AEPD (Spain) - PS/00070/2019: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
m (Ar moved page AEPD - PS/00070/2019 to AEPD (Spain) - PS/00070/2019) |
||
(3 intermediate revisions by 3 users not shown) | |||
Line 71: | Line 71: | ||
|Party_Link_5= | |Party_Link_5= | ||
|Appeal_To_Body= | |Appeal_To_Body=AN (Spain) | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name=104/2021 | ||
|Appeal_To_Status= | |Appeal_To_Status=Annulled | ||
|Appeal_To_Link= | |Appeal_To_Link=https://gdprhub.eu/index.php?title=AN_-_0000104%2F2021 | ||
|Initial_Contributor=n/a | |Initial_Contributor=n/a | ||
| | |}} | ||
}} | |||
The Spanish DPA (AEPD) imposed two fines of €2 and €3 million on Banco Bilbao Vizcaya Argentaria, SA in relation to its privacy policy. The first | The Spanish DPA (AEPD) imposed two fines of €2 and €3 million on Banco Bilbao Vizcaya Argentaria, SA in relation to its privacy policy. The first fine was imposed for breaching the principle of transparency as found in Articles 12, 13 and 14 GDPR. The second fine was imposed as BBVA breached Article 6 GDPR (legality of processing). | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
The decision relates that various joint complaints against Banco Bilbao Vizcaya Argentaria, SA (BBVA). | The decision relates that various joint complaints against Banco Bilbao Vizcaya Argentaria, SA (BBVA). | ||
Line 97: | Line 96: | ||
The fifth complainant complained that they received calls and SMS with advertisements. BBVA outlined that the complainant signed the privacy policy document and consented to such processing of personal data for commercial purposes. It also said that the complainant signed the document a second time expressing their refusal to the processing for commercial purposes. In the first document that was no option to indicate consent and in the second document, the complainant signed the “I don’t want…”. | The fifth complainant complained that they received calls and SMS with advertisements. BBVA outlined that the complainant signed the privacy policy document and consented to such processing of personal data for commercial purposes. It also said that the complainant signed the document a second time expressing their refusal to the processing for commercial purposes. In the first document that was no option to indicate consent and in the second document, the complainant signed the “I don’t want…”. | ||
The privacy policy document in question contained personal data including name, tax ID, date of birth, nationality, address, matrimonial status, fixed and varying income and annual revenue. The purposes and legal bases for processing are also outlined: BBVA relied on legitimate interest for the purpose of | The privacy policy document in question contained personal data including name, tax ID, date of birth, nationality, address, matrimonial status, fixed and varying income and annual revenue. The purposes and legal bases for processing are also outlined: BBVA relied on legitimate interest for the purpose of “''Get to know [the client] better and personalize [the client’s] experience''”. It relied on the client’s consent for the following purposes: | ||
i) offer products and services from BBVA, the BBVA Group and others, customized for the client; | |||
ii) communicating the client’s personal data to BBVA Group companies so that they can offer them personalised products and services; and | * i) offer products and services from BBVA, the BBVA Group and others, customized for the client; | ||
iii) improve the quality of products and services. | * ii) communicating the client’s personal data to BBVA Group companies so that they can offer them personalised products and services; and | ||
* iii) improve the quality of products and services. | |||
According to the BBVA’s policy, signature by the client indicates acceptance of the privacy policy. However, for a data subject to be a client, they must sign it. After the signature point is a section on “additional information” with a glossary of the terminology. With regards to obtaining consent, the section just above the signature point provides different options for the data subject. This includes: | According to the BBVA’s policy, signature by the client indicates acceptance of the privacy policy. However, for a data subject to be a client, they must sign it. After the signature point is a section on “additional information” with a glossary of the terminology. With regards to obtaining consent, the section just above the signature point provides different options for the data subject. This includes: | ||
"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below. | ''"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.'' | ||
Products and prices more adjusted to you | |||
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | ''Products and prices more adjusted to you'' | ||
BBVA and others customized for me. | |||
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | ''[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me.'' | ||
offer own products and services customized for me. | |||
''[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer own products and services customized for me.'' | |||
''Quality improvement'' | |||
''[] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make your data''" | |||
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make your data " | |||
Upon request by the Spanish DPA, BBVA provide the data protection impact assessment (DPIA) for profiling for the purpose of advertisements and the DPIA for risk profiling. The DPA also requested a report where BBVA balanced legitimate interest for the processing relying on that legal basis as well a register of all data processing activities. | Upon request by the Spanish DPA, BBVA provide the data protection impact assessment (DPIA) for profiling for the purpose of advertisements and the DPIA for risk profiling. The DPA also requested a report where BBVA balanced legitimate interest for the processing relying on that legal basis as well a register of all data processing activities. | ||
=== Dispute === | ===Dispute=== | ||
Did the defendant’s privacy policy lack clarity and specificity in breach of Articles 12, 13 and 14 GDPR? | Did the defendant’s privacy policy lack clarity and specificity in breach of Articles 12, 13 and 14 GDPR? | ||
Did the defendant rely on valid legal bases for processing personal data within the scope of Article 6 GDPR? | Did the defendant rely on valid legal bases for processing personal data within the scope of Article 6 GDPR? | ||
=== Holding === | ===Holding=== | ||
The Spanish DPA (AEPD) jointly decided 5 complaints filed against BBVA in relation to its privacy policy and commercial communications (SMS and emails). | The Spanish DPA (AEPD) jointly decided 5 complaints filed against BBVA in relation to its privacy policy and commercial communications (SMS and emails). | ||
Line 130: | Line 130: | ||
The DPA imposed two distinct fines. The first one was a fine of €2 million for the absence of clear information in the privacy policy in breach of the principle of transparency as per Articles 12, 13 and 14. The second fine of €3 million was imposed as BBVA breached Articles 6 (legality of processing). The DPA also required from BBVA that they amend their privacy policy to ensure that they rely on a valid legal basis for processing and that sufficient information is provided to clients. | The DPA imposed two distinct fines. The first one was a fine of €2 million for the absence of clear information in the privacy policy in breach of the principle of transparency as per Articles 12, 13 and 14. The second fine of €3 million was imposed as BBVA breached Articles 6 (legality of processing). The DPA also required from BBVA that they amend their privacy policy to ensure that they rely on a valid legal basis for processing and that sufficient information is provided to clients. | ||
==== On the information within the privacy policy ==== | |||
The DPA first addressed the issue of the provision of information in the privacy policy. | The DPA first addressed the issue of the provision of information in the privacy policy. | ||
Imprecise terminology and vague formulations | ''Imprecise terminology and vague formulations'' | ||
The Spanish DPA referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well are Articles 11(1) and (2) of the Spanish Data Protection Law (LOPDGDD) to highlight the importance of the principle of transparency in data protection law. The DPA then held that BBVA, as a data controller that processes personal data, must in particular respect the obligations outlined in Article 13 and 14 in conjunction with Article 5(1)(a). | The Spanish DPA referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well are Articles 11(1) and (2) of the Spanish Data Protection Law (LOPDGDD) to highlight the importance of the principle of transparency in data protection law. The DPA then held that BBVA, as a data controller that processes personal data, must in particular respect the obligations outlined in Article 13 and 14 in conjunction with Article 5(1)(a). | ||
Line 140: | Line 141: | ||
The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA’s privacy policy fell within the examples of poor transparency practices. It used the guidelines as support for its decision that the privacy policy was too vague and unclear. | The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA’s privacy policy fell within the examples of poor transparency practices. It used the guidelines as support for its decision that the privacy policy was too vague and unclear. | ||
Information on categories of data processed and specific categories for each purposes | ''Information on categories of data processed and specific categories for each purposes'' | ||
The Spanish DPA held that information on the categories of personal data processed in the privacy policy was incomplete. The DPA referred to the Article 29 Working Party Guidelines on consent to highlight the requirements for valid consent, as defined in Article 4(11) GDPR. Accordingly, such consent must be freely given, specific informed and an unambiguous indication of the data subject’s wishes. | The Spanish DPA held that information on the categories of personal data processed in the privacy policy was incomplete. The DPA referred to the Article 29 Working Party Guidelines on consent to highlight the requirements for valid consent, as defined in Article 4(11) GDPR. Accordingly, such consent must be freely given, specific informed and an unambiguous indication of the data subject’s wishes. | ||
Line 149: | Line 151: | ||
Referring to the Guidelines on transparency and the GDPR Recitals, the DPA outlined the importance of transparency as a fundamental aspect of lawful and fair processing Article 5(1)(a) GDPR). Lack of clear information would, in turn, likely lead to an infringement of other principles under Article 5 such as purpose limitation and data minimisation. | Referring to the Guidelines on transparency and the GDPR Recitals, the DPA outlined the importance of transparency as a fundamental aspect of lawful and fair processing Article 5(1)(a) GDPR). Lack of clear information would, in turn, likely lead to an infringement of other principles under Article 5 such as purpose limitation and data minimisation. | ||
Information on purpose for which personal data is used and legal basis | ''Information on purpose for which personal data is used and legal basis'' | ||
The Spanish DPA identified several sections in the privacy policy where BBVA outlined that similar treatments for different purposes were at time on the basis of consent whereas other times on the basis of legitimate interest. For example, processing of personal data for the purpose of personalised offers relied on consent, and a similar processing activity, for improving customer experience was based on legitimate interest. | The Spanish DPA identified several sections in the privacy policy where BBVA outlined that similar treatments for different purposes were at time on the basis of consent whereas other times on the basis of legitimate interest. For example, processing of personal data for the purpose of personalised offers relied on consent, and a similar processing activity, for improving customer experience was based on legitimate interest. | ||
The DPA held that whilst the legal bases may be accurate, the similar processing activities with different legal bases meant that the privacy policy lacked clarity for an average citizen. The Spanish DPA also highlighted that having too general formulas for purposes in the privacy policy would fall short of the purpose limitation principle (Article 5(1)(b)). | The DPA held that whilst the legal bases may be accurate, the similar processing activities with different legal bases meant that the privacy policy lacked clarity for an average citizen. The Spanish DPA also highlighted that having too general formulas for purposes in the privacy policy would fall short of the purpose limitation principle (Article 5(1)(b)). | ||
Information on legitimate interest of the data controller and third parties | ''Information on legitimate interest of the data controller and third parties'' | ||
The DPA held that information provided by BBVA was vague with regards to the legal basis for processing. BBVA did not substantiate the legality of its data processing, in breach of the principle of transparency. For example, BBVA’s definition of legitimate interest in the privacy policy did not provide sufficient information as to the justification for relying on this legal basis. The DPA held that BBVA did not elaborate on the parties’ (including third parties) interests at stake nor their “reasonable expectations” (quoting Recital 47). There was therefore a breach of Article 13. | The DPA held that information provided by BBVA was vague with regards to the legal basis for processing. BBVA did not substantiate the legality of its data processing, in breach of the principle of transparency. For example, BBVA’s definition of legitimate interest in the privacy policy did not provide sufficient information as to the justification for relying on this legal basis. The DPA held that BBVA did not elaborate on the parties’ (including third parties) interests at stake nor their “reasonable expectations” (quoting Recital 47). There was therefore a breach of Article 13. | ||
According to the DPA, sufficient information, which in this case lacked, would have enabled the client or data subject to be able to object to this legal basis. | According to the DPA, sufficient information, which in this case lacked, would have enabled the client or data subject to be able to object to this legal basis. | ||
Information on profiling | ''Information on profiling'' | ||
The Spanish DPA clarified that BBVA used personal data to elaborate profiles for various purposes outlined in the privacy policy, including for commercial purposes. This relied on consent and legitimate interest, which as mentioned above was not sufficiently defined in the privacy policy. | The Spanish DPA clarified that BBVA used personal data to elaborate profiles for various purposes outlined in the privacy policy, including for commercial purposes. This relied on consent and legitimate interest, which as mentioned above was not sufficiently defined in the privacy policy. | ||
Line 168: | Line 173: | ||
To summarise, the DPA held Articles 13 and 14 GDPR, which regulate the application of the principle of privacy, were breached as a result of the lack of information in the privacy policy on all the above mentioned circumstances. | To summarise, the DPA held Articles 13 and 14 GDPR, which regulate the application of the principle of privacy, were breached as a result of the lack of information in the privacy policy on all the above mentioned circumstances. | ||
==== Legal basis for processing ==== | |||
The DPA then went on to assess the legality of the legal bases relied upon by BBVA. | The DPA then went on to assess the legality of the legal bases relied upon by BBVA. | ||
Processing of personal data based on consent | ''Processing of personal data based on consent'' | ||
The Spanish DPA outlined the conditions for consent as a legal basis for processing as prescribed within Articles 4(11), 6 and 7 GDPR. It also referred to the correlating article in the Spanish data protection law (Article 6 LOPDGDD). Finally, it outlined the Article 29 Working Party Guideline on consent. The DPA highlighted that these Articles enable the data subject to have true control over their personal data and their destination. | The Spanish DPA outlined the conditions for consent as a legal basis for processing as prescribed within Articles 4(11), 6 and 7 GDPR. It also referred to the correlating article in the Spanish data protection law (Article 6 LOPDGDD). Finally, it outlined the Article 29 Working Party Guideline on consent. The DPA highlighted that these Articles enable the data subject to have true control over their personal data and their destination. | ||
Line 182: | Line 188: | ||
Therefore, BBVA processed data without a legal basis for the 3 purposes relying on consent. This was a breach of Article 6 GDPR in connections with Articles 4(11) and 7 on valid consent. | Therefore, BBVA processed data without a legal basis for the 3 purposes relying on consent. This was a breach of Article 6 GDPR in connections with Articles 4(11) and 7 on valid consent. | ||
Other processing without legal basis | ''Other processing without legal basis'' | ||
There were other processing activities conducted by BBVA which lacked any legal basis. | There were other processing activities conducted by BBVA which lacked any legal basis. | ||
Processing of personal data on the basis of legitimate interest of the data controller or third party | ''Processing of personal data on the basis of legitimate interest of the data controller or third party'' | ||
The Spanish DPA held that there was no sufficient legal basis for processing personal that the BBVA claimed was on the basis of legitimate interest. Additionally, some processing supposedly relying on legitimate interest were very similar to those based on consent, which as mentioned, was invalid. Therefore, the DPA held that processing based on legitimate interest were not legal. | The Spanish DPA held that there was no sufficient legal basis for processing personal that the BBVA claimed was on the basis of legitimate interest. Additionally, some processing supposedly relying on legitimate interest were very similar to those based on consent, which as mentioned, was invalid. Therefore, the DPA held that processing based on legitimate interest were not legal. | ||
Line 198: | Line 206: | ||
Therefore, the DPA held that BBVA did not satisfy the conditions of Article 6(1)(f). There was no, legal basis for processing the data allegedly relying on legitimate interest. | Therefore, the DPA held that BBVA did not satisfy the conditions of Article 6(1)(f). There was no, legal basis for processing the data allegedly relying on legitimate interest. | ||
== Comment == | ==Comment== | ||
Comment from @Francesc Julve: | Comment from @Francesc Julve: | ||
== Further Resources == | Many are looking at the amount of the fine imposed but the sanction is also important with regards to the prohibition of processing data and the obligation to delete the unlawful processed data that the AEPD also imposed. | ||
==Further Resources== | |||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
<pre> | <pre> | ||
Page 1 | |||
1/124 | |||
Procedure Nº: PS / 00070/2019 | |||
RESOLUTION OF SANCTIONING PROCEDURE | |||
Of the procedure instructed by the Spanish Agency for Data Protection and based on the | |||
following | |||
BACKGROUND | |||
FIRST: On 10/16/2018, a claim submitted to this Agency | |||
by D. AAA (hereinafter claimant 1), against the entity BANCO BILBAO VIZCAYA | |||
ARGENTARIA, SA (hereinafter BBVA), for sending to its mobile phone line, at | |||
dated 10/11/2018, of a promotional SMS. He adds that he has not authorized the sending of such | |||
messages and has been on the Robinson List for a long time. | |||
With your claim, you only provide a copy of the SMS object of the same, the text of which | |||
is the following: | |||
“Publi BBVA: You lend UP TO 9,000 EUROS to start your projects. Info | |||
912975969. https://bbva.info/2xLgPps. No + publi send BAJA to 217582 ". | |||
This claim was transferred to the entity BBVA. In response to what was stated by | |||
Claimant 1, BBVA informs this Agency that it agreed to the | |||
content of the document "Customer identification, processing of personal data and signature | |||
digitized ” , signed by the claimant on 06/07/2016, by virtue of which the client | |||
He consented to the sending of advertising by BBVA " through any means" . | |||
BBVA adds that, however, in view of the claim made, it has proceeded to | |||
disable the option relating to the sending of commercial communications to the claimant 1. | |||
BBVA provides the document "Customer identification, processing of personal data | |||
and digitized signature ” signed by the complainant on 06/07/2016. | |||
SECOND: On 12/09/2018, a claim submitted to this Agency | |||
by D. BBB (hereinafter claimant 2), against the entity BBVA, noting that the App | |||
BBVA for the entity's Android systems does not meet the legal requirements regarding | |||
free and informed consent. In this claim it shows that the past | |||
11/09/2018 the aforementioned App, through a pop-up screen, required the provision of | |||
consent whose scope should be known through a link to another page, in which | |||
the option to transfer data to third parties was activated by default. | |||
It adds that on the previous June 6, BBVA recognized by letter the right of opposition of the | |||
claimant to the processing of their data for commercial purposes (provide a copy of this | |||
communication), and that this circumstance should have been taken into account by BBVA before | |||
require again the provision of your consent to the processing of data through | |||
the BBVA App. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 2 | |||
2/124 | |||
On the other hand, the claimant warns that he addressed the aforementioned entity stating the | |||
same circumstances and that said claim was rejected on 11/29/2019. | |||
The claimant provides a copy of one of the emails sent to BBVA, dated | |||
11/09/2018, in which it expressly indicates the following: | |||
“Dear BBVA DPO | |||
The document attached to the previous message comes from the BBVA APP offered on the Android platform. | |||
The aforementioned application requires the user, as a step prior to its use, to provide consent through the | |||
electronic signature of a document that only offers the possibility of opposing data processing | |||
personal for purposes other than those necessary for the purposes of providing financial services if the | |||
Client activates the boxes of opposition to a treatment that BY DEFAULT (see article 25 of the | |||
GDPR) should be considered as activated. The informative text is inconsistent with the | |||
principle of transparency of article 12 of the RGPD and above all because after activating the aforementioned boxes | |||
opposition, a pop-up screen appears with a new warning that clearly restricts the | |||
freedom of consent in the terms of article 7 of the RGPD. | |||
I hope I have more clearly described the problem related to the aforementioned APP and the document | |||
of consent generated by it. | |||
Finally, I would like to attach your communication regarding my exercise of the right to object to | |||
processing of personal data already registered by your department, and that should have been taken in | |||
account regarding the operation of the BBVA APP ”. | |||
BBVA responds to this email by means of another dated 11/29/2018 in which | |||
literally indicates: | |||
“The way in which the consent to which you refer is obtained has been considered valid | |||
not only in the internal analyzes of our own entity, but in all those forums where it has been | |||
raised the question, since the interested party has the option of choosing in a simple and | |||
easily understandable the option you prefer. About pop-up screens that you tell us | |||
comments, BBVA understands that it must provide interested parties with the necessary information so that | |||
know what happens when you activate these boxes, so that with all the information in your hand, decide the | |||
option that most satisfies them ” . | |||
The claimant also accompanies the document generated by the App, with the label | |||
"Declaration of economic activity and personal data protection policy" (as | |||
also "Privacy Policy" ), in which section 1 contains the data | |||
identification of the client (the claimant) and his declaration of economic activity. Among others | |||
data, include those related to name, surname, tax identifier, date of birth, | |||
nationality, address, marital status, matrimonial status, contact details, fixed income and | |||
variables, entity in which it provides services, gross annual income. | |||
Section 2 of this document is dedicated to the "data protection policy | |||
personal ” . The full content of this section, the "extended information" that is offered to the | |||
interested party and part of the "glossary of terms" contained in the same document, which is | |||
declares reproduced in this act, it is attached as Annex 1. | |||
In the document provided by claimant 2 all the options are marked | |||
enabled for the interested party to give their consent to the processing of data | |||
personal with the purposes that are expressed in said options: | |||
". Products and prices more adjusted to you | |||
[x] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others customized for me. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 3 | |||
3/124 | |||
[x] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
offer personalized products and services for me. | |||
Quality improvement | |||
[x] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make your data ". | |||
THIRD: On 02/13/2019, a claim submitted to this Agency | |||
by D. CCC (hereinafter claimant 3), against the entity BBVA, noting that for the | |||
unlocking your account it was necessary to sign the data protection document | |||
personal information, that it was sent to him electronically, and that he had no possibility to mark the | |||
options on the treatment of information. | |||
Provides printing of the information available in the BBVA App, in the personal area | |||
of the claimant (February 1 to 6, 2019), which includes a section "Use of personal data" | |||
in which a box is made available to the interested party that can be marked with the indication | |||
"I have read, understand and accept the Personal Data Protection Policy to be a client | |||
of BBVA ” . | |||
Also, provide a copy of an email sent to the claimant's address | |||
from the address notifications-bbva@bbva.com, with an attached file called | |||
"LOPDDAE", in pdf format, and the text "You have a pending signature ... (name and surname of | |||
Claimant 3), you have a document pending signature. We recommend that you read with | |||
calm down the document that we enclose, before signing it ” . Below is a | |||
button labeled “Sign Now” . Subsequently, the interested party is informed that he has | |||
other channels for signing the document in question (office, App, web and telephone banking). | |||
Said document, which is also attached to the claim, corresponds to the | |||
"Declaration of Economic Activity and Policy of Protection of Personal Data" , whose | |||
content coincides with that which is reproduced in Annex 1, except for the detail related to the | |||
box through which the customer is offered the option "I do not want BBVA to process my data | |||
to offer me products and services from BBVA, Grupo BBVA and others customized for | |||
me ” , which allows you to mark the following channels: | |||
[ ] By email | |||
[] By SMS | |||
[] By phone (phone call) | |||
[] By post | |||
The document provided appears dated 02/11/2019 and without signature. Of the options | |||
enabled in this document so that the interested party gives their consent to the treatment | |||
of your personal data for the purposes that are expressed in each case, the | |||
option “I do not want BBVA to process my data to offer me BBVA products and services, | |||
from the BBVA Group and others personalized for me by email ” . | |||
The aforementioned claim was forwarded to BBVA so that it could analyze it and send | |||
the information pertinent to this Agency. The period granted to BBVA to respond to | |||
Said transfer occurred without any response from this Agency. | |||
FOURTH: On 05/23/2019, a claim submitted to this Agency | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 4 | |||
4/124 | |||
by D. DDD (hereinafter claimant 4), against BBVA, noting that, under the pretext | |||
If you have been informed by means of a document that you have not signed, said entity sends you | |||
commercial communications that you have not requested or authorized. He adds that he informed him about the | |||
adoption of measures to prevent you from continuing to receive commercial communications, | |||
who stopped sending emails, but continued to receive SMS, in which no | |||
unsubscribe mechanisms are provided. | |||
It provides several SMS in which pre-granted loans are offered; copy of a | |||
writing in which BBVA estimates the right of opposition exercised by the claimant, of | |||
04/10/2019; another previous letter, dated 02/25/2019, in which BBVA informs you that your data | |||
Personal are treated according to the attached document, signed on 11/26/2018, in which | |||
He was offered the possibility of refusing the aforementioned purposes. The attached document | |||
the last written review corresponds to the "Declaration of Economic Activity and Policy of | |||
Data Protection ” , which contains the details of the complainant as a BBVA customer. In | |||
This document does not include any of the options offered to the interested party to | |||
consent to the processing of your personal data, | |||
This claim was transferred to the entity BBVA. In response to what was stated by | |||
Claimant 4, BBVA informs this Agency that commercial communications were sent | |||
to the same, that he did not object to this data processing in the document signed on | |||
11/26/2018. Notices that communications ceased after the exercise of the right to | |||
opposition by the claimant, although the mobile phone line cited in the claim | |||
as a recipient of commercial communications, it is not associated with its data in | |||
your information system. | |||
Subsequently, BBVA stated that the SMS were sent manually by a manager | |||
commercial from the corporate mobile phone without previously checking that the client was | |||
included in the Robinson listing. | |||
FIFTH: On 08/27/2019, a claim submitted to this Agency | |||
by D. EEE (hereinafter the claimant 5), against the entity BBVA, for the performance of | |||
telephone calls and sending of advertising SMS, to offer insurance, credit cards and | |||
financing of receipts, despite the fact that he exercised the right to object to the transfer of his | |||
data for promotional purposes and that it was attended by said entity. In its | |||
claim details the telephone lines that issue the calls and messages, the line | |||
receiver and the date and time of the last call. | |||
With your claim, provide a copy of an invoice corresponding to the receiving line | |||
of calls and messages, issued on behalf of the claimant; letter from BBVA addressed to | |||
same, dated 03/07/2018, in which your request to oppose the use and | |||
transfer of your data to third parties for the purposes of commercial or advertising prospecting of the entity | |||
or other Group companies; transcription of messages sent to BBVA warning | |||
again on your wish not to receive advertising, of 05/26/2019, answered the day | |||
next by the person in charge with a message of apology; screen printing | |||
08/27/2019, on the inclusion of its mobile phone line in the Robinson List; and detail of | |||
calls received (there is a call from the number that is the subject of the claim, | |||
made on 08/27/2019. | |||
This claim was transferred to the entity BBVA. In response to what was stated by | |||
Claimant 5, BBVA informs this Agency that, on 06/18/2018, the interested party signed | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 5 | |||
5/124 | |||
digitally the document "Declaration of Economic Activity and Protection Policy of | |||
Personal Data ” , giving your consent to the processing of your data for the | |||
commercial, even though he was given the opportunity to object to the use of his | |||
data to offer you products and services from BBVA and from Group entities. This option is | |||
formalized the claimant by signing that document later through the | |||
remote banking. It adds that the lines to which the claim refers belong to | |||
BBVA Seguros, of which the claimant is a client, which made three calls in August | |||
2019 (days 20, 21 and 27); and that BBVA forwarded the complainant's opposition letter to BBVA | |||
Seguros, which took the appropriate measures to stop commercial communications on | |||
same day 08/27/2019. | |||
BBVA provides the documents "Declaration of Economic Activity and Policy of | |||
Protection of Personal Data ” , signed by the claimant on 06/18/2018 and | |||
05/27/2019. In the first of them there is no mark in the boxes enabled to | |||
that the client expresses his consent to the following treatments: | |||
. Products and prices more adjusted to you | |||
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others customized for me. | |||
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
offer personalized products and services for me. | |||
Quality improvement | |||
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make your data ". | |||
In the one signed on 05/27/2019, these three boxes are marked. | |||
SIXTH: The claims to which the proceedings refer were admitted for processing | |||
through resolutions dated 02/01/2019 (those relating to claimants 1 and 2), 08/06/2019 | |||
(the one related to claimant 3), 09/13/2019 (the one related to claimant 4) and 10/30/2019 (the one related | |||
to the claimant 5). | |||
SEVENTH: On 11/21/2019, the General Sub-Directorate of Data Inspection | |||
Access the BBVA website ( “bbva.com” ) and obtain available information about the entity. | |||
This website indicates: | |||
"BBVA in Spain | |||
As one of the leading entities in the country, with more than 10 million clients and close to 30,000 | |||
employees, we provide financial services through our network of 3,200 offices ” . | |||
Financial information is also obtained, of which it is worth highlighting that relating to the | |||
Income Statement, which "as of 09/30/2019" reflects a "Net Margin" of 9,304 million | |||
euros. In the "Geographical diversification" section , the breakdown by country is indicated, | |||
corresponding to Spain 23.4%. | |||
According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" | |||
amounts to 3,267,264,424.20 euros. | |||
EIGHTH: On 12/02/2019, the Director of the Spanish Agency for Data Protection | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 6 | |||
6/124 | |||
agreed to initiate a sanctioning procedure against the BBVA entity, in accordance with the provisions | |||
in article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of | |||
04/27/2016, relating to the Protection of Natural Persons with regard to Treatment | |||
of Personal Data and the Free Circulation of this Data (General Regulation of | |||
Data Protection, hereinafter RGPD), for the alleged violation of article 13 of the | |||
RGPD, typified in article 83.5.b) of the aforementioned Regulation; and for the alleged violation of | |||
Article 6 of the RGPD, typified in Article 83.5.a) of the aforementioned Regulation, determining that | |||
the penalty that may correspond would amount to a total of 6,000,000.00 euros | |||
(3,000,000.00 euros for each of the infringements charged), without prejudice to what | |||
result of the instruction. | |||
The indicated imputations result from the analysis of the data collection form | |||
personal data used by the BBVA entity after 05/25/2018, called | |||
"Declaration of economic activity and personal data protection policy" , through | |||
which BBVA announces the terms applicable to the protection of personal data and | |||
requires the consent of the interested parties. The reasons underlying the accusations | |||
indicated are, succinctly, the following: | |||
a) Infringement of article 13 of the RGPD: | |||
. Use of imprecise terminology to define the privacy policy. | |||
. Insufficient information on the category of personal data that will be submitted to | |||
treatment, especially in relation to the data that BBVA says it obtains from the use by the | |||
customer of products, services and channels; the economic and solvency data obtained from | |||
products contracted with BBVA or of which BBVA is a marketer; and the data | |||
personal data that will be transferred to BBVA Group companies. | |||
. Breach of the obligation to report on the purpose of the treatment and legal basis | |||
that legitimizes it, especially in relation to the processing of personal data that | |||
BBVA is based on legitimate interest. | |||
. Insufficient information on the type of profiles to be made, the uses | |||
specific to which they will be used | |||
b) Infringement of article 6 of the RGPD: | |||
. Non-existence of a specific mechanism for collecting the consents of the | |||
clients for the processing of personal data. The interested party's options are | |||
limited to marking a box by which you record your | |||
opposition to data processing. | |||
. Non-compliance with the requirements established for the provision of a | |||
specific, unequivocal and informed consent. | |||
. Insufficient justification of the processing of personal data based on interest | |||
legitimate of the person in charge. | |||
Likewise, for the purposes provided for in article 58.2.d) of the RGPD, in said agreement of | |||
At the beginning, it was warned that the imputed infractions, if confirmed, may lead to the | |||
imposition on the entity BBVA of the obligation to adopt the necessary measures to | |||
adapt to the personal data protection regulations the processing operations that | |||
performs, the information offered to its clients and the procedure by which they | |||
give their consent for the collection and processing of their personal data, with the | |||
scope expressed in the Basis of Law of the repeated agreement and without prejudice to the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 7 | |||
7/124 | |||
resulting from the instruction. | |||
NINTH: Once the aforementioned initiation agreement was notified, BBVA presented a brief of allegations in the | |||
that requests that a resolution be issued declaring the nullity of full right of the | |||
procedure for the reasons set out in its following first allegation or, in its | |||
default, your file is remembered. In summary, the aforementioned entity bases its request on the | |||
following considerations: | |||
1. The setting of the amount of the sanction in the agreement to initiate the procedure, which is | |||
justified in Law Foundation VI, produces helplessness to the interested party who vitiates | |||
nullity the same. Understand that determining the sanctioning reproach in said act, evaluating | |||
even concurrent aggravations without minimally motivating them, on which he has not had | |||
occasion to demonstrate, affects the application of the fundamental principles of law | |||
criminal, applicable with certain qualifications to the administrative sanctioning procedure, such as | |||
has revealed settled jurisprudence. | |||
It considers that the initiation agreement exceeds the legally foreseen content, as | |||
It should only incorporate the limits of the possible sanction that could be imposed, and not | |||
determine a specific amount that implies a summary assessment of the circumstances | |||
concurrent. The agreement issued goes beyond what is admitted in article 68.1 of the Law | |||
Organic 3/2018, of December 5, Protection of Personal Data and Guarantee of | |||
Digital Rights (hereinafter LOPDGDD). | |||
This anticipated and lacking motivation assessment of BBVA's responsibility, indicating | |||
even the mitigating and aggravating ones, even if it is by their mere mention, and even when | |||
intends to save what finally proceeds according to the instruction, in the opinion of that | |||
entity, an unprecedented part is carried out , without any allegation of the accused that allowed the | |||
sanctioning body assess the circumstances appreciated in light of said allegations, | |||
generating helplessness to the part. | |||
The fact that the amount comes from the mere enumeration also produces defenselessness | |||
circumstances, without stating how they affect liability. | |||
This is a matter that affects the impartiality of the investigating body designated in the | |||
same agreement to initiate the procedure, which he knows before beginning the procedure the | |||
criterion of the body to which the file will finally be submitted, on which it hierarchically depends. | |||
This supposes a rupture of the principle of separation between the investigation phase and the sanction phase. | |||
(Article 63.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of | |||
Public Administrations - hereinafter LPACAP), depriving the instructor of a | |||
objective knowledge of the facts and the possibility of making an assessment of the | |||
circumstances arising from the instruction. | |||
On the other hand, article 85 of the LPACAP is cited to specify in the operative part of the | |||
opening agreement the reductions that entail the recognition of responsibility or the | |||
voluntary payment of the penalty. However, the BBVA entity considers that this precept | |||
establishes that the amount of the pecuniary sanction may be determined “beginning on | |||
sanctioning procedure ” and that it is only applicable to cases that give rise to the | |||
imposition of a fine of a fixed and objective nature. In the present case, the sanction is not fixed and | |||
nor necessarily of a pecuniary nature, given that the RGPD establishes a wide | |||
range of possible sanctions and corrective measures, including issuing a warning. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 8 | |||
8/124 | |||
2. The non-existent link between the | |||
claims made for the purpose of the procedure and the content of the file | |||
administrative, since the allegedly infringing facts that are invoked cannot | |||
be the basis on which the AEPD relies for the opening of this proceeding, nor | |||
the alleged violations can support the sanction sought. | |||
The scope of the Privacy Policy is analyzed without linking any reasoning to the | |||
content of the claims and without stating any action carried out by the AEPD | |||
that motivates the opening of the procedure. In this regard, it notes that the Agency has | |||
limited, in the previous phases, to transfer the claim to the DPD of the entity, except for the | |||
relative to claimant 2, and to agree to its admission for processing once clarifications are received | |||
of the aforementioned DPD. | |||
This was understood by the National Court in Judgment of 04/23/2019 (appeal 88/2017), that | |||
annuls the sanction of the AEPD, among other reasons, due to a discrepancy between what was denounced | |||
and the object of the sanctioning resolution: | |||
"This Chamber considers that the proven facts of the resolution are not adjusted to the requirements | |||
that, according to the principles set out, must be respected in a sanctioning procedure. | |||
In the first place, because such proven facts appear totally disconnected from the facts. | |||
denounced, and which led to the opening of preliminary investigation actions, since | |||
no mention is made in said proven facts about the behaviors denounced by the | |||
three participants in the procedure, the AEPD totally disregarding the result of the | |||
investigations carried out as a result of these complaints, as well as the numerous tests | |||
practiced. | |||
The account of "proven facts", both in the criminal procedure and in the administrative sanctioning procedure, | |||
It is essential to establish the facts and the typified behaviors, since only in this way is it possible to respect | |||
the principle of typicity, which, according to the doctrine is “the legal description of a specific conduct to | |||
that the administrative sanction will be connected ”. This principle is just the projection of the need for | |||
certainty that should guide the exercise of the sanctioning power of the Administration that includes the | |||
Article 25.1 CE and its foundation is in the respect of two other values such as freedom | |||
and legal security ” . | |||
At the same time, the AEPD has revealed throughout the entire file a | |||
manifests inactivity, taking into account that the claim of the | |||
Claimants 1 and 2 dated 02/01/2019, the last of them without prior transfer to the DPD, and | |||
that the request sent by BBVA on 02/21/2019 was not even answered requesting | |||
information on the status of the claim (it was not reported on its admission for processing). | |||
Subsequently, without any additional action, three other claims were admitted before | |||
to dictate the initiation agreement. In other words, the preliminary investigation phase was kept open | |||
for ten months without any action aimed at investigating the content of the | |||
claim. It could be considered that the AEPD waited for a number of | |||
claims that he considered significant, in this case, five, although they related to | |||
different issues, to reactivate a procedure that had been "suspended" since the | |||
first admissions to process, and which deals only with the "Declaration of Activity | |||
Economic and Data Protection Policy ” , held by the AEPD from the presentation of | |||
the claim by claimant 2, dated 12/09/2018. We are faced with an assumption | |||
in which the authority considers it necessary to allow a period of time to elapse from the | |||
admission for processing of a claim related to a specific treatment, to | |||
verify if the conduct is due to a specific or structural failure of the person in charge. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 9 | |||
9/124 | |||
During that time, BBVA acted with the confidence that, being the Agency aware of | |||
the circumstances manifested in the claims and no actions having taken place | |||
investigation or other nature, the existence of irregularity was not appreciated. Would fit | |||
consider whether it has not been the inaction of the AEPD during those ten months that has aggravated | |||
the reproach that it considers concurrent in BBVA, given that the Agency knew the Policy | |||
of Privacy and did not warn about the admission for processing of claims or the eventual | |||
illegality of this Privacy Policy. The reproach derived from its maintenance over time | |||
it should be attributable to whoever kept that opinion hidden. | |||
Regarding the specific claims made, it indicates that they show common elements that | |||
illustrate the good work of BBVA in respecting data protection regulations | |||
personal, which represent a tiny and irrelevant percentage of the wide universe of | |||
treatments carried out and the number of clients. In this regard, it provides certificate | |||
issued by the DPD relative to the year 2019, noting that, out of a total of personal clients | |||
eight million thirty-one thousand, received nine hundred six communications and only | |||
six referred to comments on the Privacy Policy. Understand that it shows | |||
that customers have not considered their rights violated, except for the five | |||
claimants. | |||
As elements common to all claims, the following stand out: | |||
. All interested parties / claimants could choose between all the alternatives offered and | |||
manage your consent to the processing of your data when they formalized the document and | |||
They were able to change their preferences through multiple channels, thus respecting the power of | |||
disposition of those affected. | |||
. It has respected the rights exercised, responding in a timely manner to the | |||
Revocations of consent or exercise of opposition rights. This has happened in the | |||
case of any of the claimants. | |||
. In the cases in which the claimant shows his disagreement with the way to obtain | |||
consent, he had made use of the mechanisms made available to him, since | |||
outside at the time of signing the "Declaration" or later electronically. | |||
It is contradictory, in BBVA's opinion, that the signature of the document accompanied by the | |||
Checking the boxes should be considered an affirmative action and the signature of the | |||
document without checking the boxes does not have, according to the Agency, the same scope or nature | |||
affirmative action (implicit consent, other than tacit, presumed or inaction). | |||
. When an error has occurred, as in the case of claimant 4, it has been recognized and | |||
repaired with the utmost diligence, having led to the development of a large number of | |||
actions to fully comply with the regulations (also on the occasion of the | |||
claims). | |||
