Right of access: Data Protection Authority fines bank 100 000 EUR. Customers can access their data contained in telephone order recordings
Background information
- Date of final decision: 10 July 2025
- National case
- Controller: Banco Bilbao Vizcaya Argentaria SA
- Legal Reference(s): Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 15 (Right of access by the data subject)
- Decision: Administrative fine
- Key words: Administrative fine, Data subject rights, Transparency
Summary of the Decision
Origin of the case
A customer who was the victim of fraud contacted the bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10 000 EUR and reconstructing what had happened. Having received no satisfactory response, he lodged a complaint with the Garante. Only after the Authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed.
Key Findings
During the investigation, the Italian SA pointed out that – according to the European Data Protection Board Guidelines 01/2022 on data subject right of access – even telephone calls between customers and banks can be considered personal data and, as such, must be accessible upon request, in compliance with the rights of any third parties involved.
Decision
The Garante imposed an administrative fine of 100 000 EUR. In determining the amount, the Authority took into account the bank's turnover, its cooperation during the investigation and the absence of previous infringements.