AEPD (Spain) - EXP202200471
Latest revision as of 13:21, 13 December 2023
| AEPD - PS-00419-2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR; §76(2)(b) LOPDGDD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 80,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS-00419-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Michelle Ayora |
The Spanish DPA fined a bank €80,000 (€50,000 for a violation of Article 5(1)(f) GDPR and €30,000 for a violation of Article 32 GDPR), reduced to €64,000 on voluntary payment, for lacking adequate technical and organisational measures in relation to a confidentiality breach. A bank employee sent a customer another customer's account contract through the app's chat, and the link to that document remained accessible for almost four months.
English Summary
Facts
On 26 October 2021, the data subject requested a certificate of ownership of their account from BBVA (the controller) through the bank's app. Instead, through the same chat channel, they received another customer's account contract, containing that customer's name, surname, national ID number (NIF), home address and IBAN.
The data subject reported the incident to the controller and expressed concern for the protection of their own personal data. The bank's representative apologised, attributed the incident to an "operational error" and stated that the data subject's data was protected. The data subject pointed out, however, that the third party's document was still accessible through the chat. The controller's employee replied that it was not technically possible to delete or withdraw the document once it had been sent. The data subject therefore filed a complaint with the Spanish DPA against the controller for having been given access to a third party's contract instead of the document they had requested.
The DPA forwarded the complaint to the controller, which replied that the chat tool ("My Conversations") was a secure, logged-in channel that gave access to the conversation history in order to guarantee the transparency and traceability of operations. It characterised the disclosure as an isolated human error by the manager, who had attached the wrong contract, and stated that it had asked the data subject in writing to delete the document, warning that its disclosure, reproduction or distribution was prohibited. It also stated that it had removed the link to the file from the conversation, so that the document could no longer be downloaded or viewed; the screenshots it provided showed the link still present on 16 February 2022 and absent on 21 February 2022.
Holding
First, the Spanish DPA examined the controller's reaction to the confidentiality breach. It noted that the occurrence of a personal data breach does not in itself entail a fine; what matters is an analysis of the diligence shown by the controller and the security measures it applied.
Second, the DPA stressed the obligation to comply with the integrity and confidentiality principle of Article 5(1)(f) GDPR and with the security of processing requirements of Article 32 GDPR. It found a violation of Article 5(1)(f) GDPR and treated as an aggravating circumstance, under Article 83(2)(d) GDPR, the controller's degree of responsibility in light of the technical and organisational measures it had applied pursuant to Articles 25 and 32 GDPR: the controller had to implement adequate measures to prevent personal data from being exposed to unauthorised third parties, yet the breach was not corrected until at least 16 February 2022, almost four months after the disclosure, which showed that appropriate measures were lacking. The DPA also found a violation of Article 32 GDPR: at the time of the breach, the controller had no appropriate technical and organisational measures in place to prevent a customer from being given a link that led to a third party's contract instead of the customer's own documentation.
Finally, the DPA set the fine at €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR. Under national law (Article 76(2)(b) LOPDGDD on sanctions and corrective measures, https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673), it treated the close link between the controller's activity and the processing of personal data as a further aggravating circumstance: a bank with a large customer base handles large volumes of personal data and should therefore have sufficient experience and adequate knowledge of how to process it. However, the controller made voluntary payment of the proposed fine, which under Article 85 LPACAP entailed a 20% reduction, and the procedure was terminated with a payment of €64,000 for both violations.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 File No.: EXP202200471 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On September 15, 2022, the Director of the Spanish Agency of Data Protection agreed to initiate sanction proceedings against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement which is transcribed: << File No.: EXP202200471 AGREEMENT TO START THE SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the claiming party) dated November 15, 2021 filed a complaint with the Spanish Data Protection Agency. The The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (hereinafter BBVA). The reasons on which the claim is based are the following: following: It states that it requested a certificate of ownership of its account, through the APP of said entity, receiving, by the same route, on date 26 October 2021, copy of a third party contract. After notifying the entity the incidence and its concern for the protection of its data, receives response, dated October 26, 2021, indicating the following: "I apologize on behalf of my partner, it was an operational error. Your data They are protected." The claimant transfers to the respondent entity that continues to have access to the document with data from third parties, which is still available through the chat of contact with the claimed entity and states that said entity indicates that, computerized, it is not possible to delete said document. Along with the notification is provided: -Contract relating to two holders other than the claimant, dated October 26, 2021. 
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/13 -Conversations held with employees of the entity's management team claimed (on October 25 and 26 and November 11, 2021) about the request for the certificate of ownership, of the contract received relating to third parties, of the operational error. communication from the claimant informing that he continues to have access to the third-party contract through said channel and response from a management company the claimed entity, dated November 11, 2021, indicating that it attaches letter from the bank in this regard, as well as a response from the claimant showing his disagreement with the response received and the lack of respect for the protection of data, adding that he continues to have access to the controversial document. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereafter LOPDGDD), said claim was forwarded to BBVA so that proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on 01/18/2022, as stated in the acknowledgment of receipt in the file. On 02/21/2022, this Agency received a written response indicating: "The incident that has given rise to the request for information is due to the fact that the claimant declares that it requested a certificate of ownership from the entity claimed of your account, through the APP of said entity, receiving, by the same means, in dated October 26, 2021, copy of a third-party contract. The "My Conversations" tool facilitates customer contact with their manager commercial, allowing to attach and send documentation. 
