Summary
Italy's data protection authority, the Garante per la protezione dei dati personali (Garante), has levied a €36 million fine against Intesa Sanpaolo SpA, Italy's largest bank and one of Europe's leading financial institutions, for what the regulator described as "serious shortcomings in personal data security."
The Garante cited the bank's failure to implement adequate technical and organizational measures to protect customer personal data, a core requirement under the European Union's General Data Protection Regulation (GDPR).
Regulatory Findings
The Italian regulator's investigation found that Intesa Sanpaolo had failed to meet the data security standards required by GDPR Article 32, which mandates that data controllers and processors implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk.
Key findings reportedly included:
- Inadequate access controls — insufficient restrictions on who within the organization could access personal data
- Weak monitoring and logging — failure to detect or respond to unauthorized internal data access in a timely manner
- Organizational failures — lack of proper policies, training, or accountability structures to enforce data protection standards
- Delayed detection — the bank's internal controls did not surface the issues until after significant exposure had occurred
Scale of the Incident
Intesa Sanpaolo is one of the largest banks in the eurozone, serving millions of retail and business customers across Italy and internationally. The scale of the bank's operations means that any systemic data protection failures can have broad implications for a large number of data subjects.
The Garante's decision signals that financial institutions — regardless of size or systemic importance — are not exempt from rigorous GDPR enforcement.
GDPR Context
Under GDPR, supervisory authorities can impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. For a bank the size of Intesa Sanpaolo, a €36 million penalty, while significant in absolute terms, represents a fraction of the maximum possible fine — suggesting regulators calibrated the penalty relative to the findings rather than imposing the ceiling.
The ruling is part of a broader trend of European data protection authorities increasing enforcement activity against large financial institutions that handle sensitive personal and financial data at scale.
Industry Implications
This enforcement action carries several important lessons for financial sector organizations:
- GDPR compliance is non-negotiable — size and systemic importance do not provide immunity from regulatory action
- Technical controls must match stated policies — having a privacy policy is insufficient without technical enforcement
- Insider access must be monitored — many large financial data breaches trace back to inadequate internal access controls
- Regulators are scrutinizing financial data handlers — banks and fintech firms should expect increased supervisory attention
The fine follows similar large-scale GDPR enforcement actions across Europe, including penalties against technology platforms, telecommunications providers, and other financial institutions.