Intesa Sanpaolo’s Isybank Hit with €17.6 Million Fine Over Customer Data: What You Need to Know

By Marco Ferri, 2026-03-13 14:27
Data Protection Authority fines Intesa Sanpaolo over Isybank case

You know the saying, "if it seems too good to be true, it probably is"? It couldn't be more accurate, especially when it comes to banks and those "offers" that pop up in your app, looking like they're doing you a favour. Before you know it, you’ve got a new IBAN and your local branch has vanished into thin air. The talk of the town right now is the €17.6 million fine slapped on Intesa Sanpaolo. It's a hefty sum, no doubt, and it's the Data Protection Authority's way of saying "enough is enough" to the whole messy business of customers being herded onto Isybank.

So, what exactly happened? The inside story on the Intesa Sanpaolo Isybank fine

Grab a seat, because this is a story you need to hear. It all kicked off between late 2023 and early 2024. Intesa Sanpaolo decided to go all-in on digital and launched Isybank, its new online-only, app-based bank with no physical branches. So far, so modern. The problem? It was the way they went about populating it.

They took around 2.4 million current account holders and transferred them over to Isybank without asking. And how were these customers chosen? They were carefully profiled, like picking the best apples at the market: under 65, no investments (like funds or shares), savings under a certain amount (reportedly €100,000), and frequent users of online banking. In other words, the "digital natives" ready to be shipped off to this new branchless promised land.

The crux of the matter: unlawful data processing and communications that went unnoticed

And here's where it all went wrong for the bank. To carry out this selection, Intesa Sanpaolo used customer data, citing "legitimate interest." Now, you might be thinking, "legitimate interest" sounds serious and above board, right? It can be, but the Data Protection Authority ruled that it just didn't cut it here. For a change that fundamentally alters your banking life – a new IBAN to sort out for your salary, no more local branch, dealing with a new "data controller" – they needed your explicit consent. And that was never asked for. The result? Unlawful data processing and a record fine.

And if that wasn't enough, here's the part that really gets people going: how did they announce this massive shake-up? Not with a clear push notification, not with a text. They tucked the notice away in the "archive" section of the Intesa Sanpaolo app. And guess when they did it? Right in the middle of summer. When everyone's mind is on holidays and, well, anything but banking. A perfect strategy, really, to make sure no one noticed in time to object. The Authority called the communications "insufficient" and said they failed to give proper prominence to such a monumental change.

What does this mean for affected customers? A practical guide on what to do next

Now, the big question on everyone's lips is: "I got caught up in this mess, what should I do?". The fine has been issued, the bank is paying up (a significant amount at that), but you still have rights. Here’s a handy review of the situation and how to navigate it:

  • Is the damage already done? For many, yes. If you were transferred, you've already experienced the change in terms and conditions. The Authority acknowledges this has caused "inconvenience".
  • Can I switch back? This is the key point. You need to check if, at the time of the transfer, you were given a clear and obvious way to opt out. Given how the communications were handled, it's highly likely many people couldn't make an informed choice. In theory, the move should have been based on your conscious decision.
  • What should I do now? If you're one of the 2.4 million people involved, keep your wits about you. Consumer rights groups are already onto this. You might be entitled to compensation, or at the very least, you could request to be moved back to your original terms with Intesa Sanpaolo.

Isybank: a million customers and an uncertain future

Despite the controversy, Isybank is a real entity that, by early 2026, has already surpassed one million customers and aims to double that by 2029. It's a "cloud-native" bank, very much a product of its time, designed to take on the fintechs. But this €17.6 million fine is a serious blow to its reputation. Because while a fine is a one-off financial hit, trust is a different matter entirely. And trust, as they say, is like glass – once it's cracked, it's never quite the same.

In deciding the amount, the Data Protection Authority considered the huge number of customers affected and the severity of the breach. They also took into account that the bank cooperated and that the conduct was deemed "negligent" rather than "deliberate." In other words: "You made a serious blunder, and it's going to cost you."

So, the story isn't over yet. The bank can appeal the decision, and for you, the customer, the best advice is to stay vigilant. The lesson here is simple: when you get a message from your bank, even if it's buried in some virtual drawer within the app, read it. And if something doesn't feel right, remember that now you know the Data Protection Authority might just be on your side.