
The sanction stems from a prolonged insider incident in which a single bank employee improperly accessed the sensitive banking information of 3,573 customers over more than two years — without any legitimate business reason. The unauthorized consultations totaled over 6,600 between February 21, 2022, and April 24, 2024.
What Happened: A Failure of Internal Controls
According to the Garante’s investigation, which was triggered after Intesa Sanpaolo notified a data breach in July 2024, the bank’s systems allowed staff to query the entire customer database with almost no effective restrictions. This “full circularity” access model was not balanced by adequate monitoring tools capable of detecting or preventing unjustified lookups.
Worryingly, the illicit accesses went completely undetected by internal security mechanisms for over two years. Even more concerning, the snooping included data belonging to “high-risk” customers — such as individuals holding prominent public roles — who should have benefited from strengthened safeguards.
The Authority found that Intesa Sanpaolo violated key GDPR principles, including:
- Integrity and confidentiality of personal data (Article 5(1)(f))
- Accountability, due to the overall inadequacy of technical and organizational security measures
The bank’s operating model essentially trusted employees too much without implementing proper “need-to-know” controls or real-time anomaly detection.
Additional Shortcomings in Breach Notification and Response
The problems didn’t stop at prevention. The Garante also criticized how Intesa Sanpaolo handled the breach itself. The initial notification to the Authority was deemed incomplete and delayed beyond legal deadlines. Communication to the affected customers only occurred after a prior order from the Garante in November 2024, further limiting the regulator’s ability to intervene quickly and protect individuals’ rights.
This combination of weak preventive controls and sluggish response contributed significantly to the size of the fine.
How the Fine Was Calculated
When determining the €31.8 million penalty (roughly $36 million), the Garante took into account several aggravating factors:
- The gravity and long duration of the violations (more than two years)
- The high number of affected individuals (over 3,500)
- The sensitive nature of the banking data involved
- The fact that high-profile customers were exposed
Mitigating elements included the corrective measures the bank implemented afterward, such as strengthening internal controls and security protocols.
What This Means for Banks and Organizations
This case sends a strong message across the financial sector and beyond: having a large customer base and sophisticated IT systems is not enough. Organizations must implement robust, proportionate access controls, effective monitoring, and timely breach response procedures — especially when handling highly sensitive financial and personal data.
For Intesa Sanpaolo, one of Italy’s largest banks with millions of customers, the fine represents a significant reminder that accountability under the GDPR applies even to insider threats, not just external cyberattacks.
Experts note that banks should now review their “need-to-know” policies, enhance role-based access controls (RBAC), deploy better behavioral analytics for detecting anomalous queries, and ensure breach notification processes are fast and transparent.
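As an added illustration of the monitoring the article says was missing (example code, not from the article, the Garante or the bank), the following Python runs three checks over a constructed access log: lookups outside the employee's own branch with no recorded business reason, unticketed access to watch-listed high-risk customers, and per-day lookup volume above a baseline. The CSV layout, the branch and ticket fields, the watch list and the daily limit are all assumptions made for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample access log (CSV). Fields: timestamp, employee, employee branch,
# customer, customer branch, optional ticket id recording the business reason.
SAMPLE_LOG = """\
timestamp,employee,emp_branch,customer,cust_branch,ticket
2024-04-23T09:01:00,E100,MIL01,C555,MIL01,T-41
2024-04-23T09:05:00,E100,MIL01,C556,ROM02,
2024-04-23T09:06:00,E100,MIL01,C557,ROM02,
2024-04-23T09:07:00,E100,MIL01,C558,TOR03,
2024-04-23T09:08:00,E100,MIL01,C901,ROM02,
2024-04-23T10:00:00,E200,ROM02,C556,ROM02,T-42
2024-04-23T10:02:00,E200,ROM02,C901,ROM02,T-43
2024-04-23T11:00:00,E300,TOR03,C558,TOR03,
"""

# Constructed watch list of customers with strengthened safeguards (e.g. public roles).
HIGH_RISK_CUSTOMERS = {"C901"}
DAILY_LOOKUP_LIMIT = 3  # constructed baseline; a real system would derive it per role


def parse_log(text):
    """Parse the CSV access log into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))


def need_to_know_violations(records):
    """Lookups of customers outside the employee's branch with no recorded reason."""
    return [(r["employee"], r["customer"]) for r in records
            if r["cust_branch"] != r["emp_branch"] and not r["ticket"]]


def high_risk_access(records):
    """Any access to a watch-listed customer without a ticket, regardless of branch."""
    return [(r["employee"], r["customer"]) for r in records
            if r["customer"] in HIGH_RISK_CUSTOMERS and not r["ticket"]]


def volume_anomalies(records, limit=DAILY_LOOKUP_LIMIT):
    """Employees whose distinct-customer lookups on a single day exceed the baseline."""
    per_day = defaultdict(set)
    for r in records:
        per_day[(r["employee"], r["timestamp"][:10])].add(r["customer"])
    return {key: len(custs) for key, custs in per_day.items() if len(custs) > limit}
```

In the sample, only E100 trips all three checks; E300's unticketed lookup is inside its own branch and E200's watch-list access carries a ticket, so neither is flagged.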
The decision, published on March 30, 2026, underscores the Garante’s continued focus on real-world data security practices in the banking industry.
This case follows a previous intervention by the Authority in November 2024 and highlights the importance of proactive compliance in an era where data is both a critical asset and a major liability.