Intesa Sanpaolo Fined €17.6 Million Over Customer Profiling Linked to Isybank Transfer
Key Takeaways
- Major Privacy Enforcement: Italy’s data protection authority fined Intesa Sanpaolo €17.6 million for unlawfully processing the personal data of approximately 2.4 million customers.
- Customer Profiling Without Legal Basis: The bank analyzed customer characteristics to determine who would be transferred to its digital subsidiary Isybank, but regulators found the profiling lacked a valid legal basis.
- Digital Bank Migration: Customers selected through the profiling process were moved to Isybank, receiving new IBAN numbers and transitioning to an app-only banking model without physical branch access.
- Communication Failures: Regulators said the bank’s notifications, largely placed in the archive section of its mobile app during the summer, did not adequately inform customers about the significant change.
Deep Dive
Italy’s data protection authority has fined Intesa Sanpaolo €17.6 million after concluding that the bank unlawfully processed the personal data of roughly 2.4 million customers while preparing a large-scale transfer of accounts to its digital subsidiary Isybank.
The ruling follows a complex investigation opened after numerous customers reported being moved to the newly created digital bank without clearly understanding how or why they had been selected.
According to the authority, Intesa Sanpaolo analyzed customer data to determine which account holders would be migrated to Isybank. The regulator found that this profiling activity lacked an appropriate legal basis, making the processing unlawful under data protection rules.
Profiling Used to Identify Customers for Digital Migration
The investigation found that the bank evaluated several characteristics to identify customers it considered suitable for the digital-only platform. Among the factors used were age, the frequency with which customers used digital banking channels, whether they held investment products, and the level of financial resources associated with the account.
In practice, the selection process focused largely on customers who were 65 years old or younger, had actively used digital banking services in the past year, did not hold investment products, and fell below a certain financial threshold.
The authority determined that using customer data in this way to support a corporate restructuring required a valid legal basis that was not present in the bank’s approach.
Transfer Brought Significant Changes for Customers
The migration to Isybank did more than simply shift accounts within the same corporate group. Customers moved to the digital bank were transferred to a different data controller, fundamentally altering how their accounts were managed.
For affected customers, the move meant receiving new IBAN numbers, notifying employers or other payers of updated account details, and operating their accounts exclusively through a mobile app without access to physical branches.
The regulator said these changes significantly modified the conditions of the banking relationship compared with those originally agreed upon when customers opened their accounts.
Regulator Criticizes Customer Communication
Another key element of the case centered on how customers were informed of the transition. The authority found that notifications about the transfer were largely sent during the summer period and placed in the archive section of the bank’s mobile app, rather than being delivered through more prominent alerts such as push notifications or SMS messages.
Given the scale and significance of the change, regulators said the communication approach did not provide the level of disclosure that customers reasonably should have received.
According to the authority, customers could not reasonably have anticipated the profiling and account transfer based on the information previously provided to them.
The regulator also noted that the bank cooperated during the investigation, a factor that was taken into account when calculating the final amount of the fine.