It is a secure channel (environment logged) and efficient that provides access to the history of conversations, with in order to guarantee the transparency and traceability of all operations. It is true that the manager of the team with you BBVA made a specific and human error when attach to your electronic communication a different contract than the one signed by Mr. A.A.A. and that it is an isolated event, with no evidence of other complaints from affected people. BBVA regrets the error and informs this Agency that, at the time the claimant contacted with the manager to warn of the error, he apologized for it, being unable to do more than reiterate his apologies in writing, on 11/11/2021, where he also requested to remove or delete the attached document. BBVA has eliminated customer access to the contract file. although I know maintains the conversation between the manager and the client, the link to the file has been removed in such a way that it cannot access the download/viewing of the document". THIRD: On February 11, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/13 FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: Relevant documentation provided by the claimant: - Document with header that refers to the claimant and title "Certificate of ownership”. Contains a conversation supposedly held between the claimant and a person belonging to the "team of your manager" of the claimant. 
In it, the person from the management team quotes, in a message dated October 26 of 2021, which attaches the account contract. To this message, the claiming responds by pointing out that the document refers to data from third parties. is indicated that it was an "operational error". In the last message contained in the document, dated November 11, 2021, the defendant warns that You continue to have access to the certificate with personal data from third parties. - Agreement to open an account (“Election Account Agreement”) in the claimed dated October 26, 2021 in which they appear as owners two third parties other than the claimant. In addition to the contract conditions, it includes the following categories of third party personal data: name, surname, NIF, address, IBAN code of the bank account. INVESTIGATED ENTITIES During these proceedings, the following entities have been investigated: - BILBAO VIZCAYA ARGENTARIA BANK, S.A. with NIF A48265169 with address at CIUDAD BBVA C/ AZUL 4, EDIF. LA VELA, 7TH FLOOR - 28050 MADRID (MADRID) RESULT OF INVESTIGATION ACTIONS In addition to the documentation mentioned in the background section, it includes information from the following sources: - Written from the claimed and registered entry in the AEPD (numbers O00007128e2200008077 and O00007128e2200008078) dated February 21, 2022 (Written1). Context of the facts The defendant states in the Writ1 that the application of the entity has a section, "My Conversations", which allows the client to interact with their manager commercial. Indicates that access to this part is secure (“logged environment”) and provides access to the history of conversations "in order to guarantee the transparency and traceability of all operations”. The defendant states in the Brief1 that the facts described in the claim were consequence of a "specific and human" error of the manager when attaching in the communication with the claimant the third party contract. 
He adds that "this is an isolated incident, not having evidence of other claims by the affected people. reaction to incident The defendant in Brief 1 states that he has eliminated the possibility of accessing the third party contract by the claimant. In this regard, he points out that "although C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/13 maintains the conversation between the manager and the client, the link to the file has been removed in such a way that it cannot access the download/viewing of the document." To prove it, attach the following: - Document number 3, screen print of the conversation in which leaked the disputed document (taken on February 16, 2022 according to the date of the equipment in the printing itself), which includes the link to contract According to the claimant, this screenshot reflects the situation prior to withdrawal. - Document number 4, screen print of the conversation in which leaked the disputed document (taken on February 21, 2022 according to the date of the equipment in the printing itself), which does not include the link to contract According to the claimant, this screenshot reflects the post-withdrawal situation. The defendant also provides information on the communications addressed to the claimant in relation to these facts: - Document number 2 attached to the Writ1 is a communication addressed by the claimed from the claimant (undated, although the Brief1 states that it was sent on November 11, 2021) which includes the following: "We are writing to you regarding the incident that occurred on the 26th of October, in which we mistakenly sent you documentation that was not corresponded to that of his ownership. First of all, we would like to convey our apologies warning you that it was a specific situation caused by a human factor. 
Although, we have to warn that when dealing with confidential information submitted especially to professional secrecy, its disclosure, reproduction or distribution is prohibited, so having received the information by mistake, you should know that your reading, copying and use are prohibited thanking you to proceed with its destruction. - Document number 1 attached to the Writ1 is a communication addressed by the claimed to the claimant on February 14, 2022 that includes the following: "The purpose of your claim, set forth in your communication, is to state your annoyance for having received through the BBVA APP the copy of the contract of account of a third party, rather than your own. We inform you that this was due to the employee with whom you previously chatted and to whom you requested said shipment, got the file confused and uploaded that of another client. We are very sorry for what happened and the office has already taken action with the staff to avoid confusion of these characteristics.” FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/13 in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." 
II Article 4 paragraph 12 of the GDPR defines, in a broad way, "violations of security of personal data" (hereinafter security breach) as "all those security violations that cause the destruction, loss or alteration accidental or unlawful personal data transmitted, stored or otherwise processed form, or unauthorized communication or access to said data.” In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, by the complaining party has been provided with a contract containing data third party personal It should be noted that the identification of a security breach does not imply the imposition of a sanction directly by this Agency, since it is necessary analyze the diligence of managers and managers and security measures applied. Within the principles of treatment provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data comes regulated in articles 32, 33 and 34 of the GDPR, which regulate the security of the treatment, the notification of a breach of the security of personal data to the control authority, as well as the communication to the interested party, respectively. II Article 5.1.f) "Principles relating to processing" of the GDPR establishes: "1. 
