Jun 2026 – Insider threat in focus: A €31.8m lesson in breach transparency and risk

Overview

An employee at one of Italy’s largest banks, Intesa Sanpaolo S.p.A. (the Bank), spent more than two years unlawfully accessing the financial records of thousands of customers, including politically exposed persons, without any legitimate work-related justification. When the breach eventually came to light, the bank notified the Italian DPA, the Garante per la protezione dei dati personali (the “Garante”), with an incomplete account of the incident and chose not to inform “all” affected individuals.

In a decision imposing a €31.8 million fine on the Bank, the Garante delivered a clear and uncompromising message: insider access risks require proactive, risk‑based controls, and a personal data breach cannot be minimised simply because personal data was viewed rather than extracted.


The facts

Between 21 February 2022 and 24 April 2024, an employee working at the Bank’s Agribusiness branch accessed the banking data of approximately 3,573 customers without any professional justification. The affected individuals included the employee’s mother, acquaintances, relatives, as well as current and former employees of the Bank.

The Bank first became aware of the breach on 9 October 2023, when flagged by an internal alert. However, it was only on 4 July 2024, following an analysis of access logs, that the Bank identified the full scale of the employee’s conduct and initiated disciplinary proceedings. The employee was subsequently dismissed for “just cause” on 7 August 2024.

On 17 July 2024, the Bank notified the Garante of the personal data breach in accordance with Article 33 of the GDPR. That initial notification described a breach affecting just nine data subjects. However, it was only after press reports emerged in early October 2024, which revealed that the breach extended to thousands of customers, that the full extent of the incident became apparent.


The Bank’s response and defence

The Bank made several arguments in its defence. On the adequacy of its security measures, it submitted that the mere occurrence of a personal data breach does not, in itself, demonstrate that the controller’s technical and organisational measures were inadequate. The Bank argued that the requirement under the GDPR seeks to limit the risks of personal data breaches without claiming to eliminate them entirely. The Bank pointed to a range of pre-existing safeguards, including employee training policies, a system of role-based authorisations, and an alerting control system designed to identify anomalous behaviour, noting that this system had been strengthened and updated even before the breach was discovered.

The Bank further argued that the breach was particularly difficult to prevent because it involved an authorised employee misusing legitimate access permissions. Such conduct could easily be confused with ordinary, lawful access operations carried out in the normal course of the employee’s duties.

On accountability, the Bank contended that the principle does not mean a controller must never make a mistake or never suffer a breach, and that to hold otherwise would mean every infringement automatically constitutes an accountability violation. The Bank maintained that it could not be faulted for an isolated instance of employee misconduct.


The Garante’s findings

The Garante disagreed with the Bank, finding violations of the GDPR. In particular:

  1. Inadequacy of security measures: Article 5(1)(f) of the GDPR requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing. Articles 5(2), 24, and 32 further require controllers to implement appropriate technical and organisational measures (ATOMs).

    The Garante found that the organisational and technical controls, including logging, alerts, and role-based access, did not adequately protect customer data. The Bank should not have relied solely on basic or generic safeguards. Given the high-risk banking context, additional and more robust safeguards were required. The Garante was particularly critical of the Bank’s failure to differentiate its controls according to the status of the data subjects. Allowing employees broad access and monitoring it only after the fact was not sufficient under the GDPR. Where access rights are wide, controllers must introduce additional, risk-based controls capable of flagging and stopping suspicious behaviour early.

    In response to the Bank’s argument that insider misuse is inherently difficult to prevent, the Garante held that this very risk should have been anticipated and mitigated. The difficulty of detecting insider access increases, rather than reduces, the controller’s responsibility to implement robust controls.

    On accountability, the Garante accepted that accountability does not demand perfection and is not automatically breached whenever another GDPR provision is violated. However, in this case the Bank had fallen short because it could not demonstrate that its risk assessments and safeguards were genuinely adequate.

  2. Breach notification: Article 33 of the GDPR requires controllers to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours.

    Although the Bank described its notification of 17 July 2024 as “complete”, the Garante found it to be largely incomplete as to the actual extent of the data breach and the number of data subjects involved. The true extent of the breach emerged exclusively from press reports and the Garante’s own investigation, initiated ex officio. The Bank’s failure to provide a timely, full, and accurate account of the incident seriously impaired the Garante’s ability to exercise its supervisory and intervention powers.

  3. Communication to data subjects: The Garante further found that the Bank had violated Article 34 of the GDPR by failing to communicate the breach to “all” affected data subjects. Contrary to the Bank’s assessment, the Garante determined that the breach of personal data was likely to present a high risk to the rights and freedoms of those individuals. It ordered the Bank to notify all data subjects whose personal and banking data had been unlawfully accessed.
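The first finding turns on a concrete engineering point: where staff hold broad read access, the controller is expected to run risk-based checks that differentiate by the status of the data subject and can stop a suspicious look-up before the record is shown, rather than reviewing logs afterwards. The following is an added illustration of that kind of control, not code from the Bank, the Garante or this article. The customer master data, the employee-to-branch mapping, the access log, the "case reference" field and the daily threshold are all constructed assumptions; a real deployment would draw them from the core banking system and tune them to its own risk assessment.

```python
"""Risk-based access monitoring for customer record look-ups.

Added illustration (assumed data model, not any bank's real schema):
  Rule A: records of elevated-status subjects (e.g. politically exposed persons,
          bank staff) require a case reference; otherwise the access is blocked.
  Rule B: records outside the employee's own portfolio require a case reference;
          otherwise the access is routed for review.
  Rule C: an unusual number of distinct customers viewed in one day is reviewed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed customer master data. "class" is the sensitivity category the
# controller assigns to the data subject (assumption).
CUSTOMERS = {
    "C100": {"branch": "agri-01", "class": "standard"},
    "C101": {"branch": "agri-01", "class": "standard"},
    "C200": {"branch": "retail-07", "class": "standard"},
    "C300": {"branch": "retail-07", "class": "elevated"},  # e.g. a PEP
    "C301": {"branch": "agri-01", "class": "elevated"},    # e.g. a bank employee
}

# Constructed mapping: employee -> branch whose customers they are authorised to serve.
EMPLOYEES = {"E1": "agri-01", "E2": "retail-07"}

# Constructed access log: (employee, customer, ISO timestamp, case reference or None).
# The case reference is assumed to tie a look-up to a recorded work task.
ACCESS_LOG = [
    ("E1", "C100", "2024-03-01T09:05:00", "CASE-1"),
    ("E1", "C101", "2024-03-01T09:07:00", "CASE-2"),
    ("E1", "C200", "2024-03-01T11:30:00", None),      # other branch, no case
    ("E1", "C300", "2024-03-01T11:31:00", None),      # elevated subject, no case
    ("E1", "C301", "2024-03-01T11:32:00", None),      # elevated subject, own branch, no case
    ("E2", "C200", "2024-03-01T14:00:00", "CASE-9"),
    ("E2", "C300", "2024-03-01T14:02:00", "CASE-9"),  # elevated subject, but with a case
]

# Assumed threshold for distinct customers one employee may view per day unremarked.
DAILY_DISTINCT_LIMIT = 3


@dataclass(frozen=True)
class Finding:
    employee: str
    customer: str   # customer id, or a summary for volume findings
    rule: str
    severity: str   # "block": deny in-line before display; "review": second-line review


def evaluate_access(employee, customer, case_ref):
    """Per-access rules, evaluated before the record is shown. Returns Finding or None."""
    subject = CUSTOMERS[customer]
    home_branch = EMPLOYEES[employee]
    # Rule A: elevated-status subjects always need a documented work basis.
    if subject["class"] == "elevated" and case_ref is None:
        return Finding(employee, customer, "elevated_subject_without_case", "block")
    # Rule B: standard subjects outside the employee's portfolio need a work basis.
    if subject["branch"] != home_branch and case_ref is None:
        return Finding(employee, customer, "outside_portfolio_without_case", "review")
    return None


def evaluate_log(log):
    """Apply the per-access rules to every entry, then the per-day volume rule."""
    findings = []
    distinct_per_day = defaultdict(set)
    for employee, customer, ts, case_ref in log:
        finding = evaluate_access(employee, customer, case_ref)
        if finding is not None:
            findings.append(finding)
        day = datetime.fromisoformat(ts).date()
        distinct_per_day[(employee, day)].add(customer)
    # Rule C: breadth of look-ups in a single day beyond the assumed limit.
    for (employee, day), customers in distinct_per_day.items():
        if len(customers) > DAILY_DISTINCT_LIMIT:
            summary = f"{len(customers)} distinct customers on {day}"
            findings.append(Finding(employee, summary, "daily_volume_exceeded", "review"))
    return findings


if __name__ == "__main__":
    for f in evaluate_log(ACCESS_LOG):
        print(f"{f.severity:6} {f.employee} {f.rule}: {f.customer}")
```

Rules A and B run in-line, so a "block" finding denies the look-up before any data is displayed, which is the "flagging and stopping suspicious behaviour early" the Garante describes; Rule A is the status-differentiated control the Bank was criticised for lacking. Rule C runs over the completed log and is the after-the-fact monitoring that, on its own, the decision found insufficient; it is useful as a backstop, not as the primary safeguard.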

The enforcement outcome

In determining the appropriate sanction, the Garante considered a number of factors. These included the nature of the breach, the lack of ATOMs, accountability, breach management, the number of affected individuals, the duration of the breach, and the impact on data subjects’ rights. Considering these factors, the Garante imposed an administrative fine of €31,800,000.


Key takeaways

The Garante’s decision is a reminder of the regulatory expectations that apply when personal data is accessed from within an organisation.

At its core, the ruling makes clear that insider access risks must be treated as a central feature of a controller’s risk landscape. In environments where employees enjoy wide-ranging access to customer information, reliance on generic safeguards or post‑hoc reviews will not suffice. Controllers are expected to anticipate the risk of misuse and to design controls capable of detecting and limiting it before harm materialises.

Finally, the ruling dispels any suggestion that a breach can be treated as inconsequential simply because data was not exfiltrated. Unauthorised access alone can expose individuals to meaningful risks, and communication obligations arise where those risks are likely, not where damage has already been established.

Taken together, the decision illustrates how accountability under the GDPR operates in practice: not as a strict liability regime, but as a requirement that controllers can evidence informed, risk-based decision making across security, detection, and incident management.

If you have any specific questions you would like advice on or if you would like information about what is discussed in this article, then please contact: Abi.Frederick@lewissilkin.com of Lewis Silkin LLP.