Maxi fine of 17.6 million euros for Intesa Sanpaolo: it transferred over 2 million customers to Isybank without consent

Bad news for Intesa Sanpaolo: the Guarantor for the protection of personal data has issued a fine of 17,628,000 euros against the bank. At the center of the provision is the forced transfer of over 2 million account holders to Isybank, the digital bank 100% controlled by the group, carried out unlawfully and without adequate information being given to the people affected.

What exactly happened? Between 2022 and 2023, Intesa Sanpaolo unilaterally moved around 2.4 million customers to Isybank, a bank operating exclusively via app, without physical branches. The operation entailed concrete and significant changes for the account holders involved: assignment of a new IBAN, the obligation to communicate it to employers, users and suppliers, and the loss of access to traditional branches.

To decide whom to transfer, Intesa Sanpaolo carried out actual customer profiling, without having a valid legal basis for doing so. The criteria used included: age not exceeding 65 years, regular use of digital channels in the last year, absence of investment products and available funds below a certain threshold. In practice, the bank selected customers deemed more “digitalised” and with fewer resources, moving them towards the digital channel without asking for their consent.

To make matters worse, the communications sent to customers informing them of the operation were far from transparent. The alerts were placed in the Intesa Sanpaolo app archive during the summer period, without push notifications or SMS, and without the prominence that a change of this magnitude required. According to the Guarantor, customers could not reasonably expect such a radical change to their banking relationship. In the press release on the sanction against Intesa Sanpaolo, the Authority writes:

The processing carried out by the bank in the manner described in the provision is unlawful, also because the customer could not reasonably have foreseen it based on the context and information received.

The intervention of the Guarantor

The investigation was opened following numerous reports from account holders and now ends with this sanction. But it is not the first time that this move has come under the scrutiny of the authorities: already in 2023 the antitrust authority (AGCM) had ordered the suspension of the transfer, establishing that customers should be able to freely choose whether to stay with Intesa Sanpaolo or move to Isybank.

The fine of over 17 million euros takes into account the seriousness of the violations and the high number of people involved. The Guarantor writes:

In determining the amount of the fine, the Authority took into account the relevance of the violations, the high number of customers involved but also the negligent nature of the transgressions and the collaboration provided by the bank.

This story reminds everyone – institutions, companies and citizens – that personal data is not a commodity to be handled arbitrarily. User profiling, even when it occurs within apparently “internal” company operations, requires a solid legal basis, transparency and respect for people’s will.