The Privacy Guarantor has sanctioned Intesa Sanpaolo “for having unlawfully processed” the data of approximately 2.4 million customers, unilaterally transferred to the 100% controlled online bank Isybank. For this reason the authority imposed a fine worth 17.6 million euros on the bank led by Carlo Messina.
The Guarantor’s considerations
“Today’s provision closes a complex investigation, started following numerous reports from account holders,” states the Privacy Guarantor, defining the violations that emerged during the investigation as “serious”.
To identify among its customers those to be transferred to the newly established Isybank – explained the Authority – Intesa Sanpaolo carried out customer profiling, selecting customers who presented certain characteristics, including an age not exceeding 65 years, habitual use of digital channels in the last year, absence of investment products and financial availability below a certain threshold.
Unilateral modification of contracts
An operation which, according to the Guarantor, significantly affected their position, since it involved the transfer of relationships to a different data controller, with consequent unilateral modification of the contractual conditions and operating methods of the current account compared to those originally envisaged (e.g. attribution of a new IBAN and consequent need to communicate it to third parties; lack of physical branches and exclusive access via app).
The limited information provided to customers
Furthermore, according to the Authority, the communications sent by the Bank to customers to inform them of this operation were lacking. In fact, the communications were mostly sent coinciding with the summer period, in the archive section of the Intesa Sanpaolo app, without giving them the necessary evidence that the extraordinary nature of the operation would have required (e.g., through push notifications or SMS). It follows that the processing carried out by the bank in the manner described in the provision is unlawful, also because the customer could not reasonably have foreseen it based on the context and information received.
Isybank’s numbers and prospects
Isybank, the online bank of the Intesa Sanpaolo Group, closed 2025 with over 1 million active accounts, of which 900,000 already opened by new customers and approximately 350,000 by customers transferred from Intesa Sanpaolo. In the Group’s new strategic plan, Isybank aims to acquire one million new customers by 2029, with an increase in the number of customers to over 2 million and to bring customer financial assets at Isybank to around 8 billion euros in 2029 from around 2.9 billion in 2025, with a net result of around 100 million euros in 2029 from around 19 million in 2025 (+52% CAGR).
