Background information

On 22 June 2017, the Italian Data Protection Authority (hereinafter, “Garante”) confirmed the unlawful processing of personal data by an Italian financial institution (“Bank”), which permitted one of its employees to illicitly view current account data of one of its clients and communicate it to third parties.

In the case at stake, an account holder argued before the Garante that specific data relating to her current account between 2010 and 2012 had been presented as evidence during a judicial trial without her specific authorisation or any other legal basis. Following the Garante’s investigation, the Bank acknowledged that one of its employees had accessed such data without a specific reason and had likely communicated it to the opposing party in the judicial trial.

Legal framework and main issues

Back in 2007, the Garante published its Guidelines for the processing of customers' data in the banking sector, emphasising the illicit nature of communicating banking information to third parties without the data subject's authorisation, a practice which can also have serious consequences in terms of civil and criminal liability under Sections 15 and 167 of the Personal Data Protection Code.

In 2011, the Garante enacted a decision (in Italian only) requiring the banking sector to implement, no later than September 2014, tracking systems, alerts and annual internal audits to secure the processing of customers’ data.

Whilst the case at stake refers to personal data processed before the security measures prescribed in the 2011 decision became applicable, the Garante confirmed that the Bank, through one of its employees, unlawfully processed and communicated personal data without the data subject’s consent or another legal basis as described in the 2007 Guidelines (see also Section 11(a) and Sections 23 and 24 of the Personal Data Protection Code).

Interestingly enough, the Garante mentioned the principle of “accountability” of Article 24 of the General Data Protection Regulation (“GDPR”) to state that, starting from next May, data controllers in the banking sector cannot rely upon prescriptive laws in terms of security measures: each data controller will have to assess its own security, deciding when and how to track or to carry out audits.

Practical implications

Since 2014, the Italian banking sector has been required to implement the organisational and technical measures defined in the Garante’s 2011 decision (which must be read in conjunction with the 2007 Guidelines): tracking systems, alerts and annual internal audits to secure the processing of customers’ data.

Furthermore, financial institutions need to make sure that customers are identified and an adequate legal basis is determined before any processing (in particular, any communication) of personal data takes place. Employees must receive data protection training, their operations must be tracked, and the tracking system must be adequately audited.

Starting from 25 May 2018, financial institutions may not rely upon prescriptive data protection laws. They will have to improve their organisational and technical measures, as the 2007 Guidelines and the 2011 decision will represent only an insufficient starting point.