€31.8 Million GDPR Fine for an Insider Breach That Ran Undetected for Two Years

On 30 March 2026, Italy’s data protection authority, the Garante della Privacy, issued a €31.8 million GDPR fine against one of the country’s largest financial institutions for failing to see what its own staff were doing.

What did the Garante find?

The investigation was triggered by the institution’s own breach notification in July 2024, more than two years after the unauthorised accesses began in February 2022. The Garante identified three separate failures.

Article 32 – inadequate security measures. One employee queried large portions of the customer database in what the Garante described as a “circular” pattern for over two years without triggering a single internal alert. Among those accessed were individuals in prominent public roles, who require a higher, not a lower, level of protection. The controls existed on paper. They did not function in practice.

Article 33 – late and incomplete breach notification. When the institution did report to the Garante, the notification was both delayed and did not meet the content requirements.

Article 34 – delayed communication to data subjects. Affected customers were only notified after the Garante intervened directly in November 2024. Article 34 does not give organisations the option to wait for a regulatory prompt.

What does this mean in practice?

Most GDPR conversations in financial services focus on third-party processors, data transfers, and consent. Insider access monitoring rarely gets the same attention, until a case like this makes it unavoidable.

The Garante’s core finding was not that the incident occurred. Insider breaches happen. The finding was that no system detected the pattern: one employee, 6,600 queries, 26 months. Any functioning anomaly detection setup should have caught that well before the institution eventually noticed it.
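The detection gap described above comes down to measuring the wrong thing: a few queries a day looks like ordinary portfolio work, while the number of distinct customer records one person touches over a month does not. The following is an added illustration, not code from the article or from GDPRLocal; the audit-log events, employee names and thresholds are all constructed for the example.

```python
"""Toy insider-access detector: flags staff whose access reaches an unusually
broad slice of the customer base, even when their daily query volume is normal."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed sample audit events (timestamp, employee, customer_id).
    'alice' and 'bob' re-read their own small portfolios every day; 'sweep'
    reads the same number of records per day but walks through the whole
    customer base a few records at a time, mimicking a 'circular' pattern.
    Synthetic data, not the case's real log."""
    events = []
    start = datetime(2022, 2, 1)
    for day in range(60):
        ts = start + timedelta(days=day)
        for i in range(5):                      # ordinary portfolio work
            events.append((ts, "alice", f"C{100 + i}"))
            events.append((ts, "bob", f"C{200 + i}"))
        for i in range(5):                      # same volume, new customers daily
            events.append((ts, "sweep", f"C{(day * 5 + i) % 2000}"))
    return events


def breadth_per_employee(events, window_days=30):
    """Count distinct customer records each employee touched in the last window.
    A per-day rate limit would treat all three employees as identical."""
    cutoff = max(ts for ts, _, _ in events) - timedelta(days=window_days)
    seen = defaultdict(set)
    for ts, emp, cust in events:
        if ts > cutoff:
            seen[emp].add(cust)
    return {emp: len(custs) for emp, custs in seen.items()}


def flag_outliers(breadth, factor=5, floor=50):
    """Flag employees whose breadth exceeds both an absolute floor and
    factor x the peer median. Thresholds are illustrative assumptions."""
    peer_median = median(breadth.values())
    return sorted(emp for emp, n in breadth.items()
                  if n >= floor and n > factor * peer_median)


if __name__ == "__main__":
    breadth = breadth_per_employee(build_sample_log())
    print(breadth)                  # {'alice': 5, 'bob': 5, 'sweep': 150}
    print(flag_outliers(breadth))   # ['sweep']
```

In a real deployment the same breadth measure would be computed from database audit logs or an access-control system's query log, and a flagged account would be routed to a reviewer rather than acted on automatically.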

The notification failures are separate violations. Late reporting and delayed communication to data subjects each carry their own weight under the regulation, independent of the underlying breach.

How GDPRLocal approaches these kinds of situations

GDPRLocal works with organisations on both sides of this problem.

Before an incident: reviewing what employee access to personal data looks like in practice, identifying which monitoring triggers should exist, and ensuring documentation reflects controls that actually work, not just controls listed on a policy page.

After an incident: supporting the notification process from the first hours, covering timing, content, and direct communication to affected individuals, to meet Articles 33 and 34 correctly the first time.

Conclusion

This case signals that GDPR enforcement is increasingly focused on what happens inside the organisation, not just at the perimeter. Regulators are asking whether your systems were capable of detecting a breach, whether you properly reported it, and whether you notified your customers in time.

About the Author

Ana Mishova

Sales and Business Development Consultant – GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.