The fines are thought to be the highest ever issued by a European data protection authority.
The illegal data processing was discovered as part of a money laundering investigation into Sigue Global Services Ltd and four other companies. The investigation found that funds had been divided up and falsely attributed to thousands of unsuspecting individuals before being transferred abroad. This was done to ensure that each transfer fell below the financial threshold above which stringent money laundering checks would be applied.
The Italian data protection authority found that the personal data of the individuals who had funds falsely attributed to them had been processed illegally. In particular, the individuals had not consented to the processing of their personal data. Given the seriousness of the crime and the number of individuals involved, the Italian data protection authority fined the companies €5.88m, €1.59m, €1.43m, €1.26m and €0.85m respectively.
This decision is notable for the scale of the fines (in the UK, for example, fines for data breaches are currently capped at £500,000). Fines of this magnitude (and larger) are likely to become more common when the GDPR comes into force in May 2018, when national regulators will be able to impose fines of up to €20m or 4% of total worldwide annual turnover.