Next, BBVA dedicates a part of this second allegation to highlighting | |||
some specific considerations for each of the claims: | |||
a) Claimant 1 refers to the sending of advertising via SMS, carried out with the | |||
consent of the interested party, as evidenced in the response made in the | |||
framework of E / 08334/2018, and their right to object was immediately addressed. Does not exist | |||
any subsequent complaint or claim. | |||
b) The claim presented by claimant 2 was not known by BBVA until the opening | |||
of the procedure, so he has not had the opportunity to refute the accusations | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 10 | |||
10/124 | |||
made on the Privacy Policy, the operation of the application or the legality of the | |||
data processing. In this case, the right to object to the treatment of | |||
the data for commercial purposes; and so it was marked on the document whose signature was | |||
required when downloading the APP. The download process offers the customer the possibility of | |||
decide on the treatments and purposes, as the claimant did, and report on the | |||
consequences of those decisions, without any of the messages that appear | |||
condition the interested party. The result was that, through the application, during the process of | |||
obtaining consent, was able to manage the use of data freely and in an informed manner. | |||
Provides a printed copy of the "become a customer" process that the application follows, which includes the | |||
hiring an online account. This process offers the interested party basic information on | |||
data protection, whose content coincides with that contained in Annex 1, and a | |||
link to extended information. Likewise, in both processes consent is requested | |||
to the interested party for the processing of their data ... and they are offered the possibility of marking | |||
different options on consent for the processing of your personal data, which | |||
coincide with those enabled in the "Declaration of Economic Activity and Policy of | |||
Data Protection". | |||
c) Contrary to what is indicated in the initiation agreement, BBVA responded to the transfer | |||
made by the AEPD of the claim submitted by claimant 3 (file | |||
E / 04690/2019) and also responded to the complainant himself, although these responses have not | |||
been incorporated into the file. BBVA blocked this client's account in accordance with | |||
provided for in Law 10/2010, of April 28, on the Prevention of Money Laundering and | |||
Financing of Terrorism, until the signing of the “Declaration of Economic Activity and | |||
Personal Data Protection Policy ” , which took place on two occasions (in the office and | |||
through the mobile application), and in both the interested party incorporated their preferences on the | |||
refusal to receive publicity. Raise again if action is not to be considered | |||
affirmative signing of the privacy policy and marking one of the boxes | |||
enabled, or if there is a difference between that action and the subscription of said policy without marking | |||
none of the boxes; all of them easily accessible, intelligible, simple and clear. | |||
It adds that there is no complaint from this client, beyond the claim made | |||
before the AEPD. | |||
Provide a copy of a written response to the transfer of the claim made within the framework | |||
of the file E / 4690/2019, dated 06/21/2019 and proof of sending it to this | |||
Agency via postal mail on the same date. This answer, whose content | |||
basically coincides with what has been stated above, accompanies a copy of the statements | |||
of economic activity and personal data protection policy completed with the | |||
Claimant 3's personal data, dated 01/17/2019 and 02/11/2019; the first of them | |||
signed and the second unsigned. In both declarations the option “No | |||
I want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others personalized for me by email ”. | |||
d) The background information regarding claimant 4 is contained in file E / 06420/2019, which | |||
sufficiently explain the facts. In this case, until the moment of opposition BBVA | |||
was authorized to send commercial communications such as the one denounced and ceased in | |||
these treatments after the exercise of the right, although an SMS was sent later | |||
It was due to a specific error of little interference, committed by an office manager, which was | |||
remedied immediately and led to the sending of communications on the policies adopted | |||
to the branch network. These facts do not justify the reproach that is claimed. Add that BBVA | |||
there was no record of the proceedings file or the admission for processing until the agreement of | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 11 | |||
11/124 | |||
initiation of the sanctioning file. | |||
It says Provide supporting documentation of the points indicated. However, only | |||
provides what appear to be messages addressed to private clients, SMEs or freelancers with | |||
information regarding the protection of personal, entity or commercial data. Some of | |||
They are dated May and July 2018, February 2019 and a final date of 09/24/2019, but not | |||
include no indication that relates these alleged messages to the complainant 4. | |||
e) It refers to the content of the information provided on the occasion of the file | |||
E / 08740/2019, which shows that BBVA was respectful of the claimant's decisions 5 | |||
in relation to the use of your data. In this case, claimant 5 signed the repeated | |||
statement on two occasions, not stating his refusal to the treatments in the first | |||
occasion and doing it in the second. | |||
3. On compliance with the principle of transparency and the right of information to its | |||
clients about the processing of their data, BBVA exposes the following: | |||
A) Previously, said entity refers to the scope, content and derived obligations | |||
of the principle of transparency, as regulated in the applicable regulations and | |||
interpreted by the AEPD itself, the set of European Authorities, the Working Group | |||
of article 29 and, subsequently, the European Committee for Data Protection. Make a | |||
statement on the information requirements derived from the aforementioned principle, the | |||
information to be provided, how it should be provided and the reporting system | |||
levels or layers that can be used. | |||
From what is expressed in these sections, it is worth mentioning the indications that BBVA includes on | |||
issues or aspects outlined in the agreement to initiate the procedure that, in their opinion, | |||
They do not correspond to the requirements established by the standards analyzed. Specific, | |||
BBVA points out that the obligation to inform interested parties about the data or categories | |||
data subject to treatment is not provided for in article 13 of the RGPD; and is only required in | |||
Article 14 of the same text for cases in which the data is not collected from the interested party, | |||
Although this obligation refers to the categories of data and not to the specific data object | |||
treatment. | |||
Likewise, it also highlights that articles 12 to 14 of the RGPD do not require “the person responsible for the | |||
treatment to provide interested parties with such detailed information that includes the | |||
characteristics that the treatment does not have, that is, it will not proceed to inform about, for | |||
For example, what data or categories of data are not subject to treatment or the purposes | |||
for which the data will not be processed, such as the fact that it is not produced | |||
profiles ” . | |||
And neither do those articles require, “when a treatment is based on the interest | |||
legitimate entity of the person in charge or of a third party, is included in the information provided to | |||
the interested parties the weighing trial carried out to verify that the rights or | |||
interests of those affected do not prevail over said legitimate interest, despite the fact that the AEPD | |||
reproaches this party in the Initiation Agreement for not having informed about the aforementioned | |||
weighting ” . | |||
B) (…) | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 12 | |||
12/124 | |||
C) Regarding the content of the Privacy Policy, it highlights that it follows the recommendations | |||
contained in the Guide prepared by the AEPD. It is organized around a series of questions | |||
and the purposes are grouped, with basic and additional information, both with the | |||
same sections. | |||
In relation to purpose 2 "To get to know you better and personalize the experience" , he warns | |||
that does not imply the referral of personalized commercial offers, but that the treatments | |||
that are described refer to the analysis and assessment of customer data, but not to the | |||
sending advertising. The only communications mentioned in this section are the | |||
Congratulations. In the extended information, it is reported that the legitimation basis is the interest | |||
legitimate and the specific interest pursued is indicated. In both sections the | |||
possibility to object to this treatment. | |||
Purpose 3 “To offer you products and services from BBVA, the BBVA Group and others | |||
personalized for you ” is the one that refers to the sending of all types of communications for | |||
commercial, through the channels indicated. | |||
Purpose 4 also refers to business purposes, but communication is described | |||
of the data to other entities of the Group so that they are the ones that directly | |||
communicate with the client, provided that they have authorized it. Entities are identified | |||
recipients, the purpose and the categories of data that will be communicated. | |||
Purpose 5 details the treatments carried out by BBVA to “Improve the quality of the | |||
products and services ” , although, as indicated in the “ Extended Information ” , the information | |||
obtained from the use of BBVA products, services and channels is anonymized and, therefore, | |||
excluded from the scope of the regulation. Even so, it was decided to submit this purpose to the | |||
consent of the client. | |||
D) In relation to the assessments carried out in the Initiation Agreement on the Policy | |||
of Privacy, BBVA states the following: | |||
. As a preliminary consideration, it reiterates that it does not understand the criteria that have determined the | |||
initiation of the procedure and the penalty amounts proposed for claims that are not | |||
they are related to the facts that justify said opening; and that among the different | |||
corrective powers has been chosen for the most serious, instead of other alternatives that | |||
would have allowed the correction of a hypothetical situation of default. | |||
Understand that it is necessary to bear in mind the environment and the problems that the | |||
interpretation of the provisions of the RGPD, to which the Agency itself has not been abstracted; and | |||
cites the “Report on privacy policies on the Internet. Adaptations to the RGPD ” to point out | |||
which is a sample of these difficulties, although their conclusions did not assume the same | |||
reproach. | |||
Furthermore, BBVA understands that the procedure is used to adopt criteria | |||
general interpretation of the protection norms, which is not admissible in light of the | |||
doctrine of the National Court. | |||
. This subsection is dedicated to analyzing the content of the Initiation Agreement as it relates to | |||
the information provided to customers by BBVA. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 13 | |||
13/124 | |||
The procedure begins for violation of article 13 of the RGPD, but refers to the | |||
breach of the obligation to inform the interested parties about the categories of | |||
Personal data processed, which is required in article 14 of said Regulation and not in 13. | |||
Even so, BBVA includes the data categories at the beginning of the extended information, following | |||
the example published in the AEPD's “Guide for compliance with the duty to inform” , | |||
adding, in addition, a description of the type of data, offering more information | |||
exhaustive of what the EAPD itself suggests in the aforementioned Guide. | |||
On the other hand, the Agency, in the repeated agreement, suggests that it should be informed | |||
on what specific data is used for each treatment, despite the fact that this requirement does not | |||
It is provided for in the RGPD or in any guideline published by the Agency, the GT29 or the EDPB. | |||
In the same way, neither text indicates that you should inform yourself about the data or | |||
treatments that the person in charge does not carry out. Consider mere conjecture without any proof | |||
indications about what could happen if the information collected by the Bank from the | |||
use of BBVA products, services and channels will include information related to “the share | |||
union ... or fees paid to political parties, or religious entities, or by the | |||
use of services provided by health or religious entities ” , that is, categories | |||
special personal data. The truth, adds BBVA, is that the privacy policy does not | |||
refers to these data or treatments simply because they are not carried out. | |||
If all the details that the AEPD now seem to require were added, it would lead to a text | |||
extensive and predictably not very understandable, leading to information fatigue or fatigue, | |||
proscribed by both the Agency and the GT29. | |||
Along the same lines, the Agency indicates that the information provided does not allow the interested party | |||
have a clear idea about the data that will be communicated to the Group's entities. To this | |||
In this regard, the aforementioned article 13 of the RGPD requires informing about the recipients or categories | |||
of recipients of personal data, not to mention the category of data. Still I know | |||
informs that the identification, contact and transactional data will be provided, to | |||
that the interested party may receive commercial offers. Transactional data is detailed in | |||
the description of purpose 4 (amounts of income and expenses, balances and use of our | |||
channels). | |||
The AEPD carries out an interpretation of article 13 of the RGPD that exceeds its | |||
content and their own interpretation. With this, he would be issuing new guidelines on the | |||
content of the duty to inform more demanding than that indicated in its Guide, using for this | |||
a sanctioning procedure clearly detrimental to BBVA. In this regard, he cites the Judgment of | |||
the National Court of 04/23/2019 (appeal 88/2017), which declared contrary to the principles | |||
of sanctioning law the establishment of general criteria within a | |||
sanctioning procedure. | |||
The Agency also considers inadequate or insufficient the information provided in relation to | |||
with the purpose 2 "To know you better and personalize your experience" , and indicates said Authority of | |||
control that is reported on the realization of personalized offers and the improvement of products | |||
and services with a legal basis in the consent of the interested party and in the legitimate interest. Without | |||
However, in the description of this purpose it is spoken of evaluating new functionalities, | |||
products and services and assess personalized offers, but no reference is made to the referral | |||
of commercial or advertising offers. Purpose 2 allows to know the channel that the | |||
customer, what products perform better, what new products could be | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 14 | |||
12/14 | |||
interesting for customers, respond to a customer who is interested in the products of the | |||
entity offering those that fit your needs. In this sense, the description | |||
carried out in purpose 2 refers only to the realization of an internal profiling of | |||
customers to personalize their experience or respond more efficiently to their requests. | |||
The referral of advertising, which may be based on said profile, is part of the purpose | |||
3, whose basis of legitimacy is consent. | |||
Only purpose 2 refers to the use of the profile. In this sense, adds BBVA, the expressions | |||
unclear and imprecise to which the Agency refers, such as " customize your | |||
experience ” , “ offer you personalized products and services ” or “ commercial profile ” , are | |||
substantially similar to those contained in the second layer example on page 11 | |||
of the "Guide for compliance with the duty to inform" of the AEPD: "to be able to offer you | |||
products and services according to your interests ” , “ improve your user experience ” , | |||
"We will develop a commercial profile . " | |||
In short, purpose 2 describes the treatments for profiling and their use does not | |||
commercial; while the purpose 3 the treatments that, being able to take advantage of said profile, | |||
involves the remission of commercial offers. | |||
Additionally, and contrary to what is stated by the AEPD, in purpose 2 it is reported how | |||
the client's profile is elaborated and that to achieve it different data are analyzed, which are detailed | |||
below, and the possibility of opposing the treatment is expressed. | |||
On the other hand, regarding the objections indicated by the AEPD for not reporting on the | |||
specific legitimate interests on which BBVA relies for these treatments, warns that | |||
This information is included in the section "Why do we use your personal data?" | |||
in which the bases that legitimize the treatment are detailed ( “… so that BBVA | |||
we can better meet your expectations and we can increase your degree of satisfaction | |||
as a customer by developing and improving the quality of own or third party products and services, | |||
as well as carry out statistics, surveys or market studies that may result from | |||
interest… to be a bank close to you as a client… ” ). | |||
Finally, it states that the privacy policy does not mention the existence of decisions | |||
automated regulated in article 22 of the RGPD since they are not carried out. The | |||
decisions referred to in the section on purpose 2 would not fit into the regime | |||
established in article 22 of the RGPD, since they would not produce legal effects in the | |||
recipients of the advertising that had been sent nor could it be considered that said | |||
Referral significantly affects customers in a similar way. | |||
4. On the existence of a legal basis for the treatment of customer data of | |||
BBVA. | |||
A) Legality of data processing carried out on the basis of legitimate interest | |||
prevalent. | |||
As indicated, this question has to do with the treatments that are carried out with the | |||
purpose of "Knowing you better and personalizing your experience" (purpose 2), which in no | |||
The moment refers to the sending of commercial communications that BBVA bases on the | |||
consent of the interested party. Those treatments consist only of the analysis of the | |||
customer behavior in relation to the channels, products and services offered | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 15 | |||
12/15 | |||
by BBVA to obtain indicators that will allow it to properly adjust its | |||
business, develop and improve its portfolio of products and services, adjusting them to the | |||
customer preferences, as well as the quality of services. Only if you have the | |||
consent of the interested party, you can apply the result of that treatment for the referral | |||
of commercial communications to clients (purpose 3). There is therefore no confusion | |||
some between both treatments | |||
In this regard, the Agency concludes that the legal basis of Article 6.1 f) of the GDPR is not | |||
applicable to these treatments considering that the interests are not clearly stated | |||
legitimate interests of BBVA (based on an incomplete definition of the legitimate interest contained in the | |||
glossary), the evaluation of the prevalence of legitimate interest is not reported and because the | |||
clause makes explicit the reasonable expectations of the interested parties that BBVA appreciates that | |||
concur in them. | |||
BBVA considers that none of these arguments allow reaching the intended conclusion | |||
by the Agency because the legitimate interest does not support, as has been said, the sending of | |||
commercial communications. | |||
In addition, the extended information details the legitimate interest of BBVA (better serve the | |||
customer expectations and increase their degree of satisfaction, develop and improve the | |||
quality of its products and services, as well as carrying out statistics, surveys or studies of | |||
market); the AEPD has not proven that the weighting test has not been carried out and the | |||
The regulation does not require that this information be passed on to the interested parties. BBVA considers that no | |||
it must be public knowledge. | |||
On the other hand, it understands that it is contradictory to object to the absence of the weighting and | |||
consider, at the same time, excessive for BBVA to make explicit what it understands that customers expect from | |||
your financial institution, what is your reasonable expectation, capital element to determine the | |||
prevalence of the legitimate interest of a data controller. | |||
Based on this, the Agency understands that said expectation is induced by BBVA and that the | |||
customers do not reasonably expect their data to be used to improve products and | |||
services and improve the customer experience. (…) | |||
Understand that the reasonable expectation must remain hidden, that by making it manifest | |||
in the informative clause it loses its character of expectation, it is contrary to logic and | |||
It undermines the obligation to guarantee the greatest clarity of information. | |||
In relation to the Agency's statements about the possibility that the use of the | |||
data in order to better know the customer can lead to an exhaustive analysis of | |||
the same, which is based on the possible use of data unrelated to the contracted products, | |||
collected from the use of BBVA products, services and channels; understand the entity that is | |||
It deals with mere conjectures that do not respond to the reality of the treatments carried out. | |||
BBVA does not carry out these treatments, (…) | |||
Thus, the treatment analyzed is linked to legitimate interest and allows BBVA | |||
optimize the business model; improve the quality of the products and services offered; | |||
perfect internal management and personalized relationship with the client; determine the | |||
propensity of customers to a certain product preferences in terms of channels to | |||
through which they are related and the groups to which they can offer certain | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 16 | |||
16/124 | |||
products (commercial communications are not sent to these unless they had granted | |||
your consent in accordance with purpose 3). | |||
In this sense, the existence of a reasonable expectation from customers is logical. | |||
about the processing of your data to design products that may be of interest to you. | |||
In addition, for this, data of third parties linked to the client are not processed in the | |||
transactions you make. Only data referring to behavior in relation to | |||
products and channels, which meet the principle of suitability and necessity. | |||
This conclusion coincides with the criteria supported by the AEPD in its report 195/2017, | |||
issued at the request of the Spanish Banking Association. In section VII he analyzes the | |||
prevalence of the legitimate interest of financial entities for the analysis of the | |||
transactional movements and / or customer savings capacity, to make observations | |||
and offer recommendations on products and services. And the same report also refers | |||
to the treatment of all transactions in order to be able to perform a more profiling | |||
detailed that allows to specify with precision the products to be offered. AND | |||
contemplates the adoption of additional guarantees, such as detailing in more detail the | |||
treatment to be carried out, and particularly the fact that the data | |||
Transactional will be used to create profiles and offer the interested party the | |||
possibility to specifically object to this treatment. Therefore, you understand that the Agency | |||
they would be acting against their own acts and violating the principle of legitimate expectations. | |||
Finally, on this issue, it points out that the Agency conjectures about the treatments that | |||
BBVA would be doing it, without having proof to prove it. | |||
B) Of the legality of the treatments carried out by BBVA based on the consent of | |||
their clients and the compliance of said consent with the data protection regulations. | |||
a) On the power of control of the affected party over their data | |||
The client, from the moment they manage their registration and while maintaining the relationship, | |||
has absolute power and control over the processing of your data, insofar as it is | |||
offers the possibility to opt and choose your preferences in relation to the operations of | |||
processing carried out, at any time and through the different channels | |||
made available to you in person and digitally. | |||
This power of control is what the regulations intend to guarantee and that is how the | |||
AEPD. In his recent document "User control in the personalization of ads in | |||
Android ” , referring to the duty to provide the user with real control over their data | |||
personal information, and in the document "Guide on the use of cookies" when it states "... the | |||
need to implement a system in which the user is fully aware of the | |||
use of those devices and the purpose of their use, being ultimately | |||
aware of the destination of their data and the incidents that this system implies in their | |||
privacy ” . | |||
This result is the one obtained with the processes and means enabled by BBVA, | |||
adjusted to the provisions of article 7.2 of the RGPD, in which the interested party has absolute | |||
freedom of choice and control over your data, the different options are presented for | |||
different treatments and purposes separately, does not refer to documents that are not | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 17 | |||
12/17 | |||
easily accessible and uses a granular structure when providing the information, | |||
promoted by the legislator, the AEPD and the GT29 in their “Guidelines on consent in | |||
the meaning of Regulation (EU) 216/679 ” in its revised version of 04/10/2018. | |||
The provisions of Recital 32 are also respected, which admits many and different | |||
formulas to obtain consent, insofar as it is clear that the interested party | |||
accepts the proposed treatment of your data, separately for the different | |||
processing activities carried out for the same or the same purposes; as well as the ban | |||
contained in article 7.4 of the RGPD, referring to the contingency of the execution of a | |||
contract to which the affected party consents to the processing of their data for purposes that | |||
are related to the maintenance, development or control of the contractual relationship; and the | |||
reference to Recital 43 when it states that “it is presumed that consent is not | |||
has freely given ... when the performance of a contract, including the provision of a | |||
service, is dependent on consent, even when it is not necessary for said | |||
compliance ” or the separate authorization of the different treatment operations | |||
of personal data. | |||
There is no reproach in the Initiation Agreement for these key issues, so | |||
only the way in which consent has been obtained seems to be disputed. | |||
b) On obtaining consent by taking an affirmative action of | |||
the clients. | |||
The GT29, in relation to the unequivocal nature of consent, refers to an action | |||
by the affected party that reveals a behavior, a manifestation of will or, as | |||
It is said in the RGPD, "a clear affirmative action" , which means that the interested party must | |||
having acted deliberately. For its part, the “RGPD Guide for Responsible for the | |||
Treatment ” of the AEPD refers to a manifestation of the interested party or a clear action | |||
affirmative. | |||
In this regard, BBVA points out that it has opted for this clear affirmative action: | |||
. Through any of the channels provided, BBVA enables the signing of the “Declaration | |||
of Economic Activity and Data Protection Policy ” , which offers the interested party the | |||
different options in relation to the purposes additional to the management of the relationship | |||
contractual. The signing of this document is a clear affirmative action, which is carried out | |||
carried out with full knowledge of the scope and consequences that it entails (the | |||
claimants have effectively managed their preferences). Furthermore, through the | |||
application, the interested party has at their disposal a simple procedure to manage in | |||
your preferences at all times (claimant 2). | |||
. The registration process, through the indicated digital and face-to-face channels, complies with the | |||
requirements expressed in the "GDPR Guide for data controllers" of the AEPD, | |||
which recalls that consent “can be unequivocal and be given implicitly | |||
when it is deduced from an action of the interested party ” . Furthermore, the Inception Agreement incurs | |||
contradiction given that the AEPD, in relation to claimant 2, has considered valid the | |||
process in which the client has checked any of the boxes enabled for the provision | |||
consent, but not when you have not checked those boxes and authorize with your signature the | |||
processing of your personal data for the purposes that are made available to you. The | |||
holographic or digital signature of the document is a clear affirmative action that is carried out with | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 18 | |||
18/124 | |||
full knowledge of its scope, considering the clear content of these boxes and that, for | |||
their positioning, are clearly visible and directly accessible. | |||
In the field of managing cookies or similar technologies, the control authority has | |||
admitted as affirmative actions such as navigating in a different section | |||
of the website that would use them, close the privacy notice of the first layer or click on | |||
some content of the service offered on the web. In this area, Document 02/2013 | |||
of the WG29 states that “ensure that the active behavior is close to the location | |||
where the information is presented is essential to be sure that the user must submit | |||
the action to the requested information ” . The Agency's "Guide on the use of cookies" | |||
supports as valid a link or button to manage preferences along with the possibility | |||
to "accept" or "reject" or support "pressing specific keys" as affirmative action. | |||
In the same way, the non-marking of the boxes and the subsequent subscription of the aforementioned | |||
document involve a “physical movement” that can be considered as an action | |||
clear affirmative in accordance with the RGPD, with which the interested party achieves control over their data | |||
personal. | |||
Moreover, in the regime of explicit consent, which reinforces "ordinary" consent | |||
in attention to the treatments and data submitted to it, the Guidelines on the | |||
consent of the GT29 admit as valid explicit consents formulas or | |||
less demanding processes than the one implemented by BBVA. Thus, in a written statement, | |||
These Guidelines cite an assumption that could be assimilated, in which it admits a “yes” or a “no” | |||
(example 17: “A data controller can also obtain explicit consent | |||
from a person visiting your website by offering an explicit consent screen | |||
that contains Yes and No boxes, as long as the text clearly indicates… ” ). I also know | |||
cites as an example, in the digital or online context, the one in which an interested party can issue | |||
the required declaration by filling in an electronic form, sending an email, | |||
uploading a scanned document with your signature or using an electronic form. | |||
. The consent provided by BBVA cannot be considered a consent by omission | |||
or due to inaction, as there is in any case an active behavior of the interested party: on paper | |||
insert the signature in the same place or having in sight the options offered; at | |||
digital channel, on many occasions the affected person will have accessed, browsed through the different | |||
Screens enabled to manage your consent, having chosen, or not, to reject | |||
certain treatments. | |||
In the latter case, the process involves carrying out two actions: | |||
First, the affected person has an interactive document included as a hyperlink | |||
in the text that accompanies a box ( "I have read and accept the data processing | |||
personal ” ), whose dialing is blocking to continue with the registration process; he | |||
The repeated document used in this channel is configured in two layers: a first | |||
that incorporates the boxes under discussion, and a second layer with expanded information; | |||
Second, after the collection of personal data, the interested party again has | |||
available the document with the result of the affirmative action so that, if it is | |||
agree, you must proceed to your signature. | |||
Therefore, there is no inactivity or “silence” that is interpreted as an act of acquiescence or | |||
acceptance, there is a specific activity or, at least, the option to carry it out. BBVA, | |||
nor any other responsible party, cannot materially assure that the client's signature has | |||
place after the leisurely reading of the privacy policy. However, in order to | |||
guarantee that this action takes place, facilitates repeated and insistent messages remembering | |||
this need, so that the interested party is responsible for their decisions. And he can't | |||
responsible to complete or replace the autonomy of the affected will. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 19 | |||
19/124 | |||
Neither does a presumed consent take place since there is no statement or act | |||
positive that implies acceptance of the privacy policy in its entirety. He | |||
interested party knows this policy and chooses to choose their preferences either by marking the | |||
boxes, either by subscribing to said privacy policy without checking them. | |||
There is no inaction, for the same reasons and it is not a case of squares either | |||
pre-marked, the continuity of a service or functionality as a result of silence or | |||
obtaining consent in the context of the acceptance of a contract or of the | |||
terms and conditions of a service. What's more, the subscription of the document is necessary | |||
to register as a BBVA customer, which implies the need for customers to | |||
access the documents, opt for any of the alternatives offered and | |||
sign the document, expressing their agreement or disagreement with the specific | |||
treatment operations subject to your consent. | |||
C) The consent requested by BBVA as a reinforcement of the clients' rights in | |||
treatments that could be based on the prevailing legitimate interest of the entity. | |||
The processing of the data for most of the purposes for which the | |||
Customer consent could have been based on BBVA's concurrence of interest | |||
legitimate prevailing law of BBVA, so that the entity, when obtaining the consent of the | |||
stakeholders has adopted strengthened active liability measures. | |||
The entity refers to purposes 3 and 5 of the Privacy Policy (offer products and | |||
personalized services from BBVA, the BBVA Group and others; and to improve the quality of | |||
products and services). | |||
In this regard, it recalls the 195/2017 report of the AEPD, cited in section A) of the | |||
present point 4, whose sections VII and VIII are applicable to the case now analyzed, | |||
referred to the treatments that a financial institution can protect the legitimate interest in | |||
relationship with purposes that, in BBVA's opinion, fit with those listed as 3 and 5 of the | |||
basic information contained in the informative clause. | |||
In view of what is stated in that report, it can be concluded that the AEPD considers that, in | |||
certain assumptions and under certain circumstances, the processing of data with the | |||
purpose of knowing the client's preferences and their behavior in relation to | |||
products, as well as for the establishment of profiles that allow the submission of | |||
personalized commercial communications, would be covered by article 6.1.f) of the | |||
GDPR, which would exclude the need for customers to give their consent. | |||
Thus, the entity has reinforced the power of disposition of the interested parties on their data | |||
personal, allowing you to express your refusal or opposition to the treatment from the same | |||
moment of the collection of your data, without having to make use of the right of opposition in a | |||
later moment. In addition, the exercise of this right must be justified in some | |||
assumptions ( "reasons related to your particular situation" ), while in the option | |||
offered by the client is based on his sole and exclusive will. | |||
Therefore, if the reasoning of the initiation agreement is followed, the AEPD would be considering | |||
more harmful to request consent when it is not required than to report on the | |||
treatments that the responsible entity intends to base on the prevailing legitimate interest. | |||
Based on everything set out in this point 4 of BBVA's allegations, this entity | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 20 | |||
12/20 | |||
concludes that the treatment carried out for purpose 2 is fully | |||
based on legitimate interest; those carried out for purposes 3, 4 and 5 are based on the | |||
consent granted by the interested parties with all the established requirements; and what in | |||
In the case of purposes 3 and 5, this request for consent constitutes a measure | |||
reinforced active responsibility adopted by BBVA. | |||
TENTH: By letter of 07/02/2020, notified to BBVA on the 6th of the same month, the | |||
The instructor of the procedure agreed to open a period of practice tests, | |||
Considering the claims filed and their | |||
attached documentation, as well as the documents and statements obtained by the | |||
Subdirectorate General for Data Inspection in relation to such claims in the | |||
information application process prior to admission for processing. Likewise, they were considered | |||
submitted the allegations to the initiation agreement formulated by BBVA and the documentation | |||
that accompanies them. | |||
On the other hand, it was agreed to require the entity BBVA so that within a period of ten days | |||
able to provide the following information and / or documentation: | |||
a) Copy of the record of all personal data processing activities carried out under the | |||
BBVA's responsibility mentioned in the personal data collection form | |||
called "Declaration of economic activity and personal data protection policy" , in its | |||
initial version, together with any addition, modification or exclusion in its content. | |||
b) Copy of the evaluation / s of the impact on the protection of personal data relative / s to any | |||
type of personal data processing operations carried out under the responsibility of BBVA, | |||
of those mentioned in the form “Declaration of economic activity and protection policy of | |||
personal data ” , which pose a high risk to the rights and freedoms of natural persons, | |||
in its initial version and, where appropriate, with details of the modifications or updates that could | |||
have been made. | |||
Likewise, if there has been a change in the risk represented by the processing operations | |||
and if deemed necessary, the result of the examination that BBVA may have carried out was requested | |||
to determine if the treatment is in accordance with the impact assessment related to the protection of | |||
data (article 35.11 of the RGPD). | |||
c) A copy of the documents stating the evaluation carried out by the BBVA entity on the | |||
prevalence or not of the interests and fundamental rights of the interested parties over the interests of | |||
BBVA in relation to the personal data processing operations carried out under the | |||
responsibility of BBVA, of those mentioned in the form “Declaration of economic activity and | |||
personal data protection policy ” , with which the satisfaction of interests | |||
legitimate laws pursued by the BBVA entity itself or by a third party. | |||
d) Copy of the report in which the results of the opinion study carried out among the | |||
months of January and February 2018 among new customers, to which BBVA refers on page 44 of its | |||
brief of allegations and Document 9 attached to said brief. | |||
In response to BBVA's request, the term granted was extended by five days | |||
skillful. | |||
Once the total term granted was exceeded, on 08/03/2020, a letter was received from | |||
response to which BBVA attached the following documentation: | |||
A) Impact evaluation on the protection of personal data of the treatments | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 21 | |||
12/21 | |||
related to the realization of commercial profiling. | |||
(…) | |||
B) Impact evaluation on the protection of personal data of the treatments | |||
related to carrying out risk profiling. | |||
(…) | |||
C) Report on the weighting of the prevalence of legitimate interest in the treatments to which | |||
the purpose numbered as 2 is referred to in the section “For what purposes are the | |||
we will use?" , contained in the personal data collection form "Declaration of | |||
economic activity and personal data protection policy ”. | |||
(…) | |||
ELEVENTH: By letter of 08/11/2020, notified to BBVA on 08/17/2020, | |||
granted BBVA a new period of five business days to provide a copy of the | |||
documentation indicated in section a) of the requirement indicated in the antecedent | |||
above (record of treatment activities), which was not incorporated by BBVA into its | |||
Answer from 08/03/2020. | |||
The response to this second requirement also occurred once the | |||
total term granted. On 09/16/2020, a letter was received from the aforementioned entity to which | |||
accompanied the record of treatment activities. | |||
(…) | |||
TWELFTH: On 10/07/2020, a resolution proposal was issued in the sense | |||
following: | |||
"1. That the Director of the Spanish Data Protection Agency sanctions the | |||
BBVA entity, for an infringement of articles 13 and 14 of the RGPD, typified in article | |||
83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD, | |||
with a fine of 3,000,000 euros (three million euros). | |||
2. That the Director of the Spanish Data Protection Agency sanction the | |||
BBVA entity, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and | |||
classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, | |||
with a fine of 3,000,000 euros (three million euros). | |||
3. That the Director of the Spanish Agency for Data Protection proceed to impose | |||
to the BBVA entity, within the period to be determined, the adoption of the necessary measures to | |||
adapt to the personal data protection regulations the processing operations that | |||
performs, the information offered to its clients and the procedure by which they | |||
must give their consent for the collection and processing of their personal data, with | |||
the scope expressed in Law Foundation X of the proposed resolution ” . | |||
THIRTEENTH: BBVA has been notified of the aforementioned resolution proposal, with | |||
On 11/03/2020, this Agency received a written statement of allegations requesting | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 22 | |||
12/22 | |||
once again that the nullity of the procedure is declared or, where appropriate, the | |||
expiration of the same. Alternatively, it requests that its file be agreed or, failing that, | |||
the penalty of warning or a significant reduction of the amount is imposed | |||
established in the proposed resolution. | |||
Declares reproduced in its entirety its allegations to the initiation agreement, that, in its opinion, the | |||
motion for a resolution does not take into account or contest; and formulates the considerations | |||
following, which basically reproduce those allegations at the opening of the | |||
process: | |||
1. Regarding the setting of the amount of the sanction in the commencement agreement, it indicates again that | |||
a substantial defect of nullity is incurred, produces defenselessness and breaks the principle of | |||
impartiality of the investigating body. It considers that this causes a confusion between the phases | |||
instruction and resolution, as evidenced by the fact that the proposed | |||
resolution sets an amount identical to that indicated by the sanctioning body in the | |||
start and reproduce the concurrent circumstances. This supposes a bankruptcy of the principles | |||
inspiring the sanctioning law that is not remedied by the mere fact that the entity | |||
has been able to issue arguments to the opening and to the resolution proposal. | |||
BBVA understands that the proposal incurs a contradiction when considering that the | |||
Determining the amount of the penalty is an obligation imposed by article 64.2 of the | |||
LPACAP and then point out that “not only are the requirements | |||
mentioned, but goes further by offering legal reasoning that justifies the | |||
possible legal classification of the facts assessed at the beginning and, even, the | |||
circumstances that may influence the determination of the sanction ” . BBVA considers that | |||
that rule imposes no such obligation nor is it possible for the Administration to "go beyond" what | |||
provided for in the standard, which constitutes an excess of the powers of the body | |||
sanctioner that violates the rights of the entity against which the procedure is directed. | |||
It warns that article 64.2 of the LPACAP does not represent an important innovation of the | |||
legal system regarding the sanctioning regime in force previously, which already | |||
indicated that the initiation agreement should incorporate “the sanctions that could | |||
correspond, without prejudice to what results from the instruction ” , under which the AEPD | |||
indicated in its initiation agreements the maximum and minimum limits of the aforementioned offense | |||
in the agreement, without establishing the exact amount or amount of the penalty. | |||
Likewise, neither article 85.1 of the LPACAP requires that prior determination of the amount, | |||
since it does not refer to a pre-established sanction, but to the imposition of the sanction that | |||
proceed. This norm, applicable “the procedure has begun” , provides that the recognition of | |||
responsibility may determine the imposition of the sanction "appropriate" , so that | |||
this fixation seems to be foreseen after the acknowledgment of responsibility itself. | |||
In its section 3, the same article provides that the reductions must be adopted on the | |||
“Proposed” sanction , which requires that it has actually been determined in the procedure | |||
what is that amount, and the diction of the precept itself seems to refer to the | |||
resolution proposal as the ideal place to determine the aforementioned amount, | |||
this power corresponding to the examining body. | |||
According to BBVA, this conclusion is not contradicted by the fact that the discounts | |||
would proceed for the recognition of responsibility and advance payment of the sanction | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 23 | |||
23/124 | |||
must be disclosed in the initiation agreement. Both benefits can be awarded | |||
although the sanction is not quantified. | |||
2. Regarding the non-existent link between what was attributed to my client and the claims against the | |||
referred to in the proposed resolution and on the inactivity of the AEPD. | |||
In relation to this issue, it considers that the arguments contained in the proposal for | |||
resolution are not admissible, as there is no doubt about the inactivity of the Administration, which has | |||
contributed to the maintenance of BBVA's conduct and affects the validity of the procedure. | |||
The AEPD expressly considers that there has been no phase of previous actions of | |||
investigation, prior to the adoption of the opening agreement, but that the claims | |||
were admitted for processing without any decision being made on them until | |||
initiation of this procedure, and that you can maintain that situation with the sole limitation | |||
that said decision does not violate the statute of limitations of the alleged | |||
infringement, which would not begin to be computed until BBVA modified its | |||
Privacy. However, this situation is contrary to the principles of the procedure | |||
sanctioning, generating a situation of legal uncertainty to the detriment of BBVA. | |||
In this sense, articles 64.2 and 67 of the LOPDGDD establish a regulated procedure | |||
with clearly marked time limits, differentiating those that are a consequence | |||
of a claim of those in which the AEPD decides on its own initiative. At | |||
