Italy: Data Protection Authority fined Intesa Sanpaolo EUR 17.628 million violations of General Data Protection Regulation

On 12 March 2026, the Data Protection Authority (GPDP) imposed a fine of EUR 17.628 million on Intesa Sanpaolo and declared unlawful certain personal data processing carried out in connection with the transfer of two business units to Isybank under Article 58 of the Consolidated Banking Act (TUB). The GPDP found that Intesa Sanpaolo had profiled approximately 2.4 million customers identified as “predominantly digital customers” through automated processing of personal data, including age, use of digital channels, absence of investment products, and financial balances below EUR 100,000. According to the GPDP, this profiling lacked a valid legal basis under Article 6(1) of the General Data Protection Regulation. The GPDP determined that informed consent under Article 6(1)(a) of the GDPR was the only applicable legal basis, and that such consent had not been obtained. The GPDP also found that the privacy notice provided in the context of the corporate transaction between Intesa Sanpaolo and Isybank did not disclose the profiling activity or explain its logic, which the authority considered to be in breach of the transparency requirements set out in Articles 5(1)(a) and 14 of the GDPR. Intesa Sanpaolo must pay the fine within 30 days of notification of the decision.