AN - 0000104/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(6 intermediate revisions by 3 users not shown)
Line 66: Line 66:
}}
}}


The Spanish Court Audiencia Nacional annuled a millionaire fine imposed on BBVA. It held that the DPA violated principles of the administrative sanctioning procedure as it went beyond the facts reported in the original complaints and carried out a general investigation on the bank's data protection policy.
The Spanish Court Audiencia Nacional annulled a multi-million fine imposed on BBVA. It held that the DPA violated principles of the administrative sanctioning procedure as it went beyond the facts reported in the original complaints and carried out a general investigation on the bank's data protection policy.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 18 November 2020, the Spanish DPA ([[AEPD (Spain)|AEPD]]) jointly decided on five complaints made by different data subjects against Banco Bilbao Vizcaya Argentaria, SA (BBVA) [[AEPD - PS/00070/2019|(PS/00070/2019]]). In short, of the five complaints: One concerned the obligation to sign a data protection policy document to unblock a bank account; one referred to the validity of consent obtained through agreement with the data protection policy document; and other three were related to receiving advertising messages without consent (which the bank claimed to have obtained through the documents that the clients signed).
This decision is the result of an appeal against a Spanish DPA ([[AEPD (Spain)|AEPD]]) decision (a summary is available on [[AEPD - PS/00070/2019|GDPRhub]]) which fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) a total of €5,000,000 for violating articles [[Article 6 GDPR|6]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 of the GDPR]].
 
At the end of the procedures, the DPA found a violation of [[Article 6 GDPR]] and imposed a fine of €3,000,000. Due to the absence of clear information in the bank's data protection document, it also found a violation of Article [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]] and imposed a fine of €2,000,000. In its decision, the DPA considered that although the complaints referred to specific and individualized behaviors in relation to certain natural persons, the violations transcended said complaints. It held that the data protection policy documents well as the consent obtained from its customers infringed the GDPR, affecting all customers. Therefore, it ordered BBVA to adapt its processing operations to the data protection legislation, to provide adequate information to its customers and to correct the way through which consent was being obtained.  


The bank filed a judicial appeal against the DPA decision. Among other aspects, BBVA claimed that there was a total disconnection between the object of the procedure by the DPA and the complaints made by the data subjects. It argued that the DPA used specific and individual facts and complaints as an excuse to initiate a sort of general review of BBVA's practices and their data protection policy.
The bank filed a judicial appeal against the DPA decision. Among other aspects, BBVA claimed that there was a total disconnection between the object of the procedure by the DPA and the complaints made by the data subjects. It argued that the DPA used specific and individual facts and complaints as an excuse to initiate a sort of general review of BBVA's practices and their data protection policy.
=== Holding ===
While rejecting some of the arguments of BBVA, the Court agreed that there is a relevant disconnection between the initial complaints and the final DPA decision.


=== Holding ===
The Court stressed that [[Article 57 GDPR#1f|Article 57(1)(f) GDPR]] enables the DPA to investigate facts or the subject matter of the complaint. However, the Court considered that this would not cover the opening of a general procedure against the data protection policy itself. In its reasoning, it referred to one of its previous decisions from 23 April 2019 (Rec. 88/2017), in which it defined criteria for the application of the principles of the administrative sanctioning procedure within the scope of the DPA.  
In handling the bank's main claim, the Court stressed that [[Article 57 GDPR#1f|Article 57 (1)(f) GDPR]] enables DPAs to handle complaints lodged by data subjects and investigate, to the extent appropriate, the subject matter of the complaint. However, it does not allow the DPA to open a sanctioning proceeding against the controller as a result of the complaint. In its reasoning, it refers to a decision from 23 April 2019 (Rec. 88/2017), in which it defined criteria for the application of the principles of sanctioning administrative law within the scope of the DPAs.  


