Until recently, the Data Protection Authority had limited itself to proactive warnings regarding cookie banners and deficient disclosures. However, the €17.6 million maxi-fine imposed in the Intesa Sanpaolo case has raised the bar significantly. We are no longer facing simple formal reminders, but rather an inspection intervention that strikes at the heart of digital strategies: the legal basis.

The core of the issue lies in the balance between business needs and the right to data protection. Specifically, the ruling has put a spotlight on the methods used for user profiling during the migration to Isybank and the inadequate adoption of the accountability principle, challenging the improper use of "legitimate interest" where consent was required.

But why does this case represent a point of no return for compliance? 

Let’s look in detail at Intesa Sanpaolo’s error and the foundations for GDPR-compliant profiling.

Violations found against Intesa Sanpaolo by the Authority

1. Using Legitimate Interest instead of Consent

Intesa Sanpaolo based the data transfer and subsequent profiling of customers migrated to Isybank on legitimate interest. However, the Data Protection Authority ruled that, for activities of such an intrusive nature and for such a radical change to the terms of the contract, this legal basis was insufficient.

The transition to profiling in digital banking contexts mandates the collection of explicit consent. Invoking legitimate interest without a prior balancing of user rights makes the processing unlawful and subject to sanctions.

To learn more: "GDPR Consents: Everything You Need to Know to Be Compliant"

2. Deficient disclosures and communication methods

The Authority found that the communications sent to customers were not sufficiently clear. Many users did not understand the implications of moving to Isybank, nor how their data would be processed for marketing and profiling purposes on the new platform.

Processing compliance depends on the presence of transparent and accessible information, ensuring the user is fully aware of how their personal data is managed and for what purposes.

To find out more: "Privacy Policy: What It Is and Why It Is Important"

3. Lack of a real opportunity to object

In addition to the incorrect legal basis, customers were not provided with a simple and immediate way to object to the transfer or to maintain their previous data management conditions.

The GDPR mandates that users must be able to exercise their right to object easily. Making the transition "mandatory" or difficult to refuse violates the principles of data self-determination.

4. Non-granular management of profiling

During the migration, data was processed on a massive scale. Users were not given the option to choose which specific profiling treatments to activate or deactivate within the new digital ecosystem.

A proper profiling strategy cannot ignore the granular management of consent: imposing a "take it or leave it" package on personal data fails to respect the criteria for granular consent required by European regulations.

For more information, read: "Consent for Personal Data Processing for Websites"

What Are the Risks for Those Who Don't Comply?

The action taken by the Privacy Authority proves that regulatory compliance is no longer an option. With an increasingly proactive approach, those managing databases and digital platforms must ensure they are compliant to avoid devastating consequences:

  1. Economic sanctions: the Intesa Sanpaolo case shows that fines are no longer merely symbolic. The GDPR provides for penalties of up to 4% of total annual global turnover.
  2. Reputational damage: customer trust is a bank’s or company’s most precious resource. A public privacy fine generates a loss of credibility that is difficult to restore.
  3. Blocking of processing: beyond the fine, the Authority can impose an immediate halt on the use of unlawfully collected data, paralyzing sales or customer acquisition operations.
  4. Impact on competitiveness: compliance is an advantage. A company that guarantees security attracts more reliable partners and investors.

How to adapt your business to the regulations?

Here are the key actions to avoid issues:

  • Review legal bases: evaluate whether legitimate interest is truly applicable or if consent is required.
  • Total transparency: update disclosures and communications, making them simple, immediate, and transparent.
  • Granular consent: allow the user to choose exactly what to accept.

Compliance solutions: Avacy's support

Ensuring compliance, especially in complex profiling cases, can be a highly intricate process. Many companies underestimate the configuration of data collection systems, exposing themselves to extreme risks.

This is where Avacy comes in: a professional solution for automating privacy compliance.

What Avacy offers:

  1. GDPR-compliant consent implementation: Avacy allows you to create clear consent collection systems consistent with real data usage, avoiding ambiguous statements.
  2. Advanced and granular management: with Avacy, your site or platform features a system that allows users to accept or reject individual categories of processing (profiling, marketing, etc.).
  3. Continuous monitoring and updates: regulations evolve. Avacy monitors legislative changes and automatically adapts settings to keep your business compliant.
  4. Audit and reporting: It provides tools to prove at any time that consent was collected correctly, which is essential in the event of an inspection by the Authority.

Integrating Avacy transforms data management into a competitive advantage, ensuring a transparent user experience and a fluid consent collection system that strengthens customer trust.

Conclusion

The Intesa Sanpaolo case is a lesson for the entire market: the GDPR no longer waits for reports but acts proactively. No entity is too large to be fined if its legal basis is fragile. Compliance is not just an obligation, but a strategic move to protect your brand value. Those who do not adapt are taking a risk: now is the time to act.