Personal data will be: (…) f) processed in such a way as to guarantee adequate security of the personal data, including protection against unauthorized processing or illicit and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality»).” In this case, it is clear that the personal data of a BBVA customer, in its database, were improperly exposed to the complaining party when you requested access to your own contract, as a link was provided to you through of which, instead of agreeing to his own contract, he agreed to someone else's. In accordance with the evidence available in this agreement of initiation of the disciplinary procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute a infringement, attributable to BBVA, due to violation of article 5.1.f) of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/13 IV. If confirmed, the aforementioned violation of article 5.1.f) of the GDPR could lead to the commission of the offenses typified in article 83.5 of the GDPR that under the The heading "General conditions for the imposition of administrative fines" provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. 
For the purposes of the limitation period, article 72 "Infractions considered very serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” V For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available at the present time of agreement to start disciplinary proceedings, and without prejudice to what results from the investigation, it is considered that the offense in question is serious for the purposes of the GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: -The degree of responsibility of the controller or the person in charge of the treatment, taking into account the technical or organizational measures that they have applied in virtue of articles 25 and 32. Art. 83.2.d). BBVA, as data controller, has to implement measures adequate to avoid the exposure of personal data to third parties authorized. Given that in the present case there has been a breach of confidentiality, which was not corrected until at least February 16, 2022, it can be assumed that appropriate measures had not been taken. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/13 Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and measures corrective measures" of the LOPDGDD: As aggravating factors: -The linking of the offender's activity with the performance of processing of personal data. (Art. 
76.2.b). The activity of BBVA, a financial institution, and the high number of customers that it has, involves handling a large number of data personal. This implies that they have sufficient experience and should have with adequate knowledge for the treatment of said data. The balance of the circumstances contemplated in article 83.2 of the GDPR and the Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the established in article 5.1.f) of the GDPR, allows initially setting a penalty of €50,000 (fifty thousand euros). SAW Article 32 "Security of treatment" of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of processing, as well as risks of variable probability and severity for the rights and freedoms of individuals physical, the person in charge and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which may include, among others: a) the pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness technical and organizational measures to guarantee the safety of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to take into account the risks presented by data processing, in particular as consequence of the destruction, loss or accidental or illegal alteration of data personal information transmitted, preserved or processed in another way, or the communication or unauthorized access to such data. 3. 
Adherence to an approved code of conduct pursuant to article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the processor shall take measures to ensure that any person acting under the authority of the controller or processor and have access to personal data can only process such data by following C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/13 instructions of the person in charge, unless it is obliged to do so by virtue of the Law of the Union or of the Member States. In the present case, at the time the breach occurred, BBVA did not have appropriate technical and organizational measures to prevent the occurrence of the circumstance of making available to a person a link that gave access to the contract of a third party, thus exposing the client's personal data from the October 21, 2021 through at least February 16, 2022. . In accordance with the evidence available in this agreement of initiation of the disciplinary procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute a infringement, attributable to BBVA, for violation of article 32 of the GDPR. 
VII If confirmed, the aforementioned infringement of article 32 of the GDPR could lead to the commission of the offenses typified in article 83.4 of the GDPR that under the The heading "General conditions for the imposition of administrative fines" provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the obligations of the person in charge and the person in charge according to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. For the purposes of the limitation period, article 73 "Infractions considered serious" of the LOPDGDD indicates: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to ensure a level of security appropriate to the risk of treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. 
(…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/13 VIII For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available at the present time of agreement to start disciplinary proceedings, and without prejudice to what results from the investigation, it is considered that the offense in question is serious for the purposes of the GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the criteria that Article 83.2 of the GDPR establishes: Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and measures corrective measures" of the LOPDGDD: As aggravating factors: -The linking of the offender's activity with the performance of processing of personal data. (Art. 76.2.b). The activity of BBVA, a financial institution, and the high number of customers that it has, involves handling a large number of data personal. This implies that they have sufficient experience and should have with adequate knowledge for the treatment of said data. The balance of the circumstances contemplated in article 83.2 of the GDPR and the Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the established in article 32 of the GDPR, allows the initial setting of a penalty of €30,000 (thirty thousand euros). IX Among the corrective powers provided by article 58 "Powers" of the GDPR, in the section 2.d) establishes that each supervisory authority may “order the controller or processor that the processing operations are comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”. 
The Spanish Data Protection Agency, in the resolution that puts an end to this procedure, may order the adoption of measures, as established in Article 58.2.d) of the GDPR and in accordance with what results from the instruction of the procedure, if necessary, in addition to imposing a fine.

Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR.

TO INITIATE SANCTIONING PROCEEDINGS against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of Article 32 of the GDPR, typified in Article 83.4 of the GDPR.

SECOND: TO APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that either of them may be challenged, where applicable, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the Sub-directorate General for Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT, for the purposes provided for in Art.
64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:
- For the alleged infringement of Article 5.1.f) of the GDPR, typified in Article 83.5 of said Regulation, an administrative fine amounting to 50,000.00 euros.
- For the alleged infringement of Article 32 of the GDPR, typified in Article 83.4 of said Regulation, an administrative fine of 30,000.00 euros.

FIFTH: TO NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, granting it a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its statement of allegations it must provide its NIF and the procedure number that appears in the heading of this document.

If, within the stipulated period, it does not make allegations to this initiation agreement, the agreement may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of Article 85 of the LPACAP, it may acknowledge its responsibility within the period granted for formulating allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in this proceeding. With the application of this reduction, the sanction would be set at 64,000.00 euros, and the procedure would be resolved with the imposition of this sanction.

Likewise, at any time prior to the resolution of this procedure, it may make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at 64,000.00 euros and its payment will imply the termination of the procedure.
The reduction for voluntary payment of the penalty is cumulative with the one that applies for acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution.

In this case, if both reductions were to be applied, the amount of the penalty would be set at 48,000.00 euros.

In any case, the effectiveness of either of the two aforementioned reductions will be conditional on the withdrawal of, or waiver of, any administrative action or appeal against the sanction.

In the event that it chooses to proceed with voluntary payment of any of the amounts indicated above (64,000.00 euros or 48,000.00 euros), it must do so by depositing it in account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the cause of the reduction of the amount applied. Likewise, it must send proof of payment to the Sub-directorate General for Inspection in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, it will lapse and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of Article 112.1 of the LPACAP, there is no administrative appeal against this act.
935-110422

Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On 23 September 2022, the claimed party proceeded to pay the penalty in the amount of 48,000 euros, making use of the two reductions provided for in the initiation agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the initiation agreement.

LEGAL GROUNDS

I

In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

Article 85 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning proceedings", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges its responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2.
When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure, and their effectiveness will be conditional on the withdrawal of, or waiver of, any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."

In view of the foregoing, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202200471, in accordance with the provisions of Article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative route as prescribed by Art.
114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in Article 46.1 of the said Law.

936-040822

Mar España Martí
Director of the Spanish Data Protection Agency