Italy: Data Protection Authority opened an investigation into Intesa Sanpaolo over alleged violations of General Data Protection Regulation

On 16 November 2023, the Italian Data Protection Authority (GPDP) opened an investigation into Intesa Sanpaolo, an Italian banking group, over alleged violations of the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). The GPDP received 5 complaints and 3 notifications filed directly by data subjects, as well as a notification from the National Consumers Union (UNC) on behalf of hundreds of consumers. The complaints concerned personal data processing carried out by Intesa Sanpaolo in connection with the transfer of two business units to its wholly-owned subsidiary Isybank, pursuant to Article 58 of the Consolidated Banking Act (TUB). The transfer targeted customers classified as "predominantly digital customers". Data subjects alleged that the transfer was decided unilaterally, without their express consent, and that the notices provided were unclear and inadequate. The GPDP consolidated the individual proceedings to conduct a coordinated examination of the issues raised and issued a first request for information to Intesa Sanpaolo under Article 157 of the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003).