Italian DPA Fines Intesa Sanpaolo €31.8M for Two-Year Insider Breach
Italy's data protection authority imposed one of its largest banking-sector fines after a single Intesa Sanpaolo employee made over 6,600 unauthorised queries of 3,573 customer accounts, including those of high-profile public figures, between February 2022 and April 2024 without triggering a single internal alert. The Garante found violations of Articles 32 (inadequate technical and monitoring controls), 33 (delayed and incomplete breach notification), and 34 (failure to communicate the breach to affected individuals until ordered to do so). The fine signals that regulators are scrutinising inward-facing controls as closely as perimeter defences. Financial institutions holding large customer datasets should urgently audit behavioural analytics and insider-threat detection capabilities.
EDPB Publishes Case Digest on 'Legitimate Interest' Decisions
The EDPB has published a case digest compiling one-stop-shop decisions on the use of "legitimate interest" as a legal basis under the GDPR. The digest brings together examples from decisions adopted by Data Protection Authorities, illustrating how the three-step test for legitimate interest is applied in practice across different factual scenarios. It also reflects recent guidance and relevant case law, highlighting both compliant and non-compliant uses of this legal basis. The document was prepared under the EDPB's Support Pool of Experts programme to support cooperation and consistency in enforcement.
ICO Urges Platforms to Strengthen Age Assurance Measures
The UK Information Commissioner's Office ("ICO") has issued an open letter calling on social media and video-sharing platforms to strengthen age assurance measures and prevent underage users from accessing their services. The ICO emphasized that reliance on self-declared age is insufficient and expects platforms to use available technologies to effectively enforce minimum age requirements. It has also asked major platforms to demonstrate how their current measures meet these expectations.
The letter forms part of the next phase of the ICO's Children's Code strategy and follows recent enforcement actions against platforms for failing to implement adequate age assurance and for unlawful processing of children's data.
EDPB Study Maps Data Broker Ecosystem and Risk Categories
On 3 March 2026, the EDPB published a market study analysing the data broker ecosystem in Belgium, including a methodology to identify data brokers and a typology of their business models. The study defines data brokers as entities that collect, aggregate and monetize personal data from multiple sources, often without direct interaction with individuals. It identifies different categories of data brokers and data providers, distinguishing them based on how data is collected, processed and shared, and assessing their relative risk levels. It also highlights that only a limited number of companies fully meet the strict definition of a data broker, leading to a broader classification framework covering related actors within the data economy.
CNIL Clarifies Strict Limits on Audio Recording in Video Surveillance
The French Data Protection Authority ("CNIL") has published guidance clarifying that audio recording in the context of video surveillance is, as a rule, prohibited due to its intrusive nature.
The CNIL notes that the use of sound recording devices may only be justified in exceptional circumstances, provided that such measures are necessary and proportionate. In particular, audio recording must be limited, not continuous, and typically activated only in response to a specific incident. The guidance also emphasizes that recordings should only be retained where an incident is confirmed, and that data subjects must be properly informed and their rights safeguarded.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.