Intesa Sanpaolo Fined €17.6m Over Isybank Customer Data Transfer: What We Know
Someone once told me that nothing in life is free, and they weren't wrong. Especially when it comes to banks and those "offers" that pop up in your app, looking like they're doing you a favour, only for you to end up with a new sort code and no branch to visit. The news doing the rounds at the moment is the €17.6 million fine handed to Intesa Sanpaolo. It's a significant sum, and one the Italian privacy watchdog (Garante) has dished out to put a stop to the controversial mass migration of customers to its digital-only bank, Isybank.
What exactly happened? Unpacking the Intesa Sanpaolo Isybank fine
Grab a coffee, because this story needs a proper explanation. It all kicked off between late 2023 and early 2024. Banking group Intesa Sanpaolo decided to push forward with its digital strategy and launched Isybank, its new, fully online subsidiary. No physical branches, just an app. So far, so modern. The issue was *how* they went about populating this new venture.
They took roughly 2.4 million current account holders and transferred them over to Isybank without asking. How did they choose them? They profiled their customer base in detail, picking customers based on specific criteria: under 65, no investment products (like funds or shares), balances below a certain threshold (reportedly under €100,000), and frequent users of online banking. In short, they were seen as the ideal digital customers, ready to be moved to this new branchless set-up.
The core of the problem: Unlawful data processing and buried communications
And here's the rub. Or rather, where the bank slipped up. To carry out this selection, Intesa Sanpaolo processed customer data on the basis of "legitimate interest". Now, you might think: "But legitimate interest is a valid legal basis, isn't it?" Absolutely, it can be. However, the Garante ruled that it wasn't sufficient in this case. For an operation that fundamentally changes your banking relationship – a new sort code and account number to update for your salary, the loss of a physical branch, and a new entity controlling your data – explicit consent was required. And that consent was never sought. The result? A finding of unlawful data processing, and a significant fine.
Then there's the added detail that really gets people going: how was this momentous change communicated? Not with a clear push notification, not with a text message. They tucked the communication away in the "archive" section of the Intesa Sanpaolo app. And guess when they did it? Right in the middle of summer. A time when most people's minds are on holidays. It was a perfect strategy to ensure hardly anyone noticed in time to object. The Garante described the communications as "inadequate" and failing to give proper prominence to such a major change.
What does this mean for customers? A practical guide on what to do next
Now, the big question everyone is asking is: "I was caught up in this – what should I do?" The fine has been issued, the bank pays it (and it's not small change), but you have rights. Here's a quick review of the situation and how to proceed:
- Is the damage done? For many, yes. If you were transferred, you've already experienced the change in terms and conditions and how you bank. The Garante acknowledges this has caused "inconvenience".
- Can I go back? This is the key point. You need to check if, at the time of the transfer, you were given a clear opportunity to object. Given how the communications were handled, it's likely many couldn't make an informed choice. In theory, the new arrangement should have been based on your conscious decision.
- What should you do now? If you're one of the 2.4 million people affected, keep an eye out. Consumer associations are already looking into this. You might be entitled to compensation, or at the very least, you could request to be moved back to the original terms and conditions with Intesa Sanpaolo (the parent company).
Isybank: A million customers and an uncertain future
Despite everything, Isybank is a growing entity. By early 2026, it had already surpassed one million customers and aims to double that by 2029. It's a "cloud-native" bank, designed to compete with fintechs. But this €17.6 million fine is a serious blow to its reputation. While the fine itself is a one-off financial hit, trust is a different matter entirely. And trust, as they say, is like glass – once cracked, it's hard to restore.
In deciding the amount, the Garante took into account the huge number of customers involved and the severity of the breach. They also noted that the bank cooperated and that the conduct was deemed "negligent" rather than "deliberate". In other words, it wasn't a malicious act, but one born of carelessness. The message is clear: it was a serious mistake, and it's proving costly.
So, the story isn't over yet. The bank can appeal the decision to an administrative court. As for you, the customer, the best advice is to stay vigilant. The lesson here is simple: when you get a communication from your bank, even if it seems hidden away in a virtual drawer within the app, read it. And if something doesn't feel right, know that the regulator might just be on your side.