On March 12, 2026, the Italian Data Protection Authority (“Garante”) adopted a decision concerning the transfer of personal data of banking customers from Intesa Sanpaolo S.p.A. (the “Bank”) to Isybank S.p.A., a newly established digital bank within the same corporate group.  The Garante found that the Bank’s processing in connection with the transfer of approximately 2.4 million customers to Isybank was unlawful.

We set out the decision’s key findings below.

Background

The Garante launched an investigation following numerous complaints from customers and reports from consumer associations.  During the investigation, the Garante found that the Bank had initially identified the customers to be transferred to the new digital bank through an analysis and selection process based on various criteria, including age, patterns of banking service use, familiarity with digital channels, types of products held, and account balances.

Key Findings

Relevant processing activities

In its findings, the Garante rejected the view that the transaction involved a single processing activity amounting to the transfer of a portfolio of customers as part of a corporate transaction.  Rather, the Garante distinguished two key processing activities: (1) the process of identifying the customers to be transferred, based on a series of criteria relating to personal characteristics of customers; and (2) the disclosure of data in connection with the transfer.  In the Garante’s view, the first activity constitutes profiling within the meaning of the GDPR and forms a separate processing operation from the subsequent disclosure of data in the context of the transaction.

Lawfulness of processing

While the Bank argued that it relied on its legitimate interest to carry out the mentioned processing activities, the Garante held that it had failed to demonstrate the necessity of the processing and a genuine balancing of the interests at stake.  The Garante also rejected the Bank’s legitimate interest assessment (LIA) as “tautological” and lacking a concrete and specific balancing assessment.

Moreover, the Garante noted that it was clear that the activity was not within the customers’ reasonable expectations, among other things, because of the number of complaints received and the number of customer dissents to the transfer, exercised in the course of a parallel investigation conducted by the competition authority.

Ultimately, the Garante held that the automatic transfer of accounts to Isybank constituted a unilateral change to the terms of the contract compared to those originally agreed upon, causing inconvenience to customers, including Isybank’s services being only available through digital channels and the lack of physical branches, the change of customers’ IBAN and the fact that Isybank did not offer certain features and services originally provided by the Bank.

Transparency

While the Bank had provided a privacy notice, the Garante maintained that it did not adequately explain the existence of profiling, the logic used, nor the expected consequences for the data subjects.

Finally, the Garante found that the communications sent to customers to inform them of the transaction were inadequate.  In particular, it considered that communications were displayed within the “archive” section of the Bank’s app, without giving the communication adequate prominence, such as by sending a push notification or an alert.  Moreover, the communications were sent during the summer months, at a time when customers may be less attentive.

Conclusion

As a result of these findings, the Garante found that the Bank’s processing was unlawful and imposed a 17,6 million EUR fine.

*                                  *                                  *

Covington’s Data Privacy and Cybersecurity team regularly advises companies on their most challenging data protection and compliance issues in the EU, UK and other key markets. If you have any questions about the topics discussed in this article, please do not hesitate to contact us.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.