In the first case, three successive phases are established, without a break in continuity: (i) admission to | |||
processing of the claim within a period of three months; (ii) the (optional) realization of | |||
investigation actions for a maximum period of twelve months; and (iii) the opening of a | |||
sanctioning procedure, which will last a maximum of nine months. | |||
The AEPD may choose to dispense with investigative actions, but | |||
that decision cannot imply a stoppage or stagnation of the claim admitted | |||
to process for an indefinite period of time, only limited by the statute of limitations, | |||
given that this availability contravenes the principle of legal security of the company. | |||
In case of deciding not to carry out any type of investigation, the | |||
claim must proceed immediately to the opening of sanctioning procedure. | |||
In this case, there has been a delay of ten months, without there being a decision to | |||
carry out investigative actions. The AEPD should have agreed to open the | |||
procedure at the time it decided to admit the claim of claimant 2, that is, | |||
on 02/01/2019, so the procedure should have concluded on 11/04/2019. Without | |||
However, that opening took place on 12/02/2019, almost a month after the date on which | |||
the procedure should have concluded by means of the corresponding resolution. Understands | |||
BBVA that this unjustified inactivity results in the expiration of this procedure, | |||
given that the term to resolve would be expired on the same date that the | |||
start agreement. | |||
It is applicable to this case the doctrine established by the National Court (AN) in its | |||
Judgment of 10/17/2007 (appeal 180/2006), in which it revealed the illegality of the | |||
inadequate or unfounded prolongation of the preliminary investigation actions: | |||
“[…] When the delay in initiating the sanctioning procedure occurs, as in the present case, | |||
for a long period of time, in which the relevance or not of said | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 24 | |||
12/24 | |||
initiation, but no action is carried out by the Administration and ultimately, | |||
there is no justification for such delay, there is a spurious and fraudulent use of the | |||
provided for both in article 12 of RD 1398/1993 and in article 69.2 of the LRJ-PAC. | |||
[…] | |||
And this because, as has also been indicated, and once the AEPD had information and data | |||
sufficient, provided in the first two months of the processing of the repeated actions | |||
previous, and could now direct the accusation against [...] , complying with legal requirements, left without | |||
However, almost eleven more months go by without taking any action, maintaining such | |||
open request for information, but completely inactive. | |||
[…] | |||
We consider for all this, […] that there has been a fraudulent use of the institution of | |||
preliminary proceedings. Consequently, we are faced with an assumption of law fraud contemplated in | |||
Article 6.4 of the Civil Code, as it is intended to circumvent the application of Article 42.2 of the Law | |||
30/1992 using the request for information to avoid expiration of the file | |||
sanctioner. | |||
Fraudulent use that entails the invalidity of the sanctioning procedure and the consequent | |||
estimate of the claim of the claim, with revocation of the sanction imposed on […] in the | |||
contested resolution. " | |||
The AEPD deliberately decides not to process any procedure and wait for the moment | |||
that it deems appropriate to initiate the sanctioning procedure, which implies, taking into | |||
account of the doctrine supported by the SAN that has just been reproduced, a fraud of Law | |||
aimed at the violation of the regulations governing the terms and deadlines of | |||
resolution established in both the LPACAP and the LOPDGDD, with the consequent | |||
damage to BBVA. Faced with this, it cannot be argued that the AN doctrine cannot be extrapolated by | |||
the fact that it refers to a fraudulent use of the previous actions of | |||
investigation whose conduct was not agreed in this case, given that precisely the fraud of | |||
The law derives from the complete inaction of the Administration, which considers it possible to | |||
ad aeternum of the initiation of the sanctioning procedure for some facts regarding the | |||
that he has already collected all the information that, in his opinion, is relevant to direct the | |||
sanctioning action against BBVA. | |||
BBVA's conduct is aggravated by the continuing nature of the infringement, at least | |||
until the moment it proceeded to modify the aforementioned policy in July 2020. | |||
BBVA acted from the moment it responded to the requirements that it was | |||
led until the date on which the initiation of this procedure was agreed, in the confidence | |||
legitimate that the AEPD considered that its Privacy Policy was in accordance with the | |||
data protection legislation, having not directed any reproach or carried out, with | |||
knowledge of my client, no investigative action. | |||
All this results in the nullity of full right of the action of the Administration, which | |||
deliberately dispenses with the clearly and explicitly established legal procedure | |||
prejudice to the principles of legitimate confidence and legal certainty that assist BBVA. | |||
On the other hand, the aforementioned entity dedicates a section of this second allegation to the necessary | |||
link between the object of the sanctioning procedure and the claims made, in | |||
the assumptions of ex officio initiation of the complaint procedure, already made manifest | |||
in their arguments at the opening of the procedure. | |||
It questions whether the AEPD may decide to open a procedure in relation to the | |||
extremes that it deems appropriate (the resolution proposal itself allows | |||
on issues that are not subject to processing). | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 25 | |||
25/124 | |||
The relevant question is found in the factual account of the proposal, which founds the | |||
processing of the procedure in the existence of five claims against BBVA, and not in the | |||
Decision of the AEPD to initiate its processing on its own initiative, using its powers. | |||
Thus, once the claim is admitted for processing, you must continue with its processing and | |||
there must be a precise and direct link between the content of said claims and the | |||
sanctioning reproach. | |||
The AEPD equates the fact that the procedure is initiated ex officio with the beginning “by its own | |||
initiative ” . And in the present case, it begins as a result of five claims, a | |||
the terms of which the procedure must adjust, which cannot be a kind of | |||
general doctrine directed against BBVA. BBVA points out that this argument derives from the doctrine | |||
emanated from the Sentence of the AN of 04/23/2019, already exposed in the allegations to the | |||
opening, from which it follows that a proposal that does not refer in its foundation to | |||
The claims made exceed the necessary consistency required between the facts and the | |||
infractions, converting the five claims into a kind of general cause against | |||
BBVA. | |||
In BBVA's opinion, such a conclusion affects the principle of legal certainty and implies a | |||
flagrant violation of the principle of interdiction of the arbitrariness of public powers, | |||
enshrined in article 9.3 of the Constitution. | |||
3. On the change in the classification of the sanction imputed to BBVA and some considerations | |||
general information about the application of articles 13 and 14 of the RGPD. | |||
a) Regarding the change in the classification of the offense attributed to BBVA and the non-application to the | |||
present case of article 14 of the RGPD. | |||
While in the Initiation Agreement only Article 13 of the | |||
RGPD, the Proposed Resolution extends the sanctioning reproach to the provisions of the | |||
Article 14 of the aforementioned legal text, which is not applicable to this case, taking into account | |||
what is established in section 5 c) of the same article 14 and in article 2.1 of the RGPD: | |||
(…) | |||
The same argument supports the exclusion of the duty to inform with respect to the | |||
credit information, whose access is provided for in the aforementioned article 12.1 of the LCCI. | |||
BBVA adds that, however, in its Privacy Policy it informs about the treatment of | |||
these data and, within the categories of data that it submits to treatment, indicates | |||
expressly “[d] economic and financial solvency figures (including those relating to all | |||
the products and services that you have contracted with BBVA or for which BBVA is | |||
marketer) " . | |||
b) On the supposed obligation to include the categories of data in the information that must | |||
be provided to the interested party. | |||
BBVA has made an effort to clarify the preparation of its Policy on | |||
Privacy, incorporating the categories of data that would be subject to treatment, | |||
despite not being required in article 13 of the RGPD. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 26 | |||
26/124 | |||
The AEPD indicates that the aforementioned article 13 imposes the obligation to inform each and every one | |||
of the data subjected to treatment, breaking down that information for each of the | |||
specific purposes, regardless of whether the origin of the data is the | |||
interested party, in the cases in which the treatment is intended to be based on the legitimate interest of | |||
BBVA or in the consent of the interested parties. Go to what is indicated in the | |||
document "Guidelines on consent" , adopted by the European Committee of | |||
Data Protection (hereinafter, “EDPB”), “which has been updated | |||
by the European Data Protection Committee on 05/04/20 ” , that is, five months later | |||
of the initiation agreement, so this issue does not merit further consideration. | |||
An additional obligation is imposed that is not expressly included in the RGPD. And that | |||
It cannot be modified by the AEPD in a sanctioning resolution nor by the European Committee of | |||
Protection of Data in an Opinion, for the simple reason that they lack powers | |||
normative. The LOPDGDD (article 55) attributes to the AEPD the competence to set its | |||
criteria for action in Circulars, which will be mandatory, but this cannot | |||
imply the imposition of an obligation not recognized in the regulations. | |||
In this case, in addition, the AEPD modifies its criteria regarding what is supported in its “Guide | |||
on compliance with the duty to inform ” and it does so in a singular resolution, violating | |||
the principle of interdiction of the arbitrariness of public powers, by not exposing the | |||
motives underlying such a surprisingly novel criterion, and the principle of | |||
singular non-derogability of the regulations, enshrined by article 37 of the LPACAP. | |||
Finally, it invokes again what was indicated by the AN in Judgment of 04/23/2019, which | |||
admits that a sanctioning procedure is used to establish criteria | |||
interpretative. | |||
4. Regarding the AEPD's assessments regarding the alleged inadequacy, imprecision and | |||
intentional indeterminacy of the information provided by BBVA. | |||
a) Subjective evaluations made by the AEPD in relation to the transparency of the | |||
BBVA Privacy Policy. | |||
- Pronouncements regarding the terminology and expressions used. | |||
Despite the foregoing, BBVA makes allegations on the above issues in which | |||
limits itself to stating that the Agency bases its previous findings on appraisals | |||
subjective; that the terms used are clear and precise, widely used in the | |||
topicality and that meet the intelligibility requirement; that uses those expressions with the | |||
intention to provide its clients with a service adapted to their specific circumstances, | |||
for which it is essential to "know" them ; and that the context in which the | |||
information, which is determined by the contractual relationship, as well as the system of | |||
document in two layers, allow a better understanding of the expressions used. | |||
It provides an explanation of some expressions to which the AEPD refers: | |||
. "We will apply statistical and classification methods to correctly adjust your | |||
profile ” . It involves a specification of two of the techniques used to better understand the | |||
client, frame him appropriately and thus be able to offer him a service | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 27 | |||
12/27 | |||
properly adapted to your personal circumstances. | |||
. “Analyzing the uses of BBVA products, services and channels” , used in the | |||
BBVA's Privacy Policy in the context of personalizing the experience of the | |||
user, in order to be able to offer a service adapted to their circumstances and needs. | |||
The AEPD qualifies this expression as unclear, imprecise and ambiguous. However, in | |||
a later point of the Proposal (p. 73), she herself explains its meaning: “[t] odo | |||
this refers to the data processed by reason of the products and services contracted ” . | |||
Add that some of the expressions explained above are similar to | |||
expressions offered as examples in the "Guide on the use of cookies" : | |||
. "Carry out statistics, surveys, actuarial calculations, measurements and / or studies of | |||
market that may be of interest to BBVA or third parties ” , is similar to the | |||
expression “for analytical purposes” . | |||
. "Analyzing the uses of BBVA products, services and channels" is similar | |||
with the expression "show you personalized advertising based on a profile prepared by | |||
starting from your browsing habits ”. | |||
- Similarity between the expressions used in the BBVA Privacy Policy and the | |||
included in the AEPD's “Guide for compliance with the duty to inform” . Change | |||
of unjustified criteria: violation of legitimate expectations and of the jurisprudence of | |||
the AN | |||
The AEPD avoids ruling on the contradiction posed by the reproach made to BBVA | |||
and the recommendations included in the cited Guide, which offers examples of possible formulas | |||
to inform about the purposes of the treatment similar to those included in the Policy of | |||
Privacy. | |||
The publication of a Guide by the AEPD generates legitimate confidence in its | |||
recipients, who adapt their behavior in the belief that its application contributes to the | |||
compliance with the regulations, so that we now consider those | |||
expressions would mean acting against their own acts and would determine the violation of | |||
the legitimate expectations and legal certainty that documents must provide | |||
published by a supervisory authority, as well as the jurisprudence of the AN collected in the | |||
Judgment of 04/23/2019, already cited, which declared contrary to the principles of law | |||
sanctioning the establishment of general criteria within a procedure | |||
sanctioner. | |||
- Subrogation of the AEPD in the position of the interested parties. Reproach of an action of | |||
marketing carried out by BBVA under the protection of free enterprise. | |||
The AEPD engages in conduct similar to one of the reproaches it makes against me | |||
represented, the impersonation of the interested parties, when he puts himself in the place of | |||
recipients of the information to conclude is not easy to understand for any interested party or | |||
he can deduce the meaning of expressions from the context. | |||
In this regard, it is established as a proven fact that BBVA analyzed during 2017 and 2018 the | |||
impact of the RGPD on its activity and carried out two investigations by third-party experts to | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 28 | |||
28/124 | |||
assess the content and format of the text, or test its understanding, resulting in | |||
undisputed that he acted with proactive responsibility to know people about the | |||
that collects information and determine if said audience is capable of understanding, | |||
adapting the information provided and the terminology for it. | |||
The reproach of the Agency reaches the way of presenting the document to the interested parties, | |||
pointing out that it intends to offer an image of courtesy and good treatment to the client, criticizing with | |||
This is nothing more than a simple business decision by BBVA about how to present a | |||
document to its clients, for which the Bank is fully legitimized by virtue of its | |||
right to freedom of enterprise enshrined in article 38 of the EC. | |||
b) Excessive information requirements for interested parties that could | |||
cause information fatigue. | |||
(…) | |||
The incorporation of all that information related to the type of data to a document already | |||
already excessively long, it would be liable to cause information fatigue in the | |||
interested parties, contrary to the GT29 Guidelines, which recommends efficient information | |||
and succinct; or the AEPD itself, which has highlighted the importance of not overwhelming with the | |||
information, as in the "Guide on the use of cookies" . | |||
c) Supposed lack of determination of the interested parties affected by the communication of data | |||
to the BBVA Group companies. | |||
As indicated in the Privacy Policy, the data of representatives, guarantors, | |||
authorized or beneficiaries are treated only for the management of the contract in which | |||
intervene as a result of their legal relationship with a client of the Bank. In no case | |||
these data are communicated to the BBVA Group companies. | |||
5. About profiling. | |||
Purpose 2 of the Privacy Policy seeks to personalize the experience of its customers | |||
and concludes by indicating the usefulness of said profiles. | |||
The treatment carried out is detailed (analyze and assess the data), the type of data that is | |||
uses in said treatment (data that allows you to be identified, financial evolution and | |||
products and services contracted, operations - payments, income, transfers, debts, | |||
receipts- as well as the uses of BBVA products, services and channels) and the purpose for | |||
the one in which said analysis is carried out (elaborating a profile and using it in business models). | |||
This entity considers that the knowledge of the clients, the analysis of their interrelation with | |||
the products and services offered and the assessment of their preferences expressed to | |||
through the use or not of them, and the way they are used, is the basis of the information | |||
that any company uses to assess its business strategy and improve it, in short, | |||
to design their business models and for customer relationship management. | |||
This treatment in no case will imply an individualized analysis for the performance of | |||
commercial communications, which involves additional and differentiated treatment, which only | |||
It could be done with clients who have given their consent to do so. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 29 | |||
29/124 | |||
This AEPD seems to understand that the only purpose of profiling is to | |||
personalization of the offers, when said treatment may also be aimed at | |||
many other purposes, such as improving the business model, the portfolio of | |||
products and services offered by the person in charge or the customer's experience. For this, | |||
reason this part understands that the Agency confuses in this point two purposes that | |||
are listed in two different sections of the Privacy Policy. | |||
6. On the legality of the treatments that BBVA protects in the legitimate interest in its policy | |||
Of privacy. | |||
The arguments on this issue included in the proposal are presented in a | |||
dispersed, making it difficult for BBVA to really understand the reasons why the AEPD | |||
found their reproach. However, it seems to be concluded that, in the opinion of the Agency, they would not attend | |||
in this case, the requirements derived from Recitals 41 and 47 of the RGPD. Understands | |||
BBVA that the AEPD intends to highlight that legitimate interests are not clearly | |||
described, the treatment described in purpose 2 does not comply with the principle of necessity, | |||
the reasonable expectation of the interested party concurs and, ultimately, a | |||
adequate weighting of the rights and interests at stake. | |||
a) On the concepts of legitimate interest and purpose and their supposed confusion on the part of | |||
BBVA. | |||
The AEPD in its Proposed Resolution highlights the, in its opinion, substantial | |||
difference between the legal concepts of purpose and legitimate interest. BBVA understands that | |||
it deals with elements inextricably linked to each other. Only in this way can the article be understood | |||
6.1 f), which considers the treatment based on legitimate interest lawful; that is, the interest | |||
Legitimate is the purpose (to be satisfied) for which the data is processed. | |||
Following the reasoning of the AEPD, any treatment carried out on the basis of the | |||
legitimate interest in a business environment is illicit because the sole purpose is the mere | |||
obtaining an economic benefit (or reducing a loss). Even the treatments | |||
that the AEPD has considered based on legitimate interest would be contrary to the Law, since | |||
all would fit into the assumption outlawed by the STS of 06/20/2020, which refers to | |||
data processing of people receiving jokes for the purpose merely | |||
chrematistics. And the same can be said of assumptions accepted by the CJEU, the AN or the AEPD | |||
when the treatment is carried out by a company (cites several examples: treatment for | |||
the promotion of free competition in a given sector - for example, access by | |||
electrical traders to the Information System of Supply Points of the | |||
dealers; data processing by search engines; treatments based on | |||
freedom of information from the media; treatments carried out in the | |||
exercise by the employer of his business control functions; creating systems | |||
common fraud prevention; credit information systems; even the | |||
treatments for management and internal administration of business groups or the | |||
processing of personal data for marketing purposes - indicated in Recital 47 | |||
of the RGPD). | |||
The legitimate interest that BBVA intends to fulfill is to continuously improve the relationship | |||
with its clients and the portfolio of products and services it offers, being able to respond | |||
diligently to your needs in case they require them. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 30 | |||
12/30 | |||
Obviously, this legitimate interest is aimed at the continuous improvement of the | |||
business and ensure that customers are satisfied with the service provided. Otherwise | |||
would choose to break the business relationship with the entity and hire the services of a | |||
competitor. | |||
As is logical, this circumstance will entail a loss for BBVA that, lawfully, | |||
intends to avoid. But that does not mean that the legitimate interest that justifies the treatment of | |||
data by BBVA is not to provide the best service to its customers, to be able to | |||
anticipate their needs, offer them, if they consent, products that can | |||
better match your profile and, consequently, continually improve and refine | |||
your business model. | |||
BBVA has a legitimate interest in knowing its clients as well as possible in order to provide | |||
their services with the highest degree of excellence possible, even when this leads, in | |||
his case, coupled (obvious that is to say in the case of a mercantile) the consequence of obtaining | |||
an economic benefit. (…) | |||
b) Regarding the reference to the principle of necessity made in the Proposed Resolution. | |||
The AEPD considers that the principle of necessity required in article 6.1 f) of the RGPD in | |||
relationship with the satisfaction of legitimate interest, does not occur in this case. And part of the doctrine | |||
sitting in the ECHR Judgment of 03/25/1983, referring to an assumption of possible | |||
violation of the secrecy of communications, in which the term "need" is not | |||
corresponds to the one that results from the application of the RGPD. | |||
As regards the principle of necessity, the interpretation is much simpler and | |||
also of the doctrine of the ECHR, which has been repeatedly applied and summarized in | |||
Spain by our Constitutional Court when analyzing the proportionality of a | |||
restrictive measure of a fundamental right. | |||
STC 207/1996, cited by the AEPD in the statement of reasons for its Instruction 1/2006, | |||
notes: | |||
“[…] To verify whether a restrictive measure of a fundamental right exceeds the judgment of | |||
proportionality, it is necessary to verify whether it meets the following three requirements or conditions: "if such | |||
measure is capable of achieving the proposed objective (suitability judgment); yes, in addition, it is | |||
necessary, in the sense that there is no other more moderate measure to achieve such | |||
purpose with equal effectiveness (judgment of necessity); and, finally, if it is weighted or balanced, | |||
for deriving from it more benefits or advantages for the general interest than damages on others | |||
goods or values in conflict (judgment of proportionality in the strict sense) ”. | |||
Well, in the present case, the purpose pursued by BBVA can only be carried out | |||
with the same probabilities performing the treatment that has been described and establishing | |||
models that allow you to really know the preferences of your customers. | |||
(…) | |||
c) On the application to the present case of the principle of reasonable expectation of the interested party. | |||
As already stated in our submissions to the Initiation Agreement, the reasoning of the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 31 | |||
12/31 | |||
Proposed Resolution can only be classified as contradictory: | |||
. The AEPD considers that the treatment must be directly foreseen by the interested party, | |||
without this forecast being mediated by the indications of the person in charge. However, the | |||
Article 13 of the RGPD imposes on that person in charge the obligation to inform about the | |||
treatment and indicate that it is based on a prevailing legitimate interest under penalty of | |||
breach said rule. BBVA wonders if the AEPD intends to say that they should not be informed | |||
treatments based on legitimate interest. Once the information is produced, | |||
It is impossible to know whether or not the interested party was able to foresee the treatments in advance. | |||
. The assessment of the concurrence of the reasonable expectation can be derived from the relationship | |||
of the affected party with the person responsible. However, the AEPD considers that the interested party is | |||
irrelevant the excellence that may exist in the Bank's relationship with him. | |||
(…) | |||
d) (…) | |||
A different matter is that the data collection form of the interested party is used not only | |||
as the initiator of the client's relationship with BBVA, but also to comply with the | |||
Due diligence obligations established in the anti-money laundering legislation | |||
capitals. The data is kept for the period established in this legislation, for the purposes | |||
provided therein, but not for the controversial treatment. | |||
However, as it appears to be clear from the Motion for a Resolution, the subjects | |||
Obligors should request the same data from the affected party on as many occasions as | |||
treatments of the same to be carried out, which obviously does not conform to the norm, nor | |||
it would be reasonable. | |||
Finally, the Proposal for Resolution considers the reference to the Report | |||
195/2017 of the Legal Office of the AEPD, considering that “the premises valued in | |||
This report does not fit the present assumption. In the aforementioned aspects, this report | |||
analyzes the performance of treatments for marketing purposes, provided that the offer is | |||
refer to products similar to those contracted by the interested party, and only use the | |||
information available as a consequence of product management ” . BBVA declares | |||
not understanding how the aforementioned assumption differs from the one currently | |||
analysis. | |||
7. On obtaining consent and its compliance with the RGPD and the LOPDGDD. | |||
a) Previous considerations; precise identification of the eventual illicit. | |||
In relation to the informed condition that is required regarding consent, it is | |||
BBVA refers to what is indicated in the previous sections. | |||
Regarding the form of obtaining consent, it refers firstly to the | |||
considerations formulated by this Agency regarding the “conscious design” carried out by BBVA | |||
with the purpose of favoring the consent of the majority of its clients, | |||
which that entity does not consider legally relevant. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 32 | |||
32/124 | |||
(…) | |||
Lawfully pretending to process large amounts of data for as many more purposes is legitimate, | |||
It is in the interest of the interested party and does not imply the non-observance of the regulations, so | |||
it cannot be subject to sanction or be considered in the graduation of responsibility. | |||
It would be relevant to assess the element of fault, if BBVA had designed the mechanism | |||
"Knowingly" that he was breaking the rules, which he categorically denies. | |||
b) On the characteristics that consent must meet (other than the form, | |||
mechanism or formula for obtaining it). | |||
The AEPD considers that the criteria contained in recital 43 of the RGPD are not met, | |||
that requires that the processes to accept the treatments allow “to authorize separately | |||
the different personal data processing operations ” , and reproaches that there is no | |||
adequate separation of the different treatments, understanding that the signing of the | |||
Privacy is the consent or the "only action" that the interested party performs to authorize the | |||
treatments whose consent BBVA requests. | |||
It is paradoxical that “inaction” is argued as the basis for the responsibility that | |||
imputes and it is also pointed out that said "sole action" is also punishable. | |||
In any case, it is irrefutable that the different purposes for which the | |||
sought the consent of the interested party, as can be seen from the mere reading of the text, which | |||
foresees varied and different purposes. As many consents as purposes or | |||
uses is intended. | |||
c) On the way in which consent has been obtained. | |||
The Agency considers that consent is not unequivocal. Estimate that we | |||
We are faced with a statement or a clear affirmative action, which is intended to obtain a | |||
consent through the inaction of the interested party ( “do not check the boxes in which | |||
indicates “I don't want to…” ” ). | |||
The BBVA entity does not share this criterion, as anticipated in the brief of allegations to the | |||
Initiation Agreement, in which he presented a series of considerations in relation to the so-called | |||
power of control of the interested party over their data, which is respected if we analyze the | |||
mechanism devised as a whole and not in isolation, paying attention only to the boxes | |||
contained in the Privacy Policy. This question is on which the AEPD does not argue. | |||
And, as already indicated, the RGPD admits many and different formulas to obtain the | |||
consent, provided that it is clearly derived from them that the interested party "accepts the | |||
proposed treatment of your data ” . | |||
The AEPD is based exclusively on the "negative" character of the boxes without analyzing whether the | |||
set of actions that the interested party can perform allows to conclude whether or not there is a will | |||
deliberate to consent or not to certain treatments, knowing that it can never be achieved | |||
absolute certainty of the motivation of the interested party. In this case, whatever the | |||
option of the interested party (whether or not the boxes are marked), it will never be possible to consider that | |||
there has been an inaction of it, since that specific inactivity cannot be isolated from the | |||
set of actions that the interested party must carry out to register as a client. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 33 | |||
33/124 | |||
Next, it highlights some essential aspects of any registration process of a | |||
interested as a BBVA client: | |||
. In any registration process, the subscription and signing of the Policy of | |||
Privacy, in which the options offered, manifest and | |||
obvious to the interested party. It is a clear affirmative action carried out with full | |||
knowledge of the scope and consequences. In addition, the client has at his disposal, at | |||
through the application, a procedure to manage your preferences. | |||
. The established formula allows the interested party to make different decisions in relation to the | |||
processing of your data, it being obvious that if the interested party does not use them, they will not | |||
it is reprehensible to the entity. | |||
There is a clear affirmative action, since all interested parties subscribe digitally or | |||
in person the Privacy Policy, but, previously, the interested party takes | |||
various decisions, choosing options or preferences. On paper, the signature is | |||
inserted in a place where the options offered are visible, then there is a | |||
conduct that implies acceptance of what is signed; in digital form, the affected party agrees | |||
to different screens enabled to manage your consent, you have a “Check | |||
acceptance ” and after collecting the data the document is available again | |||
to proceed with your signature, if you agree. | |||
Neither does a presumed consent take place since in no case does a | |||
declaration or act of "positive silence" that implies acceptance of the Policy of | |||
Privacy in its entirety; These are not already marked boxes; nor the inactivity | |||
supposes the continuity of a service or functionality. | |||
The claim made by the claimant 3 is a sample of the fulfillment by BBVA | |||
of their obligations. | |||
In short, the registration processes through digital and face-to-face channels comply with | |||
the requirements expressed in the Guide for heads of the AEPD, which recalls that the | |||
consent “may be unequivocal and be given implicitly when it is deduced from | |||
an action of the interested party ” . | |||
Finally, it deserves to pay further attention, in relation to the written statement, to | |||
case referred to as “example 17” in the EDPB Consent Guidelines, | |||
since it is a case that can be assimilated to the one that is the subject of this file, | |||
by supporting a scenario that contains the dialing options of a "yes" and a "no" . So, | |||
notes that: | |||
“A data controller can also obtain explicit consent from a person who | |||
visit your website by offering an explicit consent screen that contains Yes and No boxes, | |||
provided that the text clearly indicates consent, for example, “I, give my consent to the | |||
treatment of my data ”and not, for example,“ I am clear that my data will be processed ”. Strike | |||
say that the conditions of informed consent must be met, as well as the rest of the | |||
conditions necessary to obtain valid consent ” . | |||
8. Application to the present case of the principles of guilt proportionality and | |||
modifying circumstances of the concurrent responsibility in the same. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 34 | |||
34/124 | |||
a) Of the non-concurrence of guilt in the actions of BBVA. | |||
Has acted at all times with full diligence, following the guidelines of the AEPD and | |||
including in its Privacy Policy the mandatory content established in article 13 | |||
of the RGPD and extremes that neither the norm nor its interpretation impose; and in the conviction, | |||
after it reported on the claims made, that the Agency had not | |||
warned element that contravenes the provisions of the RGPD and LOPDGDD. | |||
It invokes the Sentence of the AN of 11/19/2008, in which the concurrence of the principle is justified | |||
of legitimate confidence, having acted in the belief that their conduct conformed to the | |||
legality. | |||
And the Sentence, also of the AN, of 10/15/2012 (resource 608/2011), which assesses “the | |||
active participation of the Administration ”, which could lead the interested party to the conclusion that | |||
his performance was in accordance with the law; that his conduct is not covered by a | |||
reasonable legal interpretation of the applicable rules; and the difficulties in | |||
interpretation described by the Administration. | |||
b) The application of the principle of proportionality. | |||
BBVA considers that certain aggravating factors appreciated by the Agency would not be applicable to the | |||
conduct of BBVA and that certain circumstances concur that reduce its | |||
responsibility. | |||
c) Aggravating circumstances appreciated by the AEPD. | |||
- Nature, seriousness and duration of the infringement (article 83.2 a) of the RGPD). | |||
The Agency considers an element of the type as an aggravating circumstance, such as the | |||
alleged breach of the principle of transparency, intrinsically related to the | |||
non-compliance with articles 13 and 14 of the RGPD, which is not acceptable in law. And the | |||
The same can be said in relation to the violation of article 6 of the RGPD, which according to the | |||
Agency is aggravated by affecting the principle of transparency. | |||
- Supposed absence of adequate procedures for action in the collection and | |||
processing of personal data (article 83.2 k) of the RGPD). | |||
It can be concluded in the same sense expressed in the previous subsection, since the | |||
fact that the Agency considers that BBVA does not have procedures in place | |||
appropriate course of action derives from your understanding that the Privacy Policy does not | |||
complies with the information obligations or with the requirements for obtaining the | |||
consent. | |||
- Presumed intentionality in the commission of the offense (article 83.2 b) of the RGPD). | |||
(…) | |||
All of this, which appears in the Bank's annual reports from 2016 to 2019, is | |||
proof of BBVA's firm and determined will to achieve full compliance with the RGPD and | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 35 | |||
35/124 | |||
since before its application, as well as the LOPDGDD. The advance with which they started | |||
the aforementioned works, as well as the fact of having involved the stakeholders themselves in the | |||
development of the new privacy policy, attest to goodwill, responsibility | |||
proactive and diligence of BBVA in terms of compliance with the regulations on the protection of | |||
data. | |||
The good faith of the Bank and the will to adapt its activities to the aforementioned is shown | |||
normative. If the Agency considers that the work of adaptation to the RGPD and the LOPDGDD | |||
are irregular or insufficient, the aforementioned regulation contemplates other mechanisms | |||
other than the imposition of a fine to correct the deficiencies that could be appreciated | |||
by the supervisory authority. | |||
It cannot be accepted that having developed diligent and proactive actions in order to | |||
adapt their activities to the new regulatory framework is used against them and considered | |||
as an aggravating circumstance of their alleged responsibility. Especially, having | |||
note that BBVA has adjusted its actions to the guidelines issued by the AEPD. | |||
- Supposed continuous nature of the offense. | |||
The Agency was perfectly aware of BBVA's Privacy Policy for almost a year | |||
before agreeing to start this sanctioning procedure. He let ten months go by | |||
between the first admission for processing and the start of the procedure, without making any reproach | |||
formally to BBVA, which acted with the confidence that it was not appreciated by the supervisory authority | |||
the existence of any violation. | |||
Well, the reproach derived from the maintenance over time of the Privacy Policy | |||
BBVA should only be attributable to those who, knowing that they considered the conduct as | |||
Reprehensible, he kept that opinion hidden for such a long period of time. The | |||
AEPD, through its inaction, made it possible for BBVA not to adopt any measure to correct or | |||
modify the Privacy Policy. | |||
d) Extenuating circumstances concurrent in the alleged object of this procedure. | |||
- Intentionality or negligence in the infringement (article 83.2 b) of the RGPD) and degree of | |||
BBVA's responsibility taking into account technical or organizational measures | |||
applied (article 83.2 d) of the RGPD): adaptation work to the RGPD and the | |||
LOPDGDD. | |||
The actions carried out since 2016 to adapt its activities to the RGPD, | |||
already exposed, give account of the special diligence and proactivity with which it faced the | |||
approval and entry into force of the new regulatory framework. Such actions cannot | |||
used against them as an aggravating circumstance, even less to indicate that they were | |||
made with the intention of violating the rule. | |||
He understands that the lack of intentionality in the commission of | |||
the infractions that are imputed and the high degree of proactive responsibility shown to | |||
through the aforementioned works. | |||
- Measures taken by BBVA to mitigate the effects of the alleged infractions. | |||
Diligent regularization (article 83.2 c) of the RGPD). Regularization measures | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 36 | |||
36/124 | |||
taken in relation to claims. Development of a new version of the | |||
BBVA Privacy Policy. | |||
BBVA has developed a large number of actions to fully comply with the | |||
regulations on data protection and correcting any failures revealed | |||
for the aforementioned claims. It may be mentioned that the Bank met the wishes of | |||
each of the claimants as soon as they became aware of them, with | |||
independence of the validity or correctness of the arguments put forward by them, | |||
immediately implementing the precise and sufficient actions to prevent your data from | |||
were treated against their will. | |||
Likewise, BBVA carried out a whole set of internal actions aimed at | |||
repeatedly remind the whole of its commercial network, the policies adopted in | |||
data protection matters; one more sample of the diligence employed. | |||
Known the opening of the procedure, it has intensified its activity with the purpose of | |||
reinforce the information provided to customers and has developed a new version of the | |||
Privacy Policy, without this implying in any case the recognition of the | |||
infractions that are imputed. | |||
According to BBVA, this new version of BBVA's Privacy Policy would leave the content of the | |||
all the reproaches made by the AEPD in relation to the transparency of the | |||
herself. It highlights the following aspects: | |||
. It exposes in an even more clear and differentiated way the purposes of the treatment of | |||
data of representatives, guarantors, authorized or beneficiaries, separate from customers | |||
(In this way, the communication of data is only one of the purposes of the | |||
treatment of customer data). Likewise, the New Privacy Policy | |||
specifies the categories of data affected in each case. | |||
. It offers more detailed information in relation to the categories of personal data of | |||
clients subject to treatment, distinguishing between those provided directly | |||
by the interested party, those collected or generated by BBVA and those obtained from other sources. | |||
. The purposes related to the development of commercial profiles and | |||
risk, systematically indicating the types and purposes, the basis of legitimation - | |||
describing, where appropriate, the legitimate interest of BBVA-, the data used and the period | |||
time they understand, as well as the sources of such data. | |||
. Indicates what personal data of customers will be communicated to third parties, who can | |||
being said third parties, the purpose of the communication and the basis of legitimacy for the | |||
herself. For this, communications are referred to as a specific purpose. | |||
and differentiated from the treatment of BBVA customer data. | |||
Finally, BBVA points out that, despite what is alleged in this sanctioning file, given | |||
that the Agency does not share the criteria of that entity (despite the full legality of its | |||
action), and exclusively taking into account the very serious consequences that for BBVA | |||
may imply the maintenance by the Agency of this criterion, the | |||
mechanism for obtaining the consent of the interested party, including in the first layer | |||
informative differentiated and granular boxes that the interested party must mark if they wish | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 37 | |||
37/124 | |||
authorize BBVA to process your data for each of the purposes indicated. Each | |||
box is accompanied by a description of the treatment and a referral to the | |||
additional information on the purpose contained in the second layer. | |||
BBVA considers that all of the above shows the diligence, proactivity and speed shown | |||
to improve the information provided to clients, representatives, guarantors, | |||
authorized and beneficiaries and rectify the defects of which, in the opinion of the Agency, | |||
such information. Consequently, in BBVA's opinion, in the event that the AEPD | |||
consider that you are responsible for the two offenses that are charged, the measures | |||
taken by the Bank should be taken into account as extenuating circumstances of its | |||
eventual liability. | |||
Of the actions carried out in this procedure and of the documentation | |||
Obrante in the file, the following have been accredited: | |||
PROVEN FACTS | |||
1. On 10/16/2018, a claim made by the | |||
Claimant 1 against BBVA, for sending to his mobile phone line, on 10/11/2018, of | |||
a promotional SMS without your authorization. | |||
In relation to this claim, BBVA informed this Agency that claimant 1 provided his | |||
compliance with the sending of advertising by subscribing, on 06/07/2016, of the | |||
document "Customer identification, processing of personal data and digitized signature" , | |||
contributed to the actions by the entity itself. | |||
2. On 12/09/2018, a claim made by the | |||
claimant 2 against BBVA, noting that the BBVA App does not meet the legal requirements | |||
related to free and informed consent. | |||
In relation to his complaint, complainant 2 provided a copy of an email addressed to | |||
to BBVA, dated 11/09/2018, in which it expressly indicates the following: | |||
“Dear BBVA DPO | |||
The document attached to the previous message comes from the BBVA APP offered on the Android platform. | |||
The aforementioned application requires the user, as a step prior to its use, to provide consent through the | |||
electronic signature of a document that only offers the possibility of opposing data processing | |||
personal for purposes other than those necessary for the purposes of providing financial services if the | |||
Client activates the boxes of opposition to a treatment that BY DEFAULT (see article 25 of the | |||
GDPR) should be considered as activated. The informative text is inconsistent with the | |||
transparency principle of article 12 of the RGPD… ”. | |||
BBVA responded to this email through another dated 11/29/2018 in which literally | |||
indicates: | |||
“The way in which the consent to which you refer is obtained has been considered valid | |||
not only in the internal analyzes of our own entity, but in all those forums where it has been | |||
raised the question, since the interested party has the option of choosing in a simple and | |||
easily understandable the option you prefer ”. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 38 | |||
38/124 | |||
The claimant contributed a copy of the document generated by the App to the proceedings, with the | |||
"Declaration of economic activity and personal data protection policy" label , at | |||
whose section 1 contains the identification data of the client (the claimant 2) and his declaration | |||
of economic activity. In this document, all the enabled options are checked | |||
so that the interested party gives their consent to the processing of personal data with | |||
the purposes expressed in said options ( "I don't want ..." ). | |||
3. On 02/13/2019, a claim made by the | |||
claimant 3 against BBVA, in which it shows that the aforementioned entity required it, to | |||
unlocking your account, signing the personal data protection document. | |||
Said document, which is provided to the proceedings by the claimant 3, corresponds | |||
with the so-called "Declaration of Economic Activity and Data Protection Policy | |||
Personal ” . This document appears dated 02/11/2019 and without the interested party's signature. Of | |||
the options enabled in this document for the interested party to give their consent | |||
to the processing of your personal data for the purposes that are expressed in each case, | |||
