{"id":7145,"date":"2026-04-27T14:08:51","date_gmt":"2026-04-27T14:08:51","guid":{"rendered":"https:\/\/avacysolution.com\/?p=7145"},"modified":"2026-04-27T14:11:14","modified_gmt":"2026-04-27T14:11:14","slug":"guida-profilazione-gdpr-caso-intesa-sanpaolo","status":"publish","type":"post","link":"https:\/\/avacysolution.com\/en\/blog\/news\/guida-profilazione-gdpr-caso-intesa-sanpaolo\/","title":{"rendered":"Profiling and GDPR: compliance lessons from the Intesa Sanpaolo case"},"content":{"rendered":"

Until recently, the Data Protection Authority had limited itself to proactive warnings regarding cookie banners and deficient disclosures. However, the \u20ac17.6 million maxi-fine<\/strong> imposed on Intesa Sanpaolo case<\/strong> has raised the bar significantly. We are no longer facing simple formal reminders, but rather an inspection intervention that strikes at the heart of digital strategies: the legal basis<\/strong>.<\/p>\n\n\n\n

The core of the issue lies in the balance between business needs and the right to data protection. Specifically, the ruling has put a spotlight on the methods used for user profiling<\/strong> during the migration to Isybank <\/strong>and the inadequate adoption of the accountability principle<\/strong>, challenging the improper use of \"legitimate interest\" where consent was required.<\/p>\n\n\n\n

But why does this case represent a point of no return for compliance? <\/p>\n\n\n\n

Let\u2019s look in detail at Intesa Sanpaolo\u2019s error and the foundations for GDPR-compliant<\/strong> profiling<\/strong>.<\/p>\n\n\n\n

Violations found against Intesa Sanpaolo by the Authority<\/strong><\/h2>\n\n\n\n

1. Using Legitimate Interest instead of Consent<\/strong><\/h3>\n\n\n\n

Intesa Sanpaolo based the data transfer and subsequent profiling of customers migrated to Isybank on legitimate interest<\/strong>. However, the Data Protection Authority ruled that, for activities of such an intrusive nature and for such a radical change to the terms of the contract, this legal basis was insufficient<\/strong>.<\/p>\n\n\n\n

The transition to profiling in digital banking contexts mandates the collection of explicit consent<\/strong>. Invoking legitimate interest<\/strong> without a prior balancing of user rights makes the processing unlawful and subject to sanctions.<\/p>\n\n\n\n

To learn more: \"GDPR Consents: Everything You Need to Know to Be Compliant<\/a>\"<\/p>\n\n\n\n

2. Deficient disclosures and communication methods<\/strong><\/h3>\n\n\n\n

The Authority found that the communications<\/strong> sent to customers were not sufficiently clear. Many users did not understand the implications of moving to Isybank, nor how their data<\/strong> would be processed for marketing and profiling purposes on the new platform.<\/p>\n\n\n\n

Processing compliance is dependent on the presence of a transparent and accessible information<\/strong>, ensuring the user is fully aware of how their personal data is managed and for what purposes.<\/p>\n\n\n\n

To find out more: \"Privacy Policy: What It Is and Why It Is Important<\/a>\"<\/p>\n\n\n\n

3. Lack of a real opportunity to object<\/strong><\/h3>\n\n\n\n

In addition to the incorrect legal basis, customers were not provided with a simple and immediate way to object to the transfer or to maintain their previous data management conditions.<\/p>\n\n\n\n

According to the law, the GDPR mandates that users must be able to exercise their right to object<\/strong> easily. Making the transition \"mandatory\" or difficult to refuse violates the principles of data<\/strong> self-determination<\/strong>.<\/p>\n\n\n\n

4. Non-granular management of profiling<\/strong><\/h3>\n\n\n\n

During the migration, data was processed on a massive scale. Users were not given the option to choose which specific profiling treatments to activate or deactivate within the new digital ecosystem.<\/p>\n\n\n\n

A proper profiling strategy<\/strong> cannot ignore the granular management<\/strong> of consent<\/strong>: imposing a \"take it or leave it\" package on personal data fails to respect the criteria for granular consent required by European regulations.<\/p>\n\n\n\n

For more information, read: \"Consent for Personal Data Processing for Websites<\/a>\"<\/p>\n\n\n\n

What Are the Risks for Those Who Don't Comply?<\/strong><\/h2>\n\n\n\n

The action taken by the Privacy Authority proves that regulatory compliance is no longer an option. With an increasingly proactive approach, those managing databases and digital platforms must ensure they are compliant to avoid devastating consequences:<\/p>\n\n\n\n

    \n
  1. Economic sanctions:<\/strong> the Intesa Sanpaolo case shows that fines are no longer merely symbolic. The GDPR provides for penalties of up to 4% of total annual global turnover.<\/li>\n\n\n\n
  2. Reputational damage:<\/strong> customer trust is a bank\u2019s or company\u2019s most precious resource. A public privacy fine generates a loss of credibility that is difficult to restore.<\/li>\n\n\n\n
  3. Blocking of processing:<\/strong> beyond the fine, the Authority can impose an immediate halt on the use of unlawfully collected data, paralyzing sales or customer acquisition operations.<\/li>\n\n\n\n
  4. Impact on competitiveness:<\/strong> compliance is an advantage. A company that guarantees security attracts more reliable partners and investors.<\/li>\n<\/ol>\n\n\n\n

    How to adapt your business to the regulations?<\/strong><\/h2>\n\n\n\n

    Here are the key actions<\/strong> to avoid issues:<\/p>\n\n\n\n