In the case at hand, the judges agreed that the AEPD failed: a) to examine the facts reported in the complaints; b) to make an assessment of the evidence in relation to those facts; and c) to link the facts to the privacy policy document. Rather, they found that the AEPD used these facts to open a sort of general investigation on the privacy policy document. In the Court's view, the reference that the data subjects made to the bank's privacy policy related to concrete facts. Therefore, the DPA is only empowered to investigate said facts or the "subject matter of the complaint".  
In the case at hand, the judges agreed that the DPA failed: (i) to examine the facts reported in the complaints; (ii) to make an assessment of the evidence in relation to those facts; and (iii) to link the facts to the data protection policy document. Rather, they found that the DPA opened a general investigation into the data protection policy of BBVA. In the Court's view, the DPA was bound by the facts of the data subject complaints. Therefore, the DPA is (at least initially) limited to investigate said facts or the "subject matter of the complaint".  


The Court also highlighted the relevance of the principle of legality, provided for in Article 25(1) of the [https://www.boe.es/buscar/pdf/1978/BOE-A-1978-31229-consolidado.pdf Spanish Constitution], within the scope of sanctioning administrative procedures. It referred to a Supreme Court precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the National Court understood that the mere existence of a privacy policy does not correspond to any concrete violation as the GDPR do not punish potential infringements. For this reason, it held that it was not possible to impose a fine on the controller on these grounds.
The Court invoked the principle of legality, provided for in Article 25(1) of the [https://www.boe.es/buscar/pdf/1978/BOE-A-1978-31229-consolidado.pdf Spanish Constitution], and referred to a [https://www.poderjudicial.es/search/AN/openDocument/e67b457a281d75be/20091008 Supreme Court (Tribunal Supremo) precedent] according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the Court states that the mere existence of a data protection policy does not correspond to any concrete violation as the GDPR, or other data protection legislation, does not punish potential infringements.  


Finally, the Court held that the assessment of the evidence by the DPA must be carried out in compliance with the principle of the presumption of innocence, which limits its action to the facts proven in the course of the procedure. In its understanding, the facts do not lead to the conclusion that the privacy policy violated the rights of an entire universe of consumers, not least because a small number of complaints cannot be taken as representative of thousands of bank clients.
Further, the Court held that it was for the DPA to assess the evidence of the facts in order to duly respect the principle of presumption of innocence. In its ruling, it pointed out that in this case the DPA only stated the proven facts related to the complaints, but did not assess these facts in its final decision. If an individual violation is not proven, neither should the conclusion be reached that the data protection policy violated the rights of all customers.


For these reasons, the Court annulled the DPA's decision holding that it was not in accordance with the law.
For these reasons, the Court annulled the DPA decision holding that it was not in accordance with the law.


== Comment ==
== Comment ==
There is no discussion about the possibility of the DPA to investigate "ex officio". Spanish administrative law provides for this option. In "ex officio" procedures the DPA has a wider margin to define the scope of the procedure as when it is directly confronted with a complaint. Given that both possibilities exist (complaint based procedure and "ex officio" procedure - see Art. 64.2 [https://boe.es/buscar/act.php?id=BOE-A-2018-16673&p=20230221&tn=1#a6-6 LOPDGDD]) it should have been brought up (or if it was brought up during the procedure, mentioned in the final decision) if it is permissible for the DPA to switch from a complaint based procedure to an "ex officio" procedure and, if yes, under which circumstances. For now the answers provided seem to be rather limited.  
There is no discussion about the possibility of the DPA to investigate ''ex officio''. Spanish administrative law provides for this option. In ''ex officio'' procedures the DPA has a wider margin to define the scope of the procedure as when it is directly confronted with a complaint. Given that both possibilities exist (complaint based procedure and ''ex officio'' procedure - see Art. 64.2 [https://boe.es/buscar/act.php?id=BOE-A-2018-16673&p=20230221&tn=1#a6-6 LOPDGDD]) it should have been brought up (or if it was brought up during the procedure, mentioned in the final decision) if it is permissible for the DPA to switch from a complaint based procedure to an ''ex officio'' procedure and, if yes, under which circumstances. Judging from the content of the decision, such an option seems rather limited.  


