Italy’s Privacy Watchdog Hits Intesa Sanpaolo With €17.6 Million Fine Over Mass Customer Profiling and Forced Digital Bank Switch

The Italian Data Protection Authority (Garante per la protezione dei dati personali) doesn’t hand out €17.6 million fines lightly. On March 12, 2026, it did exactly that to Intesa Sanpaolo, Italy’s largest banking group, for what the regulator called unlawful processing of personal data involving roughly 2.4 million customers. The case centers on the 2024 migration of retail accounts to Isybank, the bank’s fully digital subsidiary, and the profiling that decided who got moved — and who didn’t.

This isn’t a minor slip-up. It’s a textbook example of how even sophisticated financial institutions can run afoul of GDPR when they treat large-scale customer data as a tool for corporate restructuring without proper safeguards, transparency, or legal grounding.

How the Profiling Operation Unfolded — and Why It Crossed the Line

To decide which customers to shift from traditional Intesa Sanpaolo accounts to Isybank, the bank ran an automated selection process that looked a lot like profiling under Article 4(4) GDPR. Customers were filtered on criteria including:

  • Age 65 or younger
  • Regular use of digital banking channels in the previous 12 months
  • No active investment products
  • Financial assets below a defined threshold

The result: selected customers were notified of a unilateral transfer of their banking relationship to a new controller (Isybank), complete with a new IBAN, mandatory app-only access, no physical branches, and altered contractual terms. For many, this meant re-notifying employers, utilities, and payment providers of the new account details — a significant practical burden.

The Garante ruled that this profiling lacked a valid legal basis under Article 6 GDPR. Legitimate interests (Article 6(1)(f)) were not properly balanced against the impact on data subjects. Consent was never sought. Contract necessity (Article 6(1)(b)) didn’t hold because the migration wasn’t essential to the original account agreement. The bank’s internal corporate reorganization couldn’t justify overriding core GDPR principles.

Core violation: Processing personal data to profile and unilaterally reassign customers to a different legal entity, changing the nature of their banking service, without an adequate legal basis and without meaningful choice.

Transparency Failures Made It Worse

Even if the profiling had been lawful — which it wasn’t — the way customers were informed sealed the violation. Notifications were mostly buried in the app’s archive section during the summer holiday period. Push notifications or SMS were largely absent. The messages downplayed the “extraordinary” nature of the change and failed to make clear that customers could object or that the shift would materially alter their banking experience.

GDPR Article 12 requires information to be provided in a concise, transparent, intelligible, and easily accessible form. Articles 13 and 14 demand clear details on processing purposes and data subject rights. The Garante found Intesa Sanpaolo fell short on both counts: customers could not reasonably have anticipated or understood the operation based on what they received.

“The processing… is unlawful also because the data subject could not reasonably expect it in the context and given the information provided.” — Garante per la protezione dei dati personali, Provvedimento del 12 marzo 2026 (Doc-Web n. 10230273)

The Fine: How the Garante Arrived at €17,628,000

Under GDPR Article 83, fines must be effective, proportionate, and dissuasive. The Garante weighed several aggravating factors:

  • Very large number of affected data subjects (≈2.4 million)
  • Seriousness of the infringements (unlawful profiling + inadequate transparency)
  • Negligent (rather than intentional) character of the violations
  • High economic value of the processing (core to a major corporate restructuring)
  • Significant impact on individuals’ financial autonomy and daily banking

Mitigating factors included Intesa Sanpaolo’s cooperation during the investigation and steps taken to remediate (e.g., allowing some customers to reverse the migration). Still, the final amount — €17,628,000 — ranks among the higher GDPR fines issued in Europe for non-malicious but systemic compliance failures in the financial sector.

What This Means for Banks and Fintechs

This decision sends a clear signal across the EU: large-scale automated customer segmentation for business-model changes is not automatically covered by legitimate interests. When it involves reassigning data to a new controller and altering service delivery (branchless, app-only), the bar for legal basis, impact assessment, and transparency is extremely high.

Key lessons for compliance teams:

  1. Profile with caution. Any systematic evaluation of personal aspects to support automated decisions — even internal ones — can trigger Article 22 and requires an explicit legal basis together with appropriate safeguards.
  2. Legitimate interests isn’t a catch-all. Conduct and document a proper LIA (legitimate interests assessment) that covers necessity, the balancing test, and the data subjects’ reasonable expectations. Corporate convenience rarely wins.
  3. Notify meaningfully. Summer app-archive messages don’t cut it for high-impact changes. Use layered, multi-channel communications (push, email, SMS) with opt-out clarity and easy objection mechanisms.
  4. Map controller changes. Transferring relationships to a subsidiary isn’t just an internal shuffle if it creates a new data controller. GDPR Article 26 joint-controller rules or full controller-to-controller transfer obligations may apply.
  5. DPIA early and often. High-risk processing like mass profiling for migration demands a data protection impact assessment before launch — not after complaints roll in.

The Broader Enforcement Trend

Italy’s Garante has been among the most active DPAs in Europe on financial-sector enforcement. This fine follows other high-profile actions against banks for unlawful credit-scoring, inadequate security, and misleading consent practices. With the EDPB pushing harmonized approaches to legitimate interests and profiling, expect similar scrutiny in other member states — especially where digital-only banking migrations are accelerating.

AI and Automated Decision-Making

The profiling here relied on rule-based criteria, but the logic is the same for machine-learning models used in customer segmentation or churn prediction. As banks increasingly feed behavioral data into AI for similar decisions, regulators will ask the same questions: What’s the lawful basis? Was impact assessed? Were people meaningfully informed?