The option “I do not want BBVA to process my data to offer me products and | |||
BBVA, the BBVA Group and other personalized services for me by email ”. | |||
With its brief of allegations, BBVA also provided another copy of the aforementioned "Statement" | |||
signed by claimant 3 on 01/17/2019 and with the mark in the same option of the | |||
consents. | |||
4. On 05/23/2019, a claim made by the | |||
Claimant 4 against BBVA, for sending commercial communications that have not been requested | |||
nor authorized. | |||
In relation to this claim, BBVA informed this Agency that claimant 4 was not | |||
opposed the data processing reported in the document "Declaration of Activity | |||
Economic and Data Protection Policy ” , signed by the same on 11/26/2018. | |||
In the cited document, which has been contributed to the proceedings by BBVA, there is no marked | |||
none of the options offered to the interested party to consent to the treatment of their | |||
personal information. | |||
5. On 08/27/2019, a claim made by the | |||
Claimant 5 against BBVA, for making phone calls and sending SMS | |||
advertising. | |||
In relation to this claim, BBVA informed this Agency that the claimant 5, on the date | |||
06/18/2018, signed the document “Declaration of Economic Activity and Protection Policy | |||
Personal Data ” , consenting to the processing of your data for commercial purposes. Add | |||
that said document was signed a second time by claimant 5, on 05/27/2019, | |||
expressing their opposition to the aforementioned treatments. | |||
Both documents are provided to the proceedings by the entity BBVA. In the first | |||
of them there is no mark in the boxes enabled for the client to express their | |||
consent to the treatments indicated and in the second the interested party marked all | |||
the options ("I don't want ..."). | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 39 | |||
39/124 | |||
6. To adapt its actions to the RGPD, the BBVA entity enabled the form of | |||
collection of personal data called "Declaration of economic activity and policy of | |||
protection of personal data ” . Section 1 of this document contains the data | |||
identification of the client and its declaration of economic activity. Other data include | |||
those related to name, surname, tax identifier, date of birth, nationality, | |||
address, marital status, matrimonial status, contact details, fixed and variable income, | |||
entity in which it provides service or gross annual income. | |||
Through this document, established by BBVA as mandatory for all customers, the | |||
said entity discloses the terms of its privacy policy and establishes the | |||
mechanisms so that clients can give their consent for the treatment of | |||
your personal data for the purposes indicated in the aforementioned document. | |||
The signature of the document by the client and the date is included at the end of section 2 " | |||
protection of personal data ” , expressly indicating to the interested party that with the process of | |||
signature agrees to the "Declaration of economic activity and protection policy | |||
of personal data ” . | |||
Immediately after signing, the "Extended Information" on the subject of | |||
protection of personal data and a glossary of terms. | |||
In relation to the provision of consent, immediately before the space provided | |||
For the signature, interested parties are offered the possibility of marking the following options: | |||
"We inform you that if you do not agree with the acceptance of any of the following purposes, | |||
you can select them below. | |||
. Products and prices more adjusted to you | |||
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others customized for me. | |||
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
offer personalized products and services for me. | |||
Quality improvement | |||
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make your data ". | |||
(The content of the form "Declaration of Economic Activity and Protection Policy of | |||
Personal Data ” provided by the claimant 3 is similar to that reproduced in Annex 1, except | |||
the detail relating to the box through which the customer is offered the option "I do not want | |||
BBVA treats my data to offer me products and services from BBVA, Grupo BBVA and others | |||
personalized for me ” , which allows you to mark the following channels: | |||
[ ] By email | |||
[] By SMS | |||
[] By phone (phone call) | |||
[] By post) | |||
The entire content of this "Declaration of economic activity and policy for the protection of | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 40 | |||
40/124 | |||
personal data ” is declared reproduced in this act for evidentiary purposes (section 2 | |||
"Personal Data Protection Policy" and "Extended Information" is included as | |||
Appendix 1). | |||
7. (…) | |||
8. (…) | |||
9. In response to the test requirement that was made by the instructor of the | |||
procedure, BBVA provided the following documents for the proceedings: | |||
. Impact evaluation on the protection of personal data of the treatments | |||
related to the realization of commercial profiling (The detail of the content of this | |||
document, as far as the present procedure is concerned, is outlined in the Antecedent | |||
Eighth). | |||
. Impact evaluation on the protection of personal data of the treatments | |||
related to the performance of risk profiling (The detail of the content of this | |||
document, as far as the present procedure is concerned, is outlined in the Antecedent | |||
Eighth). | |||
. Report on the weighting of the prevalence of legitimate interest in the treatments to which | |||
the purpose numbered as 2 is referred to in the section “For what purposes are the | |||
we will use?" , contained in the personal data collection form "Declaration of | |||
economic activity and personal data protection policy ” (The content of this | |||
document is also outlined in Antecedent Eight). | |||
. Record of treatment activities (the content of this document is extracted from | |||
in Antecedent Ninth). | |||
These documents are declared reproduced in this act for evidentiary purposes. | |||
10. BBVA has stated in its brief of allegations that the total number of natural person clients | |||
it amounts to eight million thirty-one thousand. On the entity's website it is reported that the number | |||
customers exceeds ten million. | |||
FOUNDATIONS OF LAW | |||
I | |||
By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of | |||
Control, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, the | |||
Director of the Spanish Agency for Data Protection is competent to initiate and | |||
solve this procedure. | |||
Article 63.2 of the LOPDGDD determines that: “The procedures processed by the | |||
Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) | |||
2016/679, in this organic law, by the regulatory provisions issued in its | |||
development and, insofar as they are not contradicted, in the alternative, by the general rules | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 41 | |||
41/124 | |||
on administrative procedures. " | |||
II | |||
Previously, it is deemed appropriate to analyze the formal questions raised | |||
by BBVA in its brief of allegations. | |||
First of all, BBVA considers that the initiation agreement is invalid. | |||
due to the defenselessness produced by the setting of the amount of the sanction in the | |||
openness, instead of expressing only the limits of the possible sanction, and without | |||
The aggravating factors have been motivated, nor has the entity had the opportunity to express itself | |||
respect. For this same circumstance, it considers that the initiation agreement exceeds the | |||
legally foreseen content, violated article 68 of the LOPDGDD, and understands affected | |||
the impartiality of the investigating body, which knows before starting the procedure the criteria | |||
of the body to which the file must be submitted, in clear breach of the principle of separation of | |||
the investigation and sanction phase (article 63.1 of the LPACAP). | |||
In this regard, BBVA adds that article 85 of the LPACAP, which is invoked in the | |||
operative part of the agreement to open the procedure to specify the reductions | |||
that entails the acknowledgment of responsibility, determines that the amount of the sanction | |||
pecuniary may be determined "initiated the sanctioning procedure" and that is only applicable | |||
to cases that give rise to the imposition of a fine of a fixed and objective nature. | |||
This Agency does not share the position expressed by BBVA in relation to the | |||
content of the agreement to open this sanctioning procedure. | |||
In the opinion of this Agency, the initiation agreement issued is in accordance with the provisions of the | |||
Article 68 of the LOPDGDD, according to which it will be enough that the agreement to initiate the | |||
procedure specify the facts that motivate the opening, identify the person or entity | |||
against which the procedure is directed, the offense that could have been committed and its possible | |||
sanction (in this case, of the different corrective powers contemplated in article 58.2 of the | |||
RGPD, the Agency deemed appropriate the imposition of a fine, in addition to the adoption of | |||
measures to adjust its performance to the regulations, without prejudice to what may result from the | |||
procedure instruction). | |||
In the same sense, article 64.2 of the LPACAP is expressed, which establishes | |||
expressly the minimum content of the initiation agreement. According to this precept, among others | |||
details, must contain “the facts that motivate the initiation of the procedure, its possible | |||
legal qualification and the penalties that may correspond, without prejudice to what results | |||
of the instruction ” . | |||
In this case, not only are the aforementioned requirements fully met, but also | |||
that goes further by offering reasons that justify the possible legal qualification of | |||
the facts assessed at the beginning and even mention the circumstances that may influence the | |||
the determination of the sanction. | |||
In accordance with the foregoing, it cannot be said to indicate the possible sanction that | |||
may correspond for the imputed infractions is determining of defenselessness or that | |||
suppose a break of the principle of separation of the phases of instruction and resolution. To the | |||
On the contrary, this complies with one of the requirements set forth in the regulations | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 42 | |||
42/124 | |||
reviewed. | |||
It cannot be forgotten, likewise, that article 85 of the LPACAP contemplates the | |||
possibility of applying reductions on the amount of the sanction if the offender recognizes his | |||
responsibility and in case of voluntary payment of the penalty. This precept establishes the | |||
obligation to determine those reductions in the notification of initiation of the procedure, | |||
which entails the need to set the amount of the penalty corresponding to the facts | |||
accused. | |||
Contrary to what BBVA has stated, this article 85 of the LPACAP does not establish that the | |||
amount of the sanction is determined once the procedure has started. It is the recognition of | |||
the responsibility and the voluntary payment of the sanction, which must occur subsequently | |||
at that time, and not the setting of the amount of the penalty, as stated by BBVA. | |||
If this acknowledgment of responsibility or voluntary payment does not occur, which | |||
would determine the termination of the procedure, it is instructed and subsequently dictated | |||
the proposed resolution, in which the facts that are | |||
considered proven and their exact legal qualification, the infringement that, in its | |||
case, those constitute, the person or persons responsible and the sanction that | |||
propose, the assessment of the tests carried out, especially those that constitute the | |||
basic fundamentals of the decision. This must be notified to the interested party, | |||
granting him a period of time to formulate allegations and present the documents and | |||
information deemed relevant. In no case will a resolution be adopted without the | |||
interested party have the opportunity to express themselves on all the points considered. | |||
No argument contains the brief of allegations to the resolution proposal | |||
presented by BBVA that modifies this approach and the conclusion set forth. | |||
BBVA, in this case, has seen all the guarantees of the interested party that it provides for | |||
the procedural regulations and it cannot be said that the determination of the amount of the fine in the | |||
The opening agreement does not imply any loss of said guarantees causing defenselessness. | |||
Nor does this circumstance break the impartiality of the investigating body, which has | |||
all the powers conferred by the regulations in question and full freedom to dictate its | |||
motion for resolution. You just have to go to the Agency website, where they are published | |||
all resolutions issued in sanctioning procedures, to verify the great | |||
number of them that end with a resolution of the action file, following the | |||
proposal issued by the procedure instructor, as well as those others in which | |||
said proposal increased or decreased the amount of the penalty set in the opening agreement | |||
or even proposed the application of a corrective power other than the fine. | |||
The interested entity also questions that the initiation agreement is "exceeded" | |||
adding to its content a brief statement of the circumstances that in the opinion of the body | |||
sanctioner justify the initiation of the procedure, understanding that this violates their rights. | |||
This Agency does not understand this argument, especially if it is considered that BBVA has | |||
alleged the concurrence of some reason causing defenselessness on several occasions. | |||
Article 68 regulates the content that the agreement to initiate the | |||
procedure for the exercise of the sanctioning power, stating that | |||
the facts, the identification of the person or entity against whom the procedure is directed, | |||
the infraction that could have been committed and its possible sanction. However, it is the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 43 | |||
43/124 | |||
minimum content required, of the elements that must be detailed in the aforementioned agreement | |||
to determine its validity. But nothing prevents that, as indicated above, | |||
offer reasoning regarding the possible legal classification of the facts assessed at the | |||
initiation or mention of the circumstances that may influence the determination of the sanction, | |||
which will undoubtedly benefit the interested party, who sees their | |||
right of defense. | |||
It is true, on the other hand, that during the validity of the sanctioning regime prior to the | |||
LPACAP this Agency did not set the amount of the possible sanction in the initiation agreement, | |||
indicating instead the minimum and maximum limits that corresponded to the infraction | |||
charged. And so it was until the entry into force of the aforementioned LPACAP in October 2016; | |||
moment in which that approach was modified, precisely to address the | |||
established in article 85 of said Law and offer the interested party the alternatives that | |||
establishes. | |||
Likewise, BBVA understands that the provisions of this article 85 of the LPACAP | |||
It means that the amount of the fine is determined once the procedure has started. So, | |||
warns that this standard provides that the acknowledgment of responsibility may determine the | |||
imposition of the " appropriate " sanction , so that such fixation seems to be foreseen with | |||
subsequent to the acknowledgment of responsibility; and that in its section 3 establishes | |||
that the reductions should be adopted on the “proposed” sanction , which seems to refer | |||
to the proposed resolution as the ideal place to determine the aforementioned amount. | |||
This Agency cannot share this argument. Suffice it to point out that the payment | |||
Voluntary can be done by the interested party at any time during the previous procedure | |||
to the resolution and implies its termination. This being the case, so that the interested party can use | |||
of this option, the amount of the sanction must be established at the beginning. In the same way, | |||
it will be difficult for said interested party to recognize their responsibility by initiating a procedure | |||
sanctioning if the agreement that determines that initiation does not indicate the scope that will be attributed to that | |||
acknowledgment of responsibility. | |||
On the other hand, BBVA alleges that the AEPD has shown a manifest inactivity, | |||
having limited itself to transferring the claims, and not all, to the DPD of the entity already | |||
agree to its admission for processing. It considers that the previous phase of | |||
investigation for ten months without carrying out any activity aimed at investigating the | |||
content of the claims, and that it waited for a significant number of | |||
claims to reactivate a procedure that had been "suspended" since the | |||
first admissions to process, which deals only with the "Declaration of Activity | |||
Economic and Data Protection Policy ” , held by the Agency from the presentation | |||
of the claim by the claimant 2. It adds that during that time BBVA acted in the | |||
confidence that there was no irregularity, so that the inaction of the AEPD has | |||
aggravated the reproach. Finally, in relation to these questions, it indicates that it gave an answer | |||
to the transfer of the claim made by the claimant 3, contrary to what is indicated in the | |||
agreement to open the procedure, in which it is indicated that the Agency did not receive | |||
reply. | |||
The procedures carried out by this Agency to which BBVA refers in its allegation | |||
above have to do with the process of admission for processing of the claims received, | |||
which included for four of the five claims received their transfer to the person responsible, | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 44 | |||
44/124 | |||
prior to the agreement to admit the claim. | |||
In accordance with the provisions of article 55 of the RGPD, the Spanish Agency for | |||
Data Protection is competent to perform the functions assigned to it in its | |||
Article 57, including that of enforcing the Regulation and promoting awareness of the | |||
controllers and data processors about their obligations, | |||
as well as dealing with claims submitted by an interested party and investigating the reason for the | |||
themselves. | |||
Correlatively, article 31 of the RGPD establishes the obligation of those responsible | |||
and those in charge of the treatment to cooperate with the control authority that requests it in the | |||
performance of their duties. In the event that they have designated a delegate of | |||
data protection, article 39 of the RGPD attributes to it the function of cooperating with said | |||
authority. | |||
Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, | |||
has provided a mechanism prior to the admission for processing of claims that are | |||
made before the Spanish Data Protection Agency, which consists of transferring | |||
the same to the data protection delegates designated by those responsible or | |||
responsible for the treatment, for the purposes provided in article 37 of the aforementioned regulation, or | |||
these when they have not designated them, so that they proceed to the analysis of said | |||
complaints and to respond to them within a month. It is an optional procedure, | |||
so that this transfer is carried out if the Agency so deems it. | |||
In accordance with these regulations, prior to the admission for processing of the | |||
claims that give rise to the present procedure, in four of them a transfer of | |||
the same to the responsible entity so that it could proceed to its analysis, respond to this | |||
Agency within a month and certify having provided the complainant with the proper response. | |||
The result of said transfer was not satisfactory, therefore, for the intended purposes | |||
In its article 64.2 of the LOPDGDD, it was agreed to admit the claims for processing | |||
presented through agreements that were duly notified to the claimants, and not to | |||
BBVA, in accordance with the provisions of article 65.5 of the LOPDGDD. In this regard, | |||
said entity has stated that it responded to the transfer of the claim made by | |||
claimant 3 and provides proof of its posting, although said response does not | |||
It is included in the corresponding file for admission to processing. | |||
On the other hand, BBVA makes a mistake when stating that the previous phase of | |||
investigation was kept open for ten months without any activity, without | |||
no specific investigative action is recorded. In this case, it should be clarified, not | |||
agreed to open a preliminary investigation phase, established as optional in the | |||
Article 67 of the LOPDGDD. | |||
No legal consequence can be attributed to this fact, nor to the time | |||
elapsed between the admission to processing of the claims and the opening of the procedure, | |||
as there is no regulation that limits the time that the Administration has to start | |||
this type of procedure, beyond the rule of prescription and the effects | |||
attribute. During that time interval there was no procedure in progress that | |||
It could be understood as suspended, as indicated by the responsible entity, nor can it be sustained | |||
that said period endorses BBVA's privacy policy or that during that time the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 45 | |||
45/124 | |||
responsibility of the entity in compliance with regulations. Regardless of | |||
effect that can be attributed to the time interval prior to the opening of the procedure | |||
sanctioner, there can be no doubt about the inexistence of circumstances that | |||
have allowed BBVA during that time frame to understand, even incidentally, | |||
that there was no reproach on the part of this Agency in relation to the issues | |||
raised by the claims submitted. BBVA was aware of the claims made and | |||
He also knew that there was no statement from this Agency in this regard. | |||
Nor is there any rule that prevents the opening of a single procedure | |||
sanctioner originating from several claims directed against the same | |||
responsable. | |||
In its brief of allegations to the resolution proposal, BBVA reiterates its protest | |||
on the inactivity of the Administration. In his understanding, this inactivity is | |||
manifest, once the AEPD agreed to dispense with the performance of previous actions | |||
of investigation, for the entire period between the admission for processing of the | |||
claim made by claimant 2, on 02/01/2019, and the opening of the procedure on | |||
12/02/2019, ten months later. | |||
On the other hand, it rejects the approach set out above, according to which the | |||
The only time limitation for the opening of the sanctioning procedure is determined | |||
for the limitation periods of the alleged infringement. Consider that articles 64.2 and 67 | |||
of the LOPDGDD establish three successive phases without solution of continuity (admission to | |||
procedure, preliminary investigation actions and opening of the sanctioning procedure), each | |||
one of them with marked time limits, so that, if you choose not to | |||
preliminary investigation actions, once the claim has been admitted for processing, | |||
proceed immediately to the opening of the sanctioning procedure. | |||
In this case, according to BBVA, the AEPD should have agreed to open the | |||
procedure at the time it decided to admit the claim of claimant 2, that is, | |||
on 02/01/2019, so the procedure should have concluded on 11/04/2019. Without | |||
However, that opening took place on 12/02/2019, almost a month after the date on which | |||
the procedure should have concluded by means of the corresponding resolution. Understands | |||
BBVA that this unjustified inactivity results in the expiration of this procedure, | |||
given that the term to resolve would be expired on the same date that the | |||
start agreement. | |||
It should be noted that BBVA's approach to this issue in its | |||
allegations to the opening does not conform to law. On the one hand, it should be noted that there is no | |||
no rule applicable to the sanctioning procedure in terms of data protection | |||
personnel that establish a preclusive period to agree to its opening; and, on the other hand, that | |||
the expiration period of this procedure, established in nine months, is computed from | |||
the date on which its start is agreed, making it inappropriate to add to that computation, | |||
effects of measuring the duration of the administrative file, no other period, such as the | |||
time of the preliminary investigation actions, in the event that their | |||
completion, or, in this case, the time corresponding to the phase of admission for processing of the | |||
claims filed. | |||
This has been repeatedly stated by our Supreme Court. In Judgment of | |||
10/21/2015 cites the Judgment of 12/26/2007 (resource 1907/2005), which states the following: | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 46 | |||
46/124 | |||
“[…] The term of the procedure […] is counted from the initiation of the sanctioning file, which | |||
obviously excludes from the computation the time of the reserved information ";" […] The major or minor | |||
duration of the preliminary phase does not entail the expiration of the subsequent procedure " . | |||
Also in the Supreme Court Judgment of 10/13/2011 (resource 3987/2008) that | |||
examines a ground of appeal relating to the computation of the expiration period of the procedure, | |||
the following is declared: | |||
“We cannot share the reasoning presented by the Court of Instance to establish a dies a quo | |||
different from that established by law, indicating as the initial date of the computation the day following the | |||
completion of preliminary informational proceedings. | |||
[…] | |||
Well, once these previous actions have been carried out, the time it takes the Administration to | |||
agreeing to initiate the procedure […] may have the appropriate consequences regarding the | |||
calculation of the prescription (extinction of the right); but it cannot be taken into consideration | |||
effects of expiration, since this figure is intended to ensure that once the | |||
procedure the Administration does not exceed the term available to resolve. On the foundation | |||
third of the sentence under appeal, the Court of Instance makes an interpretation of the rule that is not | |||
according to the nature of the institution of expiration, since unlike the prescription, which is | |||
cause of extinction of the right or responsibility in question, expiration is a way of | |||
termination of the procedure due to the expiration of the period established in the norm, so its appreciation | |||
does not prevent, if the period established for the prescription of the action of | |||
restoration of urban legality by the Administration, the initiation of a new | |||
process". | |||
On this same issue, BBVA invokes the doctrine established by the National High Court | |||
(AN) in its Judgment of 10/17/2007 (appeal 180/2006), which is outlined in the | |||
Background, in which it revealed the illegality of the inappropriate extension or | |||
unfounded of the previous investigation actions. This Judgment refers to a | |||
assumption processed by the AEPD in which the preliminary investigation actions are | |||
remained inactive for almost eleven months, when the entity in question had attended | |||
the request for information in the first two months of the processing of said actions. | |||
The National Court concluded that there was a “[…] fraudulent use of the | |||
institution of preliminary proceedings. We are therefore faced with an assumption of | |||
fraud of Law contemplated in article 6.4 of the Civil Code, inasmuch as it is intended to circumvent the | |||
application of Art. 42.2 of Law 30/1992 using the request for information to, with it, | |||
avoid the expiration of the sanctioning file ”. | |||
It is necessary to specify that the National Court modified this criterion based on the | |||
Judgment of 11/19/2008 (appeal 90/2008). | |||
In any event, this file does not conform to the assumption analyzed in the | |||
Judgment invoked, not only because it refers to a case of fraudulent use of the | |||
previous investigation actions, which have not been carried out in the event that we | |||
occupies; but because in this case no procedure has been used nor has any | |||
precept to avoid the expiration of the procedure, which has not occurred. It is not breached | |||
the provisions of article 6.4 of the Civil Code, according to which "Acts carried out under | |||
of the text of a norm that pursue a result prohibited by the legal system, or | |||
contrary to it, they will be considered executed in fraud of law and will not prevent the due | |||
application of the rule that has been tried to evade ” . | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 47 | |||
47/124 | |||
Furthermore, in that case it cannot even be said that the period to which BBVA refers, | |||
which includes the time elapsed between the admission for processing of the claim of the | |||
claimant 2 (02/01/2019) and the opening of the procedure (12/02/2019), in the case of a | |||
period of inactivity of the Administration, since during that time the | |||
Admission procedures for the rest of the claims. Claims submitted by | |||
Claimants 3 to 5 had entry into this Agency on 02/13/2019 (a few days | |||
after that admission for processing on 02/01/2019), 05/23/2019 and 08/27/2019; and | |||
admitted for processing through agreements of 08/06/2019, 09/13/2019 and 10/30/2019, | |||
respectively. | |||
On the other hand, BBVA understands that the procedure is used to adopt | |||
general criteria for interpreting the rules to the detriment of BBVA. In this regard, quote | |||
the Judgment of the National High Court of 04/23/2019 (appeal 88/2017), which declared contrary | |||
to the principles of sanctioning law the establishment of general criteria within the | |||
of a sanctioning procedure. | |||
This Agency does not share the conclusion expressed by BBVA. How can | |||
be verified in the opening agreement, and much more in this act, the agreements that are | |||
adopt are based on what is expressed in the applicable regulations and in consolidated | |||
interpretations of it. | |||
III | |||
Taking into account the regulatory change that the approval of the RGPD has entailed, | |||
applicable as of May 25, 2018, these actions are carried out for the | |||
analysis of the personal data collection form used by the BBVA entity with | |||
after that date, called by said entity as "Declaration of activity | |||
economic and personal data protection policy ” , to determine the scope of said | |||
document and possible irregularities that may be appreciated from the point of view of the | |||
personal data protection regulations. Therefore, any reference to the | |||
document regarding the processing of personal data signed by the claimant 1 in the year | |||
2016. | |||
From the perspective of personal data protection regulations, it will be analyzed | |||
In this resolution, the information offered by BBVA to its clients on the subject of | |||
protection of personal data through said document, and specifically: (1) the | |||
compliance by BBVA with the principle of transparency established in articles 5, | |||
12 and following of the RGPD, and related precepts; (2) the different data processing | |||
personal data of its clients that the entity carries out according to the information provided; and | |||
(3) the analysis of the mechanisms used to obtain the consent of | |||
the interested. | |||
All this, within the framework of the new regulations, constituted by the RGPD, applicable | |||
since 05/25/2018, and the LOPDGDD, in force from the day following its publication in | |||
the Official State Gazette, which took place on 12/06/2018. | |||
The information offered in this matter through any | |||
another channel or document, such as the forms used to contract | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 48 | |||
48/124 | |||
products or services that, due to their specialty, include their own | |||
Data Protection. | |||
Nor is it examined the actions that the companies that make up | |||
the so-called “BBVA Group” in relation to the personal data that is communicated to them | |||
by BBVA in accordance with the provisions of the "Declaration of economic activity and policy of | |||
protection of personal data ” . | |||
The analysis of the procedures established by BBVA for the | |||
management of customer rights, as well as the mechanisms used by the aforementioned | |||
entity for the modification of the consents given through the repeated | |||
form. | |||
Likewise, although the information contained in the Evaluations of | |||
Impact provided by BBVA, which has been outlined in the Background, is not carried out | |||
any analysis on data security. | |||
In accordance with the foregoing, the conclusions that could be derived from this | |||
procedure will not suppose any pronouncement regarding the previous aspects | |||
discarded, or in relation to the entities of the BBVA Group. | |||
It constitutes, therefore, the object of the procedure, thus expressly stated in the | |||
opening agreement, the form that discloses the terms applicable to the protection of | |||
personal data and requires the consent of the interested parties. | |||
In BBVA's opinion, the non-existent cause is justifying the filing of the proceedings. | |||
link between the claims made and the stated object of the procedure, for | |||
as the allegedly infringing facts that are invoked cannot be the basis in | |||
that the AEPD supports the opening of this procedure. Understand what is analyzed | |||
the scope of the Privacy Policy contained in that form without linking any | |||
reasoning to the content of the claims, and invokes the same Judgment of | |||
the National Court cited in the previous Law Foundation (SAN of 04/23/2019; | |||
appeal 88/2017), which annuls the sanction of the AEPD, among other reasons, due to | |||
discrepancy between the complaint and the object of the sanctioning resolution. | |||
This claim should also be rejected for several reasons, the first being | |||
of them (i) that the doctrine established in the cited judgment is applicable to events prior to the | |||
RGPD, which establishes a new and different legal regime that must be taken into account in | |||
The procedure; (ii) in addition, the facts revealed in the claims of the | |||
claimants / complainants are closely linked to the document containing the | |||
privacy policy and through which BBVA collects the consents for the | |||
activities carried out, and the examination of said claims, documentation | |||
provided by BBVA, and the form used shows that BBVA's actions transcend | |||
of the five claims presented, since his performance in those five proceedings | |||
described by each of the claimants responds to the general policy of the entity in | |||
data protection matter, which this AEPD understands is carried out, in the words of the | |||
RGPD itself, "in violation of the Regulation"; and (iii) that unlike what was reported in the | |||
sentence of such repeated appointment of the National High Court (see its legal basis | |||
Ninth), in this resolution reference is made to the specific complaints, a | |||
assessment of the tests carried out around them, which are specific behaviors and | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 49 | |||
49/124 | |||
individualized in relation to certain natural persons, but also | |||
these complaints transcend. | |||
The RGPD has established its own and specific regime regarding | |||
procedures before the control authorities in matters of data protection. The chapter | |||
VIII of the RGPD is entitled "Resources, responsibility and sanctions", and the first of the | |||
Articles of said Chapter VIII, Article 77, establishes the right to present a | |||
claim before a control authority. Art. 77.1 Without prejudice to any other resource | |||
administrative or judicial action, any interested party will have the right to file a claim | |||
before a supervisory authority, in particular in the Member State where it has its | |||
habitual residence, place of work or place of the alleged offense, if you consider that the | |||
processing of personal data that concerns you violates this Regulation. At the same time, | |||
the art. 79 RGPD establishes that [s] without prejudice to administrative or extrajudicial remedies | |||
available, including the right to file a claim with a supervisory authority in | |||
By virtue of article 77, all interested parties shall have the right to effective judicial protection when | |||
consider that your rights under this Regulation have been violated as | |||
consequence of a processing of your personal data. | |||
We therefore see that a "claim" from an individual can give rise to two types | |||
of procedures, one of them related to violations of the RGPD, in general, and another | |||
for violation of their rights. | |||
In the LOPDGDD this distinction has been reflected in Title VIII, which regulates | |||
jointly the procedures in case of possible violation of the regulations of | |||
Data Protection. Thus, its art. 63.1, Legal regime, includes (a) the procedures in case | |||
of infringement of the RGPD and the LOPDGDD itself and (b) those derived from a possible violation | |||
of the rights of the interested parties. The LOPDGDD does not foresee any additional type of | |||
procedure in case of possible violation of data protection regulations, of | |||
so that all the functions and powers that the RGPD grants to the control authorities | |||
in arts. 57 and 58 RGPD will have to be exercised through said procedures in case | |||
possible violation of data protection regulations. There are no others. | |||
It follows from this, also taking into account art. 64 LOPDGDD, which | |||
when the procedure is directed exclusively to the lack of attention of a request from the | |||
rights articles 15 to 22 RGPD a claim will be necessary, but that (art. 64.2 | |||
LOPDGDD) [ when the purpose of the procedure is to determine the possible | |||
existence of an infringement of the provisions of Regulation (EU) 2016/679 and in this | |||
Organic law, will be initiated through an initiation agreement adopted on its own initiative or as | |||
consequence of claim. That is, both the RGPD and the LOPDGDD consider that | |||
a claim by an affected party may be the way or the means of bringing the | |||
control authority a possible infringement of data protection regulations but in | |||
no case restricts the action of the supervisory authority to the specific and concrete complaint | |||
of those affected. And this for many reasons, among which stands out, as may be the case in | |||
the present procedure, that from the confluence of several claims of persons | |||
affected individuals, an action of the person in charge that with | |||
general character (that is, not only in the specific cases presented by the claimants) | |||
from which it turns out that these specific cases are the reflection of a common guideline or policy | |||
applied to all those affected who are in the same case as the | |||
interested. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 50 | |||
50/124 | |||
With a different example of the current procedure, it can be understood more clearly. | |||
An entity could be considered to be in breach of protection regulations | |||
of data in a specific case when said action individually considered involves a | |||
deviation from the norm or general company policies (for example, the introduction of | |||
a debt in a delinquent file in a specific case in breach of your own | |||
Privacy); but when an action that is considered incorrect derives from a policy | |||
adopted by the controller, so that it is not about errors | |||
in five cases, but these five cases are only the button or the sample of | |||
a general policy adopted that is considered in violation of the GDPR, the violation does not | |||
resides exclusively in the five cases examined but in the privacy policy | |||
adopted by the person in charge. It will be said privacy policy that constitutes a | |||
infringement of the RGPD, and not only specific infringements based on said privacy policy | |||
Privacy. | |||
The opposite would be inconsistent with the purpose and will of the community legislator, | |||
expressly set forth in the RGPD that the control authorities control and make | |||
apply the RGPD, and with the provisions of the RGPD that can be revealed | |||
"Infractions" of the data protection regulations through "claims" that may | |||
transcend the individual claims made. | |||
It is enough to point out in this regard, already in this specific case, that all the actions of | |||
processing of personal data that are the subject of the claims made are justified | |||
by BBVA with the aforementioned document "Declaration of Economic Activity and Policy of | |||
Data Protection ”and its signature by the claimants, as recorded in the Proven Facts. | |||
The BBVA entity itself declares in its allegations that the claim made by the | |||
Complainant 2 refers to the content of the privacy policy and the process of obtaining the | |||
consent; makes a general reference to “those cases in which the claimant | |||
has shown its disagreement with the way to obtain consent ” ; and also in | |||
relationship with the claimant 2 BBVA expresses itself by referring to the “accusations | |||
made on the privacy policy… or the legality of the data processing ” ; what | |||
dismantles his argument about the lack of relationship between the claims and the settlement of | |||
start. In this case, claimant 2 expressly warned that to give consent | |||
"It only offers the possibility of opposing the processing of personal data for different purposes | |||
to those necessary for the purposes of providing financial services if the client activates the | |||
Boxes of opposition to a treatment that BY DEFAULT (see article 25 of the RGPD) | |||
should be considered as activated ” and that “ The informative text is inconsistent with | |||
the principle of transparency of article 12 of the RGPD ”. | |||
In the case of claimant 1, the sending to his mobile phone line of a | |||
Promotional SMS, which is justified by BBVA stating that claimant 1 provided his | |||
consent by signing, on 06/07/2016, the document “Identification of the | |||
client, processing of personal data and digitized signature ” . | |||
The claim made by the claimant 3 refers specifically to the | |||
"Declaration of Economic Activity and Personal Data Protection Policy" . | |||
Claimant 4, for his part, denounces the sending of commercial communications that | |||
has not requested or authorized, which is also justified by BBVA noting that this | |||
The claimant did not object to the data processing reported in the document “Declaration of | |||
Economic Activity and Data Protection Policy ” , signed by the same on the date | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 51 | |||
51/124 | |||
11/26/2018. | |||
And, finally, the claimant 5 makes a claim against BBVA for the receipt of | |||
telephone calls and advertising SMS, also justified by that entity based on the | |||
consent given by the claimant with the signature of the document “Declaration of | |||
Economic Activity and Personal Data Protection Policy ” for the treatment of your | |||
data for commercial purposes. | |||
Based on the foregoing, all these claims have to do with treatment of | |||
personal data of the claimants that BBVA protects in the consent given by the | |||
holders of the data by signing the repeated "Declaration of Economic Activity and | |||
Data protection policy". To assess the regularity of these treatments it is | |||
It is essential to analyze the consent given and its validity, for which it is | |||
decisive, in particular, check the information offered on the protection of | |||
personal data and the mechanisms enabled to obtain the consent of the | |||
affected, without forgetting the rest of the principles and guarantees established in the applicable regulations. | |||
Consequently, the AEPD has decided to analyze the impact of the repeated document | |||
"Declaration of economic activity and personal data protection policy" , which | |||
contains the information that BBVA provides as a priority to its customers and the mechanisms of | |||
collection of consents. In view of the deficiencies noted in the same regarding | |||
the data protection regulations, it turns out that such deficiencies have a general scope, | |||
so that all the clients of the entity are affected, and not just the five | |||
claimants, which would result, as has been stated, that the infringement does not occur | |||
exclusively with respect to the five claimants, but generally as | |||
consequence of said privacy policy. | |||
It cannot be said, therefore, that there is no link between the object of the | |||
procedure and claims. Proof of this is the definition of the object of the file | |||
contained in the initial paragraphs of this Legal Basis. | |||
As the sentence of the AN so merited states, “the account of" proven facts ", | |||
both in criminal and administrative sanctioning proceedings, it is essential | |||
to establish the facts and the typified conducts, since only in this way will the | |||
principle of typicity, which, according to the doctrine is "the legal description of a conduct | |||
specific to which the administrative sanction will be connected. "In the present case, it is reiterated, | |||
The proven facts are clear in that it is BBVA itself that highlights | |||
that its action responds to the fact that all the claimants agreed to and signed the | |||
"Declaration of economic activity and personal data protection policy", therefore | |||
in no case is there helplessness. | |||
In any case, no rule prevents the body that exercises the power | |||
sanctioning procedure, when it determines the opening of a sanctioning procedure, always | |||
official letter (art. 63.1 law 39/2015, of October 1), determine its scope in accordance with the | |||
revealed circumstances, although they do not strictly conform to the | |||
manifestations and claims of the complainant. That is, the agreement to initiate the | |||
sanctioning procedure is not constrained by the complaint (the “claim”) presented | |||
by the individual. This is not the case in the case of procedures processed at the request of the | |||
interested party, in which article 88.2 of the LPACAP requires that the resolution be congruent | |||
with the requests made by him. Even in this case, the authority of the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 52 | |||
52/124 | |||
Administration to initiate a new procedure ex officio. | |||
This same article 88 of the LPACAP, referring to the content of the resolution, in its | |||
paragraph 1 establishes the obligation to decide all questions raised by the | |||
interested parties and those others that derive from the procedure, including related matters not | |||
raised by interested parties. This article expressly states the following: | |||
"1. The resolution that puts an end to the procedure will decide all the questions raised by the | |||
interested parties and those others derived from it. | |||
In the case of related questions that have not been raised by the interested parties, the body | |||
competent authority may rule on them, making it clear to them by a | |||
term not exceeding fifteen days, so that they formulate the allegations that they consider pertinent and contribute, | |||
where appropriate, the means of proof ”. | |||
In the sanctioning procedure, even the facts that are | |||
revealed during their instruction, which will be determined in the | |||
resolution, and may motivate the modification of the allegations contained in the | |||
initiation of the procedure or its legal qualification. | |||
In this sense, when referring to the specialties of the resolution in the | |||
sanctioning procedures, article 90 of the LPACAP establishes: | |||
"2. In the resolution, events other than those determined in the course of the | |||
procedure, regardless of its different legal assessment… ”. | |||
IV | |||
The aforementioned form enabled by BBVA to collect personal data from | |||
its clients disclose the new terms applicable to the protection of said data | |||
personal due to the contracted services and the consent of the | |||
interested parties for use for the purposes indicated in the document. He | |||
The full content of this information is reproduced in Annex 1 to this agreement of | |||
opening of proceedings. | |||
However, it is considered relevant to highlight the following aspects: | |||
In the information provided to customers, the BBVA entity is identified as | |||
data controller, the types of personal data that will be | |||
object of treatment, the treatment operations that will be carried out, including the | |||
data communications, and the purposes for which the data in question are processed, | |||