== Further Resources ==
== Further Resources ==

Latest revision as of 15:19, 26 April 2023

AN - 0000104/2021
Courts logo1.png
Court: AN (Spain)
Jurisdiction: Spain
Relevant Law: Article 57(1)(f) GDPR
Decided: 23.12.2022
Published:
Parties: BBVA
AEPD
National Case Number/Name: 0000104/2021
European Case Law Identifier: ECLI:ES:AN:2022:6460
Appeal from: AEPD (Spain)
PS/00070/2019
Appeal to: Unknown
Original Language(s): Spanish
Original Source: Audiencia Nacional (in Spanish)
Initial Contributor: Bernardo Armentano

The Spanish Court Audiencia Nacional annulled a multi-million fine imposed on BBVA. It held that the DPA violated principles of the administrative sanctioning procedure as it went beyond the facts reported in the original complaints and carried out a general investigation on the bank's data protection policy.

English Summary

Facts

This decision is the result of an appeal against a Spanish DPA (AEPD) decision (a summary is available on GDPRhub) which fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) a total of €5,000,000 for violating articles 6, 13 and 14 of the GDPR.

The bank filed a judicial appeal against the DPA decision. Among other aspects, BBVA claimed that there was a total disconnection between the object of the procedure by the DPA and the complaints made by the data subjects. It argued that the DPA used specific and individual facts and complaints as an excuse to initiate a sort of general review of BBVA's practices and their data protection policy.

Holding

While rejecting some of the arguments of BBVA, the Court agreed that there is a relevant disconnection between the initial complaints and the final DPA decision.

The Court stressed that Article 57(1)(f) GDPR enables the DPA to investigate facts or the subject matter of the complaint. However, the Court considered that this would not cover the opening of a general procedure against the data protection policy itself. In its reasoning, it referred to one of its previous decisions from 23 April 2019 (Rec. 88/2017), in which it defined criteria for the application of the principles of the administrative sanctioning procedure within the scope of the DPA.

In the case at hand, the judges agreed that the DPA failed: (i) to examine the facts reported in the complaints; (ii) to make an assessment of the evidence in relation to those facts; and (iii) to link the facts to the data protection policy document. Rather, they found that the DPA opened a general investigation into the data protection policy of BBVA. In the Court's view, the DPA was bound by the facts of the data subject complaints. Therefore, the DPA is (at least initially) limited to investigate said facts or the "subject matter of the complaint".

The Court invoked the principle of legality, provided for in Article 25(1) of the Spanish Constitution, and referred to a Supreme Court (Tribunal Supremo) precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the Court states that the mere existence of a data protection policy does not correspond to any concrete violation as the GDPR, or other data protection legislation, does not punish potential infringements.

Further, the Court held that it was for the DPA to assess the evidence of the facts in order to duly respect the principle of presumption of innocence. In its ruling, it pointed out that in this case the DPA only stated the proven facts related to the complaints, but did not assess these facts in its final decision. If an individual violation is not proven, neither should the conclusion be reached that the data protection policy violated the rights of all customers.

For these reasons, the Court annulled the DPA decision holding that it was not in accordance with the law.

Comment

There is no discussion about the possibility of the DPA to investigate ex officio. Spanish administrative law provides for this option. In ex officio procedures the DPA has a wider margin to define the scope of the procedure as when it is directly confronted with a complaint. Given that both possibilities exist (complaint based procedure and ex officio procedure - see Art. 64.2 LOPDGDD) it should have been brought up (or if it was brought up during the procedure, mentioned in the final decision) if it is permissible for the DPA to switch from a complaint based procedure to an ex officio procedure and, if yes, under which circumstances. Judging from the content of the decision, such an option seems rather limited.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database will be able to consult the documents as long as they do so for their private use. The use of the database for commercial purposes is not allowed, nor is the massive download of information. The reuse of this information for the preparation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may lead to the adoption of the appropriate legal measures.