The Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) recently announced that it levied a €600,000 fine on banking institution UniCredit for several violations of the Italian Personal Data Protection Code, in its pre-General Data Protection Regulation (“GDPR”) form.

The sanction was imposed following a data breach that took place between April 2016 and July 2017 that the banking institution notified to the Garante at the end of July 2017. As a result of the breach, the personal data of over 700,000 customers, including contact details, employment data (e.g., salary information), education data, identification details and financial data (e.g., bank account number, information on loans, payment status and customers’ credit ratings), was unlawfully accessed.

The Garante found that the bank had failed to implement adequate security measures and comply with local requirements regarding the tracking of banking transactions. In determining the amount of the fine, the Garante took into account the number of individuals affected by the breach, as well as the fact that the bank had implemented various security measures to strengthen the security of its IT systems following the breach.

Read the Garante’s decision (in Italian).