AEPD (Spain) - PS/00362/2021

From GDPRhub
Revision as of 09:24, 2 September 2021

AEPD (Spain) - PS/00362/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.07.2021
Published: 20.10.2021
Fine: 120.000 EUR
Parties: BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
National Case Number/Name: PS/00362/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined Banco Bilbao €120.000 for allowing callers to obtain detailed information on credit card transactions by providing only the card holder's ID number. It concluded that such a procedure violates the confidentiality of personal data due to insufficient technical and organizational safeguards.

English Summary

Facts

Banco Bilbao provided clients with ‘Affinity Cards’, credit cards that could be used only within an affiliated group of several stores and companies. Any person calling the bank's automated information hotline was able to obtain details of a card's last transactions in exchange for the card holder's ID number.

In the absence of any other security measure to confirm the client's identity, anyone could call the automated system and obtain financial information simply by giving an ID number, with no verification that the caller was the actual holder of that document.

Holding

The AEPD held that the bank thereby failed to adopt appropriate security measures, violating the principle of integrity and confidentiality under Article 5(1)(f) GDPR and the obligation to implement technical and organizational safeguards under Article 32 GDPR. Accordingly, asking only for the ID number is insufficient to properly authenticate the client in question.

Considering the number of clients affected, the solvency of the entity and its high degree of responsibility, the DPA imposed a fine of €200.000 on the bank. The fine was finally reduced to €120.000 because of prior voluntary payment and the bank's acknowledgment of responsibility.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


File No.: PS/00362/2021

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On July 27, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the respondent), by means of the Agreement transcribed below:

<<

Procedure No.: PS/00362/2021

AGREEMENT TO START THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On March 25, 2020, A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency.

The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169 (hereinafter, the respondent).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/16

The grounds of the claim are that the respondent provides the detail of the last movements of the Affinity Card through an automated telephone service, *** TELEPHONE. 1, which asks only for the client's DNI as identification data.

The claimant states that the respondent adopts no other security measure to confirm the client's identity, so that anyone can call, give a DNI number and obtain the information associated with that DNI, without any verification that the caller is the holder of that identity document.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), the claim was transferred to the respondent on June 8, 2020, under reference number E/03724/2020, so that it could analyse it and inform this Agency within one month of the actions taken to comply with the requirements of the data protection regulations.

Despite the nature of this requirement, which, as indicated in article 65.4 of the LOPDGDD, is optional and prior to the start of any procedure, on September 25, 2020 the respondent, in reply to this Agency's request, stated that the deadline to respond given in the Agency's letter amounted to an error in the processing of the procedure, and for that reason, on the basis of article 76.2 of Law 39/2015 on the Common Administrative Procedure of the Public Administrations, requested that the procedure be suspended until the error was corrected and the request for information was served on it again.

THIRD: On December 4, 2020, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim filed by the claimant.

FOURTH: In view of the facts reported in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection carried out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it is verified that the controller is the respondent.

Likewise, the following points are found:

On December 10, 2020, a request for information was sent to BANCO BILBAO VIZCAYA ARGENTARIA, S.A. by several means:

- Electronically through notific@, a system that allows proof that the notification was delivered on December 16, 2020; no reply was received.
- By post; no reply was received.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

Article 58 of the RGPD states:

"2. Each supervisory authority shall have all of the following corrective powers:

(…)

i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;

(…)"

The RGPD establishes in article 5 the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality".

The article states that:

"1. Personal data shall be:

(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')".

In turn, the security of personal data is regulated in article 32 of the RGPD, which establishes that:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in article 40 or an approved certification mechanism as referred to in article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law".

The violation of article 32.1 of the RGPD is typified in article 83.4.a) of the aforementioned RGPD in the following terms:

"4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43;

(…)"

For its part, the LOPDGDD, in its article 71, Infractions, states that: "The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infractions".

And in its article 73, for the purposes of limitation periods, it classifies as "Infractions considered serious":

"On the basis of article 83.4 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein, and in particular the following, are considered serious and will become time-barred after two years:

(…)

f) Failure to adopt technical and organisational measures that are appropriate to ensure a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

III

Article 32 of the RGPD does not establish a list of security measures applicable according to the data being processed, but rather establishes that the controller and the processor shall implement technical and organisational measures that are appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects.

Likewise, the security measures must be adequate and proportionate to the risk identified, noting that the technical and organisational measures must be determined taking into account: pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore availability and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when evaluating the adequacy of the security level, particular account shall be taken of the risks presented by the data processing as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data, which could cause physical, material or non-material damage.

In this same sense, recital 83 of the RGPD states that:

"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage".

IV

In this case, it is stated that the respondent provides the detail of the last movements of the Affinity Card through an automated telephone service, *** TELEPHONE. 1, which asks only for the client's DNI as identification data.

Unless proven otherwise, these facts suggest that the respondent did not adopt adequate security measures, since anyone using the automated telephone service could give a DNI number, whether or not they were its holder, and obtain the information associated with that DNI, because the respondent adopts no security measure to verify that the person requesting the information is the holder of that identity document.

This Agency informed the respondent of the claim filed and requested information in relation to it, in accordance with article 65.4 of the RGPD.

On September 25, 2020, the respondent, in reply to that request, asked for the suspension of the procedure in accordance with article 76.2 of Law 39/2015 on the Common Administrative Procedure of the Public Administrations, alleging defects in the processing.