as well as the legitimizing basis of the treatment. The final two sections are dedicated to the | |||
conservation of personal data and the rights of the interested parties. | |||
On the types of data of clients, representatives, guarantors, authorized or | |||
beneficiaries, in the section "What personal data does BBVA process about you?" , included in the | |||
"Extended information", the following categories are expressly specified: | |||
". Identification and contact data (including postal and / or electronic addresses). | |||
. Signature data (including the digitized and electronic signature that we will comment on later). | |||
. Codes or identification keys for access and operation in the remote channels that you use in | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 53 | |||
53/124 | |||
your relationship with BBVA. | |||
. Economic and financial solvency data (including those related to all products and services | |||
that you have contracted with BBVA or of which BBVA is a marketer). | |||
. Transactional data (income, payments, transfers, debits, receipts, as well as any other | |||
operation and movement associated with any products and services that you have contracted with | |||
BBVA or of which BBVA is a marketer). | |||
. Sociodemographic data (such as age, family situation, residences, studies and occupation) ”. | |||
Regarding the purposes for which the personal data of clients will be used | |||
the document lists the following: | |||
1. Manage the products and services that you have, request or contract with BBVA. | |||
2. Get to know yourself better and personalize your experience. | |||
"At BBVA we want your experience as a customer to be as satisfactory as possible, through a | |||
personalized relationship that is more adapted to your customer profile and your needs. | |||
To achieve this we have to know you better, analyzing not only the data that allow us to identify you | |||
as a client, but also your financial evolution and that of the products and services you have | |||
contracted with us or through BBVA as a marketer, your operations -payments. income, | |||
transfers, debts, receipts- as well as the uses of BBVA products, services and channels. | |||
Additionally, we will apply statistical and classification methods to correctly adjust your | |||
profile. Based on the above, we managed to develop our business models. | |||
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and | |||
services that we consider according to your profile (own or marketed by BBVA), as well as offers | |||
personalized with more adjusted prices for you. As we will know you better, we can congratulate you | |||
for your anniversary, wish you a good day or happy holidays. | |||
If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or | |||
at any of our offices. | |||
This section is only applicable to BBVA clients ”. | |||
3. Offer you products and services from BBVA, the BBVA Group and others, customized for you. No | |||
we are going to flood you with information. | |||
“Offer you BBVA products and / or services | |||
We would like to keep you up to date on new BBVA products and services, as well as give you advice | |||
recommendations to better manage your financial situation. | |||
We can also send you information about BBVA products and services with prices more | |||
adjusted to your profile, informing you of what may interest you as a client. | |||
Offer of products and / or services of the BBVA Group and third parties | |||
We can send you information, according to your customer profile, about products, services and offers | |||
financial and non-financial activities of BBVA Group companies and third parties (including products and | |||
services of which BBVA is a marketer) belonging to these sectors of activity: financial, | |||
parabanking, insurance, automotive travel, telecommunications, supplies, security, IT, | |||
education, real estate. consumer products, leisure and free time, professional services and services | |||
social. | |||
Channels for sending commercial information | |||
We will contact you through different channels: postal mail, email | |||
push notifications, SMS, social networks, banners, web pages or other means of communication | |||
equivalent electronics. | |||
This section only applies to BBVA customers ”. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 54 | |||
54/124 | |||
4. Communicate your data to BBVA Group companies so that they can offer you products and services | |||
own personalized for you. | |||
“If you want the BBVA Group companies included in this address | |||
https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf they can offer you products and services | |||
personalized in characteristics and price, we need your authorization to communicate data | |||
related to your customer profile (amount of income and expenses, balances and use of our channels). | |||
This information will be processed to try to improve the characteristics and prices of the product offering and | |||
services. The BBVA Group companies will only process your data for that purpose ”. | |||
5. Improve the quality of products and services. | |||
"We need to use your information anonymously without any characteristics that can | |||
identify, because at BBVA we want to: | |||
Increase your degree of customer satisfaction. | |||
Meet your expectations. | |||
Perfect our internal processes. | |||
Improve the quality of existing products and services. | |||
Develop new products and services of your own or of third parties. | |||
Carry out statistics, surveys, actuarial calculations, averages and / or market studies that may be | |||
of interest of BBVA or third parties. | |||
Improve instruments to combat fraud. | |||
This information is obtained from the use of BBVA products, services and channels. Throughout | |||
At the moment, we process the data using secure and up-to-date internal protocols. | |||
This section only applies to BBVA customers ”. | |||
BBVA refers to the legitimate interest as a legitimate basis for the use of the data | |||
with the purpose indicated with number 2 and the consent in relation to the purposes | |||
3, 4 and 5. | |||
Regarding the use of data based on legitimate interest, it is warned about the | |||
possibility to object by sending an email to the address indicated or in any of the | |||
entity offices. And it adds: | |||
“For the legitimate interest of BBVA, so that from BBVA we can better meet your expectations and | |||
we can increase your level of customer satisfaction by developing and improving the quality of | |||
own or third-party products and services, as well as perform statistics, surveys or studies of | |||
market that may be of interest. | |||
Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to | |||
accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a | |||
good day or happy holidays. | |||
These legitimate interests respect your right to the protection of personal data, to honor and to | |||
personal and family privacy. At BBVA we consider that, as a customer, you have an expectation | |||
reasonable to have your data used so that we can improve products and services and you can | |||
enjoy a better customer experience. In addition, we estimate that you also have a | |||
reasonable expectation of receiving congratulations on your anniversary. wish you a good day or | |||
Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise | |||
your right to object if you consider it appropriate at the following address: | |||
rightsprotecciondatos@bbva.com or at any of our offices ”. | |||
On the data of representatives, guarantors, authorized or beneficiaries, it is reported | |||
that will be treated solely for the management of the contract. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 55 | |||
55/124 | |||
On the other hand, in the repeated document it is reported that | |||
communication of personal data to the BBVA Group companies, basing this | |||
communication of data in the consent of the interested party. In this case, it is not distinguished whether | |||
The data that will be communicated correspond to clients or representatives, guarantors, | |||
authorized and beneficiaries, but since the data of these interested parties is only | |||
used for the fulfillment of the contractual relationship, it is understood that the information about | |||
the communication of data to the companies of the Group does not refer to them. | |||
In relation to the communication of personal data, in the "extended information" is | |||
indicates the following: | |||
"We will not transfer your personal data to third parties, unless we are required by law or you do | |||
you have previously agreed with BBVA | |||
As we have indicated, if you consent previously, we may communicate to the companies of the | |||
BBVA Group included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf tus | |||
identification, contact and transactional data so that you can receive offers | |||
personalized. | |||
In order to provide you with an adequate service and manage the relationship that we maintain with you as | |||
client, at the following address http: //bbva.lnfo/empresasdatos you will find a relationship by | |||
categories of companies that process your data on behalf of BBVA, as part of the provision of | |||
services that we have contracted. | |||
We also inform you that, for the same purpose as that indicated in the previous paragraph, | |||
certain companies that provide services to BBVA may access your personal data | |||
(international data transfers). | |||
These transfers are made to countries with a level of protection comparable to that of the Union | |||
European (adaptation decisions of the European Commission, standard contractual clauses as well as | |||
certification mechanisms) For more information you can contact the Delegate for the Protection of | |||
BBVA data at the following email address: dpogruppbbva@bbva.com ”. | |||
The signature of the document by the client and the date is included at the end of section 2 | |||
"Personal data protection policy" , in which it is indicated that with the process of | |||
signature agrees to the Declaration of Economic Activity and Protection Policy | |||
of data. | |||
Immediately before the space provided for signature, it is reported as follows: | |||
"We inform you that if you do not agree with the acceptance of any of the following purposes, | |||
you can select them below. | |||
. Products and prices more adjusted to you | |||
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others customized for me. | |||
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
offer personalized products and services for me. | |||
Quality improvement | |||
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make your data ". | |||
V | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 56 | |||
56/124 | |||
Article 5 "Principles relating to treatment" of the RGPD establishes: | |||
"1.The personal data will be: | |||
a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and | |||
transparency"); | |||
b) collected for specific, explicit and legitimate purposes, and will not be further processed as | |||
way incompatible with said purposes; according to Article 89 (1), further processing | |||
of personal data for archival purposes in the public interest, scientific research purposes and | |||
historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of | |||
purpose "); | |||
c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed | |||
("Data minimization"); | |||
d) accurate and, if necessary, updated; All reasonable steps will be taken to ensure that | |||
delete or rectify without delay personal data that are inaccurate with respect to the purposes | |||
for which they are processed ("accuracy"); | |||
e) maintained in a way that allows the identification of the interested parties for no longer than | |||
necessary for the purposes of processing personal data; personal data may | |||
be kept for longer periods provided they are treated exclusively for archival purposes | |||
in the public interest, scientific or historical research purposes or statistical purposes, in accordance with | |||
Article 89 (1), without prejudice to the application of technical and organizational measures | |||
regulations imposed by this Regulation in order to protect the rights and freedoms of the | |||
data subject ("limitation of the conservation period"); | |||
f) processed in such a way as to guarantee adequate security of personal data, including the | |||
protection against unauthorized or illegal processing and against its loss, destruction or damage | |||
accidental, through the application of appropriate technical or organizational measures ('integrity and | |||
confidentiality '). | |||
2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and | |||
able to prove it ('proactive responsibility') ”. | |||
In relation to the aforementioned principles, what is stated in the | |||
Recital 39 of the aforementioned RGPD: | |||
"39. All processing of personal data must be lawful and fair. For natural persons it should be | |||
totally clear that data is being collected, used, consulted or otherwise processed | |||
personal information concerning them, as well as the extent to which said data is or will be processed. He | |||
The principle of transparency requires that all information and communication regarding the treatment of said | |||
data is easily accessible and easy to understand, and that simple and clear language is used. Saying | |||
The principle refers in particular to the information of the interested parties about the identity of the person in charge | |||
treatment and the purposes thereof and the information added to ensure fair treatment and | |||
transparent regarding the affected natural persons and their right to obtain confirmation and | |||
communication of personal data concerning them that are subject to treatment. The | |||
natural persons must be aware of the risks, regulations, safeguards and rights | |||
relating to the processing of personal data as well as how to enforce your rights in | |||
relation to treatment. In particular, the specific purposes of the processing of personal data | |||
must be explicit and legitimate, and must be determined at the time of collection. The data | |||
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which | |||
be treated. This requires, in particular, to ensure that their term of office is limited to a strict minimum. | |||
conservation. Personal data should only be processed if the purpose of the treatment could not | |||
be reasonably accomplished by other means. To ensure that personal data is not kept | |||
longer than necessary, the controller must establish deadlines for its deletion or | |||
Periodic revision. All reasonable steps should be taken to ensure that they are rectified or | |||
delete personal data that are inaccurate. Personal data must be treated in a way | |||
that guarantees adequate security and confidentiality of personal data, including for | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 57 | |||
57/124 | |||
prevent unauthorized access or use of said data and the equipment used in the treatment ”. | |||
SAW | |||
Article 4 of the RGPD, under the heading "Definitions", provides the following: | |||
"2)" treatment ": any operation or set of operations carried out on personal data or | |||
sets of personal data, whether by automated procedures or not, such as collection, | |||
registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, | |||
use, communication by transmission, broadcast or any other form of access authorization, | |||
collation or interconnection, limitation, deletion or destruction ”. | |||
In accordance with these definitions, the collection of personal data through | |||
of forms enabled for this purpose constitutes data processing, with respect to which the | |||
data controller must comply with the principle of transparency, established | |||
in article 5.1 of the RGPD, according to which personal data will be “treated in a manner | |||
lawful, loyal and transparent in relation to the interested party (legality, loyalty and transparency) ” ; and | |||
developed in Chapter III, Section 1, of the same Regulation (articles 12 and following). | |||
Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible for | |||
treatment of taking the appropriate measures to "provide the interested party with all information | |||
indicated in articles 13 and 14, as well as any communication in accordance with articles | |||
15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way | |||
access, in clear and simple language, in particular any information addressed to a | |||
child". | |||
In the same sense, article 7 of the RGPD is expressed for cases in which the | |||
consent of the interested party is given in the context of a written statement, such as | |||
occurs in the present case. According to this article, said request for consent “is | |||
presented in such a way that it is clearly distinguished from other matters, in an intelligible way | |||
and easily accessible and using clear and simple language ” . It is added in this precept that | |||
no part of the declaration that constitutes an infringement of these Regulations will be | |||
binding. | |||
Article 13 of the aforementioned legal text details the “information that must be provided | |||
when the personal data is obtained from the interested party ” and the aforementioned article 14 is | |||
refers to the “information that must be provided when personal data has not been | |||
obtained from the interested party ” . | |||
In the first case, when the personal data is collected directly from the | |||
interested party, the information must be provided at the same time that that | |||
data Collect. Article 13 of the RGPD details this information in the following terms: | |||
1.When personal data relating to him are obtained from an interested party, the person responsible for the treatment, | |||
at the time these are obtained, you will provide all the information indicated below: | |||
a) the identity and contact details of the person in charge and, where appropriate, of their representative; | |||
b) the contact details of the data protection officer, if applicable; | |||
c) the purposes of the treatment to which the personal data are intended and the legal basis of the treatment; | |||
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the | |||
responsible or a third party; | |||
e) the recipients or categories of recipients of the personal data, if applicable; | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 58 | |||
58/124 | |||
f) where appropriate, the intention of the person responsible to transfer personal data to a third country or | |||
international organization and the existence or absence of an adequacy decision of the Commission, or, | |||
in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, paragraph | |||
second, reference to adequate or appropriate warranties and means of obtaining a copy of | |||
these or the fact that they have been borrowed. | |||
2. In addition to the information mentioned in section 1, the data controller will provide the | |||
interested, at the time the personal data is obtained, the following information | |||
necessary to guarantee fair and transparent data processing: | |||
a) the period during which the personal data will be kept or, when this is not possible, the criteria | |||
used to determine this term; | |||
b) the existence of the right to request the data controller access to personal data | |||
relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the | |||
treatment, as well as the right to data portability; | |||
c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, | |||
letter a), the existence of the right to withdraw consent at any time, without affecting | |||
the legality of the treatment based on the consent prior to its withdrawal; | |||
d) the right to file a claim with a supervisory authority; | |||
e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement | |||
to sign a contract, and if the interested party is obliged to provide personal data and is | |||
informed of the possible consequences of not providing such data; | |||
f) the existence of automated decisions, including profiling, referred to in article | |||
22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as | |||
as the importance and expected consequences of said treatment for the interested party. | |||
3.When the controller plans the further processing of personal data for a | |||
purpose other than that for which they were collected, will provide the interested party, prior to said | |||
further processing, information on that other purpose and any additional information relevant to the | |||
of section 2. | |||
4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the | |||
interested party already has the information ”. | |||
Article 14 regulates the information that must be provided in relation to the data that | |||
are not collected directly from the interested party: | |||
"1. When the personal data has not been obtained from the interested party, the person responsible for the treatment | |||
will provide you with the following information: | |||
a) the identity and contact details of the person in charge and, where appropriate, of their representative; | |||
b) the contact details of the data protection officer, if applicable; | |||
c) the purposes of the processing to which the personal data are intended, as well as the legal basis of the | |||
treatment; | |||
d) the categories of personal data in question; | |||
e) the recipients or categories of recipients of the personal data, if applicable; | |||
f) where appropriate, the intention of the person responsible to transfer personal data to a recipient in a third | |||
country or international organization and the existence or absence of a decision on the adequacy of the | |||
Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, | |||
Section 1, second paragraph, reference to adequate or appropriate guarantees and the means to | |||
obtain a copy of them or the fact that they have been loaned. | |||
2. In addition to the information mentioned in section 1, the data controller will provide the | |||
interested party the following information necessary to guarantee fair data processing and | |||
transparent with respect to the interested party: | |||
a) the period during which the personal data will be kept or, when that is not possible, the | |||
criteria used to determine this term; | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 59 | |||
59/124 | |||
b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the | |||
responsible for the treatment or a third party; | |||
c) the existence of the right to request the data controller access to personal data | |||
relating to the interested party, and their rectification or deletion, or the limitation of their treatment, and to oppose the | |||
treatment, as well as the right to data portability; | |||
d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, | |||
letter a), the existence of the right to withdraw consent at any time, without affecting | |||
to the legality of the treatment based on the consent before its withdrawal; | |||
e) the right to file a claim with a supervisory authority; | |||
f) the source from which the personal data come and, where appropriate, if they come from access sources | |||
public; | |||
g) the existence of automated decisions, including profiling, referred to in the | |||
Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic | |||
applied, as well as the importance and expected consequences of such treatment for the | |||
interested. | |||
3.The person responsible for the treatment will provide the information indicated in sections 1 and 2: | |||
a) within a reasonable period, once the personal data has been obtained, and at the latest within a | |||
month, taking into account the specific circumstances in which said data is processed; | |||
b) if the personal data are to be used for communication with the interested party, no later than the | |||
moment of the first communication to said interested party, or | |||
c) if it is planned to communicate them to another recipient, at the latest at the time the data | |||
personal information are communicated for the first time. | |||
4. When the person responsible for the treatment plans the subsequent treatment of personal data for | |||
a purpose other than that for which they were obtained, will provide the interested party, before said | |||
further processing, information on that other purpose and any other relevant information indicated in the | |||
section 2. | |||
5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that: | |||
a) the interested party already has the information; | |||
b) the communication of such information is impossible or involves a disproportionate effort, | |||
in particular for the treatment for archival purposes in the public interest, scientific research purposes | |||
or historical or statistical purposes, subject to the conditions and guarantees indicated in article 89, | |||
paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article | |||
may prevent or seriously impede the achievement of the objectives of such treatment. In such | |||
cases, the controller shall adopt adequate measures to protect the rights, freedoms and interests | |||
legitimate interests of the interested party, including making the information public; | |||
c) the obtaining or the communication is expressly established by the Law of the Union or of the | |||
Member States that applies to the controller and that establishes appropriate measures | |||
to protect the legitimate interests of the data subject, or | |||
d) when personal data must continue to be confidential on the basis of a | |||
obligation of professional secrecy regulated by the law of the Union or of the Member States, | |||
including an obligation of secrecy of a statutory nature ” . | |||
For its part, article 11.1 and 2 of the LOPDGDD provides the following: | |||
"Article 11. Transparency and information to the affected | |||
1. When personal data are obtained from the affected party, the person responsible for the treatment may give | |||
compliance with the duty of information established in article 13 of Regulation (EU) 2016/679 | |||
providing the affected party with the basic information referred to in the following section and indicating a | |||
electronic address or other means that allows easy and immediate access to the remaining | |||
information. | |||
2. The basic information referred to in the previous section must contain, at least: | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 60 | |||
60/124 | |||
a) The identity of the person responsible for the treatment and their representative, if applicable. | |||
b) The purpose of the treatment. | |||
c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) | |||
2016/679. | |||
If the data obtained from the affected party were to be processed for profiling, the information | |||
You will also understand this circumstance. In this case, the affected party must be informed of | |||
your right to object to the adoption of automated individual decisions that produce effects | |||
legal acts on him or significantly affect him in a similar way, when this right to | |||
in accordance with the provisions of article 22 of Regulation (EU) 2016/679 ” . | |||
In relation to this principle of transparency, it also takes into account the | |||
expressed in Recitals 32, 39, reproduced in the previous Legal Basis, | |||
42, 47, 58, 60, 61 and 72 of the RGPD. Part of the content of these is reproduced below | |||
Considering ourselves: | |||
(32) Consent must be given by a clear affirmative act that reflects a manifestation of | |||
free, specific, informed, and unequivocal will of the interested party to accept the processing of data from | |||
personal character that concerns you ... Therefore, silence, the boxes already marked or inaction does not | |||
they must constitute consent. Consent must be given for all activities of | |||
treatment carried out for the same or the same purposes. When the treatment has several purposes, you must | |||
give consent for all of them ... | |||
(42)… In particular in the context of a written statement made on another matter, you must | |||
have guarantees that the interested party is aware of the fact that he gives his consent and of the | |||
extent to which it does. According to Council Directive 93/13 / EEC (LCEur 1993, 1071), you must | |||
provide a model declaration of consent previously prepared by the person in charge | |||
treatment with an easily accessible and intelligible formulation that uses clear language and | |||
simple, and that does not contain abusive clauses. For the consent to be informed, the | |||
The interested party must know at least the identity of the person responsible for the treatment and the purposes of the | |||
treatment for which the personal data is intended. Consent must not | |||
be considered freely provided when the interested party does not have a true or free choice or not | |||
You can deny or withdraw your consent without suffering any harm. | |||
(47) The legitimate interest of a data controller, including that of a controller who is | |||
may communicate personal data, or that of a third party, may constitute a legal basis for the | |||
treatment, provided that the interests or rights and freedoms of the interested party do not prevail, | |||
taking into account the reasonable expectations of the interested parties based on their relationship with the | |||
responsable. Such a legitimate interest could arise, for example, when there is a relevant relationship and | |||
appropriate between the interested party and the controller, as in situations in which the interested party is a client | |||
or is at the service of the person in charge. In any case, the existence of a legitimate interest would require a | |||
meticulous evaluation, even if a data subject can reasonably foresee, at the time and in | |||
the context of the collection of personal data, which may be processed for this purpose. In | |||
In particular, the interests and fundamental rights of the interested party could prevail over the | |||
interests of the data controller when the personal data is processed in | |||
circumstances in which the interested party does not reasonably expect a treatment to take place | |||
further ... The processing of personal data strictly necessary for the prevention of | |||
Fraud also constitutes a legitimate interest of the person responsible for the treatment in question. He | |||
processing of personal data for direct marketing purposes can be considered carried out by | |||
legitimate interest. | |||
(58) The principle of transparency requires that all information directed to the public or the interested party be | |||
concise, easily accessible and easy to understand, and use clear and simple language, and, | |||
also, if applicable, it is displayed ... | |||
(60) The principles of fair and transparent treatment require that the interested party be informed of the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 61 | |||
61/124 | |||
existence of the treatment operation and its purposes. The controller must provide the | |||
interested party as much additional information is necessary to guarantee fair treatment and | |||
transparent, taking into account the specific circumstances and context in which the data is processed | |||
personal. The interested party must also be informed of the existence of profiling and | |||
the consequences of such elaboration. If the personal data is obtained from the interested parties, | |||
They should also be informed of whether they are obliged to provide them and of the consequences in the event that | |||
don't ... | |||
(61) Data subjects should be provided with information on the processing of their personal data in | |||
the time they are obtained from them or, if they are obtained from another source, within a reasonable time, | |||
depending on the circumstances of the case ... | |||
(72) Profiling is subject to the rules of this Regulation that govern the | |||
processing of personal data, such as the legal bases of the processing or the principles of | |||
Data Protection… | |||
BBVA, according to proven facts, processes personal data | |||
obtained from customers, directly or "indirectly" , as well as personal data | |||
Obtained from sources other than those interested or inferred by the entity itself. Comes | |||
Therefore, obliged to provide information on all the aspects included in the aforementioned | |||
Articles 13 and 14 of the RGPD. | |||
After analyzing the information offered by BBVA, it is verified that it is | |||
incomplete or inadequate in relation to the provisions of articles 13 and 14 of the RGPD. | |||
- | |||
Use of imprecise terminology and vague formulations | |||
In accordance with the foregoing, at the time of collecting personal data the | |||
responsible for the treatment must provide the interested parties with the information established in | |||
the cited standards, “in a concise, transparent, intelligible and easily accessible way, with a | |||
clear and simple language ” . | |||
BBVA does not report clearly and systematically on data processing | |||
personal or the purposes for which they will be used; nor does it delimit the nature of | |||
the information submitted to treatment and its subsequent use. | |||
When referring to these questions, he uses imprecise terminology and | |||
vague formulations, alien to strict compliance with the principle of transparency, preventing | |||
interested parties to know the meaning and real meaning of the indications provided and the | |||
real scope of the consents that may be given. | |||
The privacy policy analyzed contains imprecise formulas and expressions and | |||
vague throughout the entire text: | |||
. "Get to know yourself better and improve your experience." | |||
. "Offer you products and services ... personalized for you." | |||
. "Improve the quality of products and services." | |||
. "Your data is yours and you control it." | |||
. "... make your experience more personalized." | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 62 | |||
62/124 | |||
. "Products and prices more adjusted to you." | |||
. "I DO NOT want BBVA to process my data to offer me products and services ... personalized for me." | |||
. “I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
to offer products and personalized services for me ”. | |||
. “I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing ”. | |||
. "Properly manage the products and services that you request and hire us." | |||
. "Follow the relationship we maintain with you and your financial evolution." | |||
. “At BBVA we treat your personal data to always serve you with the same level of quality, and thus | |||
to be able to offer you a better treatment and service appropriate to your condition of client ”. | |||
. "If you want to streamline the application process, we will need." | |||
. “At BBVA we want your experience as a customer to be as satisfactory as possible, through a | |||
personalized relationship that is more adapted to your customer profile and your needs. To make it | |||
we have to get to know you better… ”. | |||
. “Thanks to this analysis we will be able to get to know you better, assess new features for you… as well as | |||
personalized offers with more adjusted prices for you ”. | |||
. “We would like to keep you up to date on new BBVA products and services, as well as give you | |||
advice recommendations to better manage your financial situation. | |||
We can also send you information about BBVA products and services with prices more | |||
adjusted to your profile, informing you of what may interest you as a client ”. | |||
. “If you want the BBVA Group companies… to offer you products and services | |||
personalized in characteristics and price, we need your authorization to communicate data | |||
related to your customer profile ... This information will be processed to try to improve the characteristics and | |||
prices of the supply of products and services ”. | |||
. “… So that BBVA can better meet your expectations and increase your grade | |||
of satisfaction". | |||
. “… To be a bank close to you as a client and to be able to accompany you during our relationship | |||
contractual, we could congratulate you on your anniversary, wish you a good day or happy holidays ”. | |||
. “At BBVA we consider that, as a customer, you have a reasonable expectation that your | |||
data so that we can improve products and services and you can enjoy a better experience | |||
as a customer ”. | |||
. "In addition, we believe that you also have a reasonable expectation to receive congratulations on the occasion | |||
of your anniversary. wish you a good day or happy holidays ”. | |||
. "In order to provide you with an adequate service and manage the relationship that we maintain with you as | |||
client…". | |||
It follows that the data protection policy is shown as a | |||
benefit for the client, implying that its non-acceptance will mean the loss of | |||
advantages as a customer. | |||
(…) | |||
In addition, the information is indeterminate, considering those generic expressions and | |||
unclear what it uses, which is why the privacy policy is not easy to | |||
understood by any interested party, regardless of their qualification, and shows up to | |||
what point it takes to be an expert to understand such information and its scope. It | |||
supposes to understand violated the right to the protection of personal data, understood as | |||
the ability of the affected person to decide on treatment. | |||
Information on key aspects such as categories of personal data | |||
treaties, the purposes or the legal basis that enables the treatment uses little expressions | |||
clear and imprecise, with ambiguous meanings in some cases, whose true scope does not | |||
it develops; expressions that are repeated throughout the text, as indicated, and | |||
that BBVA uses to support different actions, treatments, purposes or | |||
legitimations. Expressions such as “meet you | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 63 | |||
63/124 | |||
better ”“ personalize your experience ”,“ offer you personalized products and services ”, | |||
"Improve product quality", "relationship adapted to your profile", "prices adjusted to your | |||
profile "," develop our business models "," analyzing the uses of the products, | |||
BBVA's services and channels ”,“ we will apply statistical and classification methods to | |||
correctly adjust your profile "or" perform statistics, surveys, actuarial calculations, | |||
media and / or market studies that may be of interest to BBVA or third parties ”. | |||
Nor can the interested party clearly deduce the meaning of these expressions from | |||
starting from the context in which the information is offered and the expression of will is collected | |||
of the interested party, or from the context of the contractual relationship that binds the | |||
interested party with the responsible entity. On this contextual basis or factual context, the | |||
client is not able to understand the meaning of the purposes pursued by BBVA with the | |||
processing of your personal data, such as "knowing you better" , "developing our | |||
business models ” or “ improve the quality of products and services ” . | |||
The expressions that are so often repeated by BBVA throughout the document “Declaration | |||
of Economic Activity and Personal Data Protection Policy ” are included as | |||
examples of bad practices in the Article 29 Working Group document | |||
"Guidelines on transparency under Regulation 2016/679" , adopted on | |||
11/29/2017 and revised on 04/11/2018. | |||
These Guidelines analyze the scope to be attributed to the elements of | |||
transparency established in article 12 of the RGPD, according to which the person responsible for | |||
treatment will take the appropriate measures to "provide the interested party with all information | |||
indicated in articles 13 and 14, as well as any communication in accordance with articles | |||
15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way | |||
access, with clear and simple language ” , which must be related to what is expressed in | |||
Recital 39 of the aforementioned Regulation. From what is stated in these Guidelines, it is | |||
highlight at this time the following: | |||
"The requirement that the information be" intelligible "means that it must be understandable to the | |||
average member of the target audience. Intelligibility is closely linked to the requirement of | |||
use clear and simple language. A data controller who acts responsibly | |||
You will proactively get to know the people you collect information about and can use this | |||
knowledge to determine what said audience is likely to understand… ”. | |||
<< Clear and simple language | |||
In the case of “written” information »(and when written information is communicated verbally, or | |||
through auditory or audiovisual methods, also for people with vision problems), have | |||
to follow best practices to write clearly. The EU legislator has already used | |||
previously a similar linguistic requirement (appealing to the use of “clear and understandable terms”) and | |||
it is also explicitly mentioned in the context of consent in recital 42 | |||
of the RGPD. The obligation to use clear and simple language implies that the information must | |||
be facilitated in the simplest possible way, avoiding sentences and complex linguistic structures. The | |||
information must be concrete and categorical; should not be formulated in abstract or ambivalent terms | |||
nor leave room for different interpretations. Specifically, the purposes and legal basis of the treatment | |||
of personal data must be clear. | |||
Examples of Poor Practice | |||
The following statements are not clear enough regarding the purpose of the treatment: | |||
. "We may use your personal data to develop new services" (since it is not clear | |||
what “services” are treated and how the data will help to develop them); | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 64 | |||
64/124 | |||
. "We may use your personal data for research purposes" (since it is not clear what type | |||
of "research" refers); and | |||
. "We may use your personal data to offer you personalized services" (since there is no | |||
clear what this "customization" implies). | |||
Examples of good practices | |||
. "We will retain your purchase history and use details of the products you have purchased | |||
above to suggest other products that we think might also interest you ”(it is clear that | |||
types of data will be processed, that the interested party will be the object of personalized product advertising and | |||
that your data will be used in this regard); | |||
. “We will retain and evaluate information about your recent visits to our website and how | |||
navigate through the different sections of the same in order to analyze and understand the use that | |||
people make our website and be able to make it more intuitive ”(it is clear what type of data is | |||
will treat and the type of analysis that the person in charge will carry out); and | |||
. “We will keep a record of the articles on our website that you have clicked on and we will use | |||
that information to personalize, from the articles you have read, the advertising that we show you | |||
on this website to suit your interests ”(it is clear what personalization entails and | |||
how the interests attributed to the interested party have been identified) >> . | |||
The foregoing must be interpreted, in any case, taking into account the principles | |||
established in article 5 of the RGPD, especially the principle of loyalty. Recital 42 | |||
of the same text also refers that the form in which the information is offered in | |||
Personal data protection matter must not contain unfair terms. | |||
BBVA alleges that the “Guide for compliance with the duty to inform”, published by this | |||
Agency, contains some examples when referring to the information on the purpose ( “to facilitate | |||
the interested parties offers of products and services of their interest ” ; "To be able to offer you products and | |||
services according to your interests ” ; "Improve your user experience" ) that can | |||
be considered similar to the expressions used in the Privacy Policy. However, | |||
this circumstance does not have enough potential to overcome the important objections that here | |||
They describe. | |||
In this regard, it should be noted that, although it is true that these expressions are | |||
similar to those used in some specific examples of the aforementioned guide, BBVA does not | |||
reference or has taken into account other statements in the guide that are basic to | |||
frame and interpret the meaning of those that the entity reproduces. | |||
Thus, it omits that these examples are included in the rubric “What | |||
information should be included in each heading? " ; rubric that begins by establishing criteria | |||
general that conditions the application of the examples included in it (such as the | |||
cited by BBVA) when noting that “the extent and level of detail of each heading | |||
will depend on the complexity of their particular circumstances ” (the underlining is from the | |||
AEPD). | |||
Then adding another important qualification such as that the examples | |||
Practices included in the guide are “related to the previous hypothetical cases | |||
( “Warren & Brandeis SA editions” ) ”(Page 9). | |||
On the other hand, the reference expressions are found in the example included in | |||
section 7.2 "purpose" of the guide, which links the purpose of "... to provide interested parties | |||
offers of products and services of your interest… ” and “… according to your interests… ” | |||
exclusively to "the information provided by the interested parties" (the underlining is from the AEPD). | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 65 | |||
65/124 | |||
Finally, the Guide completes the aforementioned section with a new warning by pointing out | |||
that “practices such as including overly generic purposes or | |||
nonspecific, which may lead to further treatments that exceed expectations | |||
reasonable of the interested party ” . | |||
The framework of the Guide, which has been described in its entirety and not with a partial citation and | |||
selective as in BBVA's allegations, it presents substantial differences with that of the | |||
informative clauses of this entity, such as the following: the variety of the data | |||
object of treatment; the diversity of sources from which they are obtained, which go beyond | |||
the data provided by the interested party, including even those obtained in their condition of | |||
mere person in charge of the treatment; as well as the variety and complexity of the purposes object | |||
processing of personal data in its capacity as a financial entity that occupies a | |||
relevant position in the market, unlike the more schematic of an editor, | |||
which is the example cited in the Guide (the details of said data and treatments are described | |||
in different sections of the resolution omitting here to avoid repetitions). | |||
Additionally, it should be noted that the guidelines in the guide do not | |||
may be taken as final, since the aforementioned guide expressly advises that the | |||
The only specific objective it covers is to provide guidance on best practices and adds that it should | |||
be completed with other guides that the Data Protection Authorities may issue, in | |||
relation with the application of the GDPR. | |||
The previous argument about the terminology used in the Privacy Policy | |||
it is not taken into account by BBVA when making its allegations. This entity is limited to performing | |||
statements such as qualifying the arguments of this Agency as appraisals | |||
subjective; affirm that the terms used are clear and precise; who uses those | |||
expressions with the intention of providing their clients with a service adapted to their | |||
specific circumstances, for which it is essential to "know" them ; and that the context in | |||
the one who provides the information, which is determined by the contractual relationship, as well as the | |||
systematic document in two layers, allow a better understanding of the | |||
expressions used. | |||
It has been previously denied that the context in which the information is offered and | |||
collects the manifestation of will allow the interested party to know the meaning and scope of the | |||
expressions that have been pointed out. And, on the other hand, it cannot be said that the end cited by | |||
BBVA (know the customer better) justify the use of unclear expressions and | |||
indeterminate. | |||
It also tries to explain two of the many referenced | |||
above, which, obviously, does not resolve the deficiencies noted in the entire text of | |||
the Privacy Policy. | |||
Specifically, BBVA refers to the expression “we will apply statistical and | |||
classification to correctly adjust your profile ” , which he tries to explain without success, highlighting | |||
that with this expression two of the techniques used to better understand the | |||
client. | |||
Secondly, it refers to the indication “analyzing the uses of the products, | |||
BBVA services and channels ” , which according to BBVA is explained by this Agency in the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 66 | |||
