← All articles

consultant

€31.8m fine against Intesa Sanpaolo: 72h to notify a GDPR breach

Italy’s DPA fined Intesa Sanpaolo €31.8m for inadequate security and late/incomplete GDPR breach notification. Immediate takeaway for Luxembourg: meet the 72-hour rule and know what to notify.

On 30 March 2026, Italy’s Garante fined Intesa Sanpaolo S.p.A. €31.8m after a data breach caused by unauthorized internal access to the banking data of 3,573 customers over more than two years (21/02/2022 → 24/04/2024). The authority found serious deficiencies in technical and organizational measures, a late and incomplete authority notification, and communication to data subjects only after a prior order on 02/11/2024. The official note adds that “high-risk” clients, including public figures, were affected and that monitoring controls failed to detect the undue accesses. Reference: Garante press release of 30/03/2026 and the “Provvedimento del 26 marzo 2026”. See the Garante’s official release.

Why it matters in Luxembourg: the same GDPR framework applies, and CNPD expectations on 72-hour breach notification and content follow the EDPB’s Guidelines 01/2021. CNPD provides an official breach notification form explicitly recalling the 72-hour deadline. Access the CNPD form and the EDPB Guidelines 01/2021 (FR).

Legal reasoning

  • GDPR Article 32: security of processing (appropriate technical and organizational measures). Ineffective access controls and failure to detect/prevent unjustified consultations breach integrity/confidentiality (Art. 5(1)(f)) and the “appropriateness” requirement under Article 32. The Garante criticized a “fully circular” access model to the entire customer base without effective compensating controls. Source: Garante.
  • GDPR Article 33: notify the authority “without undue delay and, where feasible, not later than 72 hours after becoming aware,” provide reasons for delay if any, and include minimum content (Art. 33(3): nature, categories/volume, likely consequences, measures taken/proposed). Official text: EUR‑Lex.

Authorities’ interpretation

  • Garante (Italy): ineffective internal controls and late/incomplete notification aggravated the case. The Article 32 and 33 failures warranted a high fine (duration, number of customers, sensitivity of profiles, detection failures). Press release.
  • EDPB (EU): Guidelines 01/2021 provide concrete scenarios on when to notify, risk assessment, when to inform data subjects (Art. 34), and expected content.
  • CNPD (Luxembourg): official form and reminder of the 72-hour deadline; if exceeded, reasons must be justified. CNPD form.

Important note — NIS 2 distinction: if you are an “essential/important entity,” cyber-incident alerts/notifications to the ILR follow specific timelines (24h/72h/1 month) that are additional — they do not replace GDPR notification. European Commission reminder. For local context, see the NIS 2 timelines in Luxembourg.

What this changes in practice

  • Higher evidentiary bar for Article 32. Banking (and other high-sensitivity) systems should demonstrate: a robust need-to-know/least-privilege model; continuous, correlated monitoring (anomalous access detection, UEBA rules, alerts on bulk views or VIP/PEP clients); actionable traceability (immutable logs, regular reviews); and compensating controls (segmentation, four-eyes, near real-time alerting). Source: Garante.
  • The 72-hour notification is not optional. Even while investigating, an initial notification should be filed within 72 hours “where feasible,” then completed without undue delay. Follow the EDPB’s staged reporting. Ref.: Guidelines 01/2021.
  • Data subject communication (Art. 34) without delay where risk is high, with clear language and concrete advice (account monitoring, credential changes, credit freeze, etc.). Basis: Articles 33–34 (EUR‑Lex).
  • In Luxembourg, align procedures with the CNPD form. Embed required fields, attach supporting information, and document the timestamp of “becoming aware” (starts the clock), a key EDPB point for accountability. For the general framework, see Articles 32, 33 and 34 GDPR.

Common pitfalls

  1. Waiting for hard proof of exfiltration before notifying: a common mistake. The duty hinges on the likelihood of a risk to rights and freedoms. When in reasonable doubt, notify and supplement later. Ref.: EDPB 01/2021.
  2. Underestimating unauthorized internal access. “Curiosity” access or open directories are breaches and often expose structural Article 32 gaps. In Intesa, over 6,600 undue consultations went undetected. Source: Garante.
  3. Unjustified late notification. If you exceed 72 hours, Article 33 requires reasons for the delay; missing explanations or incomplete content aggravate the case. Garante.
  4. Late or inadequate data subject communication. Generic letters without concrete measures or a clear description are insufficient. Basis: Art. 34 and Commission reminders. Garante.
  5. Confusing GDPR and NIS 2. Reporting to the ILR does not replace CNPD notification, and vice versa. Your playbooks must cover both channels, timelines, and required content. See official summaries.

Official sources

In short: Intesa is not “just Italian” — it sets an EU standard applicable in Luxembourg. Overbroad access, ineffective controls, and late/incomplete GDPR notification lead to heavy sanctions. The right response: deep monitoring to detect undue access, notification playbooks aligned with Article 33 and EDPB 01/2021, and disciplined use of the CNPD form as soon as you become aware.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →