Italian Bank's €17.6 Million Privacy Fine Gives 2.4 Million Customers Right to Switch Back

Published 3d ago

Italy's largest banking institution has been hit with a record-breaking privacy penalty following an investigation by the Italian Data Protection Authority (Garante Privacy). Intesa Sanpaolo Spa must pay €17.6 million after unilaterally transferring 2.4 million account holders to its digital-only subsidiary without proper legal grounds—a move that violated fundamental privacy protections guaranteed under European law.

Why This Matters

Customer profiling without permission: Without a valid legal basis under GDPR, the bank conducted customer profiling (profilazione dei clienti) to identify which clients would be moved.

Contractual changes imposed without clear notification: Transferred clients received new IBANs, lost physical branch access, and received communication that the Garante determined was insufficient and unclear.

Precedent for accountability: This is the largest privacy fine against an Italian bank for customer data mishandling, signaling tougher regulatory enforcement of data protection rights.

Right to return: Affected customers have the right to reverse the transfer and return to standard Intesa Sanpaolo accounts.

The Investigation and Findings

The Italian Data Protection Authority (Garante Privacy) concluded its investigation on March 12 following complaints from account holders who discovered that their banking relationships had been fundamentally altered without proper consent. The regulator found that Intesa Sanpaolo conducted a systematic profiling operation to identify which customers would be moved to Isybank Spa, the group's fully digital banking platform.

The practical consequences for customers were significant. Transferred clients were assigned entirely new IBANs—the unique account identifiers required for all electronic payments and direct debits across Europe. This forced affected individuals to notify employers, utility providers, tax authorities, and anyone else with standing payment instructions. Access to physical branches was eliminated, replaced by an app-only interface that some clients had not requested.

The privacy watchdog was critical of how the bank communicated the transfer. The Authority determined that the information provided was insufficient and unclear, failing to adequately explain the reasons for the transfer, its full consequences, or customers' rights in terms that could be reasonably understood. According to the Garante, the bank did not have an appropriate legal basis under the General Data Protection Regulation (GDPR) to process customers' data for this systematic transfer.

What This Means for Intesa Sanpaolo Customers

If you were among the 2.4 million moved to Isybank, the regulatory intervention has secured your right to reconsider this decision. Following the Garante's investigation and regulatory pressure, Intesa Sanpaolo has committed to allowing customers who were transferred to reverse the move and return to the parent bank. Consumer advocacy groups including Federconsumatori and the National Consumer Union (UNC) have assisted thousands of account holders in filing objections and supporting complaints.

For customers considering a return to standard Intesa Sanpaolo accounts, it is advisable to review the terms being offered and make an informed decision about which banking solution best serves your needs. Those who believe they suffered specific damages from the transfer process—such as missed payments due to IBAN changes or lost access to services—may wish to explore whether individual compensation claims are available.

The Broader Context: Privacy Enforcement in Italian Banking

The Garante Privacy has placed significant regulatory attention on the banking, credit, and finance sector, which handles vast quantities of sensitive personal and financial information. This enforcement action underscores that financial institutions cannot treat customer data as a fungible asset to be moved, analyzed, and repurposed at institutional discretion without solid legal foundations and genuine customer consent.

Banks operating in Italy are increasingly deploying profiling and segmentation tools for legitimate business objectives such as personalizing offerings and optimizing operations. However, the Intesa Sanpaolo case establishes that these techniques cannot be used to impose material changes to contractual relationships or transfer customers to different platforms without proper legal grounds and clear customer understanding.

How the Fine Was Calculated

In determining the €17.6 million penalty, the Authority weighed several factors, including the scale of the operation: with 2.4 million people affected, it is one of the largest privacy incidents in Italian banking history by customer count. The violations were classified as negligent rather than intentional, meaning the bank failed to exercise appropriate due care. The regulator credited Intesa Sanpaolo for cooperating during the investigation, a factor that likely influenced the final penalty amount. Under GDPR enforcement guidelines, fines can reach up to 4% of global annual turnover for the most serious violations.

What Comes Next

The ruling establishes important precedent regarding consent, transparency, and the limits of algorithmic decision-making in financial services. It clarifies that profiling techniques and customer segmentation must rest on solid legal foundations and cannot be used to impose material contractual changes without genuine customer understanding and consent.

For account holders who were transferred to Isybank and wish to understand their options for returning to Intesa Sanpaolo, consulting with the bank directly or contacting consumer advocacy organizations like Federconsumatori or UNC can provide guidance on available terms and deadlines. The fine itself represents a significant regulatory intervention, but the precedent it sets—that customer data rights will be actively protected and enforced—may prove equally important for all bank customers in Italy.

Italy Telegraph is an independent news source.