66/124 | |||
motion for a resolution stating that “[t] he all refers to the data processed by reason of | |||
the products and services contracted ” . | |||
This Agency does not share the idea put forward by BBVA. In the first case, the simple | |||
Reference to the techniques used does not help the interested party the scope of the information when | |||
signals that the profile will be adjusted. Regarding the second expression, it was already indicated in the | |||
opening of the procedure and in the proposed resolution, the interested party has no opportunity | |||
to know the true scope of that expression, starting with the specific information | |||
the one referred to. | |||
Add that some of the expressions explained above are similar to | |||
expressions offered as examples in the "Guide on the use of cookies" (in the opinion of | |||
BBVA, “carry out statistics, surveys, actuarial calculations, measurements and / or studies of | |||
market that may be of interest to BBVA or third parties ” , is similar to the expression | |||
"For analytical purposes" ; and "analyzing the uses of BBVA products, services and channels" | |||
is similar to the expression "show you personalized advertising based on a profile | |||
elaborated from your browsing habits ” ) . | |||
Regarding the quotes that have been transcribed verbatim and in quotation marks, it is striking, | |||
First of all, that at the time BBVA carries out the process of | |||
adaptation to the RGPD, including informative clauses, the Guide on cookies published by | |||
the Agency at that time was the one presented on April 29, 2013 and it did not include | |||
the literality of said expressions. | |||
The only example of an informative clause included in said Guide literally indicated | |||
that “we use our own and third-party cookies to improve our services and show them | |||
advertising related to your preferences by analyzing your habits | |||
navigation ” . | |||
Therefore, BBVA could not, in any way, take this text into account as a reference | |||
when preparing its informative clauses. | |||
The examples referred to by BBVA literally reproduce the wording included in | |||
the "Guide on the use of cookies" published in November 2019 (both the one relating to cookies | |||
analytical purposes such as that related to personalized advertising based on the habits of | |||
navigation in example number 2 on page 20). | |||
However, his claim when taking as reference said legends in order to | |||
justifying the information clauses of the entity is again partial, since it is limited to | |||
collect only two limited subsections of the examples in the Guide. | |||
But without taking into account other substantive considerations included in the Guide that | |||
allow to substantiate an assessment contrary to the exculpatory effect intended by the | |||
entity. And, in particular, those that refer to the requirement to “use clear language | |||
and simple, avoiding the use of phrases that lead to confusion or distort the clarity of the | |||
message ” . | |||
In this sense, the Guide specifically indicates in section 3.1.2.b) the following | |||
(page 18): | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 67 | |||
67/124 | |||
<< b) Clear and simple language must be used, avoiding the use of phrases that induce confusion or | |||
detract from the clarity of the message. | |||
For example, phrases such as “we use cookies to personalize your content and create | |||
a better experience for you "or" to improve your navigation ", or phrases such as" we can use your | |||
personal data to offer personalized services ”to refer to advertising cookies | |||
behavioral. Terms such as “may”, “could”, “some”, “often”, and | |||
"Possible" >>. | |||
Expressions that come to confirm the foundations for the declaration of the | |||
BBVA's information clauses as illegal in this procedure. | |||
Based on the foregoing, BBVA's allegation regarding the application of the | |||
principle of legitimate expectations. | |||
Regarding the above issues, BBVA also adds in its allegations that it acted | |||
with proactive responsibility, (…); and that offering a courtesy image is a decision | |||
commercial, a “marketing action” , according to its own terms, for which it is legitimized | |||
by virtue of their right to free enterprise. | |||
(…) | |||
On the other hand, it is clear and indisputable that the Privacy Policy cannot | |||
used as a “marketing action” . This is how BBVA has rated it and the result is | |||
the one that has been described in the previous paragraphs. | |||
- Information on the categories of personal data subjected to treatment; | |||
and on the specific categories of personal data that will be processed for each | |||
one of the specific purposes. | |||
On the other hand, it is verified that the information offered is incomplete in relation to | |||
with key aspects established in the repeated articles, such as the categories of the data | |||
treated personnel. | |||
In accordance with the criteria stated by the European Committee for the Protection of | |||
Data, information on the type of personal data would be necessary in relation to | |||
those data processing whose legal basis is determined by the consent of the | |||
interested. This is how the Article 29 Working Group understood it in its document “Guidelines | |||
on consent under Regulation 2016/679 ” , adopted on 11/28/2017, | |||
revised and approved on 04/10/2018 (these Guidelines have been updated by the Committee | |||
European Data Protection Regulation on 05/04/2020 through the document “Guidelines 05/2020 | |||
on consent pursuant to Regulation 2016/679 ” , which literally maintains | |||
identical the parts that are transcribed below). | |||
The Article 29 Working Group draws its conclusions from the definition | |||
of the "consent" contained in article 4 of the RGPD, which is expressed in the terms | |||
following: | |||
"11)" consent of the interested party ": any manifestation of free will, specific, informed and | |||
unequivocal by which the interested party accepts, either through a declaration or a clear action | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 68 | |||
68/124 | |||
affirmative, the processing of personal data that concerns him ” . | |||
From this definition, they are specified as necessary elements for the validity of the | |||
consent to the following: | |||
. Manifestation of free will | |||
. specific | |||
. informed and | |||
. unequivocal by which the interested party accepts, either through a statement or a clear | |||
affirmative action, the processing of personal data concerning you. | |||
In relation to the element "manifestation of specific will" it is said: | |||
“3.2. Specific manifestation of will | |||
(…) | |||
Ad. ii) The consent mechanisms should not only be separated in order to comply with the | |||
"free" consent requirement, but must also comply with the consent requirement | |||
"specific". This means that a data controller seeking consent to | |||
several different purposes, it must facilitate the possibility of opting for each purpose, so that users | |||
can give specific consent for specific purposes. | |||
Ad. iii) Finally, the data controllers must provide, with each request for | |||
separate consent, specific information on the data that will be processed for each purpose, with the | |||
In order for the interested parties to know the impact of the different options they have. Of this | |||
Thus, data subjects are allowed to give specific consent. This question overlaps with the | |||
requirement that those responsible provide clear information ”. | |||
Furthermore, consent, to be valid, must be informed. This item is | |||
analyzed in the aforementioned "guidelines" as follows: | |||
3.3. Informed manifestation of will | |||
The GDPR reinforces the requirement that consent must be informed. In accordance with the | |||
Article 5 of the RGPD, the requirement of transparency is one of the fundamental principles, | |||
closely related to the principles of loyalty and legality. Provide information to interested parties | |||
before obtaining their consent is essential so that they can make informed decisions, | |||
understand what they are authorizing and, for example, exercise your right to withdraw your | |||
consent. If the person in charge does not provide accessible information, the user's control will be | |||
Illusory and consent will not constitute a valid basis for the processing of the data. | |||
If the requirements for informed consent are not met, the consent will not be valid | |||
and the person in charge may be in breach of article 6 of the RGPD. | |||
3.3.1. Minimum content requirements for consent to be "informed" | |||
In order for consent to be informed, it is necessary to communicate to the interested party certain elements that | |||
they are crucial to choosing. Therefore, the WG29 believes that it requires, at least, the information | |||
following to obtain valid consent: | |||
i) the identity of the data controller, | |||
ii) the purpose of each of the processing operations for which consent is requested, | |||
iii) what (type of) data will be collected and used, | |||
iv) the existence of the right to withdraw consent, | |||
v) information on the use of the data for automated decisions in accordance with article | |||
22, paragraph 2, letter c), where relevant, and | |||
vi) information on the possible risks of data transfer due to the absence of a | |||
decision of adequacy and adequate guarantees, as described in article 46 >> . | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 69 | |||
69/124 | |||
In view of the interpretive criteria on the notion of "informed consent" | |||
offered by the European Data Protection Committee, it is considered that BBVA does not | |||
provides sufficient information on the type of data that will be submitted to | |||
treatment in relation to all those treatments whose legal basis is the | |||
consent of the interested parties. | |||
This insufficiency is observed in relation to the purpose “To improve the quality of | |||
products and services ” , where it is indicated again that: “ Said information is obtained from | |||
from the use of BBVA products, services and channels ” ). All this refers to the data | |||
treated by reason of the products and services contracted, so that, although these are | |||
known to the user, he cannot know which ones will be selected from the use of such | |||
products and services. The same can be said regarding the use of BBVA channels. | |||
In relation to the category of personal data that may be processed, BBVA | |||
warns the interested party, in a generic way, that they may process "Economic and solvency data | |||
patrimonial (including those related to all the products and services that you have contracted | |||
with BBVA or of which BBVA is a marketer); Transactional data (income, payments, | |||
transfers, debts, receipts, as well as any other operation and movement associated with | |||
any products and services that you have contracted with BBVA or for which BBVA is | |||
marketer); Sociodemographic data (such as age, family situation, residences, | |||
studies and occupation). | |||
In view of this information, it is not clear whether BBVA will process economic data | |||
unrelated to the products contracted with or marketed by the entity, what data | |||
personnel will register for each transaction (will the corresponding concept and issuer register | |||
to the payment of a union dues?); or what sociodemographic data will be processed, in addition to those | |||
cite as an example. It could even happen that the information collected by the entity | |||
responsible "from the use of BBVA products, services and channels" was integrated | |||
for sensitive data or special categories of personal data, for example, the quota | |||
aforementioned union or fees paid to political parties, or entities of a | |||
religious, or for the use of services provided by health or religious entities. | |||
It is not concluded that BBVA processes personal data such as | |||
indicated in the previous paragraph. It is said here, simply, in a foundation that analyzes the | |||
information offered by BBVA to its customers, that this information is faulty in the | |||
insofar as it does not allow the recipient of the information to know with certainty all the | |||
categories of personal data that will be used by that entity and that, even, the | |||
repeated information, due to its lack of specificity, could be covering a collection | |||
and unacceptable processing of personal data. | |||
Also when referring to the personal data that will be used to carry out | |||
data processing based on the legitimate interest of the entity, reference is made | |||
back to the "uses of BBVA products, services and channels" , as well as to | |||
information regarding the “financial evolution and that of the products and services you have | |||
contracted with us or through BBVA as a marketer, your operations -payments. | |||
income, transfers, debts, receipts ”. In this case, insufficient information on the | |||
categories of data to be processed is not related to the need for consent | |||
be informed, given that these are treatments based on the legitimate interest of the entity. | |||
However, in these treatments data not provided by the interested parties will be used, | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 70 | |||
70/124 | |||
so that the obligation contained in article 14.1.d) of the RGPD would be applicable. | |||
All this without prejudice to the relationship between data processing based on the | |||
consent of the interested parties to which reference is subsequently made. | |||
(…) | |||
In another vein, at this time, it is interesting to note that the use of data | |||
Personal based on legitimate interest gives rise to the creation of profiles, which are | |||
subsequently used to offer products and services (purpose 3) to customers who | |||
give their consent to do so, and that said profile is communicated to the companies of the | |||
BBVA Group, also based on the consent of the interested party. This being the case, the defects in | |||
information in relation to the processing of data based on legitimate interest affect by | |||
equal to the validity of the consent. | |||
It is also interesting to note that the information offered on the data | |||
subject to treatment by BBVA to which reference has been made includes “those related to | |||
all the products and services… of which BBVA is a marketer ” . This Agency | |||
questions the use of these data by the aforementioned entity and for the purposes that | |||
are indicated, considering that they are not own products, but third party products | |||
marketed by it. BBVA intervenes in the commercialization of these products under | |||
the status of data processor, which limits the possibility of using the information | |||
in question for its own purposes. | |||
Likewise, failure to comply with the obligation to report on the category of | |||
data that will be subjected to treatment is also breached in relation to data that is not | |||
are provided to the person in charge by the interested party, but are obtained by the latter from sources | |||
external or inferred by the entity itself. As has been exposed, in these cases, | |||
Article 14 of the RGPD requires you to provide this information. | |||
Among this information from third parties is that obtained from | |||
products and services marketed by BBVA, but which are not its own, to the | |||
which has already been referenced. | |||
It follows that BBVA processes personal data that it does not obtain | |||
directly from the interested parties under the condition of data controller. I know | |||
consider personal data from third parties that BBVA uses for the purposes | |||
expressed in the Privacy Policy. | |||
The responsibility for these personal data corresponds to the entity that owns the | |||
product purchased by the interested party or provider of the service contracted by the same. BBVA | |||
access such data under the condition of person in charge of treatment, by their intervention | |||
mediator in the commercialization of the product. | |||
In the Privacy Policy, in the section “What personal data does yours treat? | |||
BBVA? " , the following are mentioned: | |||
". Economic and financial solvency data (including those related to all products | |||
services that you have contracted with BBVA or of which BBVA is a marketer); | |||
. Transactional data (income, payments, transfers, debits, receipts, as well as | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 71 | |||
71/124 | |||
any other operation and movement associated with any products and services that | |||
you have contracted with BBVA or of which BBVA is a marketer) ”. | |||
As mentioned above, in relation to data processing based on | |||
the legitimate interest also mentions the information regarding the “financial evolution and | |||
that of the products and services that you have contracted ... through BBVA as | |||
marketer, | |||
With the information provided, as indicated above, it is not clear what | |||
financial and solvency personal data are processed or what data will BBVA record by | |||
every transaction. | |||
(…) | |||
The use by BBVA of personal data from products and services of | |||
Third parties require that the interested parties be provided with the appropriate information and have a | |||
legal basis that protects the treatment. | |||
(…) | |||
The only reference to the information coming from files of patrimonial solvency and | |||
credit and to CIRBE in this privacy policy is contained in the information regarding the | |||
use of personal data to manage the products and services contracted, | |||
legitimized as it is necessary for the execution of the contract. | |||
Even so, the consultation of the client's data in solvency and credit files is | |||
submits to the consent of the interested party “to analyze the economic viability of your | |||
requests and operations ” ; and in the second case, it indicates “We can consult the data that | |||
can appear on you in the CIRBE to assess your solvency, if you request or maintain | |||
financing products or services with us ” . | |||
Nothing is indicated in the privacy policy about this personal data and its | |||
use in the elaboration of profiles based on legitimate interest. | |||
In its brief of allegations to the proposed resolution, BBVA does not make any | |||
mention of personal data obtained from third party products and services | |||
marketed by BBVA. It only states that the obligation to inform about the | |||
categories of sociodemographic data, those obtained from CIRBE and from files of | |||
Solvency is not applicable in this case, by virtue of the provisions of section 5 c) of said | |||
precept, taking into account that such personal data is obtained by BBVA from | |||
conformity with the indicated standards. | |||
The obtaining of such data by BBVA is not questioned in this case. As said | |||
above, the use of personal data from | |||
patrimonial and credit solvency files and CIRBE files to manage the products and | |||
contracted services, provided that it is necessary for the execution of the contract. This is the | |||
foundation that determines access to information provided in the rules that are | |||
they invoke. | |||
However, the use of this personal data by BBVA is not limited to | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 72 | |||
72/124 | |||
check the situation of the interested party for the formalization of a risk operation, but | |||
also for other purposes based on legitimate interest, as well as for the preparation of | |||
Profiles that are used for commercial purposes, to offer products and services. | |||
In addition, in relation to data from solvency and credit files, | |||
The Privacy Policy informs that they will only be consulted with the consent of the interested party | |||
and that the rule invoked by BBVA refers exclusively to the duty to consult the | |||
information on a specific type of operations, such as granting loans with | |||
real collateral or whose purpose is to acquire or retain property rights over land | |||
and real estate; not just any risky operation. | |||
(…) | |||
And not only does it not specify what data will be processed, but it also does not | |||
duly informs about the specific categories of personal data that will be processed for | |||
each of the specified purposes. | |||
The need to complete the information offered to customers in the sense | |||
expressed is especially relevant when it comes to data not provided by the | |||
customer, but inferred by the entity itself from the use of products, services and channels. | |||
It cannot be accepted that all information is intended for all uses, that all data | |||
collected or inferred can be used for all purposes, without delimiting. This serves | |||
The same in relation to the personal data that will be communicated to third parties. | |||
In this regard, the Opinion of the aforementioned Article 29 Working Group, | |||
"Guidelines on consent under Regulation 2016/679" , adopted on | |||
11/28/2017, revised and approved on 04/10/2018, and revised again in May 2020, | |||
When referring to the obligation to inform about the data that will be collected and used, it refers to | |||
Opinion 15/2011 on the definition of consent, as “manifestation of | |||
specific will ” : | |||
“To be valid, consent must be specific. In other words, consent | |||
indiscriminate without specifying the exact purpose of the treatment is not admissible. | |||
To be specific, consent must be understandable: clearly and precisely refer to the | |||
scope and consequences of data processing. It cannot refer to an indefinite set of | |||
treatment activities. This means, in other words, that consent applies in a | |||
limited context. | |||
Consent must be given in relation to the various aspects of the treatment, clearly | |||
identified. This implies knowing what the data is and the reasons for the treatment. This knowledge | |||
It should be based on the reasonable expectations of the parties. Therefore, the "specific consent" | |||
it is intrinsically related to the fact that consent must be informed. Exists | |||
a requirement of precision of consent with respect to the different elements of the treatment of | |||
data: it cannot be claimed to encompass "all legitimate purposes" pursued by the controller | |||
treatment. The consent must refer to the treatment that is reasonable and necessary in | |||
relationship with the purpose ”. | |||
In General, as has been said, the principle of transparency should be understood as a | |||
fundamental aspect of the principles of lawful and fair treatment. It is interesting to reiterate | |||
expressed in Considering paragraphs 39 and 60 and the references they contain to the need to | |||
provide information to ensure fair and transparent treatment: | |||
"39. All processing of personal data must be lawful and fair. For natural persons it should be | |||
totally clear that data is being collected, used, consulted or otherwise processed | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 73 | |||
73/124 | |||
personal data that concern them, as well as the extent to which said data is or will be processed ... Said | |||
The principle refers in particular to the information of the interested parties about the identity of the person in charge | |||
treatment and the purposes thereof and the information added to ensure fair treatment and | |||
transparent regarding the affected natural persons and their right to obtain confirmation and | |||
communication of personal data concerning them that are subject to treatment. The | |||
natural persons must be aware of the risks, regulations, safeguards and rights | |||
relating to the processing of personal data ”. | |||
"60. The principles of fair and transparent treatment require that the interested party be informed of the | |||
existence of the treatment operation and its purposes. The controller must provide the | |||
interested party as much additional information is necessary to guarantee fair treatment and | |||
transparent, taking into account the specific circumstances and context in which the data is processed | |||
personal ”. | |||
And in the also cited document of the Article 29 Working Group “Guidelines | |||
on transparency under Regulation 2016/679 ” , adopted on 11/29/2017 and | |||
revised on 04/11/2018, which analyzes the scope to be attributed to the principle of | |||
transparency, it indicates: | |||
“A fundamental consideration of the principle of transparency outlined in these provisions is that | |||
the interested party must be able to determine in advance the scope and consequences derived from the | |||
treatment, and that you should not be surprised at a later time by the use that has been made of | |||
your personal information. It is also an important aspect of the principle of loyalty by virtue of | |||
of article 5 (1) of the GDPR and, indeed, it is related to recital 39, which | |||
establishes that “natural persons must be aware of the risks, regulations, | |||
safeguards and rights relating to the processing of personal data [...] ”. Specifically, the posture | |||
of GT29 regarding complex, technical or unforeseen data processing is that, in addition to facilitating | |||
the information prescribed in articles 13 and 14 (aspect that will be dealt with later in these | |||
guidelines), data controllers should also detail separately and in plain language. | |||
ambiguities what will be the most important “consequences” of the treatment: in other words, | |||
What kind of repercussions will the specific treatment described in | |||
a privacy statement / notice? In accordance with the principle of proactive responsibility, and in | |||
In line with recital 39, data controllers should assess whether this type of | |||
treatment poses some specific risk to natural persons that must be put into | |||
knowledge of stakeholders. This can help to get an overview of the types of | |||
treatment that could have a greater impact on the fundamental rights and freedoms of | |||
interested parties in relation to the protection of their personal data ”. | |||
In short, personal data is collected and processed without the owners of the same | |||
are aware that BBVA is accessing them to register them in their | |||
information systems, subjects them to treatments about which the client is not informed | |||
clearly, precisely and simply, and with non-explicit and undetermined purposes, against | |||
of the principles relating to the treatment established in article 5 of the RGPD (loyalty, | |||
limitation of the purpose and minimization of data), since, from the information | |||
provided, considering their lack of discretion, the interested party cannot know, as the | |||
Constitutional Court, “to what use is it being destined and, on the other hand, the power to oppose | |||
that possession and uses ” . This lack of precision renders the information provided ineffective | |||
about the data processing that is intended. | |||
The same objection must be expressed in relation to the communication of data | |||
personal to BBVA Group companies. With the information offered it is not possible | |||
that the interested party has a clear idea about the information that will be transferred to the entities that | |||
make up the Group (“… communicate data related to your customer profile -income amount and | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 74 | |||
74/124 | |||
expenses, balance and use of our channels ” ; “… Your identification, contact and | |||
transactional data ” ). | |||
The BBVA entity considers in its allegations that the incorporation of all those | |||
Information regarding the type of data in an already excessively long document would be | |||
liable to cause information fatigue in the interested parties. The GT29 Guidelines | |||
recommend avoiding that consequence, but such a purpose cannot be taken as a | |||
justification for omitting necessary information. It forces to structure the information | |||
adequately, but not to limit it. | |||
On the other hand, BBVA has stated that it cannot be required to report on the | |||
personal data subjected to treatment and that this information is broken down for each one | |||
of the purposes based on the guidelines that have been mentioned, which do not have | |||
normative character. However, it should be noted that the Working Group of the | |||
Article 29 was established by Directive 95/46 / EC on an advisory and | |||
independent, and whose opinions and recommendations serve as an interpretive element | |||
in the matter at hand, admitted by jurisprudence. At present it is the Committee | |||
European Data Protection the body with competence to issue guidelines, | |||
recommendations and good practices in order to promote the consistent application of the GDPR. | |||
Regarding the above questions, it claims again that the conclusions presented | |||
modify what is stated in the "Guide on compliance with the duty to inform" and that no | |||
the establishment of interpretive criteria in a procedure can be admitted | |||
sanctioner. | |||
Both questions have been answered previously, pointing out, on the one hand, the | |||
terms in which the expressions of the "Guides" edited by this Agency should be considered | |||
and, on the other hand, that this resolution is based on widely consolidated criteria | |||
for a long time, as has been well exposed. | |||
- Information on the purposes to which the personal data of the | |||
clients and the legal basis of the treatment | |||
Regarding the purposes to which the personal data of the clients will be used and | |||
the legal basis of the treatment of the treatment, the entity BBVA, in the document through the | |||
that facilitates information on the protection of personal data, refers treatments | |||
similar in relation to different purposes, protected by the legitimate interest in some cases | |||
and in consent in another. This may mean that an average citizen understands that a | |||
Non-consensual treatment is finally carried out under the legitimate interest of the | |||
responsible, and your ability to decide on the destination of your data is undermined | |||
personal. | |||
Specifically, BBVA reports on the realization of personalized offers and the | |||
use of data to improve its products and services as treatment of | |||
data with legal basis in the consent of the interested party and, at the same time, such | |||
treatments are also mentioned among those that can be performed to know | |||
better customer and enhance your experience, based on legitimate interest. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 75 | |||
75/124 | |||
On the treatments based on legitimate interest, information is provided in the | |||
following terms: | |||
. "Know you better and personalize your experience" | |||
. "May your experience be as satisfactory as possible" | |||
. "Get to know yourself better by analyzing your financial evolution ... the uses of products, services and channels." | |||
. "Assess new functionalities ..., products and services" | |||
. "Rate ... personalized offers with more adjusted prices for you" | |||
. "Better meet your expectations and we can increase your degree of customer satisfaction" | |||
. "Improve the quality of products and services" | |||
. "Carry out statistics, surveys or market studies that may be of interest." | |||
Information on consent-based treatment is provided in the | |||
following terms: | |||
. "Offer you products and services from BBVA, the BBVA Group and others, customized for you" | |||
. "Give you advice and recommendations to better manage your financial situation" | |||
. "Improve the quality of products and services" | |||
. "Increase your degree of customer satisfaction." | |||
. "Meet your expectations." | |||
. "Improve the quality of existing products and services." | |||
. Develop new products and services ”. | |||
. "Carry out statistics, surveys, actuarial calculations, averages and / or market studies that can | |||
be of interest to BBVA or third parties. | |||
. "This information is obtained from the use of BBVA products, services and channels." | |||
It is not concluded that they are similar treatment operations, but rather that the | |||
information offered may cause confusion, to an average citizen, on the legal basis | |||
that justifies the treatment, in the sense expressed. | |||
The information on the purposes, in general, is closely linked to the principle of limitation of | |||
the purpose, regulated in article 5.1 b) of the RGPD, which establishes the following: | |||
"1. The personal data will be: | |||
b) collected for specific, explicit and legitimate purposes, and will not be further processed as | |||
way incompatible with said purposes; according to Article 89 (1), further processing | |||
of personal data for archival purposes in the public interest, scientific research purposes and | |||
historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of | |||
purpose ")". | |||
The importance of this principle is determined by its object, which is none other than | |||
establish the limits within which personal data can be processed and the | |||
extent to which they can be used, as well as determining the data that can be collected. | |||
To be "explicit" , an end must be unequivocal and clearly stated, in detail | |||
enough for the interested party, any interested party, to know in a certain way how they will be or | |||
data not processed and favoring the exercise of their rights and the evaluation of the | |||
compliance with regulations. To be "explicit" , the purpose must also be disclosed, as | |||
which must take place at the time the personal data is collected | |||
On this issue, the Article 29 Working Group ruled in its Opinion | |||
03/2013, on limitation of purposes. In this work, it was considered that they should be rejected, | |||
by nonspecific, the purposes expressed with vague or too general formulas, | |||
such as "improving user experience" , "marketing purposes" or | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 76 | |||
76/124 | |||
"Future research". | |||
This Opinion indicates that the more complex the data processing is | |||
personal, the purposes should be specified in a more detailed and exhaustive manner, "including, | |||
among other things, the way in which personal data is processed. They must also | |||
to reveal the decision criteria used for the elaboration of customer profiles ” . | |||
In accordance with the foregoing, the purposes for which the data will be processed | |||
personal information about which BBVA informs its clients, except for the management of | |||
products, do not conform to the aforementioned transparency requirements, especially if | |||
We consider the huge amount of personal data that it submits to treatment, individual or | |||
globally considered, and the complex technical processes to which they are subjected, on | |||
all for the elaboration of profiles, which are used for all the purposes described in | |||
the privacy policy: | |||
"2. To get to know you better and personalize your experience. | |||
3. To offer you products and services from BBVA, the BBVA Group and others, customized for you. No | |||
we are going to flood you with information. | |||
4. To communicate your data to BBVA Group companies so that they can offer you products and | |||
own personalized services for you. | |||
5. To improve the quality of products and services ”. | |||
- Information on the legitimate interest of the person in charge and third parties | |||
Likewise, the aforementioned precepts establish the obligation of the person responsible to inform | |||
on the legitimate interests on which the processing of personal data is based (the | |||
Articles 13 and 14 of the RGPD establish the obligation to inform about "legitimate interests | |||
of the person in charge or of a third party ” ). However, the information provided by BBVA remains | |||
indefinite regarding the basis of the treatment, so that it does not properly support this | |||
authorization for the processing of data, resulting, therefore, contrary to the principle of | |||
transparency. The definition of “legitimate interest” that BBVA | |||
includes in the "Glossary of terms" : "Legitimate interest is one of the legal bases that | |||
authorize BBVA to process your data. This means that BBVA can process your data because | |||
have an interest in doing so, as long as that interest does not harm your rights ”. | |||
Recital 47 of Regulation (EU) 2016/679 are especially clarifying | |||
in the task of specifying the content and scope of this legitimizing basis of the treatment, | |||
described in letter f) of article 6.1 of the RGPD. From what is stated in this Recital, | |||
It is interesting to highlight as an interpretive criterion that the application of this legitimizing base has | |||
to be predictable for your recipients, taking into account their reasonable expectations. | |||
The Article 29 Working Group prepared Opinion 6/2014 regarding the “ Concept of | |||
legitimate interest of the person responsible for data processing under article 7 of the | |||
Directive 95/46 / CE ”, dated 04/09/2014. Although Opinion 6/2014 was issued for | |||
favor a uniform interpretation of Directive 95/46 then in force, repealed by the | |||
RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and having | |||
Note that the reflections that the Opinion offers are an exponent and application of principles | |||
that also inspire the GDPR -such as the principle of proportionality- or of principles | |||
principles of Community law - the principle of fairness and respect for the law and | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 77 | |||
77/124 | |||
Law- many of his reflections can be extrapolated to the application of current regulations, | |||
Regulation (EU) 2016/679. | |||
The said Opinion refers to the "Concept of interest" in the following Terms: | |||
"The concept of" interest "is closely related to the concept of" purpose "mentioned in | |||
Article 6 of the Directive, although these are different concepts. In terms of protection of | |||
data, "purpose" is the specific reason why the data is processed: the purpose or intention of the | |||
data processing. An interest, on the other hand, refers to a greater involvement than the | |||
responsible for the treatment may have in the treatment, or to the benefit that the person responsible for the | |||
treatment obtains -or that the company can obtain- from the treatment. | |||
For example, a company may have an interest in ensuring the health and safety of personnel who | |||
work at your nuclear power plant. Therefore, the company may have the purpose of applying | |||
specific access control procedures that justify the processing of certain data | |||
specific personnel in order to ensure the health and safety of personnel. | |||
An interest must be articulated clearly enough to allow the balancing test | |||
It is carried out contrary to the interests and fundamental rights of the interested party. | |||
Furthermore, the interest at stake must also be "pursued by the controller." This | |||
requires a real and current interest, which corresponds to present activities or benefits that are | |||
wait in the very near future. In other words, interests that are too vague or | |||
speculative will not be enough. | |||
The nature of the interest can vary. Some interests may be compelling and beneficial to | |||
society in general, such as the interest of the press in publishing information on corruption | |||
government or interest in conducting scientific research (subject to appropriate safeguards). | |||
Other interests may be less pressing for society as a whole or, in any case, | |||
the impact of your search on society may be more disparate or controversial. This can, for | |||
For example, apply to the economic interest of a company in learning as much as possible about its | |||
potential clients in order to better target advertising on their products and services ”. | |||
In the conclusions section of this Opinion the following is added: | |||
"The concept of" interest "is the broadest implication that the controller may have | |||
in the treatment, or the benefit that it obtains, or that the company may obtain, from the treatment. | |||
This can be compelling, clear, or controversial. The situations referred to in the article | |||
7, letter f), may therefore vary from the exercise of fundamental rights or the protection of | |||
important personal or social interests to other less obvious or even problematic contexts. | |||
… It must also be articulated with sufficient clarity and must be specific enough to | |||
allow the balancing test to be performed against interests and rights | |||
fundamentals of the interested party. It must also represent a real and current interest, that is, it must not be | |||
speculative". | |||
The "interest" goes beyond the "purpose" . in terms of the GT29 it represents "a greater | |||
implication that the controller may have in the treatment, or the benefit | |||
that the data controller obtains ” ; while "purpose", in terms of | |||
data protection, “is the specific reason why the data is processed: the objective or the | |||
intention to process the data. | |||
In this case the "interest" is not expressed. The entity does not inform in its policy of | |||
privacy on any specific interest when referring to the data processing that has | |||
planned to be carried out under this legal basis. It is limited to indicating purposes and objectives | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 78 | |||
78/124 | |||
intended with these data processing, but no interest in the sense expressed. | |||
BBVA has stated in its brief of allegations that the information on the | |||
specific legitimate interests on which it is based for these treatments is included in the | |||
section "Why do we use your personal data?" of the "Extended Information" , in | |||
which details the bases that legitimize the treatment ( “… so that from BBVA we can | |||
better meet your expectations and we can increase your degree of customer satisfaction | |||
when developing and improving the quality of own or third party products and services, as well as | |||
carry out statistics, surveys or market studies that may be of interest ... to | |||
be a bank close to you as a customer… ” ). This is also indicated in the "Basic information" | |||
of the privacy policy when it states “for what reason do we use your personal data | |||
(legal base)? Get to know yourself better and make your experience more personalized. Legitimate interest | |||
BBVA is explained in the "Extended information" section. | |||
It can be easily verified that this information on "interest" is similar to the | |||
expressed when describing the purposes: | |||
The basic information indicates: | |||
For what purposes will we use them? | |||
2. To get to know you better and personalize your experience . | |||
And in the extended information: | |||
What do we use your personal data for? | |||
2. Get to know yourself better and personalize your experience | |||
At BBVA we want your experience as a customer to be as satisfactory as possible, through a | |||
personalized relationship that is more adapted to your customer profile and your needs. | |||
To achieve this we have to know you better, analyzing not only the data that allow us to identify you | |||
as a client, but also your financial evolution and that of the products and services you have | |||
contracted with us or through BBVA as a marketer, your operations -payments. income, | |||
transfers, debts, receipts- as well as the uses of BBVA products, services and channels. | |||
Additionally, we will apply statistical and classification methods to correctly adjust your | |||
profile. Based on the above, we managed to develop our business models. | |||
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and | |||
services that we consider according to your profile (own or marketed by BBVA), as well as offers | |||
personalized with more adjusted prices for you. As we will know you better, we can congratulate you | |||
for your anniversary, wish you a good day or happy holidays ”. | |||
(…) | |||
In any case, the use of personal data in order to "know" better | |||
to the client, as stated, can be understood as a follow-up of the interested party | |||
without a justifiable reason, which cannot be protected by the legitimate interest. This follow-up | |||
involves a thorough analysis of customer information, which is intended to be justified with | |||
the mention of a generic and simple purpose ( "to know you better" ), whose consequences | |||
can be much more serious than those mentioned as examples (congratulations on the | |||
birthday). | |||
The same can be said about using customer data to “improve | |||
products and services ” of BBVA, which this entity also bases on the interest | |||
legitimate, considering, as indicated by it, that the interested party has an expectation | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 79 | |||
79/124 | |||
reasonable for your personal data to be used for that purpose. | |||
This Agency considers that this treatment of the data, as it appears | |||
based on BBVA's privacy policy, it cannot rely on the legal basis | |||
legitimate interest, which requires an evaluation to determine the interests or rights that | |||
prevail. This weighting must take into account, indeed, "the expectations | |||
reasonable of the interested parties based on their relationship with the person in charge ” , but understood | |||
as what the interested party can perceive or deduce as reasonable by itself based on | |||
the specific circumstances that occur in each case, what he could foresee at the time of | |||
collecting data reasonably. Not what the responsible entity understands as a | |||
“Reasonable expectation” of the client, nor what it informs the client about | |||
meets those expectations. | |||
The term “reasonable expectation” should always be used sparingly, | |||
taking into account the position held responsible and interested and the legal nature of | |||
the relationship or service that links them, which could lead to the subsequent use of the data | |||
personal of it. Context, already referred to, is taken into account | |||
above, in order to define, based on all this, the subsequent processing of the data | |||
that the interested party can expect to be done. This "reasonable expectation" of the customer is | |||
has to deduce by itself, without the need for the information provided by the | |||
responsible to the interested party or client defines or specifies said expectation, as this | |||
assumes that the Bank impersonates the customer, trying to clarify the expectation that | |||
expect precisely because it does not emerge by itself from the information it offers or from | |||
the relationship that unites responsible and interested. It is intended, with this, to convey an appearance | |||
reasonable expectation and displace the interested party in this deduction. | |||
Therefore, the information offered by | |||
BBVA on data uses based on the expectation that the recipient of the | |||
information you have as a customer. | |||
The specific determination of BBVA's interest, articulated with sufficient clarity, | |||
It will allow the interested party to oppose their own interests. It also enables a better | |||
analysis of the reality and actuality of said interest. | |||
On the legitimate interest of the person in charge and the weighting test, the document | |||
of the Working Group on Article 29 “Guidelines on transparency under the | |||
Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, offers the | |||
following criteria: | |||
“The specific interest in question must be identified for the benefit of the interested party. As a matter of | |||
good practice, the data controller can also provide the data subject with the information | |||
resulting from the "weighting test" that must be carried out in order to benefit from the provisions | |||
in article 6, paragraph 1, letter f), as a lawful basis for the treatment, prior to any | |||
collection of the personal data of the interested parties. To avoid information fatigue, this can | |||
be included within a tiered privacy statement / notice (see section 35). | |||
In any case, the position of the WG29 is that the information addressed to the interested party must make clear | |||
that he can obtain information on the weighting test upon request. This turns out | |||
essential for transparency to be effective when stakeholders doubt whether the examination of | |||
weighting has been carried out loyally or wish to file a claim with the | |||
control". | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 80 | |||
80/124 | |||
In this brief of allegations it indicates that the legitimate interest that it intends to fulfill is the | |||
to continuously improve the relationship with its customers and the portfolio of products and services | |||
What it offers, and thus anticipate their needs in case they require them; what | |||
this interest is aimed at the continuous improvement of the business model and achieving satisfaction | |||
of the client with the service provided; provide the best service to its customers and offer them | |||
products that can better fit your profile; get to know your customers as well as possible to | |||
