Italy: Data Protection Authority issued interim ruling in investigation into Intesa Sanpaolo over alleged violations of General Data Protection Regulation

On 3 January 2025, the Data Protection Authority (GPDP) notified Intesa Sanpaolo, an Italian banking group, of the initiation of proceedings for the adoption of corrective and sanctioning measures under Articles 58(2) and 83 of thw General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), pursuant to Article 166(5) of the Personal Data Protection Code. The GPDP identified alleged violations of Article 5(1)(a), Article 6(1)(a), and Article 14 of the GDPR. The alleged violations concerned the profiling of customers classified as "predominantly digital customers" and the personal data processing conducted in relation to the transfer of business units to Isybank. Intesa Sanpaolo requested an extension to submit its defence submissions under Article 13(3) of the GPDP's Regulation no. 1/2019, which the GPDP granted with a deadline of 4 March 2025. Intesa Sanpaolo submitted its defence submissions on 3 March 2025.