Italy

Intesa Sanpaolo S.p.A.

31,800,000 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2026-03-26.

Rank · Sector: #1 of 321 in Finance, Insurance and Consulting
Rank · Italy: #2 of 543
Rank · All fines: #24 of 3,039

Case details

Authority
Italian Data Protection Authority (Garante)
Date
2026-03-26
Controller / Processor
Intesa Sanpaolo S.p.A.
Sector
Finance, Insurance and Consulting
Quoted Articles
Art. 5 (1) f), (2) GDPR, Art. 24 GDPR, Art. 32 GDPR, Art. 34 GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

The Italian DPA has imposed a fine of EUR 31,800,000 on Intesa Sanpaolo S.p.A. The controller suffered a data breach when an employee accessed the banking data of 3,573 data subjects via 6,637 accesses over a period of 35 months. This included, for example, the data of public figures, other employees and relatives. The access was in no way related to the employee's work. After uncovering the breach, the controller notified the DPA, reporting that only nine data subjects had been affected. The controller had also failed to implement adequate technical and organisational measures to prevent such incidents, as there were no internal safeguards preventing employees from accessing data they did not need, and its internal control mechanisms were insufficient.