be able to provide them with their services with the highest degree of excellence possible. | |||
(…) | |||
As can be seen, the legitimate interest is not clearly described, but rather | |||
The purposes about which customers are informed in the Privacy Policy are reiterated | |||
Privacy. According to the above, and contrary to what BBVA stated in its allegations to | |||
the resolution proposal, the legitimate interest is not the purpose for which the data is processed | |||
personal. | |||
All this without forgetting what has already been indicated in relation to the use of imprecise terms | |||
and vague formulations in the information provided, in particular with regard to the definition of | |||
the purposes. | |||
In relation to the previous indications regarding the reasonable expectation of the | |||
interested in the subsequent use of their personal data, BBVA has stated that the | |||
References to this expectation contained in the Privacy Policy are a consequence of the | |||
compliance with the obligations imposed by article 13 of the RGPD on information | |||
about the treatment based on a prevailing legitimate interest; and wonders if the AEPD | |||
It is intended to say that treatments based on legitimate interest should not be reported. | |||
BBVA's interpretation of legitimate interest and expectations | |||
reasonable clients' reasons cannot be shared by the AEPD, for the reasons already | |||
exposed. What this Agency has questioned is that the Privacy Policy defines or | |||
try to define to the data subject what their reasonable expectation is. | |||
- Information on profiling | |||
Another important aspect related to the subject analyzed has to do with the use of | |||
personal data for the preparation of customer profiles, understood as any | |||
form of personal data processing that evaluates personal aspects related to a | |||
Physical person. According to art. 13.1.c) of the RGPD, the person in charge must inform the interested party of | |||
the purposes of the treatment, as well as its legal basis, which means that you must inform | |||
on the elaboration of profiles when the person in charge has foreseen such purpose and specify the | |||
legal basis that protects the treatment for that purpose. | |||
Article 11 of the LOPDGDD establishes the minimum content of the basic information | |||
to be provided to the interested party: | |||
"2. The basic information referred to in the previous section must contain, at least: | |||
(…) | |||
If the data obtained from the affected party were to be processed for profiling, the information | |||
basic knowledge will also understand this circumstance ”. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 81 | |||
81/124 | |||
Recital 60 of the RGPD also refers to the obligation to “inform the | |||
interested party about the existence of profiling and the consequences of said | |||
elaboration". | |||
On the principles relating to the processing of personal data, when these | |||
consist of profiling, the Guidelines of the Article 29 Working Group | |||
on automated individual decisions and profiling for the purposes of | |||
Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate what | |||
following: | |||
“Transparency of treatment is a fundamental requirement of the GDPR. | |||
The profiling process is usually invisible to the person concerned. It works by creating data | |||
derived or inferred about people ("new" personal data that have not been directly | |||
provided by the interested parties themselves). People have different levels of understanding and | |||
It can be difficult to understand the complex techniques of profiling processes and | |||
automated decisions ”. | |||
“Taking into account the basic principle of transparency that underpins the RGPD, those responsible for the | |||
treatment must ensure that they clearly and easily explain to people the operation | |||
profiling or automated decisions. | |||
In particular, when the treatment involves decision-making based on the preparation of | |||
profiles (regardless of whether they fall within the scope of the provisions of Article 22), you must | |||
clarify to the user the fact that the treatment is for both a) profiling and | |||
of b) adoption of a decision based on the profile generated | |||
Recital 60 establishes that providing information about profiling is part of the | |||
of the transparency obligations of the data controller according to article 5, paragraph 1, | |||
letter a). The interested party has the right to be informed by the person responsible for the treatment, in | |||
certain circumstances, about your right to object to "profiling" | |||
regardless of whether individual decisions have been made based solely on the | |||
automated processing based on profiling ”. | |||
“The person responsible for the treatment must explicitly mention to the interested party details about the right | |||
opposition according to article 21, paragraphs 1 and 2, and present them clearly and regardless of any | |||
other information (Article 21, paragraph 4). | |||
According to article 21, paragraph 1, the interested party can oppose the treatment (including the elaboration | |||
of profiles) for reasons related to your particular situation. Those responsible for the treatment | |||
are specifically obliged to offer this right in all cases in which the treatment is | |||
based on article 6, paragraph 1, letters e) or f) ”. | |||
The BBVA privacy policy that is the subject of these actions refers to the | |||
profiling on numerous occasions when describing the purposes for which the | |||
will use the data, or include indications that lead to the conclusion that it will perform operations | |||
profiling. This can be understood in relation to the realization of product offers and | |||
personalized services or price offers tailored to the customer's profile; or when I know | |||
informs about the communication to the BBVA Group companies of personal data | |||
related to the client's profile. | |||
Excluding those carried out for the execution of the contract between the client and | |||
responsible, the following are cited: | |||
b) Get to know you better and personalize your experience. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 82 | |||
82/124 | |||
. “At BBVA we want your experience as a customer to be as satisfactory as possible, through a | |||
personalized relationship that is best adapted to your customer profile and your needs. | |||
To achieve this we have to know you better, analyzing not only the data that allow us to identify you | |||
as a client, but also your financial evolution and that of the products and services you have | |||
contracted with us or through BBVA as a marketer, your operations -payments. income, | |||
transfers, debts, receipts- as well as the uses of BBVA products, services and channels. | |||
Additionally, we will apply statistical and classification methods to correctly adjust your | |||
profile. Based on the above, we managed to develop our business models. | |||
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and | |||
services that we consider according to your profile (own or marketed by BBVA), as well as offers | |||
personalized with more adjusted prices for you… ”. | |||
c) Offer products and services from BBVA, the BBVA Group and others, customized for the client: | |||
“… We can send you information about BBVA products and services with prices more adjusted to your | |||
profile, informing you of what may interest you as a client ”; | |||
"We can send you information, according to your customer profile, about products, services and offers | |||
financial and non-financial of the BBVA Group companies and third parties… ”. | |||
d) To communicate customer data to BBVA Group companies so that they can offer | |||
products and services customized for it. | |||
“If you want the BBVA Group companies included in this address | |||
https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf they can offer you products and services | |||
personalized in characteristics and price, we need your authorization to communicate data | |||
related to your customer profile (amount of income and expenses, balances and use of our channels). | |||
This information will be processed to try to improve the characteristics and prices of the product offering and | |||
services. The BBVA Group companies will only process your data for that purpose ”. | |||
Therefore, BBVA processes the personal data of its customers to | |||
proceed to its profiling, which is subsequently used for the stated purposes. In all | |||
the cases in which it refers to the elaboration of profiles or the use of data that | |||
are the result of profiling activities, the basis of their action is based, | |||
in accordance with the information provided to interested-clients, in the consent of | |||
these; Except in what refers to the use of the data in order to better know | |||
the customer and improve their experience, which BBVA protects in the legitimate interest. | |||
For the reasons already expressed in relation to the lack of justification of interest | |||
legitimate, processing operations that include the preparation of | |||
profiles or that are based on these profiles and that have a legal basis in the legitimate interest | |||
of the person in charge. | |||
Furthermore, in this case, in the opinion of this Agency, the requirements of | |||
information described above. BBVA limits itself to reporting on actions that may be | |||
develop adapted to the "customer profile" or "personalized" , but does not offer information | |||
on the type of profiles to be made, the specific uses to which they will be put | |||
these profiles or the possibility that the interested party can exercise the right of opposition in | |||
application of article 21.2 RGPD, when profiling is related to activities of | |||
direct marketing. | |||
In the terms of the GT29, it is not “ explained to people in a clear and simple way the | |||
profiling ” nor are they warned about adopting | |||
decisions “on the basis of the generated profile” , regardless of whether they fall within the scope | |||
of the provisions of article 22. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 83 | |||
83/124 | |||
The concept of profiling is not treated in a systematic way in the privacy policy | |||
of BBVA. In fact, the first layer only talks about “knowing you better and personalizing your | |||
experience ” , omitting the elaboration of profiles, despite the fact that this purpose, according to | |||
appears stated, it is necessary to do a previous profiling of each and every one of the clients. | |||
This is a breach of the provisions of article 11 of the LOPDGDD. | |||
In the second layer or "extended information" , when describing the purpose "To know you | |||
better and personalize your experience ” , the concept profile is only mentioned twice, one of | |||
them qualified with the expression "customer profile" and another when it is indicated that "it will be adjusted | |||
correctly ” the profile with the application of statistical and classification methods, without | |||
describe what these methods will consist of and the consequences of their application, and | |||
presenting this type of action as if it were something alien to the activity of the | |||
responsible whose result is precisely that profiling. In this case, in addition, | |||
treatment operations based on customer profiling referred to in section | |||
a) above go beyond the improvement of the experience of the latter, to the point that said | |||
profiling is used by BBVA to develop its business model, assess new | |||
functionalities and products and make personalized offers. | |||
BBVA dedicates a section of its brief of allegations to the resolution proposal to | |||
this question regarding profiling, but without offering any explanation about | |||
the deficiencies appreciated, to which it does not refer. He simply tries to justify | |||
the use of personal data for the design of its business model and to point out that | |||
informs the interested parties about the treatment carried out (analyze and assess the data), the | |||
data typology and purpose. | |||
On this same question, he reiterates that within the framework of goal 2 "Know you better | |||
and personalize your experience ” no offers or commercial communications are sent and that the | |||
Agency confuses both purposes. However, in the foregoing it is not | |||
produces no confusion in the sense expressed by BBVA. What stands out in the | |||
previous paragraphs are those parts of the text that refer to data processing | |||
that involve the elaboration of profiling operations, about which there is no information | |||
duly, as has been said. | |||
Finally, it is interesting to point out that the Privacy Policy does not warn in | |||
in no case if those profiling operations correspond to the decisions | |||
individual automated regulated in article 22 of the RGPD, if said profiles are to | |||
serve to make automated decisions with legal effects for the interested party or that | |||
will significantly affect in a similar way, in which case the interested party would have | |||
right to be informed by virtue of the provisions of article 13.2.f) of the RGPD, | |||
including in that information all the issues that that letter mentions (the logic | |||
applied, the importance and the expected consequences of such treatment for the | |||
interested party, also warning about the possibility of opposing the adoption of these | |||
automated individual decisions), and the right to have all the guarantees | |||
provided (in addition to the information specific to the interested party, the right to obtain | |||
human intervention, to express their point of view, to receive an explanation of the decision | |||
taken after such evaluation and to challenge the decision). Although it is not said | |||
On the contrary, that is, it is not said that any interested party will be the subject of an individual decision | |||
automated system of this nature, it should be understood that such actions are not carried out | |||
cape. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 84 | |||
84/124 | |||
No imputation is made for regulated automated individual decisions | |||
in the aforementioned article 22 (nor on the treatment of category data | |||
special). This comment is included as a mere warning, considering that the policy of | |||
Privacy informs about data processing that involves the use of profiles of the | |||
that could result discriminatory effects for the interested parties (such as, for example, credits | |||
pre-granted, prices adjusted to the client's profile). | |||
In accordance with the foregoing, the facts set forth imply a violation of the | |||
principle of transparency regulated in articles 13 and 14 of the RGPD, which gives rise to the | |||
application of the corrective powers that article 58 of the aforementioned Regulation grants to the | |||
Spanish Agency for Data Protection. | |||
VII | |||
On the other hand, articles 6 and 7 of the same RGPD refer, respectively, to the | |||
"Legality of the treatment" and the "Conditions for consent": | |||
Article 6 of the RGPD. | |||
"1. The treatment will only be lawful if at least one of the following conditions is met: | |||
a) the interested party gave their consent for the processing of their personal data for one or more | |||
specific purposes; | |||
b) the treatment is necessary for the execution of a contract in which the interested party is a party or for | |||
the application at his request of pre-contractual measures; | |||
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the | |||
treatment; | |||
d) the treatment is necessary to protect vital interests of the interested party or of another natural person; | |||
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the | |||
exercise of public powers conferred on the data controller; | |||
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller | |||
treatment or by a third party, provided that the interests or interests do not prevail over said interests. | |||
fundamental rights and freedoms of the interested party that require the protection of personal data, | |||
in particular when the interested party is a child. | |||
The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the | |||
public authorities in the exercise of their functions. | |||
2. Member States may maintain or introduce more specific provisions in order to adapt | |||
the application of the rules of this Regulation with respect to the treatment in compliance with the | |||
section 1, letters c) and e), setting more precisely specific treatment requirements and other | |||
measures to ensure lawful and equitable treatment, including other specific situations | |||
treatment in accordance with Chapter IX. | |||
3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: | |||
a) Union law, or | |||
b) the law of the Member States that applies to the controller. | |||
The purpose of the treatment must be determined in said legal basis or, in relation to the | |||
Treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission | |||
carried out in the public interest or in the exercise of public powers conferred on the person responsible for | |||
treatment. Said legal basis may contain specific provisions to adapt the application of | |||
rules of this Regulation, among others: the general conditions that govern the legality of the | |||
treatment by the person in charge; the types of data being processed; the interested | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 85 | |||
85/124 | |||
affected; the entities to which personal data may be communicated and the purposes of such | |||
communication; the limitation of the purpose; the data conservation periods, as well as the | |||
processing operations and procedures, including measures to ensure processing | |||
lawful and equitable, such as those relating to other specific treatment situations pursuant to the chapter | |||
IX. The law of the Union or of the Member States shall fulfill an objective of public interest and shall be | |||
proportional to the legitimate aim pursued. | |||
4. When the treatment for a purpose other than that for which the personal data was collected | |||
is not based on the consent of the interested party or on the law of the Union or of the States | |||
members that constitute a necessary and proportionate measure in a democratic society to | |||
safeguard the objectives indicated in article 23, paragraph 1, the data controller, with | |||
in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected | |||
initially personal data, will take into account, among other things: | |||
a) any relationship between the purposes for which the personal data was collected and the purposes | |||
the planned further treatment; | |||
b) the context in which the personal data was collected, in particular with regard to the | |||
relationship between the interested parties and the data controller; | |||
c) the nature of the personal data, specifically when special categories of data are processed | |||
personal data, in accordance with article 9, or personal data regarding convictions and offenses | |||
criminal, in accordance with article 10; | |||
d) the possible consequences for the data subjects of the planned further processing; | |||
e) the existence of adequate guarantees, which may include encryption or pseudonymization ”. | |||
Article 7 of the RGPD. | |||
"1. When the treatment is based on the consent of the interested party, the person in charge must be | |||
capable of demonstrating that he consented to the processing of his personal data. | |||
2. If the consent of the interested party is given in the context of a written statement that is also | |||
refer to other matters, the consent request will be presented in such a way that it distinguishes | |||
clearly of the other matters, in an intelligible and easily accessible way and using clear and | |||
simple. Any part of the declaration that constitutes infringement of this will not be binding. | |||
Regulation. | |||
3. The interested party will have the right to withdraw their consent at any time. The withdrawal of | |||
Consent will not affect the legality of the treatment based on the consent prior to its withdrawal. | |||
Before giving consent, the interested party will be informed of this. It will be so easy to remove the | |||
consent how to give it. | |||
4. When assessing whether consent has been freely given, the fullest extent will be taken into account | |||
possible the fact whether, among other things, the performance of a contract, including the provision of a | |||
service, is subject to consent to the processing of personal data that are not necessary for | |||
the execution of said contract ”. | |||
The statement in recitals 32, 40 to 44 and 47 is taken into account (already cited in | |||
Basis of Law VI) of the RGPD in relation to the provisions of articles 6 and 7 | |||
previously reviewed. From what is expressed in these recitals, the following should be highlighted: | |||
(32) Consent must be given by a clear affirmative act that reflects a manifestation of | |||
free, specific, informed, and unequivocal will of the interested party to accept the processing of data from | |||
personal character that concerns you ... Therefore, silence, the boxes already marked or inaction does not | |||
they must constitute consent. Consent must be given for all activities of | |||
treatment carried out for the same or the same purposes. When the treatment has several purposes, you must | |||
give consent for all of them ... | |||
(42) When the treatment is carried out with the consent of the interested party, the person responsible for the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 86 | |||
86/124 | |||
treatment must be able to demonstrate that he has given his consent to the operation of | |||
treatment. In particular in the context of a written statement made on another matter, | |||
there must be guarantees that the interested party is aware of the fact that he gives his consent and | |||
to the extent that it does. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071), | |||
A model declaration of consent must be provided previously prepared by the | |||
data controller with an intelligible and easily accessible formulation that uses a language | |||
clear and simple, and that does not contain abusive clauses. For the consent to be informed, the | |||
The interested party must know at least the identity of the person responsible for the treatment and the purposes of the | |||
treatment for which the personal data is intended. Consent must not | |||
be considered freely provided when the interested party does not have a true or free choice or not | |||
You can deny or withdraw your consent without suffering any harm. | |||
(43) (…) It is presumed that consent has not been freely given when it does not allow authorizing by | |||
separate the different personal data processing operations despite being appropriate in the case | |||
specific, or when the performance of a contract, including the provision of a service, is | |||
dependent on consent, even when it is not necessary for such compliance. | |||
It is also necessary to take into account the provisions of article 6 of the LOPDGDD: | |||
"Article 6. Treatment based on the consent of the affected party | |||
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the term | |||
consent of the affected party any manifestation of free, specific, informed and unequivocal will | |||
by which he accepts, either through a declaration or a clear affirmative action, the treatment | |||
of personal data concerning you. | |||
2. When it is intended to base the processing of the data on the consent of the affected party for a | |||
plurality of purposes, it will be necessary to state specifically and unequivocally that said | |||
consent is given for all of them. | |||
3. The execution of the contract may not be subject to the affected party consenting to the treatment of the | |||
personal data for purposes that are not related to the maintenance, development or control | |||
of the contractual relationship ” . | |||
- Processing of personal data based on the consent of the interested parties | |||
In accordance with the above, data processing requires the existence of a | |||
legal basis that legitimizes it, such as the consent of the interested party validly given, | |||
necessary when there is no other legal basis than those mentioned in article 6.1 | |||
of the RGPD or the treatment pursues a purpose compatible with that for which the data were collected | |||
data. | |||
Article 4 of the RGPD) defines “consent” as follows: | |||
"11)" consent of the interested party ": any manifestation of free will, specific, informed and | |||
unequivocal by which the interested party accepts, either through a declaration or a clear action | |||
affirmative, the processing of personal data that concerns him ” . | |||
Consent is understood as a clear affirmative act that reflects a | |||
manifestation of free, specific, informed and unequivocal will of the interested party to accept | |||
the processing of personal data that concerns you, provided with guarantees | |||
sufficient so that the person in charge can prove that the interested party is aware of the | |||
fact that you consent and the extent to which you do so. And it must be given to all | |||
the treatment activities carried out for the same or same purposes, so that, when | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 87 | |||
87/124 | |||
the treatment has several purposes, consent must be given for all of them in a | |||
specific and unequivocal, without the execution of the contract being subject to the fact that the affected | |||
consent to the processing of your personal data for purposes that are not related | |||
with the maintenance, development or control of the business relationship. In this regard, the legality | |||
of the treatment requires that the interested party be informed about the purposes for which they are intended | |||
the data (informed consent). | |||
Consent must be given freely. It is understood that consent does not | |||
is free when the interested party does not have a true or free choice or cannot deny or | |||
withdraw your consent without suffering any harm; or when you are not allowed to authorize | |||
separate the different personal data processing operations despite being adequate | |||
in the specific case, or when the fulfillment of a contract or service provision is | |||
dependent on consent, even when it is not necessary for such compliance. | |||
This occurs when consent is included as a non-negotiable part of the | |||
general conditions or when the obligation to agree to the use of | |||
personal data additional to those strictly necessary. | |||
Without these conditions, the provision of consent would not offer the interested party a | |||
true control over your personal data and their destination, and this would make it illegal to | |||
treatment activity. | |||
The Article 29 Working Group analyzed these issues in its document | |||
"Guidelines on consent under Regulation 2016/679" , adopted on | |||
11/28/2017, reviewed and approved on 04/10/2018. | |||
These Guidelines have been updated by the European Data Protection Committee | |||
on 05/04/2020 through the document “Guidelines 05/2020 on consent with | |||
according to Regulation 2016/679 ” (it keeps the parts that are transcribed | |||
then). In this document 5/2020 it is expressly stated that the opinions of the | |||
Article 29 (WP29) Working Group on consent remain relevant, | |||
provided they are consistent with the new legal framework, stating that these guidelines do not | |||
they replace the previous opinions, but rather expand and complete them. | |||
From what is indicated in the GT29 document cited above, it is interesting now | |||
highlight some of the criteria related to the validity of consent, specifically | |||
on the elements "specific" , "informed" and "unequivocal" : | |||
“3.2. Specific manifestation of will | |||
Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the treatment of | |||
your data must be given "for one or more specific purposes" and that an interested party can choose with | |||
with respect to each of these purposes. The requirement that consent must be "specific" has | |||
in order to guarantee a level of control and transparency for the interested party. This requirement has not been | |||
amended by the GDPR and remains closely linked to the consent requirement | |||
"informed". At the same time, it must be interpreted in line with the 'disassociation' requirement for | |||
obtain "free" consent. In short, to fulfill the character of "specific" the | |||
responsible for the treatment must apply: | |||
i) the specification of the purpose as a guarantee against deviation of use, | |||
ii) disassociation in consent requests, and | |||
iii) a clear separation between the information related to obtaining consent for the | |||
data processing activities and information on other issues. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 88 | |||
88/124 | |||
Ad. i): In accordance with article 5, section 1, letter b), of the GDPR, obtaining consent | |||
Valid is always preceded by the determination of a specific, explicit and legitimate purpose for the | |||
planned treatment activity. The need for specific consent in combination with the | |||
notion of limitation of purpose contained in article 5, paragraph 1, letter b), functions as | |||
guarantee against the gradual extension or blurring of the purposes for which the treatment is carried out | |||
of the data once an interested party has given their authorization to the initial collection of the data. | |||
This phenomenon, also known as diversion of use, poses a risk to stakeholders already | |||
that may lead to an unforeseen use of personal data by the person responsible for the | |||
treatment or third parties and the loss of control by the interested party. | |||
If the controller is based on article 6, paragraph 1, letter a), the interested parties must | |||
always give your consent for a specific purpose for the processing of data. In consonance | |||
with the concept of purpose limitation, with article 5, paragraph 1, letter b), and with the | |||
Recital 32, consent may cover different operations, provided that said | |||
operations have the same purpose. Needless to say, specific consent can only be obtained | |||
when the interested parties are expressly informed about the purposes envisaged for the use of the data | |||
that concern them. | |||
Without prejudice to the provisions on compatibility of purposes, consent must be | |||
specific for each purpose. The interested parties will give their consent understanding that they have control | |||
about your data and that these will only be processed for said specific purposes. If a responsible treats | |||
data based on consent and, in addition, you want to process said data for another purpose, you must | |||
obtain consent for that other purpose, unless there is another legal basis that better reflects the | |||
situation… | |||
Ad. ii) The consent mechanisms should not only be separated in order to comply with the | |||
"free" consent requirement, but must also comply with the consent requirement | |||
"specific". This means that a data controller seeking consent to | |||
several different purposes, it must facilitate the possibility of opting for each purpose, so that users | |||
can give specific consent for specific purposes. | |||
Ad. iii) Finally, the data controllers must provide, with each request for | |||
separate consent, specific information on the data that will be processed for each purpose, with the | |||
In order for the interested parties to know the impact of the different options they have. Of this | |||
Thus, data subjects are allowed to give specific consent. This question overlaps with the | |||
requirement that those responsible provide clear information, as stated above | |||
in section 3.3 ". | |||
"3.3. Informed expression of will… ” (this section 3.3 already outlined in the Basis of | |||
Previous right). | |||
"3.4. Unequivocal manifestation of will | |||
The RGPD clearly establishes that consent requires a declaration by the interested party or a | |||
clear affirmative action, meaning that consent must always be given through action | |||
or statement. It must be evident that the interested party has consented to an operation | |||
specific data processing ... | |||
A "clear affirmative action" means that the data subject must have acted deliberately to | |||
give your consent to that particular treatment. Recital 32 offers additional guidance | |||
on this point ... | |||
The use of already checked acceptance boxes is not valid under the GDPR. The silence or the | |||
inactivity of the interested party, or simply continuing with a service, cannot be considered as a | |||
active indication of having made a choice ... | |||
A data controller must also take into account that consent cannot | |||
be obtained through the same action by which the user agrees a contract or accepts the terms and | |||
general conditions of a service. Global acceptance of the general terms and conditions does not | |||
can be considered a clear affirmative action aimed at giving consent to the use of data | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 89 | |||
89/124 | |||
personal. The RGPD does not allow those responsible for the treatment to offer boxes marked | |||
previously or opt-out mechanisms that require the intervention of the interested party to | |||
avoid the agreement (eg "opt-out boxes") ... ”. | |||
Those responsible for the treatment must design the consent mechanisms so that | |||
are clear to stakeholders. They must avoid ambiguity and ensure that action by means of | |||
which consent is given is distinguished from other actions… ”. | |||
This document cites Opinion 15/2011 of the WG29, on the definition of the | |||
consent. Regarding consent as a manifestation of unequivocal will, in this | |||
Last Opinion indicates: | |||
"For consent to be unequivocally granted, the procedure for obtaining it and | |||
granting does not have to leave any doubt about the intention of the interested party when giving his | |||
consent. In other words, the manifestation by which the interested party consents must not | |||
leave room for any misunderstanding about your intention. If there is a reasonable doubt about the intent of the | |||
person will produce an equivocal situation. | |||
As described below, this requirement obliges data controllers to create | |||
rigorous procedures for people to give their consent… ”. | |||
“This example illustrates the case of the person who remains passive (eg, inaction or 'silence'). | |||
Unequivocal consent does not fit well with procedures for obtaining consent to | |||
starting from the inaction or silence of the people: the silence or inaction of one party is | |||
inherently misleading (the interested party's intention could be assent or simply not | |||
perform the action) ”. | |||
“… Individual behavior (or rather, lack of action) raises serious doubts about the will | |||
according to the person. The fact that the person does not take a positive action does not allow | |||
conclude that you have given your consent. Therefore, it does not meet the consent requirement | |||
unequivocal". Furthermore, as illustrated below, it will also be very difficult for the person responsible for the | |||
data processing provide proof that shows that the person has consented ”. | |||
In this case, BBVA contemplates in its privacy policy the use of the | |||
personal data of your customers for purposes other than mere compliance with the | |||
business relationship. Specifically, the aforementioned entity mentions the following purposes, excluding | |||
that relating to the management of the products and services contracted: | |||
“2) To get to know you better and personalize your experience. | |||
3) To offer you products and services from BBVA, the BBVA Group and others, customized for you. | |||
We are not going to flood you with information. | |||
4) To communicate your data to BBVA Group companies so that they can offer you products and | |||
own personalized services for you. | |||
5) To improve the quality of products and services ”. | |||
In relation to these purposes, BBVA refers to legitimate interest as the basis | |||
legitimizing for the use of the data for the purpose indicated in section 2) above and to | |||
consent in relation to the other purposes indicated. | |||
The responsible entity did not design a specific mechanism to collect the | |||
consent of their clients in order to use personal data with the | |||
purposes 3), 4) and 5), BBVA having estimated that the acceptance without further ado of the | |||
privacy, by means of the client signing the repeated form, entails the provision of | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 90 | |||
90/124 | |||
that consent. | |||
BBVA limits the options of the interested party to marking a box through which | |||
You record your opposition to the indicated data processing. The form | |||
data collection and provision of consent reads as follows: | |||
"We inform you that if you do not agree with the acceptance of any of the following purposes, | |||
you can select them below. | |||
. Products and prices more adjusted to you | |||
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others customized for me. | |||
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
offer personalized products and services for me. | |||
Quality improvement | |||
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make of your data. | |||
We remind you that when you enter the key that is requested in the signing process, you will be giving your | |||
In accordance with this Declaration of Economic Activity and Personal Data Protection Policy. | |||
SIGNING OF THE DOCUMENT "DECLARATION OF ECONOMIC ACTIVITY AND POLICY OF | |||
PROTECTION OF PERSONAL DATA ", including its Extended Information (model LOPD NORMAL | |||
PERSONAL DATA / DAE, version 13 09-23-2018) ”. | |||
Contrary to what is established in the RGPD, with this mechanism there is no option to | |||
that the client gives his consent to the treatments in question, but that the | |||
Consent is intended to be obtained through the inaction of the interested party (do not mark the | |||
boxes indicating “I DO NOT want to…” ). It is not an affirmative action, but an | |||
pure inaction that does not ensure that the interested party unequivocally grants consent | |||
(usually when you mark something it is because you want it, not because you don't want it; it may not | |||
having understood the double negation; may not have paid due attention when reading | |||
quickly the indications in question). | |||
It is, in short, a consent that is intended to be deduced from inaction and, | |||
therefore, contrary to the RGPD. The requirement according to which “consent must | |||
be given through a clear affirmative act that reflects a manifestation of free will, | |||
specific, informed, and unequivocal of the interested party to accept the data processing of | |||
personal character that concerns him ” , understanding that “ inaction should not constitute | |||
consent ” (Recital 32). | |||
With the designed mechanism, BBVA understands all treatments consented | |||
detailed with the signature of the Privacy Policy. This acceptance by action | |||
unique of all the treatments, which results from the acceptance of the privacy policy (says | |||
expressly the repeated document: "We remind you that when you enter the password that | |||
is requested in the signing process, you will be agreeing to this Declaration of | |||
Economic Activity and Personal Data Protection Policy ” ), also becomes | |||
Invalid consent given by the interested party, regarding the use of the data | |||
for purposes other than the execution of the contract or business relationship maintained by the | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 91 | |||
91/124 | |||
interested party and the responsible entity or, what is the same, with respect to all those | |||
treatments that require a differentiated and granular consent. | |||
Consent must be given for all processing activities carried out with | |||
the same or the same purposes and, when the treatment has several purposes, the | |||
consent for all of them, although through a manifestation of expressed will | |||
for each of the purposes separately or differently, allowing the interested party to choose | |||
for choosing all, a part or none of them. As expressed in Recital 43, no | |||
consent can be understood to have been freely given by not being allowed to "authorize | |||
separately the different personal data processing operations despite being | |||
appropriate in the specific case ” . Recital 32 states that "consent must | |||
cover all processing activities carried out for the same purpose or purposes. When the | |||
processing has multiple purposes, consent must be given for all of them ” . | |||
"When data processing is carried out for various purposes, the solution to meet | |||
with the conditions of valid consent lies in the granularity, that is, the | |||
separation of these purposes and obtaining consent for each purpose ” (Guidelines of the | |||
GT29). Understand that the signature of the form enabled by BBVA for data collection | |||
personal and for the provision of consent implies acceptance of all of them not | |||
It meets this requirement to authorize the various options separately. Accept as valid | |||
signing the document as the only action would be the same as accepting the provision of a | |||
global consent for all processing operations without considering whether their | |||
purposes are diverse or not, which is contrary to all the bases expressed | |||
about this issue. | |||
In addition, as noted, the formula used is not articulated as a | |||
authorization or consent, but in the opposite direction. With this formula, that only | |||
allows the interested party to “not authorize” , BBVA understands that consent has been given when it is not | |||
check the option offered. In these cases, that is, when the interested party does not mark the | |||
options "I do not want ..." , it will not be possible to conclude with absolute certainty if the interested party acted | |||
deliberately leaving those boxes unchecked. For the same reason, the person responsible never | |||
will be in a position to demonstrate that it acted with the consent of the owners of the | |||
personal information. | |||
This formula responds to what the Article 29 Working Group calls | |||
“Opt-out mechanisms” : << The RGPD does not allow those responsible for the | |||
treatment offer previously checked boxes or opt-out mechanisms | |||
that require the intervention of the interested party to avoid the agreement (for example, check boxes | |||
voluntary exclusion ”) >>. | |||
(…) | |||
Furthermore, the consent given is not considered informed. It has already been said here | |||
the importance of providing information to data subjects before obtaining their consent, | |||
essential so they can make decisions having understood what you are authorizing. Yes | |||
the person in charge does not provide clear and accessible information, the user's control will be | |||
Illusory and consent will not constitute a valid basis for the processing of the data. | |||
What is stated in Law Foundation VI, on the objections observed in the | |||
information that BBVA provides regarding the protection of personal data, affect | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 92 | |||
92/124 | |||
equally to the consent that could have been given, making it invalid as it is not | |||
an informed consent, in relation to data collection operations or | |||
data processing with respect to which defects in the | |||
information, including the processing of data that has not been provided directly by the | |||
interested party or that are not necessary for the fulfillment of the contractual relationship that | |||
bind to the entity. | |||
It is not necessary to reiterate here the circumstances already expressed in relation to the | |||
language used in the privacy policy or the lack of a clear and intelligible formulation | |||
of the purposes and processing operations. | |||
All these deficiencies prevent those interested from knowing the meaning and real meaning | |||
of the indications provided and the real scope of the consents that they could give. | |||
Therefore, all the detailed treatments whose legal basis comes from | |||
determined, as expressed by the BBVA entity itself, by the consent of | |||
the interested parties, which include the following processing of personal data, with the | |||
detail that in each case is included in the information provided by BBVA, already detailed: | |||
. The use of personal data of clients to offer them products and services of | |||
BBVA, the BBVA Group and third parties. | |||
. The communication of personal data to BBVA Group companies. | |||
. The use of personal data to improve the quality of products and services. | |||
BBVA, in its brief of allegations, has made a considerable effort to | |||
justify the mechanism designed, that is, to justify that the signature of the document of | |||
privacy policy is affirmative action. However, no argument provided by | |||
the entity is valid to save the need to give consent separately | |||
through an affirmative action (the consent that BBVA understands given to | |||
from a box that the interested party leaves unchecked). This earlier conclusion is so sharp | |||
that the foregoing to substantiate it is considered sufficient to reject | |||
said allegations. | |||
Contrary to what is indicated in the brief of allegations prepared by BBVA, there is no | |||
offers the interested party the possibility of opting and choosing their preferences, but the possibility of | |||
reject or oppose; It is not true that control over the data is guaranteed by the | |||
client; Nor is it that BBVA has opted for a clear affirmative action, referring to | |||
the signing of the "Declaration" . | |||
Regarding the formulas for obtaining consent, BBVA warns that the | |||
Recital 32 admits many different ones. This is true, but the same Recital 32 | |||
requires for all these formulas that consent is given by an affirmative act | |||
that reflects a free, specific, informed and unequivocal manifestation of the will of the | |||
interested in accepting the processing of personal data that concerns him. Already | |||
has previously explained the scope of these demands. | |||
BBVA cites examples of consents that it says are valid, although none of them | |||
can be estimated similar to the mechanism designed by this entity in the repeated form of | |||
data Collect. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 93 | |||
93/124 | |||
One of the examples you cite is the case numbered "example 17" in the | |||
Guidelines on WG consent29. BBVA understands that it can be assimilated to what it is | |||
object of this file, when admitting a scenario that contains the options for marking | |||
a "yes" and a "no" : | |||
“A data controller can also obtain explicit consent from a person who | |||
visit your website by offering an explicit consent screen that contains Yes and No boxes, | |||
provided that the text clearly indicates consent, for example, “I, give my consent to the | |||
treatment of my data ”and not, for example,“ I am clear that my data will be processed ”. Strike | |||
say that the conditions of informed consent must be met, as well as the rest of the | |||
conditions necessary to obtain valid consent ” . | |||
In the opinion of this Agency, this example is not comparable to the present case. In that | |||
For example, the marking of the box is given validity, giving or denying consent, | |||
while the mechanism of BBVA's Privacy Policy is taken for granted the | |||
consent without taking any action. It would be different if in the example | |||
shown, consent will be given if you do not check either of the two | |||
available boxes, in which case, that presumed “manifestation of will” would not be | |||
acceptable. | |||
Likewise, in its brief of allegations to the proposed resolution, it insists on the | |||
same reasoning already contained in his brief of allegations at the opening and indicates that | |||
the Agency has not argued anything in this regard. | |||
This Agency, however, believes otherwise. The standards outlined and | |||
arguments presented in this Legal Basis are considered sufficient to give | |||
answer and disprove the allegations presented by BBVA, and these allegations are the | |||
that they have not taken into consideration what is established in the norms and the arguments of the | |||
Agency. | |||
(…) | |||
It adds that it is lawful and legitimate to process a large amount of personal data and that this | |||
fact cannot be penalized. And this is so, provided that the principles and | |||
Provided guarantees and any applicable regulations. | |||
- Other processing of personal data without legal basis | |||
On the other hand, this Agency considers that there are other data processing that | |||
They are stated in the privacy policy that they are carried out without any basis of legitimacy: | |||
. Purpose 4 refers to the communication of customer data to Group companies | |||
BBVA so that they can offer you personalized products and services. However, in the | |||
