Italy's Garante last month announced a €31.8 million fine against Intesa Sanpaolo S.p.A. after a single bank employee accessed the private financial records of 3,573 customers over more than two years without justification.
The penalty, formally adopted on March 26, 2026 and announced on March 30, 2026, is one of the largest data protection sanctions issued by an Italian authority against a domestic financial institution. It arrives at a moment of heightened European regulatory scrutiny of how organisations manage internal access to personal data - a category of risk that, unlike external cyberattacks, originates inside the organisation itself.
The breach: scope and duration
According to the Garante's press release, an employee assigned to the Agribusiness branch in Barletta, in southern Italy, carried out more than 6,600 queries into the banking data of customers between February 21, 2022, and April 24, 2024. The bank's own internal audit report, cited in the formal enforcement decision, put the figure at 6,637 accesses across 460 working days, covering 3,572 customers not linked to the employee's own branch - plus the employee's own mother, bringing the total to 3,573 named individuals.
The data accessed was not trivial. According to the formal decision, the employee queried multiple internal systems: NJ00, which pulls up a customer profile including personal identity data; IY11, an internal account statement tool; ZAFI, which covers payment card movements; and DAPY, which covers investment and financial assets. In a number of cases, the queries went beyond basic identification to include transactional detail. The Garante's investigation confirmed the breach, noting the employee had no documented professional reason to access the vast majority of these accounts.
Among those affected were 34 national politicians from parties across the political spectrum, including figures from both centre-right and centre-left groupings. Also affected were 43 nationally prominent figures from entertainment, sport and media; 73 Intesa Sanpaolo employees and senior managers; and approximately 2,450 individuals from Bari and surrounding areas linked to the employee's personal and professional sphere. The Garante noted that Intesa Sanpaolo acts as treasury and cash management service provider for members of parliament and senior institutional figures, a role that makes the exposure of such individuals particularly significant.
What the bank's systems failed to catch
The employee's conduct was not flagged by the bank's automated alert systems for most of the period in question. According to the enforcement decision, the bank first detected anomalous activity by this individual on October 9, 2023 - more than 19 months after the earliest documented access on February 21, 2022. The trigger was a single alert related to credit card queries under the bank's compliance framework established by the Garante's own Provvedimento 192 of May 12, 2011, which requires banks to log and monitor employee access to customer data.
The Garante found this insufficient. According to the decision, the bank's alert architecture relied primarily on quantitative thresholds - the number of queries within defined time windows - rather than on contextual checks assessing whether an employee had any legitimate operational reason to access a given account. The employee's role as an Agribusiness manager formally permitted circular queries across the entire customer base, a design choice the authority described as inherently high-risk without compensating controls.
"The operational model used, which allowed operators to query the entire customer base in full circularity, was not in fact adequately balanced by controls designed to prevent and identify unauthorized access," according to the Garante.
The authority found the bank should have implemented pre-authorisation mechanisms requiring supervisor approval before accessing out-of-portfolio accounts, dynamic access limitations based on role and context, automatic coherence checks between the employee's role and the type of data being queried, and tiered alert thresholds calibrated to the public or political exposure of the customer being searched. For politically exposed persons and high-profile institutional clients - a category the bank's own documentation used - the absence of reinforced controls was viewed as a direct failure of risk-based data protection design.
The decision went further still. For customers identified as politically or publicly exposed, a risk-based approach under the GDPR would have required dedicated and more stringent controls, lower alarm thresholds, and more frequent monitoring windows. The bank, according to the Garante, should also have designed automatic escalation mechanisms that would immediately alert a supervisor and trigger review by compliance, privacy and security functions whenever access fell outside the scope of normal operations - particularly for these higher-profile clients.
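The contrast the Garante draws above, between alerting on raw query counts and alerting on whether an employee had any portfolio link to the customer, is easiest to see by replaying the same access log through both models. The following is an added example written for this page, not code from the decision or from the bank: the log format, the mapping of the four named tools to an "identity" or "transactional" tier, the thresholds, and the employee, branch and customer identifiers are all constructed assumptions. It shows a slow drip of out-of-portfolio lookups that never trips a daily count limit but is caught by portfolio-link, data-tier and exposed-customer checks, with a justification hook standing in for the supervisor pre-authorisation the authority expected.

```python
"""
Replay a constructed employee-access log through two alerting models:
  1. a quantitative model (alert when an employee's daily query count exceeds a limit)
  2. a contextual model (alert on out-of-portfolio access with no recorded justification,
     escalating immediately for transactional data and for exposed customers)
All log lines, identifiers and thresholds here are made up for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# The four tools named in the decision; assigning them to tiers is an assumption.
SYSTEM_TIER = {"NJ00": "identity", "IY11": "transactional",
               "ZAFI": "transactional", "DAPY": "transactional"}


@dataclass(frozen=True)
class Access:
    day: str          # YYYY-MM-DD
    employee: str
    emp_branch: str   # branch the employee belongs to
    customer: str
    cust_branch: str  # branch holding the customer relationship
    system: str       # which internal tool was queried


def parse_log(lines):
    """Parse constructed 'day,employee,emp_branch,customer,cust_branch,system' records."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, emp, eb, cust, cb, sys_ = [f.strip() for f in line.split(",")]
        if sys_ not in SYSTEM_TIER:
            raise ValueError(f"unknown system {sys_!r}")
        out.append(Access(day, emp, eb, cust, cb, sys_))
    return out


def threshold_alerts(accesses, max_per_day=50):
    """Quantitative model: one alert per (employee, day) whose query count exceeds the limit."""
    counts = Counter((a.employee, a.day) for a in accesses)
    return sorted(key for key, n in counts.items() if n > max_per_day)


def contextual_alerts(accesses, justified=frozenset(), pep_customers=frozenset(),
                      max_lookups_per_day=5):
    """
    Contextual model. An access is out-of-portfolio when the customer sits in another
    branch and no justification (e.g. a supervisor-approved case) is recorded for
    (employee, customer). Out-of-portfolio access to a politically exposed customer or
    to a transactional tool escalates at once; identity-only lookups are allowed a small
    daily number before a volume alert fires. Returns (employee, day, reason) tuples.
    """
    alerts, lookups, volume_flagged = [], Counter(), set()
    for a in accesses:
        if a.cust_branch == a.emp_branch or (a.employee, a.customer) in justified:
            continue
        key = (a.employee, a.day)
        if a.customer in pep_customers:
            alerts.append(key + (f"pep-access:{a.customer}:{a.system}",))
        elif SYSTEM_TIER[a.system] == "transactional":
            alerts.append(key + (f"transactional-out-of-portfolio:{a.customer}:{a.system}",))
        else:
            lookups[key] += 1
            if lookups[key] > max_lookups_per_day and key not in volume_flagged:
                volume_flagged.add(key)
                alerts.append(key + ("out-of-portfolio-volume",))
    return alerts


def build_sample_log():
    """Constructed sample: E1 (branch BARLETTA) makes 14 out-of-portfolio queries a day
    for ten days (13 identity lookups plus one card-movement query), touches one exposed
    customer once, while E2 has a legitimate 60-query day inside its own portfolio."""
    lines = ["# day,employee,emp_branch,customer,cust_branch,system"]
    for d in range(1, 11):
        day = f"2022-03-{d:02d}"
        for i in range(14):
            lines.append(f"{day},E1,BARLETTA,C{d:02d}{i:02d},BARI,{'ZAFI' if i == 13 else 'NJ00'}")
    lines.append("2022-03-05,E1,BARLETTA,PEP-01,ROMA,DAPY")
    for i in range(60):
        lines.append(f"2022-03-07,E2,BARI,C{i:04d},BARI,IY11")
    return lines


if __name__ == "__main__":
    accesses = parse_log(build_sample_log())
    print("threshold model:", threshold_alerts(accesses))      # flags only E2's busy day
    for alert in contextual_alerts(accesses, pep_customers={"PEP-01"}):
        print("contextual model:", alert)                        # 21 alerts, all for E1
```

Run as a script, the threshold model raises a single alert, and it is against E2, the employee working inside its own portfolio; E1's pattern of 14 queries a day stays invisible to it for the whole period. The contextual model flags E1 on every day: a volume alert once the identity-only lookups pass the daily allowance, an immediate alert for each out-of-portfolio card-movement query, and a separate alert for the exposed customer. Recording a justification for an (employee, customer) pair suppresses that pair's alerts, which is the hook a pre-authorisation workflow would populate.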
A notification that obscured the true scale
Intesa Sanpaolo submitted its initial data breach notification to the Garante on July 17, 2024. According to the enforcement decision, that notification described the event as involving just 9 customers, assessed the risk as medium, and was marked by the bank as "complete." The full scale of the breach only became public in early October 2024, when Italian press reports cited internal audit figures indicating the actual number of affected customers was closer to 3,500. It was those press reports - not any supplementary communication from the bank - that prompted the Garante to open a formal inquiry.
On October 10, 2024, the authority sent a formal information request to the bank. The bank replied on October 17, 2024, acknowledging that the figure of 3,572 matched an internal audit report already prepared by May 21, 2024 - five months before the press coverage. The bank had supplemented its original notification on August 30, 2024, but the additional information remained partial.
According to the decision, the Garante found the notification seriously incomplete and filed with unjustified delay relative to when the bank had substantive knowledge of the breach's real scope. This constituted a violation of Article 33 of the GDPR, which requires controllers to notify supervisory authorities without undue delay and, where possible, within 72 hours of becoming aware of a personal data breach.
The authority also found a violation of accountability principles under Articles 5(2) and 24 of the GDPR. The bank applied a risk "override" that reclassified the event from its initial severity score downward, citing the absence of evidence that data had been exfiltrated beyond the bank's systems. According to the decision, this reasoning was inconsistent with the ENISA methodology the bank claimed to apply, which requires risk assessment to focus on consequences for individuals rather than on the internal cause of the incident. The presence of politically exposed persons among those affected was, in the authority's view, fundamentally incompatible with a downgraded risk classification.
Notification to affected customers: delayed and incomplete
The bank initially declined to notify affected customers individually under Article 34 of the GDPR, judging the risk insufficient to trigger that obligation. On November 2, 2024, the Garante issued enforcement order n. 659, instructing the bank to communicate the breach individually to all customers whose data had been accessed without clear operational justification, within 20 days of receiving the order.
The bank's subsequent compliance was detailed in its December 5, 2024, submission to the Garante. According to that submission, confirmed in the March 2026 final decision, Intesa Sanpaolo identified three broad clusters among the affected customers. First, 1,648 customers were notified because no justification for the access could be established. Second, 597 customers - whose accounts had been accessed at a level including balances, movements and payment cards - were prioritised as higher-risk and contacted through branch staff before the wider notification began. Third, 1,328 customers had initially been excluded from notification on the grounds that only basic identity data (name, date of birth, tax code) had been viewed; the Garante rejected this reasoning and required the bank to contact this group as well.
Communication to 1,645 affected customers was delivered through a combination of channels. A total of 1,144 received notification via the bank's online banking and mobile app platforms, visible from November 21, 2024; 385 received it by registered post; and 116 received it through both methods. A pop-up banner was activated from November 27 in the app and internet banking interface, persisting until the customer acknowledged the message by clicking "I understand." The bank also notified 1,272 additional customers from the previously excluded group by December 19, 2024, using similar channel combinations. Two customers holding senior state positions were notified directly by the bank's senior leadership.
Remediation: the Programma Nemo
During the investigation, Intesa Sanpaolo launched what it called the Programma Nemo, an internal data protection remediation programme. According to the decision, this included the introduction of pop-up prompts for branch staff accessing data for clients outside their portfolio, effective from November 4, 2024; a pre-authorisation workflow requiring digital sign-off from a branch director for out-of-portfolio access without customer presence, effective from November 18, 2024; a dedicated task force to analyse alert outputs from October 28 and support authorisation decisions; a list of "sensitive clients" (SEC) with reinforced ringfencing - starting with 18 individuals on October 21 and expanding to 623 by November 19, 2024; and a data masking system for high-level summary views.
The authority acknowledged these measures and took them into account as mitigating factors. However, it found they were reactive rather than preventive - implemented only after the breach and the Garante's intervention, not as part of a proactive risk-based design consistent with the accountability principle.
The fine and its calculation
The formal sanction, adopted on March 26, 2026 as Provvedimento n. 208 (doc. web n. 10234984), set the penalty at €31,800,000. According to the decision, the Garante applied Article 83(3) of the GDPR, which caps the total fine at the maximum applicable for the most serious single violation when multiple provisions have been breached within the same or related processing operations. The authority found violations of Articles 5(1)(f) and 5(2), 24, 32, 33, and 34 of the GDPR.
In determining the amount, the authority cited several aggravating factors: the seriousness and two-year duration of the violations; the roughly 3,500 customers affected; the presence of politically exposed persons and public figures among the victims; the inadequacy of the bank's pre-breach controls given its business model; the incomplete and delayed nature of the breach notification; and the existence of three prior enforcement actions against the bank for related matters - Provvedimenti n. 270 of May 27, 2021; n. 272 of July 28, 2022; and n. 202 of May 26, 2022. The authority noted these prior actions should have prompted systemic review of internal access protocols.
Mitigating factors included the bank's cooperation after formal proceedings opened, the non-sensitive nature of the personal data categories involved under GDPR's Article 9 definitions (financial data is not classed as special category data), and the corrective measures taken through the Programma Nemo. The bank has 30 days from notification to pay. Under Article 166(8) of Italy's data protection code, it may settle for half the amount - €15.9 million - within the appeal window.
Why this matters for the data and marketing industry
The Intesa Sanpaolo case is notable precisely because it does not involve an external cyberattack, a rogue vendor, or a technical misconfiguration. It involves an employee using a system operating exactly as designed. The bank's circular-access model - which allowed any Agribusiness manager to query any customer account across the entire portfolio - was a deliberate operational choice. The Garante did not rule that choice unlawful in itself. What it ruled was that the choice created a heightened risk that required commensurate controls, and that those controls were not in place.
This framing has direct relevance for any organisation operating large customer data systems where employees have broad functional access. The principle of accountability under GDPR Articles 5(2) and 24 requires controllers not only to implement appropriate measures but to demonstrate that those measures are proportionate to the risk their own architecture creates. As GDPR enforcement data across European authorities shows, only 1.3% of GDPR cases between 2018 and 2023 resulted in monetary penalties - but when fines are imposed in high-profile breach cases, they tend to reflect the scale and duration of harm rather than the sophistication of the attack.
The notification failures add a second layer of concern. The initial July 2024 filing described 9 affected individuals. The real number, known internally from at least May 2024, was 3,572. The regulator obtained the accurate figure from press coverage, not from the bank. As GDPR procedural reform debates continue at the European level, the Intesa Sanpaolo case illustrates the practical consequences of incomplete breach reporting - the authority was deprived of months during which it could have acted to protect affected individuals.
For advertisers, data platforms and marketing technology vendors that hold large first-party data sets or operate audience data systems with broad internal access, the case reinforces that data security compliance is not satisfied by having logging in place. The adequacy of alert thresholds, the logic of access control design, and the responsiveness of escalation processes are all subject to scrutiny - particularly when, as here, the same authority had previously issued binding instructions on internal access monitoring.
Italian regulators more broadly have shown willingness to impose significant fines across sectors. The Italian Competition Authority fined Apple €98.6 million for asymmetric consent design in its App Tracking Transparency framework, as covered by PPC Land. The broader European enforcement landscape - which has seen France uphold Criteo's €40 million fine and French regulators fine Optimove €1 million for processor failures - signals that data controllers face genuine exposure when their governance architecture does not match the risks their systems create.
Timeline
- February 21, 2022: First documented unauthorised access by the Intesa Sanpaolo employee to customer data outside his legitimate portfolio.
- May 21, 2024: Internal Intesa Sanpaolo audit report documents 3,572 affected customers and 6,637 accesses across 460 working days.
- July 17, 2024: Intesa Sanpaolo submits data breach notification to the Garante under Article 33 GDPR, citing 9 affected individuals and marking the notification as "complete."
- August 7, 2024: The employee is dismissed for cause following a disciplinary procedure.
- August 30, 2024: Intesa Sanpaolo submits supplementary breach notification to the Garante, still partial.
- October 9-10, 2024: Italian press reports the true scale of the breach; on October 10 the Garante sends a formal information request to the bank.
- October 17, 2024: The bank confirms to the Garante that the breach affected approximately 3,572 customers, not 9.
- November 2, 2024: The Garante issues Provvedimento n. 659 (doc. web n. 10070521), ordering individual customer notification within 20 days.
- November 21, 2024: First wave of customer notifications visible via the bank's online and mobile banking platforms (ROL).
- November 27, 2024: Pop-up alert activated in app and internet banking to direct customers to the breach notification.
- December 5, 2024: Bank submits compliance report to the Garante detailing 1,645 customers notified in the first phase.
- December 19, 2024: Second wave of notifications sent to 1,272 previously excluded customers.
- January 14, 2025: Garante sends further information request regarding app-based notification procedures.
- May 27, 2025: Garante formally notifies the bank of proceedings under Article 166(5) of Italy's data protection code, citing suspected violations of Articles 5, 24, 32, 33 and 34 of the GDPR.
- July 10, 2025: Bank submits formal defence memorandum.
- March 26, 2026: Garante adopts final enforcement decision (Provvedimento n. 208, doc. web n. 10234984) and imposes €31.8 million fine.
- March 30, 2026: Garante publishes press release announcing the sanction.
Related PPC Land coverage:
- GDPR enforcement data shows low fine rates across European authorities - January 2025
- France's top court upholds Criteo's €40M GDPR fine - March 2026
- French regulator fines Optimove €1M for processor violations - December 2025
- Italy fines Apple €98.6 million for ATT consent design - December 2025
- EU's attempt to fix GDPR enforcement backfires spectacularly - April 2025
- McDonald's Poland faces record €3.89 million GDPR fine - July 2025
Summary
Who: Italy's data protection authority, the Garante per la Protezione dei Dati Personali, sanctioned Intesa Sanpaolo S.p.A., one of Italy's largest banks.
What: A €31.8 million administrative fine for violations of the GDPR's integrity and confidentiality principle, accountability requirements, data breach notification obligations, and failure to promptly notify affected customers. The underlying incident was the unauthorised access by a single employee to the banking data of 3,573 customers over more than two years, with 6,637 documented queries covering financial accounts, payment card data and investment information - including accounts belonging to politicians, senior officials and public figures.
When: The unauthorised accesses occurred between February 21, 2022, and April 24, 2024. The Garante adopted its final enforcement decision on March 26, 2026, and published the announcement on March 30, 2026.
Where: The employee operated from the Agribusiness branch in Barletta, Puglia. The bank's customer base - and the individuals affected - was spread across Italy, including parliamentary figures and senior institutional clients.
Why: The Garante found that the bank's circular-access model, which allowed employees to query the entire customer base without systematic pre-authorisation, was not balanced by adequate monitoring and prevention controls. Alert thresholds were set too broadly to detect a pattern of repeated access concentrated on individuals with no portfolio link to the employee. The initial breach notification substantially understated the scale of the event, and customers were not individually informed until the Garante ordered it - nearly four months after the bank had filed its original notification.