned digital subsidiary.
When: The Garante adopted the order on 12 March 2026. The underlying customer transfers took place on 16 October 2023 and 18 March 2024.
Where: The processing and customer communications took place in Italy. The Garante is headquartered in Rome. Intesa Sanpaolo is headquartered in Turin.
Why: The Garante found that the bank's selection of customers for transfer to Isybank constituted profiling under Article 4(4) of the GDPR - an automated evaluation of personal characteristics including age, digital behaviour, financial holdings, and product portfolio. That profiling was a distinct processing operation requiring its own legal basis. The bank's reliance on legitimate interest failed because the balancing test was inadequate, customer expectations had not been properly considered, and the delivery of information notices was insufficient to meet GDPR transparency requirements.