GDPR Article 6: the Intesa/Isybank lesson on legitimate interest vs consent
Italy’s DPA fined Intesa €17.6M for transferring ~2.4M customers to Isybank without a valid legal basis. Key takeaway: legitimate interest cannot replace valid consent or strict contractual necessity.
Summary — On 12 March 2026, the Italian DPA (Garante) fined Intesa Sanpaolo (€17.6M) for profiling and unilaterally transferring about 2.4 million customers to Isybank without a valid legal basis. Core message: legitimate interest cannot replace valid consent or strict necessity under Article 6 GDPR.
The case
The Garante found prior profiling (age, digital usage, no investments, etc.), insufficient transparency, and no valid legal basis for a unilateral transfer to a separate controller (Isybank), with concrete impacts (new IBAN, changed access channels, no physical branches). Official materials: Provvedimento of 12 March 2026, Doc‑Web 10230412 and the press release of 12/03/2026.
See: Garante, Provvedimento 12/03/2026 and the “Comunicato stampa” factsheet Doc‑Web 10230273 (garanteprivacy.it).
The legal reasoning
- Legal basis (Article 6 GDPR). The operation was neither “necessary for contract performance” (Art. 6(1)(b)) nor covered by an overriding legitimate interest (Art. 6(1)(f)). The Garante ties lawfulness and transparency to the actual effects on individuals. Source: gpdp.it.
- Contractual necessity: strict EDPB view. Guidelines 2/2019 require “objective necessity”: the processing must be indispensable to the contract’s core service; usefulness or optimization is insufficient. See EDPB Guidelines 2/2019 Art. 6(1)(b): EDPB page and consolidated PDF.
- Legitimate interest: three-part test. Controllers must prove: (i) a specific legitimate interest; (ii) necessity; (iii) a favorable, well-documented balancing test (LIA) and appropriate transparency. See CNPD: lawful basis and legitimate interest.
- CJEU case law. Case C‑252/21 (Meta/Bundeskartellamt, 4 July 2023): Art. 6(1)(b) “necessity” requires an indispensable contribution to the contract’s core subject matter. See EUR‑Lex.
In a nutshell
Intesa/Isybank showcases two common pitfalls: (1) stretching Art. 6(1)(b) to cover business reconfigurations; (2) invoking Art. 6(1)(f) without a robust LIA and concrete safeguards (clear notice, effective objection, alternative channels).
Practical implications for organizations in Luxembourg
- Migrations/segmentation projects (banks, insurers, PSFs, e‑commerce, B2C): the legal basis must be robust; Art. 6(1)(b) covers only what is indispensable to the original contract, not a reorganisation of the business that happens to be convenient for the controller. EDPB reference on Art. 6(1)(b): edpb.europa.eu. Involve the DPO early so the choice of legal basis is documented before the project is designed, not after.
- Legitimate interest (6(1)(f)): document a full LIA (purpose, necessity, proportionality, mitigations: prominent information, easy opt‑out, non‑degraded alternatives). CNPD emphasises these cumulative conditions: cnpd.public.lu. Keep the LIA, the notices actually sent and the opt‑out records together, so that compliance can be demonstrated under the accountability principle (Art. 5(2)).
- Transparency (Arts. 12‑14): “hidden” notices (quiet portal messages without push/SMS) fall short. The Garante explicitly criticised this on 12/03/2026: gpdp.it/docweb/10230412.
- Governance: involve the DPO upfront, run a DPIA where required (scale, profiling, significant effects, Art. 35), test notice/objection flows end to end before launch, and design alternatives that do not penalise customers who object.
Frequent audit pitfalls
- Overbroad “contractual necessity”: switching customers from “branch + app” to “app‑only” under Art. 6(1)(b) without proving indispensability. See EDPB Art. 6(1)(b) and CJEU C‑252/21: edpb.europa.eu.
- Legitimate interest without a written LIA: missing balancing test, dedicated notice, and working opt‑out. CNPD expects a structured LIA: cnpd.public.lu.
- “Pro forma” information: a low‑visibility portal message without active notification fails Arts. 12‑14. See Garante 12/03/2026: gpdp.it.
- Under‑estimating profiling: segmenting customers (by age, digital usage, absence of investments, etc.) to decide on a transfer or an IBAN change is profiling within the meaning of Art. 4(4). Where the decision is taken solely by automated means and produces legal or similarly significant effects, Art. 22 applies as well, with its restrictions and the right to obtain human intervention. See CNIL.
- No equivalent alternative: a complex or late opt‑out undermines free choice. Under Art. 6(1)(f), this weighs against the controller; under Art. 6(1)(a), it invalidates consent.
Official sources
- Garante — Provvedimento 12/03/2026 Doc‑Web 10230412: gpdp.it/docweb/10230412
- Garante — Comunicato stampa 12/03/2026 Doc‑Web 10230273: garanteprivacy.it
- EDPB — Guidelines 2/2019 Art. 6(1)(b): EDPB page and PDF
- CNPD Luxembourg — Legitimate interest: cnpd.public.lu
- CJEU — C‑252/21 Meta/Bundeskartellamt: EUR‑Lex
Regulatory note for LU: expect the CNPD to require (i) a precisely articulated legal basis; (ii) a solid LIA if relying on Art. 6(1)(f); (iii) active, timely transparency; (iv) non‑penalising alternatives. When in doubt, rely on consent under Art. 6(1)(a), bearing in mind that consent is only valid if freely given: where refusal leads to detriment or there is no genuine choice, the consent is invalid (Art. 7(4), Recital 42‑43) and the processing has no legal basis at all.
Luxgap regulatory expertise article.