UniCredit hit by data breach of Italian client records
uk.reuters.comWill the GDPR kick in?
They informed authorities, just as required by GDPR article 33, a good question is whether they reacted within 72 hours of finding out, given that the breach is from 2015. They seem/claim to be compliant with article 32, but I guess they should be investigated.
See section 2 here: http://www.privacy-regulation.eu/en/index.htm