TITLE: Italy's Data Protection Authority Fines Intesa Sanpaolo €17.6 Million for Unlawful Customer Profiling
BODY:
On March 12, 2026, Italy's Data Protection Authority (Garante per la protezione dei dati personali) issued a fine of €17.6 million to Intesa Sanpaolo Spa for unlawfully processing the personal data of approximately 2.4 million customers in connection with a corporate restructuring.
Intesa Sanpaolo transferred customers unilaterally to its wholly-owned subsidiary, Isybank Spa, a fully digital bank. To identify which customers to transfer, the bank conducted customer profiling without adequate legal basis, selecting clients based on specific characteristics including age not exceeding 65 years, regular use of digital channels within the previous year, absence of investment products, and financial availability below a certain threshold. This profiling significantly affected customers' positions, resulting in the transfer of their accounts to a different data controller, unilateral modification of contractual conditions, and changes to account operations, including assignment of a new IBAN and exclusive access via mobile application without physical branch access.
The Authority found that communications to customers regarding this operation were inadequate. Notifications were sent primarily during summer months within the app's archive section without sufficient prominence, such as push notifications or SMS alerts, that the extraordinary nature of the operation warranted. The Garante determined that the bank's processing was unlawful because customers could not reasonably have anticipated it based on the context and information provided.
In determining the fine amount, the Authority considered the severity of violations, the high number of affected customers, the negligent nature of the breaches, and the bank's cooperation. The decision closes a complex investigation initiated following numerous customer complaints.