News
🇮🇹 Consultation of bank accounts without a legal basis
🇮🇹 🚨 A Curious Bank Employee Illicitly Accesses 6,637 Records Over 460 Days
📢 Order to Inform Clients About Unauthorized Data Access
Source: 10070521
🏦 Context
The bank Intesa Sanpaolo discovered that an employee had accessed the data of 9 individuals who were not clients of the branch where he worked.
🔍 The employee justified these accesses as mere curiosity.
🔎 After an internal audit, the bank terminated his contract.
📅 On July 17, 2024: The bank reported this data breach to the APD, in compliance with Article 33 of the GDPR.
⚠️ Failure to Inform Affected Individuals
📌 The bank assessed that this breach did not pose a high risk to the rights and freedoms of the affected individuals and therefore did not notify the clients concerned, in violation of Article 34(1) of the GDPR.
🔎 New Revelations: 6,637 Unauthorized Accesses
📅 On October 10, 2024, journalistic investigations revealed that the employee had illegally accessed the bank accounts of 3,572 additional individuals between February 2022 and April 2024, including:
- 👩‍⚖️ The sister and ex-partner of the Prime Minister
- 🏛️ Ministers, the Senate President, and the National Anti-Mafia Prosecutor
🔐 APD Decision
📜 The APD ruled that the bank should have informed the affected individuals.
📢 In accordance with Articles 34(4) and 58(2)(e) of the GDPR, the APD ordered the bank to:
✅ Inform affected clients without delay, within a maximum of 20 days.
✅ Ensure that these notifications are made personally by bank employees at the branch where the accounts were opened.
✅ Document these notifications in writing to comply with Article 5(2) of the GDPR.
⚖️ Conclusion
❗ The bank should have acted sooner to alert clients about these unauthorized accesses.
🔎 This case highlights the importance of access controls and transparency in banking data management.