Mistaken Bank Transfer: Confidentiality and Privacy Must Yield, Says the Florence Court
A recent interim order issued by the Court of Florence (order dated 7 May 2025) addressed the potential conflict between banking confidentiality and the rights of third parties.
In this case, an Italian company mistakenly transferred funds to an unknown party due to an incorrect IBAN, while intending to move the money between two of its own bank accounts. Notably, the company had indicated itself as the “payee” in the transfer order.
Attempts to obtain the cooperation of the recipient’s bank—to either reverse the transaction or at least provide the recipient’s details—were unsuccessful. The bank cited banking confidentiality and personal data protection as reasons for the refusal. The company then sought an interim injunction compelling the bank to urgently disclose the requested information.
The Florence Court granted the injunction. The judge held that the transferor was entitled to obtain the recipient’s details under the Transparency Provisions issued by the Bank of Italy and through a purposive interpretation of Legislative Decree No. 11/2010, which implements the so-called Payment Services Directives.
The court also referred to a ruling by the Italian Supreme Court on the obligations of financial intermediaries towards a payee who suffers a loss due to an incorrect IBAN (in this case, the petitioner was both the transferor and the intended payee). It found that the bank must at least show it took steps to enable the interested party to identify the unintended recipient.
Regarding the bank’s data protection objections, the Court held that the legal basis for the disclosure of personal data was Article 6(1)(f) of the GDPR, which permits processing, without the data subject’s consent, when necessary to pursue a legitimate interest of the controller or a third party. The Court also cited Article 9(2)(f), which provides an exception to the prohibition on processing special categories of personal data where necessary for the establishment, exercise, or defence of legal claims—arguing that if this applies to sensitive data, it applies a fortiori to non-sensitive data.
The judge therefore ordered the bank to immediately disclose the relevant information, including whether the funds had been withdrawn, by whom, and when, and imposed a daily monetary penalty for any delay in compliance.
In the author’s view, although the outcome is correct, the reasoning concerning data protection is not entirely convincing.
Once it was established that the petitioner had a right to the requested information and the bank had a corresponding duty to disclose it, the appropriate conclusion would have been that the processing was both lawful and mandatory under Article 6(1)(b) and (c) of the GDPR—that is, for the performance of a contract or to comply with a legal obligation.
There appears to be no valid reason to rely on the “legitimate interest” basis instead: this legal basis involves a balancing test that is inherently less robust than other, more concrete bases such as legal obligation. More importantly, legitimate interest may justify data processing, but it does not make it mandatory.
The reference to Article 9 of the GDPR is also unnecessary, as the provision concerns special categories of personal data (which were not at issue in this case) and requires an additional condition for legitimacy beyond a lawful basis for processing.