Overview
An employee at one of Italy's largest banks, Intesa Sanpaolo S.p.A. (the Bank), spent more than two years unlawfully accessing the financial records of thousands of customers, including politically exposed persons, without any legitimate work-related justification. When the breach eventually came to light, the bank notified the Italian DPA, the Garante per la protezione dei dati personali (the "Garante"), with an incomplete account of the incident and chose not to inform "all" affected individuals.
In a decision imposing a €31.8 million fine on the Bank, the Garante delivered a clear and uncompromising message: insider access risks require proactive, risk‑based controls, and a personal data breach cannot be minimised simply because personal data was viewed rather than extracted.
The facts
Between 21 February 2022 and 24 April 2024, an employee working at the Bank's Agribusiness branch accessed the banking data of approximately 3,573 customers without any professional justification. The affected individuals included the employee's mother, acquaintances, relatives, as well as current and former employees of the Bank.
The Bank first became aware of the breach on 9 October 2023, when flagged by an internal alert. However, it was only on 4 July 2024, following an analysis of access logs, that the Bank identified the full scale of the employee's conduct and initiated disciplinary proceedings. The employee was subsequently dismissed for "just cause" on 7 August 2024.
On 17 July 2024, the Bank notified the Garante of the personal data breach in accordance with Article 33 of the GDPR. That initial notification described a breach affecting just nine data subjects. A supplementary notification followed on 30 August 2024. However, it was only after press reports emerged in early October 2024, which revealed that the breach extended to thousands of customers, that the full extent of the incident became apparent.
The Bank's response and defence
The Bank advanced several arguments in its defence. On the adequacy of its security measures, it submitted that the mere occurrence of a personal data breach does not, in itself, demonstrate that the controller's technical and organisational measures were inadequate. The Bank argued that the requirement under the GDPR seeks to limit the risks of personal data breaches without claiming to eliminate them entirely. The Bank pointed to a range of pre-existing safeguards, including employee training policies, a system of role-based authorisations, and an alerting control system designed to identify anomalous behaviour, noting that this system had been strengthened and updated even before the breach was discovered.
The Bank further argued that the breach was particularly difficult to prevent as it involved an authorised employee misusing legitimate access permission. Such conduct could easily be confused with ordinary, lawful access operations carried out in the normal course of the employee's duties.
On accountability, the Bank contended that the principle does not mean a controller must never make a mistake or never suffer a breach, and that to hold otherwise would mean every infringement automatically constitutes an accountability violation. The Bank maintained that it could not be faulted for an isolated instance of employee misconduct.
As to notification, the Bank argued that the information transmitted to the Garante on 17 July 2024, as supplemented on 30 August 2024, was sufficient to provide a clear and complete picture of the incident, enabling the authority to assess the extent of the breach. With respect to the communication obligation under Article 34 of the GDPR, the Bank argued, in line with the conclusions of its Data Protection Officer, that the breach was not likely to present a "high risk to the rights and freedoms of individuals". It emphasised that the employee had only viewed data and had not extracted or misused it, so that any failure to notify data subjects should be treated as harmless; on that basis the Bank did not communicate the existence of the personal data breach to "all" data subjects.
The Garante's findings
The Garante disagreed with the Bank and found several violations of the GDPR. In particular:
Inadequacy of security measures: Article 5(1)(f) of the GDPR requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing. Articles 5(2), 24, and 32 further require controllers to implement appropriate technical and organisational measures (ATOMs), taking into account the nature, scope, context, and purposes of processing, as well as the risks to data subjects.
The Garante found that the organisational and technical controls, including logging, alerts, and role-based access, did not adequately protect customer data. This assessment was grounded in what had actually occurred over two years of repeated, unjustified access by a single employee. The Garante held that the Bank should not have relied solely on basic or generic safeguards. Given the high-risk banking context, and what the Garante described as a "full circularity" access model that afforded employees broad access to customer information, additional and more robust safeguards were required. The Garante was particularly critical of the Bank's failure to differentiate its controls according to the status of the data subjects. Certain customers, such as politically exposed persons, presented an elevated risk profile. The absence of strengthened controls for such categories highlighted a fundamental gap in the Bank's risk assessment. Allowing employees broad access and monitoring it only after the fact was not sufficient under the GDPR. Where access rights are wide, controllers must introduce additional, risk-based controls capable of flagging and stopping suspicious behaviour early, even where that behaviour appears formally legitimate in system terms.
In response to the Bank's argument that insider misuse is inherently difficult to prevent, the Garante held that this very risk should have been anticipated and mitigated. The difficulty of detecting insider access increases, rather than reduces, the controller's responsibility to implement robust controls.
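The Garante's reasoning above points at controls that act on access which is formally permitted but has no work-related justification, with stricter handling for elevated-risk data subjects such as politically exposed persons. The following Python script is an added illustration of that idea and is not the Bank's monitoring system, part of the "Nemo Program", or anything the Garante prescribed: the log format, the notion of an "open case" linking an employee to a customer, the branch fields, the thresholds and the sample records are all constructed assumptions. It flags individual reads that lack a case reference, cross the employee's own branch, or touch a PEP record, and raises an employee-level alert when unjustified reads of distinct customers cluster inside a time window, which is the early signal a two-year pattern of browsing would have produced.

```python
"""
Risk-based detection over customer-record access logs (illustrative only).

Added example: not the Bank's controls or the Garante's prescription. Field
names, the "open case" concept, branch codes, thresholds and the sample log
lines are constructed assumptions for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Access:
    """One customer-record read from the access log (assumed schema)."""
    ts: datetime
    employee: str
    employee_branch: str
    customer: str
    customer_branch: str
    case_id: Optional[str]   # work item tying the employee to this customer, if any
    pep: bool                # customer is a politically exposed person


@dataclass(frozen=True)
class Alert:
    employee: str
    customer: Optional[str]  # None for an employee-level (burst) alert
    reasons: tuple
    severity: str            # "medium" or "high"


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log, not real data: e1 reads several records with no
# open case, one of them a PEP held at another branch; e2 has a single
# unjustified read.
SAMPLE_LOG = [
    Access(_t("2024-03-01T09:00"), "e1", "AGRI", "c100", "AGRI", "CASE-1", False),
    Access(_t("2024-03-01T09:10"), "e1", "AGRI", "c200", "AGRI", None, False),
    Access(_t("2024-03-01T09:15"), "e1", "AGRI", "c300", "RETAIL", None, True),
    Access(_t("2024-03-01T09:20"), "e1", "AGRI", "c400", "RETAIL", None, False),
    Access(_t("2024-03-01T10:00"), "e2", "RETAIL", "c500", "RETAIL", "CASE-7", False),
    Access(_t("2024-03-01T10:30"), "e2", "RETAIL", "c600", "RETAIL", None, False),
]


def access_reasons(a: Access) -> tuple:
    """Per-read checks: a read may be formally permitted yet still suspicious."""
    reasons = []
    if a.case_id is None:
        reasons.append("no_case")       # no recorded work-related justification
    if a.customer_branch != a.employee_branch:
        reasons.append("cross_branch")  # wide access model used outside own portfolio
    if a.pep:
        reasons.append("pep")           # elevated-risk data subject: always review
    return tuple(reasons)


def _max_distinct_in_window(accesses, window):
    """Largest number of distinct customers one employee read within any window."""
    accesses = sorted(accesses, key=lambda a: a.ts)
    best = 0
    for i, a in enumerate(accesses):
        cutoff = a.ts + window
        seen = {x.customer for x in accesses[i:] if x.ts < cutoff}
        best = max(best, len(seen))
    return best


def evaluate(log, window=timedelta(days=1), burst_threshold=3):
    """Return per-read alerts plus an employee-level burst alert when unjustified
    reads of distinct customers inside `window` reach `burst_threshold`."""
    alerts = []
    unjustified = defaultdict(list)
    for a in log:
        reasons = access_reasons(a)
        if not reasons:
            continue
        severity = "high" if "pep" in reasons else "medium"
        alerts.append(Alert(a.employee, a.customer, reasons, severity))
        if "no_case" in reasons:
            unjustified[a.employee].append(a)
    for emp, reads in unjustified.items():
        n = _max_distinct_in_window(reads, window)
        if n >= burst_threshold:
            alerts.append(Alert(emp, None, ("burst", f"{n} distinct customers"), "high"))
    return alerts


def employees_needing_review(alerts):
    """Employees with at least one high-severity alert, for early intervention."""
    return sorted({a.employee for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("review:", employees_needing_review(found))
```

The design point is that none of the three per-read checks depends on a permission failure: every read in the sample is one the system allowed. The signal comes from joining the access log with context (a case register, branch assignment, a PEP flag) that a pure authorisation model never sees, and from escalating on clustering rather than waiting for a single obviously illegitimate event.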
On accountability, the Garante accepted that accountability does not demand perfection and is not automatically breached whenever another GDPR provision is violated. However, in this case the Bank had fallen short because it could not demonstrate that its risk assessments and safeguards were genuinely adequate. The principle of accountability requires controllers to be able to show that the measures they have adopted are appropriate to the risks they face.
Breach notification: Article 33 of the GDPR requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours. Whilst the GDPR permits phased notification where a controller requires further time to investigate, this mechanism is intended to allow the authority to assess the steps taken by the controller and the measures adopted to remedy the situation.
Although the Bank described its notification of 17 July 2024 as "complete", the Garante found it to be largely incomplete as to the actual extent of the data breach and the number of data subjects involved. The supplementary notification of 30 August 2024 was still only partial and seriously delayed. The true extent of the breach emerged exclusively from press reports and the Garante's own investigation, initiated ex officio. The Bank's failure to provide a timely, full, and accurate account of the incident seriously impaired the Garante's ability to exercise its supervisory and intervention powers and to support risk‑mitigation measures for affected individuals.
Communication to data subjects: The Garante further found that the Bank had violated Article 34 of the GDPR by failing to communicate the breach to "all" affected data subjects. Contrary to the Bank's assessment, the Garante determined that the breach of personal data was likely to present a high risk to the rights and freedoms of those individuals. It ordered the Bank to notify all data subjects whose personal and banking data had been unlawfully accessed.
Furthermore, the Garante rejected the Bank's argument that the absence of data exfiltration rendered the failure to notify harmless. Article 34 of the GDPR is concerned with preventing risk, not compensating proven harm. The delay in making the communication, which took place only following the Garante's order, and its incompleteness had limited the ability of data subjects to adopt timely mitigation measures and to exercise their rights in a fully informed manner, consequently increasing their exposure to risk. The Garante did, however, acknowledge that the Bank had taken steps to strengthen its safeguards following the breach, through what was described as the "Nemo Program".
The enforcement outcome
In determining the appropriate sanction, the Garante considered a number of factors. These included the nature of the breach, the lack of ATOMs, accountability, breach management, the number of affected individuals, the duration of the breach, and the impact on data subjects' rights. The Garante also considered the significant delay in the breach notification. Weighing these factors, the Garante imposed an administrative fine of €31,800,000.
Key takeaways
The Garante's decision is a timely reminder of the regulatory expectations that apply when personal data is accessed from within an organisation.
At its core, the ruling makes clear that insider access risks must be treated as a central feature of a controller's risk landscape. In environments where employees enjoy wide-ranging access to customer information, reliance on generic safeguards or post‑hoc reviews will not suffice. Controllers are expected to anticipate the risk of misuse and to design controls capable of detecting and limiting it before harm materialises.
The decision also emphasises the significance of breach response obligations. Supervisory authorities depend on accurate and timely notifications to assess risk and guide remedial action. Where a controller delays in identifying the full scale of a breach or communicates an unduly narrow account of what has occurred, it undermines that process and exposes itself to further regulatory action.
Finally, the ruling dispels any suggestion that a breach can be treated as inconsequential simply because data was not exfiltrated. Unauthorised access alone can expose individuals to meaningful risks, and communication obligations arise where those risks are likely, not where damage has already been established.
Taken together, the decision illustrates how accountability under the GDPR operates in practice: not as a strict liability regime, but as a requirement that controllers can evidence informed, risk-based decision making across security, detection, and incident management.
