The Italian Garante (Data Protection Authority) fined a bank €600,000 for several violations that occurred before the GDPR came into force. The violations affected over 700,000 customers between April 2016 and July 2017. The bank reported the violation to the Authority in July 2017. Employees of a commercial partner of the bank were able to access personal and sensitive information about the bank’s customers. This information included personal and contact data, profession, level of study, identification details of an identification document and information relating to employer, salary, loan amount, payment status, “approximation of the customer’s credit rating,” and IBAN code. That is a lot of sensitive information!

Interestingly, the Garante explained the rationale for the amount of the fine as follows: “In determining the amount of the amount in €600,000, the Authority took into account several elements, including the fact that the violations were committed against a significant number of people and that the bank — which did not suffer previous sanctioning measures by the Guarantor — following the data breach, adopted various measures and initiatives aimed at strengthening the security of its IT systems.”