Garante per la protezione dei dati personali (Italy) - 10070521

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 34(1) GDPR
Article 34(3)(c) GDPR
Article 58(2)(e) GDPR
Art. 615-ter c.p.
Type: Investigation
Outcome: Other Outcome
Started: 17.07.2024
Decided: 02.11.2024
Published: 05.11.2024
Fine: n/a
Parties: Intesa Sanpaolo S.p.A.
National Case Number/Name: 10070521
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

After a data breach concerning more than 3,500 data subjects, the DPA ordered Intesa Sanpaolo bank to notify the affected data subjects pursuant to Article 34 GDPR.

English Summary

Facts

The controller, Intesa Sanpaolo (the biggest Italian bank), noticed that an employee had accessed data concerning the financial situation of 9 data subjects, even though those data subjects were not clients of the branch where that employee was working.

The employee stated that they accessed the data out of curiosity. After an internal audit, the controller terminated the employment relationship with this employee.

On 17 July 2024, the controller notified the data breach to the DPA pursuant to Article 33 GDPR.

However, the controller believed that the data breach was not likely to result in a high risk to the rights and freedoms of natural persons. Therefore, it did not notify the breach to the concerned data subjects according to Article 34(1) GDPR. The controller, however, sent an informal communication to the affected data subjects.

In addition, on 10 October 2024, the DPA learned from press reports that the same employee had performed a further 6000 accesses to the bank account details of more than 3500 data subjects, including the sister and former partner of the President of the Council of Ministers, some Ministers, the Speaker of the Senate and the head of the national anti-mafia public prosecution office.

Also with regard to these further accesses, the controller believed that the data breach was not likely to result in a high risk to the rights and freedoms of natural persons. However, the controller stated that it might send a "client caring" letter to explain what had happened.

Holding

Even though the investigation into this case is still open, the DPA deemed it necessary to decide immediately on the controller's compliance with Article 34 GDPR.

Contrary to what the controller argued, the DPA held that the data breach at hand is likely to result in a high risk to the rights and freedoms of natural persons. The DPA took into account the following facts:

  • the type of personal data at hand;
  • the accesses at hand could constitute a crime under Article 615-ter of the Italian Criminal Code (Codice penale - c.p.);
  • the controller operates in the banking sector, a sector in which employees are required to observe a very high level of confidentiality.

Moreover, the DPA found that none of the 3 exceptions to the notification obligation listed in Article 34(3) GDPR could apply and that the controller had not proved that any of those conditions was met.

As for Article 34(3)(c) GDPR, the DPA pointed out that the controller certainly has contact details of the data subjects, since the latter are its clients. Therefore, it is not possible to argue that contacting them would involve a disproportionate effort.

Furthermore, the DPA noted that the EDPB Guidelines 9/2022 on personal data breach notification under the GDPR state that data breaches involving financial data are likely to cause greater damage, since, if combined with other data, they can also lead to identity theft (see para. 108).

Finally, the DPA stated that the "client caring" letter the controller is planning to send to all clients has a different content and purpose from the notification required by Article 34 GDPR.

On these grounds, pursuant to Article 34(4) GDPR in combination with Article 58(2)(e) GDPR, the DPA ordered the controller to notify the concerned data subjects of the data breach without undue delay and, in any case, within 20 days. The DPA prescribed that this notification be made in person by bank employees working in the branch where the bank account had been opened and that these meetings be documented in writing in accordance with Article 5(2) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Press release of 5 November 2024


[web doc. no. 10070521]

Measure of 2 November 2024

Register of measures
no. 659 of 2 November 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN in particular Articles 33 and 34 of the Regulation entitled, respectively, “Notification of a personal data breach to the supervisory authority” and “Communication of a personal data breach to the data subject”;

HAVING SEEN Legislative Decree No. 196 of 30 June 2003, containing the “Personal Data Protection Code”, as amended by Legislative Decree No. 101 of 10 August 2018 (hereinafter the “Code”);

HAVING REGARD to the “Guidelines 9/2022 on the notification of personal data breaches under the GDPR” adopted by the European Data Protection Board on 28 March 2023, replacing the “Guidelines on the notification of personal data breaches under Regulation (EU) 2016/679” of the Article 29 Data Protection Working Party of 3 October 2017, as last amended and adopted on 6 February 2018 and endorsed by the European Data Protection Board on 25 May 2018 (hereinafter the “Notification Guidelines”);

HAVING REGARD to the “Guidelines 01/2021 on examples of notification of a personal data breach” adopted by the European Data Protection Board on 14 December 2021 (hereinafter the “Guidelines on personal data breach cases”);

HAVING SEEN the "Guidelines for data processing relating to the bank-customer relationship" of 25 October 2007 (published in the Official Journal no. 273 of 23 November 2007; www.gpdp.it, web doc. no. 1457247);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data (hereinafter, "Regulation 1/2019");

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

The Authority became aware, through the notification of personal data breach of 17 July 2024 (file DB006866), made, definitively pursuant to art. 33 GDPR by Intesa Sanpaolo S.p.A. (hereinafter “Controller”, “Bank” or “Company”), of a loss of confidentiality of personal data caused by unauthorized access by an employee to the banking data of some customers.

In particular, in the aforementioned personal data breach notification, the Company stated that “In February 2024, the Privacy Function, responsible for second-level checks regarding potential anomalies in bank data access by employees detected by the alert systems adopted by this Data Controller, analyzed the queries performed by the employee concerned (assigned to the Agribusiness Branch of Barletta - Bisceglie Branch with the role of Agribusiness Manager) on the credit card transactions of a customer between 1 October 2023 and 12 October 2023. The alert system also intercepted other potential anomalous accesses on two additional customers in the same period (October - November 2023)…” and that “…Based on the outcome of all the checks conducted, it is believed that the perimeter of customers actually impacted by the ascertained anomalous operations carried out by the employee involved is 9 natural persons.”

With reference to the assessment of the risk of the breach, the Bank considered that the event presented a medium risk for the rights and freedoms of natural persons, due to the fact that "The interventions carried out by the competent Internal Audit and Human Resources function with direct contact with the employee who committed the breach and his subsequent suspension from service, made it possible to permanently interrupt access to the personal data of the affected customers. The compulsive and extensive behavior of the affected employee on customers outside his portfolio and the gradual assessments carried out, make the motivation he gave (i.e. curiosity) in consulting the personal data of such customers plausible, consequently limiting the potential impacts for the interested parties also taking into account the absence of signs of exfiltration of the information displayed".

Having regard to the communication to the interested parties, pursuant to art. 34 of the Regulation, the Bank stated that it wanted to communicate the event to the nine interested parties involved: "although it does not detect high risks for the rights and freedoms of individuals, this Data Controller will proceed, in order to provide all relevant information regarding the incident that occurred and allow a prompt response to any requests for further clarifications, to inform the 9 interested parties (including acquaintances and relatives of the employee involved) who have received the highest number of accesses, through an interview carried out by the Managers of the Branches where the relationships are rooted".

With reference to the notification of a personal data breach to the supervisory authority provided for by art. 33 of the Regulation, the Bank considered that it had provided all the necessary information with the notification submitted on 17 July 2024, which was in fact indicated as "complete".

On 30 August 2024, the Bank nevertheless proceeded to integrate the notification previously submitted, to inform the Authority that it had proceeded with the dismissal of the employee in question.

Subsequently, on 10 October 2024, the Authority learned, from press reports, that an Intesa Sanpaolo employee had access, outside of the correct operations connected to the performance of his work, to "... deposits of politicians and military personnel, including the prime minister's sister, her former partner and ministers Crosetto and Santanchè. But also Ignazio La Russa and the prosecutor of the National Anti-Mafia Directorate, Giovanni Melillo..." (see https://www.agi.it/cronaca/news/2024-10-10/spiati-conti-correnti-di-giorgia-meloni-e-sorella-inchiesta-su-ex-dipendente-intesa-sanpaolo-28202220/).

In particular, the accesses “…would have been almost seven thousand, made between February 21, 2022 and April 24, 2024, and would have more specifically concerned the over three thousand five hundred portfolio customers of 679 branches of Intesa Sanpaolo, spread throughout Italy” (see https://www.ansa.it/puglia/notizie/2024/10/10/spiati-i-conti-correnti-di-meloni-giambruno-la-russa_cb03fa8d-6456-4f78-9fb5-5eb7895cee00.html) and would have been discovered by the Institute, thanks to the complaint of a current account holder.

In this regard, the Authority, with note prot. 118325 of 10 October 2024, sent a request for information to Intesa Sanpaolo in order to verify whether the facts reported in the press reports were attributable to the personal data breach event described in the notification of 17 July 2024 and to know the actual scope of the events notified at the time in terms of much lesser scope in relation to the number of data subjects involved and their categories (holders of elected and public offices, political and public figures).

The Bank responded, with note no. 121551 of 17 October 2024, specifying that:

the personal data breach event described in the notification of 17 July 2024 is the same as that reported in the press reports;

the breach consisted of “…loss of confidentiality, due solely to access apparently not justified by service reasons carried out by an employee”;

the Bank became aware, for the first time, of an anomalous access by the employee on 9 October 2023, following the activation of the alert F23.2acc - Privacy Alert "Cards and CRIF", part of the controls set up by Intesa Sanpaolo, in compliance with the Authority's Provision no. 192/2011. This alert reported a potential anomaly regarding the employee's query of the movements, relating to the previous two months, of a customer's credit card;

following the activation of other alerts at a later time and the outcome of internal checks and verifications, also carried out through the analysis of the logs of the accesses carried out overall by the employee and retained for 24 months pursuant to the aforementioned Provision of the Guarantor no. 192/2011, on 4 July 2024, the Bank initiated disciplinary proceedings against the employee;

the number of interested parties involved is, at present, “…not determinable – that is, to be determined with reasonable certainty, it requires the use of a disproportionate effort. The number disclosed by the press of 3,572 customers, corresponding to 6,637 accesses made by the Employee and indicated in the Audit function report of 21 May 2024 (“Audit Report”, attached as Annex 1), corresponds to the customers not based at the Agribusiness Branch of Barletta and at the related branches of Bisceglie and Ruvo di Puglia (Branch and branches pertaining to the Employee) whose data were accessed by the Employee on 460 days between 21 February 2022 and 24 April 2024”;

“…the inquiries made by the Employee in the two-year analysis period on 3,572 customers could, theoretically, be consistent with the specific operations of an Agribusiness Manager (qualification held by the Employee), who may have to question “in circularity” even customers not established at their own Branch…”.In this regard, “…the Employee has objected to the legitimacy of some of the 6,637 accesses…”;

the Audit Report shows that, with reference to the customers accessed by the Employee: “…34 are national politicians, belonging to both centre-right and centre-left political forces. In total, in the two-year analysis period, the Employee made 102 inquiries regarding these individuals (equal to 1.54% of the total 6,637 accesses cited in the Audit Report). In particular, for 15 of the 34 politicians, the Employee made only one inquiry and, for another 11 individuals, he made two inquiries and, of the 34 politicians, it turned out that 10 did not have – at the time of the facts – any relationship with the Bank (with a blank ballot result); 43 are nationally famous figures from the world of entertainment, sports and news; 73 are employees and managers of the Bank, including some top management; the remaining 3,422 customers consist mainly of individuals from the Employee's place of residence or rooted in other places that revolve around his personal and professional sphere. In particular, approximately 2,450 of these individuals are from the places of Bari and neighboring areas of the Employee's place of residence; the accesses concerned 1) contractual positions/SICLI (NJ00 - customer card), 2) movement of accounts (IY11 - e/c for internal use) and payment cards (ZAFI - allows you to query the world of "payment cards"), sometimes also with transaction details, and 3) financial activities (DAPY - investments).";

the Bank declared that it had no evidence of extraction of the data accessed by its employee through internal information systems;

the Bank reiterated that it had not proceeded to communicate to the interested parties pursuant to art. 34 of the Regulation “In line with the conclusions of the Data Protection Officer, the Bank (data controller) did not in turn consider that the personal data breach in question was “likely to present a high risk to the rights and freedoms of natural persons” (art. 34.1 GDPR) and, therefore, did not communicate the same personal data breach to all potentially involved parties”;

the Bank is however “…considering sending to our entire customer base, consisting of approximately 13 million interested parties, a client caring communication dedicated to describing how the incident actually unfolded and what its possible consequences may be, but also the measures we have adopted and those we are considering adopting”;

with respect to what was described in the notification of 17 July 2024, the Bank intended to clarify that: “…The notification filed on 17 July 2024 is only the first communication to the Authority on the matter of interest…” and, with reference to the indication of 9 interested parties involved, “certainly the positions of 9 customers of the Bank (7 NDG5 + 2 co-account holders) were subject to anomalous accesses by the Employee in consideration of the number of such accesses” and that, furthermore, “Specifically, these are customers who were subject to a total of 1,333 accesses out of a total of 6,637 accesses extracted in the Two-Year Analysis Period for the purposes of the Bank’s checks”.
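The control the Bank describes above (an alert on an employee's query of a customer's data, followed by analysis of the access logs retained for 24 months and a count of customers outside the employee's own branch) can be illustrated with an added example. The code below is constructed for this page; it is not Intesa Sanpaolo's alert system, nor code from the Garante or GDPRhub. The log line format, the employee, customer and branch identifiers, the sample log and the thresholds are all assumptions; only the four function codes (NJ00, IY11, ZAFI, DAPY) and the 24-month retention window come from the decision.

```python
"""Constructed example: second-level review of customer-data access logs.

Flags employees who, within the 24-month retention window, query customers
belonging to other branches on several distinct days. Not a real bank's code.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Function codes quoted in the decision; the descriptions are the decision's own.
FUNCTION_CODES = {
    "NJ00": "customer card",
    "IY11": "account movements",
    "ZAFI": "payment cards",
    "DAPY": "investments",
}

RETENTION = timedelta(days=730)  # 24 months, as the decision reports the logs are kept


@dataclass(frozen=True)
class Access:
    ts: datetime
    employee: str
    employee_branch: str
    customer: str
    customer_branch: str
    function: str


def parse_line(line: str) -> Access:
    """Parse one constructed log line: ts|employee|emp_branch|customer|cust_branch|function."""
    ts, emp, emp_br, cust, cust_br, fn = line.strip().split("|")
    if fn not in FUNCTION_CODES:
        raise ValueError(f"unknown function code {fn!r}")
    return Access(datetime.fromisoformat(ts), emp, emp_br, cust, cust_br, fn)


def within_retention(acc: Access, now: datetime) -> bool:
    """Only accesses inside the retention window are available for analysis."""
    return now - acc.ts <= RETENTION


def out_of_branch(acc: Access) -> bool:
    """An access is 'outside the portfolio' when the customer belongs to another branch."""
    return acc.customer_branch != acc.employee_branch


def summarize(accesses, now: datetime) -> dict:
    """Per-employee count of out-of-branch accesses, distinct customers and active days."""
    stats = defaultdict(lambda: {"accesses": 0, "customers": set(), "days": set()})
    for a in accesses:
        if not within_retention(a, now) or not out_of_branch(a):
            continue
        s = stats[a.employee]
        s["accesses"] += 1
        s["customers"].add(a.customer)
        s["days"].add(a.ts.date())
    return {
        e: {"accesses": s["accesses"], "customers": len(s["customers"]), "days": len(s["days"])}
        for e, s in stats.items()
    }


def flag_employees(summary: dict, min_customers: int = 3, min_days: int = 2) -> list:
    """Constructed thresholds: several distinct out-of-branch customers over several days."""
    return sorted(
        e for e, s in summary.items()
        if s["customers"] >= min_customers and s["days"] >= min_days
    )


# Constructed sample log; identifiers and branches are made up. The last line is
# older than the retention window and must be ignored by the analysis.
SAMPLE_LOG = """\
2024-03-01T09:12:00|E001|BR-A|C100|BR-A|NJ00
2024-03-01T09:40:00|E001|BR-A|C201|BR-B|IY11
2024-03-02T10:05:00|E001|BR-A|C202|BR-B|ZAFI
2024-03-02T10:06:00|E001|BR-A|C202|BR-B|IY11
2024-03-04T15:30:00|E001|BR-A|C305|BR-C|DAPY
2024-03-01T11:00:00|E002|BR-B|C201|BR-B|NJ00
2024-03-03T16:20:00|E002|BR-B|C410|BR-D|NJ00
2021-01-15T08:00:00|E001|BR-A|C999|BR-Z|NJ00
"""


def analyze(log_text: str, now_iso: str):
    """Return (per-employee summary, flagged employees) for a log at reference time now_iso."""
    now = datetime.fromisoformat(now_iso)
    accesses = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    summary = summarize(accesses, now)
    return summary, flag_employees(summary)


if __name__ == "__main__":
    summary, flagged = analyze(SAMPLE_LOG, "2024-07-17T00:00:00")
    for emp, s in summary.items():
        print(emp, s)
    print("flagged for second-level review:", flagged)
```

The summary counts distinct customers and active days rather than raw accesses because, as the Bank points out, a manager may legitimately query customers "in circularity" outside their own branch; the output is meant for a second-level review of the kind the decision attributes to the Privacy Function, not for automatic action against the employee.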

* * *

Pending the definition of a broader investigation, still underway, aimed at examining in depth what has been illustrated above and defining all aspects related to the event that occurred, it is necessary to assess the conformity of the initiatives undertaken so far by the Bank to protect the interested parties, with particular reference to the full and effective fulfillment of the communication obligations pursuant to art. 34 of the Regulation, in light of both the declarations made by the Data Controller and the elements independently acquired by the Office.

In this regard, the Regulation indicates that, in the risk assessment, both the probability and the severity of the risks for the rights and freedoms of the interested parties are taken into account, and that such risks are determined on the basis of an objective assessment (see recommendations nos. 75 and 76).

In particular, the Notification Guidelines identify the following factors to be considered – in the event of a personal data breach – in the assessment of the risk for the rights and freedoms of the interested parties: the type of breach; the nature, sensitivity and volume of the personal data; the ease of identification of the data subjects; the severity of the consequences for the data subjects; the particular characteristics of the data subject; the particular characteristics of the Data Controller; and the number of data subjects involved.

Contrary to what was assessed by the Data Controller, the Authority considers that the personal data breach in question is likely to present a high risk for the rights and freedoms of natural persons, taking into account the nature of the personal data breach - which under the conditions set out in the Criminal Code, art. 615-ter, may constitute a criminal offence - the categories of personal data subject to the breach, the severity and persistence of the possible consequences for natural persons that could arise from the breach (such as, by way of mere example, disclosure of information regarding the financial status, reputational damage) as well as the sector of activity of the Data Controller, which requires a high degree of accountability on the part of its representatives, in order to guarantee the trust in them by customers, satisfying, in particular, their legitimate expectations of confidentiality and security of the processing.

Article 34, par. 1, of the Regulation establishes that “where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay”, except in cases where such communication is not required because one of the conditions set out in par. 3 of the same article is met, which is not applicable to the case in question.

The aforementioned Guidelines on notification recall that “in principle, the breach should be communicated directly to the data subjects concerned, unless this would involve a disproportionate effort. In such a case, a public communication or a similar measure shall be made that allows the data subjects to be informed with equal effectiveness” (see art. 34, par. 3, letter c), of the Regulation), recalling the “Guidelines on transparency under Regulation (EU) 2016/679” of the Article 29 Working Party, adopted by the European Data Protection Board on 25 May 2018. These latter Guidelines clarify that the controller should “carry out an assessment by weighing, on the one hand, the effort […] and, on the other hand, the impact and effects […] on the data subject”.

In this regard, the Guidelines on notification draw the attention of data controllers to the provisions of art. 34, par. 3, of the Regulation, noting that “in accordance with the accountability principle, the controller should be able to demonstrate to the supervisory authority that it meets one or more […] conditions” for which it is not required to communicate the personal data breach directly to the data subjects involved.

Communication to the data subjects is, moreover, one of the measures that the controller can adopt to mitigate the possible negative effects of the personal data breach for the data subjects and has as its main objective that of providing specific information on the measures that the data subjects themselves can adopt to protect themselves from the possible negative consequences of a breach (see recital no. 86 of the Regulation).

In any case, the Guidelines on notification recommend that the controller “choose a means that maximizes the possibility of correctly communicating the information to all data subjects” highlighting that “it could also be envisaged to adopt technical provisions to make information on the breach available upon request, a solution that could prove useful for natural persons who may be affected by a breach but who the controller cannot otherwise contact”.

The Guidelines on Personal Data Breach cases highlight how communication to data subjects is a good practice and a mitigating factor in the presence of a ransomware attack with exfiltration because “the breach affects not only the availability of the data, but also confidentiality, as the attacker may have modified and/or copied the data from the server. Therefore, the type of breach entails a high risk” and that “the nature, sensitivity and volume of personal data further increase the risks, as the number of individuals affected is high, as is the overall amount of personal data compromised” (see paragraphs 42 and 43) and, where it involves data of different nature, including financial data, it can cause greater damage: “Breaches involving health data, identity documents or financial data such as credit card details can cause damage in themselves, but if used together they could be used for identity theft. A combination of personal data is typically more sensitive than a single personal data.” (see paragraph 108).

In light of the above, therefore, the Data Controller is required to communicate the violation to the interested parties, given the particular sensitivity of the personal data subject to the violation, obeying a precautionary principle which, despite the uncertainty about the actual further uses of the data to which the employee has had access (which is not known, at the moment, whether they have been acquired as computer data or as images or have simply been consulted and, possibly, manually transcribed on paper or electronic media), requires adopting in any case the greatest possible precautions in light of the potential harm caused by the repeated actions carried out by the employee and which are still being examined by the competent Judicial Authority.

Furthermore, it should be noted that the Data Controller's decision not to communicate to the interested parties does not allow them to take appropriate precautionary measures in consideration of the nature of the personal data subject to the violation that concern them (cons. no. 86 of the Regulation; see also Provv. no. 264 of 10 December 2020, web doc. no. 9557555). 

This, also taking into account the fact that, during the investigation carried out so far, the Data Controller has not demonstrated in any way the existence of the condition referred to in art. 34, par. 3, of the Regulation in relation to the disproportionate effort that the aforementioned communication would require.

Therefore, the condition provided for in letter c) of par. 3, also considering that the customers whose bank positions have been accessed by the employee are certainly known to the Bank, as are the contact details of each of them, and taking into account the time elapsed and the analyses carried out by the Bank, also in cross-examination with the employee.

Furthermore, the communication does not appear to involve a disproportionate effort in view of the number of interested parties to whom it should be addressed, a number which, by admission of the Bank itself, represents "... a small number of interested parties compared - for the Bank - to the total number of customers".

This also considering that the communication that the Data Controller has declared it wants to send to the entire customer base would have different contents and purposes from the necessarily more specific one required by art. 34 of the Regulation, which, instead, must be made to those whose personal data have been the subject of undue access, or in the absence of documented reasons of service, likely to present a high risk for their fundamental rights and freedoms.

Art. 34, par. 4, of the Regulation, finally establishes that "in the event that the data controller has not yet communicated the personal data breach to the data subject, the supervisory authority may require, after having assessed the likelihood that the personal data breach presents a high risk, that the data subject do so".

* * *

In light of the examination of the circumstances brought to the attention of the Authority and the considerations made, it is deemed necessary and urgent to order the Data Controller, pursuant to the combined provisions of Articles 34, par. 4, and 58, par. 2, letter e) of the Regulation, to individually communicate the personal data breach to all data subjects whose personal and banking data have been accessed and cannot be traced back with certainty to the employee's ordinary work activity, providing at least the information referred to in Article 34, par. 2, of the Regulation, "without unjustified delay" and, in any case, within twenty days from the date of receipt of this provision, in order to ensure effective protection for the interested parties, in particular by describing the nature of the violation and its possible consequences, providing the contact details of the data protection officer or another contact point specifically established where further information can be obtained, as well as providing information on the measures adopted to remedy the violation and to mitigate its possible negative effects.

Such communication must be made through individual contact, preferably through specifically trained personnel of the customer's rooted branch, in the manner that the Data Controller deems most appropriate, identifying an order of priority and a possibly differentiated calendar, according to a timing proportionate to the risk.

The communication must be addressed individually and personally to each interested party to whom the data subject to undue access refers, when there is no evidence of access carried out for service needs.

It is also required that the contact activities of the customers involved be recorded in detail and that they be documented in written form, in the methods of execution and in the outcomes of the contact, in compliance with the principle of accountability.

Accesses justified by reasons of service of the employee, evidently excluded from the communication action, must also be documented, as well as accesses that, precisely following the communication action, should be recognized as legitimate by the customers because they were carried out in their interest and in any case for reasons of service.

Any other determination following the definition of the investigation started on the case remains intact, also with reference, among others, to the obligations regarding suitable technical and organizational measures aimed at guaranteeing the protection of data from the design stage and by default, as well as notification of violations of personal data pursuant to Articles 24, 25 and 33 of the Regulation, and which, in any case, pursuant to Article 19, paragraph 6 of Regulation 1/2019, the control activity is without prejudice in the event of subsequent elements of fact or law or of a different and further assessment by the Guarantor.

Furthermore, it is recalled, pursuant to the combined provisions of Articles 58, paragraph 1, letter a) of the Regulation and 157 of the Code, that the Data Controller must demonstrate to the Authority that he has complied with the requirements given by sending documented feedback to the Guarantor within the term of 30 days deemed appropriate in the specific case.

Finally, it is recalled that, pursuant to Article 83, paragraph 6, of the Regulation, "failure to comply with an order by the supervisory authority pursuant to Article 58, paragraph 2, is subject to administrative pecuniary sanctions of up to EUR 20 000 000, or in the case of undertakings, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher".

NOW, CONSIDERING ALL THE ABOVE, THE GUARANTOR

1) pursuant to the combined provisions of Articles 34, paragraph 4 and 58, paragraph 2, letter e) of the Regulation, orders Intesa Sanpaolo S.p.A. to communicate the breach of personal data in question to the data subjects involved, within the terms specified in the reasons, without delay and, in any case, within twenty days from the date of receipt of this provision, within the terms set out in the preamble, providing at least the information referred to in Article 34, paragraph 2, of the Regulation;

2) pursuant to the combined provisions of Articles 58, paragraph 1, letter a) of the Regulation and 157 of the Code, also orders the company to send the Authority, within thirty days from the date of receipt of this provision, adequately documented feedback on the initiatives undertaken in order to implement the provisions of point 1);

3) pursuant to Article 17 of the Regulation of the Guarantor no. 1/2019 of 4 April 2019, provides for the annotation of the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation in the internal register of the Authority, provided for by art. 57, par. 1, letter u) of the Regulation;

4) pursuant to art. 154-bis, paragraph 3 of the Code and art. 37 of the Regulation of the Guarantor no. 1/2019, provides for the publication of this provision on the Authority's website.

Please note that failure to respond to this request is punishable by an administrative sanction pursuant to the combined provisions of art. 83, par. 5, letter e) of the Regulation and 166 of the Code.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the Data Controller is resident, within thirty days of the date of its communication.

Rome, 2 November 2024

for THE PRESIDENT
THE VICE PRESIDENT
Cerrina Feroni

for THE REPORTER
THE VICE PRESIDENT
Cerrina Feroni

THE GENERAL SECRETARY
Mattei

SEE ALSO: Press release of 5 November 2024

[web doc. no. 10070521]

Provision of 2 November 2024

Register of provisions
no. 659 of 2 November 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN in particular Articles 33 and 34 of the Regulation entitled, respectively, “Notification of a personal data breach to the supervisory authority” and “Communication of a personal data breach to the data subject”;

HAVING SEEN Legislative Decree No. 196 of 30 June 2003, containing the “Personal Data Protection Code”, as amended by Legislative Decree No. 101 of 10 August 2018 (hereinafter the “Code”);

HAVING SEEN the “Guidelines 9/2022 on the notification of personal data breaches under the GDPR” adopted by the European Data Protection Board on 28 March 2023, replacing the “Guidelines on the notification of personal data breaches under Regulation (EU) 2016/679” of the Article 29 Data Protection Working Party of 3 October 2017, as amended and lastly adopted on 6 February 2018 and adopted by the European Data Protection Board on 25 May 2018 (hereinafter the “Notification Guidelines”);

HAVING SEEN the “Guidelines 01/2021 on examples of notification of a personal data breach” adopted by the European Data Protection Board on 14 December 2021 (hereinafter “Guidelines on cases of personal data breach”);

HAVING SEEN the “Guidelines for data processing relating to the bank-customer relationship” of 25 October 2007 (published in the Official Journal no. 273 of 23 November 2007; www.gpdp.it, web doc. no. 1457247);

HAVING SEEN Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Data Protection Authority (hereinafter “Regulation 1/2019”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Authority no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

The Authority became aware, through the personal data breach notification of 17 July 2024 (file DB006866), submitted as a final notification pursuant to art. 33 GDPR by Intesa Sanpaolo S.p.A. (hereinafter “Controller”, “Bank” or “Company”), of a loss of confidentiality of personal data caused by unauthorized access by an employee to the banking data of some customers.

In particular, in the aforementioned personal data breach notification, the Company stated that “In February 2024, the Privacy Function, responsible for second-level checks regarding potential anomalies in bank data access by employees detected by the alert systems adopted by this Data Controller, analyzed the queries performed by the employee concerned (assigned to the Agribusiness Branch of Barletta - Bisceglie Branch with the role of Agribusiness Manager) on the credit card transactions of a customer between 1 October 2023 and 12 October 2023. The alert system also intercepted in the same period (October - November 2023) other potential anomalous accesses on two additional customers…” and that “…Based on the outcome of all the checks conducted, it is believed that the perimeter of customers actually impacted by the ascertained anomalous operations carried out by the employee involved is 9 natural persons.”

With reference to the assessment of the risk of the breach, the Bank considered that the event presented a medium risk for the rights and freedoms of natural persons, due to the fact that "The interventions carried out by the competent Internal Audit and Human Resources function with direct contact with the employee who committed the breach and his subsequent suspension from service, made it possible to permanently interrupt access to the personal data of the affected customers. The compulsive and extensive behavior of the affected employee on customers outside his portfolio and the gradual assessments carried out, make the motivation he gave (i.e. curiosity) in consulting the personal data of such customers plausible, consequently limiting the potential impacts for the interested parties also taking into account the absence of signs of exfiltration of the information displayed".

Having regard to the communication to the interested parties, pursuant to art. 34 of the Regulation, the Bank stated that it wanted to communicate the event to the nine interested parties involved: "although it does not detect high risks for the rights and freedoms of individuals, this Data Controller will proceed, in order to provide all relevant information regarding the incident that occurred and allow a prompt response to any requests for further clarifications, to inform the 9 interested parties (including acquaintances and relatives of the employee involved) who have received the highest number of accesses, through an interview carried out by the Managers of the Branches where the relationships are rooted".

With reference to the notification of a personal data breach to the supervisory authority provided for by art. 33 of the Regulation, the Bank considered that it had provided all the necessary information with the notification submitted on 17 July 2024, which was in fact indicated as "complete".

On 30 August 2024, the Bank nevertheless proceeded to integrate the notification previously submitted, to inform the Authority that it had proceeded with the dismissal of the employee in question.

Subsequently, on 10 October 2024, the Authority learned, from press reports, that an Intesa Sanpaolo employee had accessed, outside the proper operations connected to the performance of his work, the "... deposits of politicians and military personnel, including the prime minister's sister, her former partner and ministers Crosetto and Santanchè. But also Ignazio La Russa and the prosecutor of the National Anti-Mafia Directorate, Giovanni Melillo..." (see https://www.agi.it/cronaca/news/2024-10-10/spiati-conti-correnti-di-giorgia-meloni-e-sorella-inchiesta-su-ex-dipendente-intesa-sanpaolo-28202220/).

In particular, the accesses “…would have been almost seven thousand, made between February 21, 2022 and April 24, 2024, and would have more specifically concerned the over three thousand five hundred portfolio customers of 679 branches of Intesa Sanpaolo, spread throughout Italy” (see https://www.ansa.it/puglia/notizie/2024/10/10/spiati-i-conti-correnti-di-meloni-giambruno-la-russa_cb03fa8d-6456-4f78-9fb5-5eb7895cee00.html) and would have been discovered by the Bank thanks to a complaint lodged by a current account holder.

In this regard, the Authority, with note prot. 118325 of 10 October 2024, sent a request for information to Intesa Sanpaolo in order to verify whether the facts reported in the press were attributable to the personal data breach described in the notification of 17 July 2024, and to ascertain the actual scope of the events notified at the time, which had been described as far narrower both in the number of data subjects involved and in their categories (holders of elected and public offices, political and public figures).

The Bank responded, with note no. 121551 of 17 October 2024, specifying that:

the personal data breach event described in the notification of 17 July 2024 is the same as that reported in the press reports;

the breach consisted of “…loss of confidentiality, due solely to access apparently not justified by service reasons carried out by an employee”;

the Bank became aware, for the first time, of an anomalous access by the employee on 9 October 2023, following the activation of the alert F23.2acc - Privacy Alert "Cards and CRIF", part of the controls set up by Intesa Sanpaolo, in compliance with the Authority's Provision no. 192/2011. This alert reported a potential anomaly regarding the employee's query of the movements, relating to the previous two months, of a customer's credit card;

following the activation of other alerts at a later time and the outcome of internal checks and verifications, also carried out through the analysis of the logs of the accesses carried out overall by the employee and retained for 24 months pursuant to the aforementioned Provision of the Guarantor no. 192/2011, on 4 July 2024, the Bank initiated disciplinary proceedings against the employee;

the number of interested parties involved is, at present, “…not determinable – that is, to be determined with reasonable certainty, it requires the use of a disproportionate effort. The number disclosed by the press of 3,572 customers, corresponding to 6,637 accesses made by the Employee and indicated in the Audit function report of 21 May 2024 (“Audit Report”, attached as Annex 1), corresponds to the customers not based at the Agribusiness Branch of Barletta and at the related branches of Bisceglie and Ruvo di Puglia (Branch and branches pertaining to the Employee) whose data were accessed by the Employee on 460 days between 21 February 2022 and 24 April 2024”;

“…the inquiries made by the Employee in the Two-Year Analysis Period on 3,572 customers could, theoretically, be consistent with the specific operations of an Agribusiness Manager (qualification held by the Employee), who may have to question “in circularity” even customers not established at his/her own Branch…”. In this regard, “…the Employee has objected to the legitimacy of some of the 6,637 accesses…”;

the Audit Report shows that, with reference to the customers accessed by the Employee: “…34 are national politicians, belonging to both center-right and center-left political forces. In total, in the Two-Year Analysis Period, the Employee’s inquiries relating to these subjects were 102 (equal to 1.54% of the total of 6,637 accesses cited in the Audit Report). In particular, for 15 of the 34 politicians, the Employee carried out only one inquiry and, for another 11 individuals, he carried out two inquiries and, of the 34 politicians, it turned out that 10 did not have – at the time of the facts – any relationship with the Bank (with a blank query result); 43 are nationally famous figures from the world of entertainment, sports and news; 73 are employees and managers of the Bank, including some top management; the remaining 3,422 customers consist mainly of individuals from the Employee's place of residence or rooted in other places that revolve around his personal and professional sphere. In particular, approximately 2,450 of these individuals are from places in Bari and surrounding areas of the Employee's place of residence; the accesses concerned 1) contractual positions/SICLI (NJ00 - customer card), 2) movement of accounts (IY11 - e/c for internal use) and payment cards (ZAFI - allows you to query the world of "payment cards"), sometimes also with transaction details, and 3) financial activities (DAPY - investments).";

the Bank declared that it had no evidence of extraction of the data subject to access by its employee through internal information systems;

the Bank reiterated that it had not proceeded to communicate to the interested parties pursuant to art. 34 of the Regulation "Consistent with the conclusions of the Data Protection Officer, the Bank (data controller) did not in turn consider that the personal data breach in question was "likely to present a high risk for the rights and freedoms of natural persons" (art. 34.1 GDPR) and, therefore, did not communicate the same personal data breach to all potentially involved subjects";

the Bank would however be "... evaluating sending to our entire customer base, consisting of approximately 13 million interested parties, a client caring communication dedicated to describing how the matter actually unfolded and what its possible consequences may be, but also the measures we have adopted and those we are evaluating to adopt";

with respect to what was described in the notification of 17 July 2024, the Bank intended to clarify that: "... The notification filed on 17 July 2024 is only the first communication to the Authority on the matter of interest..." and, with reference to the indication of 9 interested parties involved, "certainly the positions of 9 customers of the Bank (7 NDG5 + 2 joint account holders) were subject to anomalous accesses by the Employee in consideration of the number of such accesses" and that, furthermore, "Specifically, these are customers who were subject to a total of 1,333 accesses out of a total of 6,637 accesses extracted in the two-year analysis period for the purposes of the Bank's checks".

* * *

Pending the definition of a broader investigation, still underway, aimed at examining in depth what has been illustrated above and defining all aspects related to the event that occurred, it is necessary to assess the conformity of the initiatives undertaken so far by the Bank to protect the interested parties, with particular reference to the full and effective fulfillment of the communication obligations pursuant to art. 34 of the Regulation, in light of both the declarations made by the Data Controller and the elements independently acquired by the Office.

In this regard, the Regulation indicates that, in the risk assessment, both the likelihood and the severity of the risks to the rights and freedoms of the data subjects are taken into account, and that such risks are determined on the basis of an objective assessment (see recitals 75 and 76).

In particular, the Notification Guidelines identify the following factors to be considered – in the event of a personal data breach – in the assessment of the risk for the rights and freedoms of the interested parties: the type of breach; the nature, sensitivity and volume of the personal data; the ease of identification of the data subjects; the severity of the consequences for the data subjects; the particular characteristics of the data subject; the particular characteristics of the Data Controller; and the number of data subjects involved.

Contrary to what was assessed by the Data Controller, the Authority considers that the personal data breach in question is likely to present a high risk to the rights and freedoms of natural persons, taking into account the nature of the personal data breach – which, under the conditions set out in art. 615-ter of the Criminal Code, may constitute a criminal offence – the categories of personal data subject to the breach, the severity and persistence of the possible consequences for natural persons that could arise from the breach (such as, for example, disclosure of information regarding financial status and reputational damage), as well as the sector of activity of the Data Controller, which requires a high degree of accountability on the part of its agents in order to guarantee customers' trust in them, satisfying, in particular, their legitimate expectations of confidentiality and security of the processing.

Art. 34, par. 1, of the Regulation establishes that "where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the breach to the data subject without undue delay", except in cases where such communication is not required because one of the conditions set out in par. 3 of the same article is met; none of those conditions applies to the case in question.

The aforementioned Notification Guidelines recall that “in principle, the breach should be communicated directly to the data subjects concerned, unless this would involve a disproportionate effort. In that case, a public communication or a similar measure allowing the data subjects to be informed with equal effectiveness shall be made” (see art. 34, par. 3, letter c), of the Regulation), recalling the “Guidelines on transparency under Regulation (EU) 2016/679” of the Article 29 Working Party, adopted by the European Data Protection Board on 25 May 2018. These latter Guidelines clarify that the controller should “carry out an assessment weighing up, on the one hand, the effort […] and, on the other hand, the impact and effects […] on the data subject”.

In this regard, the Notification Guidelines draw the attention of data controllers to the provisions of art. 34, par. 3, of the Regulation, noting that “in accordance with the accountability principle, the controller should be able to demonstrate to the supervisory authority that it meets one or more […] conditions” for which it is not required to communicate the personal data breach directly to the data subjects involved.

Communication to the data subjects is, moreover, one of the measures that the controller can adopt to mitigate the possible negative effects of the personal data breach for the data subjects and has as its main objective that of providing specific information on the measures that the data subjects themselves can adopt to protect themselves from the possible negative consequences of a breach (see recital no. 86 of the Regulation).

In any case, the Guidelines on notification recommend that the controller “choose a means that maximizes the possibility of correctly communicating the information to all data subjects” highlighting that “it could also be envisaged to adopt technical provisions to make information on the breach available upon request, a solution that could prove useful for natural persons who may be affected by a breach but who the controller cannot otherwise contact”.

The Guidelines on cases of personal data breach highlight how communication to data subjects is a good practice and a mitigating factor in the presence of a ransomware attack with exfiltration, because “the breach affects not only the availability of the data, but also confidentiality, as the attacker may have modified and/or copied the data from the server. Therefore, the type of breach entails a high risk” and “the nature, sensitivity and volume of personal data further increase the risks, as the number of individuals affected is high, as is the overall amount of personal data compromised” (see paragraphs 42 and 43); where the breach involves data of different kinds, including financial data, it can cause greater damage: “Breaches involving health data, identity documents or financial data such as credit card details can cause damage in themselves, but if used together they could be used for identity theft. A combination of personal data is typically more sensitive than a single personal data.” (see paragraph 108).

In light of the above, therefore, the Data Controller is required to communicate the breach to the data subjects, given the particular sensitivity of the personal data concerned, in accordance with a precautionary principle. Despite the uncertainty about any further use of the data accessed by the employee (it is not known, at present, whether they were acquired as computer data or as images, or were simply consulted and, possibly, manually transcribed onto paper or electronic media), that principle requires adopting in any case the greatest possible precautions in the face of the potential harm caused by the employee's repeated actions, which are still being examined by the competent judicial authority.

Furthermore, it should be noted that the Data Controller's decision not to communicate with the data subjects prevents them from taking appropriate precautionary measures in light of the nature of the personal data concerning them that were subject to the breach (recital 86 of the Regulation; see also Provision no. 264 of 10 December 2020, web doc. no. 9557555).

This, also taking into account the fact that, during the investigation carried out so far, the Data Controller has not demonstrated in any way the existence of the condition referred to in art. 34, par. 3, of the Regulation in relation to the disproportionate effort that the aforementioned communication would require.

Therefore, the condition provided for in letter c) of par. 3 is not met, also considering that the customers whose bank positions were accessed by the employee are certainly known to the Bank, as are the contact details of each of them, and taking into account the time elapsed and the analyses carried out by the Bank, including those conducted in cross-examination with the employee.

Furthermore, the communication does not appear to involve a disproportionate effort in view of the number of interested parties to whom it should be addressed, a number which, by admission of the Bank itself, represents "... a small number of interested parties compared - for the Bank - to the total number of customers".

This also considering that the communication that the Data Controller has declared it intends to send to its entire customer base would have different contents and purposes from the necessarily more specific communication required by art. 34 of the Regulation, which, instead, must be made to those whose personal data were subject to undue access, that is, access made in the absence of documented service reasons and likely to present a high risk to their fundamental rights and freedoms.

Art. 34, par. 4, of the Regulation, finally, establishes that "if the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so".

* * *

In light of the examination of the circumstances brought to the attention of the Authority and the considerations made, it is deemed necessary and urgent to order the Data Controller, pursuant to the combined provisions of Articles 34, par. 4, and 58, par. 2, letter e) of the Regulation, to individually communicate the personal data breach to all data subjects whose personal and banking data have been accessed and cannot be traced back with certainty to the employee's ordinary work activity, providing at least the information referred to in Article 34, par. 2, of the Regulation, "without undue delay" and, in any case, within twenty days from the date of receipt of this provision, in order to ensure effective protection for the interested parties, in particular by describing the nature of the violation and its possible consequences, providing the contact details of the data protection officer or another contact point specifically established where further information can be obtained, as well as providing information on the measures adopted to remedy the violation and to mitigate its possible negative effects.

Such communication must be made through individual contact, preferably through specially trained personnel of the customer's branch, in the manner that the Data Controller deems most appropriate, identifying an order of priority and a possibly differentiated calendar, according to a timing proportionate to the risk.

The communication must be addressed individually and personally to each interested party to whom the data subject to undue access refers, when there is no evidence of accesses carried out for service needs.

It is also required that the activities of contacting the customers involved be recorded in detail and documented in written form, both as to the manner in which the contact was made and as to its outcome, in compliance with the principle of accountability.

Accesses justified by the employee's service reasons, which are evidently excluded from the communication action, must also be documented, as must accesses that, following the communication action itself, are recognized as legitimate by the customers because they were carried out in their interest and, in any case, for service reasons.

Any further determination following the conclusion of the investigation initiated on the case remains reserved, also with reference, among others, to the obligations regarding suitable technical and organizational measures aimed at guaranteeing data protection by design and by default, as well as the notification of personal data breaches pursuant to Articles 24, 25 and 33 of the Regulation; in any case, pursuant to Article 19, paragraph 6 of Regulation 1/2019, the control activity is safeguarded in the event of subsequent elements of fact or law or of a different and further assessment by the Guarantor.

Furthermore, it is recalled, pursuant to the combined provisions of Articles 58, paragraph 1, letter a) of the Regulation and 157 of the Code, that the Data Controller must demonstrate to the Authority that it has complied with the requirements given by sending documented feedback to the Guarantor within the term of 30 days deemed appropriate in the specific case.

Finally, it is recalled that, pursuant to art. 83, par. 6, of the Regulation, “failure to comply with an order by the supervisory authority pursuant to Article 58, paragraph 2, shall be subject to administrative fines of up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

1) pursuant to the combined provisions of art. 34, par. 4 and 58, par. 2, letter e) of the Regulation, orders Intesa Sanpaolo S.p.A. to communicate the personal data breach in question to the data subjects involved, within the terms specified in the reasoning and set out in the introduction, without delay and, in any case, within twenty days from the date of receipt of this provision, providing at least the information referred to in art. 34, par. 2, of the Regulation;

2) pursuant to the combined provisions of Articles 58, paragraph 1, letter a) of the Regulation and 157 of the Code, also orders the company to send the Authority, within thirty days of the date of receipt of this provision, adequately documented feedback on the initiatives undertaken in order to implement the provisions of point 1);

3) pursuant to Article 17 of the Regulation of the Guarantor no. 1/2019 of 4 April 2019, orders the annotation of the violations and measures adopted in accordance with Article 58, paragraph 2, of the Regulation in the internal register of the Authority, provided for by Article 57, paragraph 1, letter u) of the Regulation;

4) pursuant to Article 154-bis, paragraph 3 of the Code and Article 37 of the Regulation of the Guarantor no. 1/2019, provides for the publication of this provision on the Authority's website.

Please note that failure to respond to this request is punishable by an administrative sanction pursuant to the combined provisions of Articles 83, paragraph 5, letter e) of the Regulation and 166 of the Code.

Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an objection to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the Data Controller is resident, within thirty days of the date of its communication.

Rome, 2 November 2024

for THE PRESIDENT
THE VICE PRESIDENT
Cerrina Feroni

for THE RAPPORTEUR
THE VICE PRESIDENT
Cerrina Feroni

THE SECRETARY GENERAL
Mattei