The Spanish Data Protection Agency addressed the respondent requesting information in accordance with article 65.4 of the RGPD, which establishes the following:

"Before deciding on the admission for processing of the claim, the Spanish Data Protection Agency may send it to the data protection officer designated, where appropriate, by the controller or processor, or to the supervisory body established for the application of codes of conduct, for the purposes provided for in articles 37 and 38.2 of this organic law. The Spanish Data Protection Agency may also send the claim to the controller or processor when no data protection officer has been designated and they have not adhered to out-of-court dispute resolution mechanisms, in which case the controller or processor must reply to the claim within one month."

This requirement is of a discretionary nature, intended to determine whether or not it is appropriate to admit the procedure for processing in light of the answer given by the respondent to this Agency, so as to avoid, as far as possible, initiating sanctioning procedures when the situation that is the subject of the claim has already been resolved, or there is a serious and verifiable intention to resolve it, without prejudice to the investigative actions that the Spanish Data Protection Agency, as supervisory authority, may always carry out if it considers them appropriate and necessary, in accordance with article 57.1 of the RGPD.

Neither of the two possibilities indicated can be inferred from the answer given by the respondent.

Therefore, on account of the facts claimed, that is, the failure of the respondent to adopt adequate security measures, in breach of the principle of integrity and confidentiality of article 5.1 f) of the RGPD, whose purpose, among others, is to avoid unauthorised or unlawful processing of personal data, this Agency proceeds to open the corresponding sanctioning procedure against the respondent for the possible violation of article 32 of the RGPD, transcribed in Ground II, which states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure an appropriate level of security".

In addition, in accordance with article 32 of the RGPD, the respondent will be required to take appropriate technical and organisational measures to ensure an adequate level of security using mechanisms that allow:

- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing.

V

Article 83.4 a) of the RGPD establishes that:

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43

In turn, article 73.f) of the LOPDGDD, under the heading "Infractions considered serious", provides:

"On the basis of article 83.4 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein, and in particular the following, are considered serious and will become time-barred after two years:

f) Failure to adopt technical and organisational measures that are appropriate to ensure a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

VI

In accordance with the precepts indicated, for the infringement of article 32, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the RGPD:

As aggravating factors, the following:

- The number of clients of the respondent is high, and therefore so is the number of persons affected (art. 83.2 a).
- The respondent is a solvent entity that has the technical means to take adequate security measures; their absence implies negligence in its actions (art. 83.2 b).
- The high degree of responsibility of the respondent, since, processing its customers' personal data on a daily basis as part of its business and adopting adequate security measures, including those of the regulations for the prevention of fraud in banking entities, it is fully aware of the need to implement security measures appropriate to the risk in all the processing it carries out, which aggravates its responsibility for the lack of security measures (art. 83.2 d).
- Despite the previous requests and attempts of this Agency to communicate with the respondent in order to learn the situation from the point of view of all the affected parties, the respondent has not submitted allegations to the prior request, other than to request its suspension alleging errors in the processing of a procedure not yet started, and has not collaborated with this Agency in its actions, despite being aware of the claim filed against it (art. 83.2 f).

VII

Therefore, based on the foregoing,

the Director of the Spanish Data Protection Agency

AGREES:

FIRST: TO INITIATE A SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged violation of article 32 of the RGPD, typified in article 83.4.a) of the RGPD.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as Secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase, and the report of the previous Inspection actions.

FOURTH: THAT, for the purposes provided for in art. 64.2.b) of Law 39/2015, of October 1, and article 58.2.b) of the RGPD, it would be appropriate to impose a penalty of 200,000 euros (two hundred thousand euros) for the violation of article 32 of the RGPD, without prejudice to what results from the instruction of the procedure.

FIFTH: TO NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, granting it a hearing period of ten business days to make the allegations and present the evidence it considers appropriate. In its statement of allegations it must provide its NIF and the procedure number that appears at the top of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the agreement may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, it may acknowledge its responsibility within the period granted for making allegations to this initiation agreement, which will entail a reduction of 20% of the penalty to be imposed in this procedure. With the application of this reduction, the sanction would be set at €160,000 (one hundred and sixty thousand euros), and the procedure would be resolved with the imposition of this sanction.

Likewise, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will entail a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at €160,000 (one hundred and sixty thousand euros), and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with the one applicable for the acknowledgment of responsibility, provided that the acknowledgment of responsibility is made within the period granted for making allegations to the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions are applied, the amount of the penalty would be set at €120,000 (one hundred and twenty thousand euros).

In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

If it chooses to make voluntary payment of any of the amounts indicated above, €160,000 (one hundred and sixty thousand euros) or €120,000 (one hundred and twenty thousand euros), it must do so by paying into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the ground for the reduction of the amount that it accepts.

Likewise, it must send the proof of payment to the Subdirectorate General for Inspection in order to continue the procedure according to the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, it will lapse and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, no administrative appeal lies against this act.

Mar España Martí
Director of the Spanish Data Protection Agency

>>

SECOND: On August 18, 2021, the respondent made payment of the sanction in the amount of 120,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted for making allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the acknowledgment of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of
December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction the infringements committed against that Regulation; the infringements of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the offences typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of that Law.

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges its responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and another non-pecuniary sanction but the inadmissibility of the second has been justified, voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for the damage caused by the commission of the offence.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency

RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00362/2021, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of that Law.

936-160721
Mar España Martí
Director of the Spanish Data Protection Agency