privacy policy is added that the information communicated "will be treated to try | |||
improve the characteristics and prices of the offer of products and services ”. The use of | |||
data by the BBVA Group companies for this purpose is not covered by the | |||
consent given by the client in relation to this purpose. | |||
. Nor is there a legal basis that legitimizes the use of personal data "related to | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 94 | |||
94/124 | |||
all the products and services… of which BBVA is a marketer ” with the purposes that | |||
are indicated in the privacy policy. BBVA is not the entity responsible for this data | |||
obtained from third-party products marketed by it, which limits the possibility | |||
to use the information in question for their own purposes, as stated above. | |||
The allegations to the proposed resolution made by the BBVA entity do not | |||
They contain no comments on these questions. | |||
- Processing of personal data based on the legitimate interest of the person responsible or | |||
third party | |||
It is considered, on the other hand, that there is not sufficient legal basis for the treatment of | |||
personal data that BBVA bases on your legitimate interest, carried out for the purpose of | |||
get to know the customer better and improve their experience, including profiling, depending on | |||
the terms used in the form under analysis. | |||
In this regard, the legitimate interest in the | |||
treatment of customer data in order to develop the business model of the | |||
entity, assess new features or send congratulations to customers. | |||
It should also be noted that in the description of the data processing that BBVA | |||
plans to perform on the basis of legitimate interest, includes the making of offers | |||
personalized or the development and improvement of the quality of products and services; being these | |||
processing of data similar to those outlined by citing other purposes based on the | |||
consent (offer personalized products and services and improve the quality of | |||
products and services), motivating that the description of the purposes and enumeration of | |||
processing of data contained in the information offered causes confusion to | |||
interested. Thus, data processing based on interest cannot be admitted. | |||
legitimate similar to others carried out on the basis of the client's consent, which, | |||
furthermore, it is not provided in a valid way. | |||
The information included in the “Declaration | |||
economic activity and personal data protection policy ” on these treatments | |||
of data based on the legitimate interest of BBVA: | |||
What do we use your personal data for? | |||
2. Get to know yourself better and personalize your experience | |||
At BBVA we want your experience as a customer to be as satisfactory as possible, through a | |||
personalized relationship that is more adapted to your customer profile and your needs. | |||
To achieve this we have to know you better, analyzing not only the data that allow us to identify you | |||
as a client, but also your financial evolution and that of the products and services you have | |||
contracted with us or through BBVA as a marketer, your operations -payments. income, | |||
transfers, debts, receipts- as well as the uses of BBVA products, services and channels. | |||
Additionally, we will apply statistical and classification methods to correctly adjust your | |||
profile. Based on the above, we managed to develop our business models. | |||
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and | |||
services that we consider according to your profile (own or marketed by BBVA), as well as offers | |||
personalized with more adjusted prices for you. As we will know you better, we can congratulate you | |||
for your anniversary, wish you a good day or happy holidays. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 95 | |||
95/124 | |||
If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or | |||
at any of our offices. | |||
This section is only applicable to BBVA customers. | |||
Why do we use your personal data? | |||
2. Get to know yourself better and personalize your experience: for the legitimate interest of BBVA. | |||
For the legitimate interest of BBVA, so that BBVA can better meet your expectations and | |||
we can increase your level of customer satisfaction by developing and improving the quality of | |||
own or third-party products and services, as well as perform statistics, surveys or studies of | |||
market that may be of interest. | |||
Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to | |||
accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a | |||
good day or happy holidays. | |||
These legitimate interests respect your right to the protection of personal data, to honor and to | |||
personal and family privacy. At BBVA we consider that, as a customer, you have an expectation | |||
reasonable to have your data used so that we can improve products and services and you can | |||
enjoy a better customer experience. In addition, we estimate that you also have a | |||
reasonable expectation of receiving congratulations on your anniversary. wish you a good day or | |||
Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise | |||
your right to object if you consider it appropriate at the following address: | |||
rightsprotecciondatos@bbva.com or at any of our offices. | |||
With this information, it is difficult for the interested party to have a clear idea about the | |||
data processing that will be carried out. (…) | |||
The information inferred by BBVA based on legitimate interest, including profiles | |||
prepared, is also used, based on the consent of the interested party, to offer | |||
products and services from BBVA, the BBVA Group and personalized third parties; and with the same | |||
legal basis is communicated to the BBVA Group companies so that they can also offer | |||
personalized products and services and “try to improve the characteristics and prices of the | |||
offer of products and services ” . | |||
The analysis of the question raised must initially take into account the provisions of | |||
Article 1.2 of the RGPD, according to which “This Regulation protects the rights and | |||
fundamental freedoms of natural persons and, in particular, their right to protection | |||
of personal data ” . For this, all the circumstances that | |||
surround the collection and processing of data and the way in which they are fulfilled or reinforced | |||
the principles, rights and obligations required by the data protection regulations of | |||
personal character. | |||
Article 6 of the RGPD requires that the processing of personal data, to be | |||
lawful, can be protected by any of the bases of legitimacy that it establishes and that the | |||
responsible for the treatment is able to demonstrate that, indeed, it concurred in the | |||
processing operation the legal basis that it invokes (article 5.2, principle of | |||
proactive responsibility). | |||
The legal bases of the treatment that are detailed in article 6.1 RGPD are | |||
related to the broader principle of legality of article 5.1.a) of the RGPD, precept | |||
which provides that personal data will be treated " lawfully, loyally and transparently in | |||
relationship with the interested party ”. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 96 | |||
96/124 | |||
In relation to the legal basis of the legitimate interest, invoked by BBVA for the | |||
treatments described in the previous sections, the aforementioned article 6 establishes: | |||
"1. The treatment will only be lawful if at least one of the following conditions is met: | |||
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller | |||
treatment or by a third party, provided that the interests or interests do not prevail over said interests. | |||
fundamental rights and freedoms of the interested party that require the protection of personal data, | |||
particularly when the interested party is a child ... ”. | |||
Recital 47 of the RGPD specifies the content and scope of this base | |||
legitimizing the treatment. | |||
The interpretive criteria that are extracted from this Considering are, among others, (i) | |||
that the legitimate interest of the controller prevails over the interests or rights and freedoms | |||
fundamentals of the data owner, in view of the reasonable expectations that the latter | |||
has, based on the relationship it maintains with the person responsible for the treatment; (ii) will be | |||
it is essential that a “ meticulous evaluation ” of the rights and interests at stake be carried out, | |||
also in those cases in which the interested party can reasonably foresee, in | |||
the moment and in the context of the data collection, that the treatment with | |||
such an end; (iii) the interests and fundamental rights of the owner of the personal data could | |||
prevail over the legitimate interests of the controller when the data is processed | |||
is carried out in such circumstances in which the interested party " does not reasonably expect" that | |||
a further processing of your personal data is carried out. | |||
It should be added that the interested party, in all cases, can exercise the right to | |||
opposition, which also involves a new evaluation of the interests of the controller and owner | |||
of the data, except in cases of commercial prospecting, in which the exercise of the right | |||
forces to interrupt the treatments without any evaluation (article 21.3 of the RGPD). | |||
It is interesting to highlight some aspects collected in the Opinion 6/2014 prepared by the | |||
Article 29 Working Group on the “ Concept of legitimate interest of the person responsible for the | |||
processing of data under article 7 of Directive 95/46 / CE ", dated | |||
04/09/2014, especially the factors that can be assessed when the | |||
mandatory weighing of the rights and interests at stake. Although Opinion 6/2014 is | |||
issued to favor a uniform interpretation of Directive 95/46 then in force, | |||
repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the | |||
RGPD, and that the reflections offered are an example and application of principles that inspire | |||
also the RGPD, such as the principle of proportionality, or general principles of the | |||
Community law, such as the principles of equity and respect for the law and the law, | |||
many of his reflections can be extrapolated to the application of current regulations. | |||
As indicated, so that section f) of article 6.1. RGPD may constitute | |||
the legitimizing basis for the processing of personal data that is carried out, mandatory, | |||
and prior to the treatment, a weighting, an “evaluation | |||
meticulous ” , of the rights and interests at stake: the legitimate interest of the person responsible for the | |||
treatment, on the one hand, and on the other, both the interests and the rights and freedoms | |||
fundamentals of those affected. Weighting that is essential, because only when I eat | |||
As a result of it, the legitimate interest of the data controller prevails over the | |||
rights or interests of the owners of the data may operate as legal basis of the | |||
treatment of the aforementioned interest. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 97 | |||
97/124 | |||
Regarding the weighting test, the repeated Opinion indicates the following: | |||
"The legitimate interest of the controller, when it is minor and not very pressing, in general, | |||
only nullifies the interests and rights of data subjects in cases where the impact on these | |||
rights and interests are even more trivial. On the other hand, an important and compelling legitimate interest | |||
may, in some cases and subject to guarantees and measures, justify even a significant intrusion into | |||
privacy or any other significant impact on the interests or rights of the interested parties. | |||
Here it is important to highlight the special role that guarantees can play in reducing a | |||
undue impact on data subjects and therefore to change the balance of rights and interests | |||
to the extent that the legitimate interest of the data controller prevails. By | |||
Of course, the use of guarantees alone is not sufficient to justify any type of | |||
treatment in any context. Furthermore, the guarantees in question must be adequate and | |||
sufficient, and must, without question and significantly, reduce the repercussion for the interested parties ” . | |||
The aforementioned Opinion refers to the multiple factors that can operate | |||
in the weighting of the interests at stake and groups them into these categories: | |||
(a) the evaluation of the legitimate interest of the controller, the nature and source | |||
legitimate interest and if the data processing is necessary for the exercise of a right | |||
fundamental, is otherwise in the public interest or benefits from recognition of the | |||
affected community; | |||
(b) the impact or repercussions on data subjects and their reasonable expectations about what | |||
will happen to your data ( “what a person considers reasonably acceptable under | |||
circumstances ” ), as well as the nature of the data and the way in which they are | |||
processed; underlining that the claim is not that the data processing carried out by the | |||
responsible does not have any negative impact on the interested parties but prevent the | |||
impact is “ disproportionate ”; | |||
(c) the provisional equilibrium and | |||
(d) additional guarantees that could limit an undue impact on the interested party, such | |||
such as data minimization, privacy protection technologies, increased | |||
transparency, the general and unconditional right to opt-out and the | |||
data portability. | |||
First of all, the Opinion underlines that the implication that the person responsible for the | |||
treatment may have in the data processing carried out is that of "interest", which is already | |||
referenced in the previous Legal Basis to indicate that it is related to | |||
purpose, but it is a broader concept ( “purpose is the specific reason why | |||
process the data: the purpose or intention of the data processing. One interest for another | |||
On the other hand, it refers to a greater involvement that the controller may have in the | |||
treatment, or the benefit that the controller obtains from the treatment ” ). | |||
It is also broader than that of fundamental rights and freedoms, hence, regarding | |||
those affected are weighed not only their fundamental rights and freedoms, but also their | |||
"Interests" . | |||
According to GT29, “an interest must be articulated with sufficient clarity to | |||
allow the balancing test to be carried out against the interests and | |||
fundamental rights of the interested party. Furthermore, the interest at stake must also be | |||
pursued by the controller. This requires a real and current interest, which is | |||
corresponds to present activities or benefits that are expected in a very future | |||
next. In other words, interests that are too vague or speculative are not | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 98 | |||
98/124 | |||
they will be enough ” . | |||
In addition, the "interest" of the data controller, as established in article 6.1.f) | |||
of the RGPD and before article 7.f) of the Directive, must be "legitimate" , which means, says the | |||
Opinion, which must be "lawful" (respectful of applicable national and EU legislation). | |||
However, the WG29 adds that "The legitimacy of the interest of the data controller | |||
it is only a starting point, one of the elements that must be analyzed under article | |||
7, letter f). Whether Article 7, letter f) can be used as a legal basis or not will depend | |||
the result of the next balancing test ”; "If the interest pursued by the | |||
controller is not compelling, it is more likely that the interest and rights | |||
of the interested party prevail over the legitimate - but less important - interest of the | |||
responsible for the treatment. Similarly, this does not mean that less interest | |||
compelling of the data controller cannot sometimes prevail over the interests | |||
and rights of the data subjects: this normally happens when the impact of the treatment | |||
about stakeholders is also less important ” . | |||
And exposes the following example: | |||
"Serve as an example: those responsible for the treatment may have a legitimate interest in knowing the | |||
preferences of your customers so that this allows them to better personalize their offers and, ultimately | |||
term, offer products and services that better respond to the needs and desires of your | |||
customers. In light of this, Article 7 (f) may constitute an appropriate legal basis in | |||
some types of market activities, online and offline, provided that | |||
adequate guarantees (including, but not limited to, a viable mechanism that allows to oppose the treatment | |||
by virtue of article 14, letter b), as will be explained in section III.3.6 The right to object and | |||
beyond). | |||
However, this does not mean that data controllers can refer to article 7, | |||
letter f), as a legal basis for improperly monitoring online and offline activities | |||
line of your customers, combine huge amounts of data about them, from different | |||
sources, which were initially collected in other contexts and for different purposes, and create -and, for | |||
For example, with the intermediation of data brokers, also trade with them - complex profiles | |||
of the personalities and preferences of customers without their knowledge, without a viable mechanism of | |||
opposition, not to mention the absence of informed consent. It is likely that said | |||
profiling activity represents a significant intrusion on customer privacy and, | |||
When this happens, the interests and rights of the interested party will prevail over the interest of the | |||
responsible for the treatment ” . | |||
Ultimately, the concurrence of said interest in the data controller does not | |||
necessarily means that article 6.1 f) RGPD can be used as a basis | |||
legal treatment. Whether or not it can be used as a legal basis | |||
it will depend on the result of the balancing test. | |||
In addition, the treatment must be that necessary to satisfy the legitimate interest | |||
pursued by the person in charge, so that less invasive means are always preferred | |||
to serve the same purpose. Need means here that the treatment is essential | |||
for the satisfaction of the aforementioned interest, so that, if said objective can be achieved | |||
reasonably otherwise less impactful or intrusive, the interest | |||
legitimate cannot be invoked. | |||
The term " need " used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a | |||
own and independent meaning in Community legislation. It is a " concept | |||
Autonomous Community Law ” (CJEU of 12/16/2008, case C-524/2006, section | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 99 | |||
99/124 | |||
52). On the other hand, the European Court of Human Rights (ECHR) has also offered | |||
guidelines for interpreting the concept of need. In section 97 of its Judgment of | |||
03/25/1983 affirms that the " necessary adjective is not synonymous with" indispensable "nor does it have the | |||
flexibility of the expressions “admissible,“ ordinary ”,“ useful ”,“ reasonable ”or“ desirable ”. | |||
On the impact or repercussion that the data processing has on the interests or | |||
fundamental rights and freedoms of the interested parties, indicates that the more "negative" or | |||
“Uncertain” may be the impact of treatment, it is more unlikely than treatment in its | |||
set may be considered legitimate. | |||
“The Task Force makes it clear that it is crucial to understand that relevant 'impact' is a | |||
concept much broader than damage or harm to one or more interested parties in particular. The term | |||
'Impact' as used in this Opinion covers any possible consequences (potential or actual) | |||
of data processing. For the sake of clarity, we also emphasize that the concept is not | |||
related to the notion of violation of personal data and is much broader than the | |||
repercussions that may arise from said violation. On the contrary, the notion of impact, such as | |||
used here, it encompasses the various ways in which an individual may be affected, positively or | |||
negatively, due to the processing of your personal data ”. | |||
“In general, the more negative and uncertain the impact of treatment may be, the more unlikely it is. | |||
that the treatment is considered, as a whole, legitimate. The availability of methods | |||
alternatives to achieve the objectives pursued by the data controller, with | |||
less negative impact on the data subject, should certainly be a consideration | |||
relevant in this context ”. | |||
As sources of potential repercussions for stakeholders he cites the probability | |||
that the risk may materialize and the seriousness of the consequences, noting that | |||
this concept of “severity may take into account the number of potentially | |||
affected ” . | |||
The assessment of the nature of the personal data that has been | |||
object of treatment ) , if the data has been made available to the public by the interested party or | |||
by a third party, a fact - says the Opinion - that can be an evaluation factor especially | |||
whether the publication was made with a reasonable expectation of data reuse | |||
for certain purposes: | |||
“… Does not mean that data that appears in and of itself innocuous can be processed | |||
freely ... even such data, depending on how it is processed, can have an impact | |||
significant about people ”. | |||
The way in which the person in charge treats the data; whether they have been disclosed to the public or | |||
have been made available to large numbers of people or if large amounts of data are | |||
process or combine with other data ( “for example, in the case of profiling, with | |||
commercial purposes, for purposes of compliance with the law or others ” ). On this question it is said: | |||
“Apparently innocuous data, when treated on a large scale and combined with other data, | |||
can lead to interference with more sensitive data, as demonstrated in Scenario 3 above, | |||
which gives as an example the relationship between pizza consumption patterns and insurance premiums for | |||
healthcare. | |||
In addition to potentially leading to the processing of more sensitive data, such analysis may | |||
also lead to strange, unexpected and sometimes inaccurate predictions, for example, concerning the | |||
behavior or personality of the affected persons. Depending on the nature and | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 100 | |||
100/124 | |||
impact of these predictions, this can be highly intrusive in the privacy of the person ” . | |||
All this, without forgetting the reasonable expectations of the interested parties: | |||
“… It is important to consider whether the position of the data controller, the nature of the relationship or | |||
the service provided, or the applicable legal or contractual obligations (or other promises made | |||
at the time of data collection) could give rise to reasonable expectations of a | |||
stricter confidentiality and stricter limitations on further use. Usually, | |||
the more specific and restrictive the context of data collection, the more constraints it is | |||
likely to be used. In this case, again, it is necessary to take into account the factual context and not | |||
simply be based on the fine print of the text ” . | |||
The Opinion also considers pertinent when evaluating the impact of the treatment to analyze the | |||
position of the data controller and the interested party; your position may be more or less | |||
dominant with respect to the interested party depending on whether the person responsible for the treatment is a | |||
person, a small organization or a large company, even a multinational company: | |||
“A multinational company may, for example, have more resources and bargaining power than the | |||
individual data subject and may therefore be in a better position to impose on the data subject | |||
what you think is your "legitimate interest". This may all the more so if the | |||
company has a dominant position in the market ” . | |||
When it comes to weighing the interests and rights at stake, the WG29 understands that the | |||
compliance with the general obligations imposed by the regulations, including the principles | |||
proportionality and transparency, help to ensure that the requirements are met | |||
legitimate interest. Although, it clarifies that this does not mean that the fulfillment of those | |||
horizontal requirements, by itself, are always sufficient. | |||
If, finally, after the evaluation, it is not clear how to achieve equilibrium, the | |||
taking additional guarantees can help reduce undue impact and ensure | |||
that the treatment may be based on legitimate interest. As additional measures | |||
includes, for example, the facilitation of voluntary and unconditional exclusion mechanisms, | |||
or increased transparency: | |||
“The concept of responsibility is closely linked to the concept of transparency. With the purpose of | |||
allow data subjects to exercise their rights and allow for wider public scrutiny by | |||
part of the interested parties, the Working Group recommends that those responsible for the treatment | |||
explain to stakeholders clearly and easily the reasons why they believe their interests | |||
prevail over the interests or fundamental rights and freedoms of the interested parties, and | |||
also explain the guarantees they have adopted to protect their personal data, including, | |||
where appropriate, the right to opt out of treatment ”. | |||
“As explained on page 46 of Opinion 3/2013 of the Working Group on the limitation of the | |||
purpose (cited in footnote 9 above), in the case of profiling and taking | |||
automated decisions, interested parties or consumers must be given access to their profiles to | |||
guarantee transparency, as well as the logic of the decision-making process (algorithm) that gave | |||
place to the development of said profiles. In other words: organizations should disclose their | |||
criteria for decision making. This is a fundamental guarantee and is especially | |||
important in the world of big data. Whether or not an organization offers this | |||
Transparency is a very pertinent factor that should also be considered in the proof of | |||
balancing ”. | |||
By referring to the right to object and the opt-out mechanism or right | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 101 | |||
101/124 | |||
unconditional opposition, the GT29 reflects on advertising based on profiles of the | |||
client, which requires a follow-up of the activities and personal data of the | |||
interested parties, which are analyzed with sophisticated automated methods. He concludes the following: | |||
“In this sense, it is useful to recall the Opinion of the Working Group on the limitation of the | |||
purpose, where it was specifically stated that when an organization wishes to analyze or predict | |||
specifically the personal preferences, behavior and attitudes of customers | |||
individuals that will subsequently motivate the «decisions or measures» adopted in relation to | |||
such clients ... free, specific, informed and informed consent should almost always be required | |||
unequivocal of "voluntary inclusion", since otherwise the reuse of the data will not be able to | |||
considered compatible. Most importantly, such consent must be required, for | |||
For example, for tracking and profiling for prospecting, advertising | |||
behavioral, data marketing, location-based advertising, or digital research | |||
market based on monitoring ” . | |||
In this case, the existence of a prevailing legitimate interest of the | |||
responsible for legitimizing the data processing that BBVA intends to base on this basis | |||
legal. | |||
It is worth highlighting in the first place, the defects expressed in the Foundation of | |||
Previous law in relation to compliance with the principle of transparency, by the | |||
limitations and difficulties, if not an impediment, that they pose when carrying out a | |||
true assessment of the concurrence of a prevailing legitimate interest, real and not | |||
speculative. | |||
What has already been indicated about the language used is reiterated here; the indefiniteness of | |||
purposes for which the personal data will be used ( "to better understand the customer" and "to improve | |||
products and services ” or “ develop the business model ” , etc.) and the exhaustive analysis of the | |||
information related to clients that carry such purposes; or about the types of profiles | |||
what will be done and the specific uses and applications that will be given to these profiles; and, | |||
especially, the lack of information on the specific interest of the person in charge, which is not | |||
expressed with the clarity and precision required by regulations. | |||
Considering that it is not even possible to clearly know the purposes of the | |||
treatment, they can hardly be associated with legitimate interests of BBVA that | |||
may, in addition, prevail over the rights of the interested parties, who are not informed | |||
clearly about the extremes required by data protection regulations. | |||
The legitimate interest expressed, which is described in the same terms as the | |||
purposes, it is vague and speculative (the details on the description of the legitimate interest | |||
they are outlined in the previous Law Foundation, (…)). It has as | |||
consequence that the treatments carried out are not predictable for a citizen | |||
means, medium. | |||
This being the case, it is impossible for the interested party, or this supervisory authority, to be able to | |||
assess whether the processing operations carried out are necessary, or if, on the contrary, | |||
The same result could be obtained by less invasive means; it cannot be concluded either, | |||
even less, that the interest invoked is prevalent. | |||
Rather, it seems that the "interests" expressed by BBVA, whether in the | |||
Privacy or (…) respond to economic interests of the entity, which are not expressed. The | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 102 | |||
102/124 | |||
obtaining an economic benefit through the business activity that BBVA | |||
develops it is still a legitimate interest, but in no case may it prevail over the | |||
fundamental right to data protection of affected persons. With total clarity | |||
the STS of 06/20/2020 has recently ruled on this matter (R. cassation | |||
1074/2019). In the sixth Legal Foundation he says, regarding one of the questions of | |||
appeal interest raised in the writ of admission of the appeal, “Commercial interests | |||
of a company responsible for a data file must yield to the legitimate interest of the | |||
owner of the data to the protection of the same ”. These economic interests cannot | |||
be rated as pressing. | |||
It is not said, as BBVA seems to indicate in its allegations to the proposal, that the | |||
pursued interest responds to economic interests and that, based on this, the | |||
processing of personal data based on legitimate interest. What stands out here is | |||
that if that is the legitimate interest, in itself considered and without taking into account the rest of | |||
factors that may operate in the weighting of the interests at stake, it is not estimated | |||
sufficient to accept the existence of a legitimate interest that protects the treatment of | |||
data in accordance with the provisions of article 6.1 f) of the RGPD. | |||
Now, even admitting BBVA's thesis, which qualifies as the legal interest of the | |||
responsible or third parties which we believe is nothing but the purpose of the treatment, that | |||
purported interest in no case could be qualified as necessary. | |||
(…) Without prejudice to the fact that the treatment of the claimants' data is “useful” , | |||
“Desirable” or “reasonable” , as stated by the ECHR in its Judgment of 3/25/1983, the term | |||
"Necessary" does not have the flexibility that is implicit in those expressions. | |||
As can be seen, what has been said above is in accordance with the doctrine of the | |||
Constitutional Court on the proportionality judgment that must be carried out on a | |||
restrictive measure of a fundamental right, to which BBVA refers in its allegations to | |||
the motion for a resolution. According to this doctrine, three requirements must be verified: | |||
suitability (if the measure allows to achieve the proposed objective); need (that does not exist | |||
another more moderate measure); proportionality in the strict sense (more benefits or advantages | |||
what damages). | |||
On these issues, it is not understood what BBVA indicated in those allegations | |||
when it indicates that it has adopted the necessary measures to minimize the information | |||
treated, and clear that the identifying data of the client is excluded. It has been said before that | |||
The information related to the client used is all the information related to the client, including the | |||
identifying data. (…) | |||
In addition to the above, the following circumstances are taken into account: | |||
. The manner in which the data used is collected based on legitimate interest and scale | |||
in data collection, which is excessive; as well as the use of personal data | |||
collected from third parties without the knowledge of the interested party (external solvency files | |||
assets and credits) or third-party products marketed by BBVA. | |||
. The techniques used (data processing in order to obtain algorithms) and the lack | |||
of transparency on the logic of the treatment consisting of profiling, which | |||
can lead to price discrimination and potentially financial impact | |||
which may have the character of excessive. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 103 | |||
103/124 | |||
. The high number of affected, as well as the large amount of data that is processed and | |||
combined with other data. The unlimited combination of personal data of all | |||
products and services contracted by the client, including third-party products | |||
marketed by BBVA and others obtained from external sources, and the lack of means that | |||
allow the user real control of their data is enough to consider that the interest of BBVA | |||
It cannot prevail over the rights of those affected. Said combination of data, due to its | |||
massive nature and due to the lack of definition of the data that will be used and the purposes, | |||
respects the aforementioned proportionality nor does it allow the necessary weighing judgment | |||
to assess the concurrence of a legitimate interest that justifies the processing of the data. | |||
It is significant that (…); and that the information obtained in accordance with | |||
the regulations for the prevention of money laundering and terrorist financing (...) | |||
. The dominant position of the person in charge over the interested party, due to his condition of great | |||
company and one of the market leaders in its sector. | |||
No consideration does BBVA make on the above circumstances in its writing | |||
of allegations to the proposal, despite its importance, except in relation to the deadline | |||
conservation. BBVA understands that the AEPD erroneously interprets what has been stated about the | |||
period of conservation of the data to carry out the treatment. (…). And clarifies that | |||
Data collected in compliance with the legislation on the prevention of money laundering is | |||
kept for the period established in this legislation, for the purposes provided in it, | |||
but not for controversial treatment. | |||
As can be seen, this Agency does not misinterpret the question | |||
regarding the age of the data subjected to treatment based on legitimate interest and not | |||
questions the conservation of the corresponding data in compliance with the legislation of | |||
money laundering. (…) And the use of data is questioned significantly | |||
collected in accordance with said regulations for the treatment operations that we | |||
occupy. | |||
A special importance must also be given to the absence of measures or | |||
additional guarantees. Among them, the increased transparency and | |||
enabling opt-out mechanisms. | |||
Regarding transparency, BBVA refers to the information provided in the “Declaration of | |||
Economic Activity and Data Protection Policy ” , without making available to the | |||
interested parties, the Report on the weighting of legitimate interest or the impact assessments; and | |||
mentions as a guarantee the exercise of the right of opposition, which is nothing more than a requirement | |||
normative. This right requires a new weighting, in accordance with the provisions of the | |||
Article 21 of the RGPD ( “the data controller will stop processing personal data, | |||
Unless it proves compelling legitimate reasons for the treatment that prevail over | |||
interests, rights and freedoms of the interested party ” ) and has nothing to do with the | |||
opt-out or unconditional opt-out mechanisms recommended. | |||
(…) | |||
Finally, it should be noted that BBVA repeatedly, throughout its brief of | |||
allegations, states that the processing of personal data carried out with this database | |||
legal benefit of the client. Consider achieving excellence in service | |||
through adequate knowledge of your customers, which allows you to anticipate your | |||
needs and improve BBVA's portfolio of products and services so that they meet the | |||
preferences of those; as well as enabling the use of the optimal channels for each client, | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 104 | |||
104/124 | |||
It is not only done for the benefit of the Bank but, in particular, of its clients. | |||
This entity affirms that the treatment is necessary for the fulfillment of | |||
that legitimate interest of BBVA and the client. | |||
The legitimate interest of the client is considered, in the terms of article 6.1 f) of the | |||
RGPD, as the legitimate interest of third parties. In this case, there is no such approach, according to | |||
which personal data processing operations are carried out on the basis of the | |||
legitimate interest of the client. Accepting it would be as much as admitting a legitimate interest that has arisen, | |||
or later, in respect of which the requirements set forth in the regulations have not been respected | |||
protection of personal data and about which is not informed in the Privacy Policy. | |||
In summary, for the reasons expressed, it is not proven that the alleged legitimate interest | |||
for the treatment of data that BBVA claims prevail over the interests and | |||
fundamental rights and freedoms of clients. Furthermore, the guarantees offered are not | |||
enough to overcome the imbalance that occurs with these treatment operations | |||
of personal data. | |||
Consequently, it must be concluded that the legitimate interest of BBVA does not prevail as | |||
legitimate basis for the treatment. | |||
The conclusion obtained from this examination does not contradict what was expressed in the Report of the | |||
Legal Office of the AEPD 195/2017, to which BBVA repeatedly refers, both (...) | |||
as in your brief of allegations. According to BBVA, this 195/2017 Report concludes the | |||
prevalence of the legitimate interest of financial entities for the analysis of the | |||
transactional movements and / or customer savings capacity, to make observations | |||
and offer recommendations on products and services, as well as for profiling | |||
more detailed that allows to specify with precision the products to be offered. | |||
However, the premises assessed in said report do not conform to the assumption | |||
present, in which the processing of personal data has a much more | |||
broader than those analyzed in said report, both with regard to the purposes of the | |||
treatment such as the information or personal data used. There is more to note that | |||
that report simply analyzes the performance of treatments for marketing purposes, | |||
provided that the offer refers to products similar to those contracted by the interested party and is | |||
use only the information available as a consequence of the management of the | |||
products. | |||
On the other hand, the aforementioned Legal Cabinet Report also responds to the | |||
queries raised regarding the anonymization of transactional data for | |||
develop new products, to analyze patterns of use of services to develop | |||
new ones. These uses coincide with the data processing that BBVA carries out based on | |||
to legitimate interest, but with non-anonymous information. | |||
Regarding the anonymization of data expressed, it is concluded that they must be distinguished | |||
two treatments. Namely, the one that gives rise to anonymous information (the anonymization | |||
itself), subject to data protection regulations, and the treatment that is | |||
carry out with the data already anonymized, excluded from said regulations. Exposes the report | |||
that when the anonymization is complete, it is impossible to link the information | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 105 | |||
105/124 | |||
directly or indirectly with a specific affected person, and much more if the data | |||
resulting are aggregated, the treatment may be protected in the legitimate interest. | |||
Based on everything stated in this report, BBVA alleges that the data processing | |||
that are carried out with the purposes 3 and 5 of the "Declaration of Economic and Political Activity | |||
of Data Protection ” (3. Offer personalized products and services of BBVA, the Group | |||
BBVA and others; 5. Improve the quality of products and services) could have been based | |||
in the concurrence of legitimate interest, so that when obtaining the consent of the | |||
stakeholders has adopted by reinforced measures of active responsibility. | |||
This Agency does not share the idea that consent constitutes a basis | |||
reinforced legal. As stated here, consent is subject to | |||
specific requirements in its provision, so that its provision by itself does not guarantee | |||
the legality of the treatments. | |||
The same can be said about the performance of those treatments based on the | |||
legitimate interest. It would be necessary, as has been seen here, an exhaustive analysis of all the | |||
concurrent circumstances in relation to the treatments intended to assess this the | |||
relevance of legal basis. | |||
In any case, it has been the BBVA entity itself that decided, in the design of its | |||
treatment operations, protect in the consent those that are described in the | |||
purposes 3 and 5. | |||
Consequently, in accordance with the above findings, the aforementioned | |||
facts represent a violation of article 6 of the RGPD, in relation to article 7 of the | |||
same legal text and article 6 of the LOPDGDD, which gives rise to the application of the powers | |||
corrective measures that article 58 of the RGPD grants to the Spanish Data Protection Agency. | |||
VIII | |||
In the event of an infringement of the RGPD precepts, among the | |||
corrective powers available to the Spanish Data Protection Agency, such as | |||
control authority, article 58.2 of said Regulation contemplates the following: | |||
“2 Each supervisory authority shall have all the following corrective powers indicated at | |||
continuation: | |||
(…) | |||
b) punish any person responsible or in charge of the treatment with warning when the | |||
treatment operations have infringed the provisions of this Regulation; " | |||
(...) | |||
d) order the person in charge or in charge of the treatment that the treatment operations conform to | |||
the provisions of this Regulation, where appropriate, in a certain way and within | |||
a specified term; | |||
(…) | |||
i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures | |||
mentioned in this section, according to the circumstances of each particular case; " . | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 106 | |||
106/124 | |||
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) | |||
above is compatible with the sanction consisting of an administrative fine. | |||
IX | |||
In the present case, the breach of the principle of | |||
transparency established in articles 12, 13 and 14 of the RGPD, as well as the principle of legality | |||
of the treatment regulated in article 6 of the same Regulation, with the scope expressed in | |||
the previous Fundamentals of Law, which implies the commission of respective infractions | |||
typified in article 83.5 of the RGPD, which under the heading " General conditions for the | |||
imposition of administrative fines ” provides the following: | |||
"Violations of the following provisions will be sanctioned, in accordance with section 2, with | |||
administrative fines of up to EUR 20,000,000 or, in the case of a company, a | |||
amount equivalent to a maximum of 4% of the total annual global business volume for the year | |||
previous financial statement, opting for the one with the highest amount: | |||
a) the basic principles for the treatment, including the conditions for consent in accordance with | |||
Articles 5, 6, 7 and 9; | |||
b) the rights of the interested parties in accordance with articles 12 to 22; (…) ” . | |||
In this regard, the LOPDGDD, in its article 71 establishes that “They constitute | |||
offenses the acts and conducts referred to in sections 4, 5 and 6 of article 83 | |||
of Regulation (EU) 2016/679, as well as those that are contrary to this law | |||
organic ” . | |||
For the purposes of the limitation period, articles 72 and 74 of the LOPDGDD indicate: | |||
“Article 72. Violations considered very serious. | |||
1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered very | |||
serious and will prescribe after three years the infractions that suppose a substantial violation of the | |||
articles mentioned therein and, in particular, the following: | |||
(…) | |||
b) The processing of personal data without any of the conditions of legality of the | |||
treatment established in article 6 of Regulation (EU) 2016/679 ”. | |||
“Article 74. Infractions considered minor. | |||
The remaining infringements of a merely formal nature are considered minor and will prescribe a year. | |||
the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in | |||
in particular, the following: | |||
a) Failure to comply with the principle of transparency of information or the right to information of the | |||
affected by not providing all the information required by articles 13 and 14 of Regulation (EU) | |||
2016/679 " . | |||
In order to determine the administrative fine to be imposed, the provisions | |||
of articles 83.1 and 83.2 of the RGPD, precepts that state : | |||
"1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with the | |||
this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 are | |||
in each individual case effective, proportionate and dissuasive. | |||
2. Administrative fines will be imposed, depending on the circumstances of each individual case, to | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 107 | |||
107/124 | |||
additional or replacement title of the measures referred to in article 58, paragraph 2, letters a) to h) and | |||
j). When deciding the imposition of an administrative fine and its amount in each individual case, the | |||
due account: | |||
a) the nature, seriousness and duration of the offense, taking into account the nature, scope or | |||
purpose of the treatment operation in question as well as the number of interested parties affected | |||
and the level of damages they have suffered; | |||
b) intentionality or negligence in the infringement; | |||
c) any measure taken by the controller or processor to mitigate the damage and | |||
damages suffered by the interested parties; | |||
d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the | |||
technical or organizational measures that have been applied by virtue of articles 25 and 32; | |||
e) any previous infringement committed by the person in charge or the person in charge of the treatment; | |||
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and | |||
mitigate the possible adverse effects of the violation; | |||
g) the categories of personal data affected by the infringement; | |||
h) the way in which the supervisory authority learned of the infringement, in particular if the | |||
responsible or the manager notified the infringement and, if so, to what extent; | |||
i) when the measures indicated in article 58, paragraph 2, have been previously ordered | |||
against the person in charge or the person in charge in relation to the same matter, compliance | |||
of said measures; | |||
j) adherence to codes of conduct under Article 40 or to certification mechanisms | |||
approved in accordance with Article 42, and | |||
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as | |||
financial benefits obtained or losses avoided, directly or indirectly, through the | |||
infringement". | |||
For its part, article 76 " Sanctions and corrective measures" of the LOPDGDD provides: | |||
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 are | |||
will be applied taking into account the graduation criteria established in section 2 of the aforementioned | |||
Article. | |||
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, they may also | |||
be taken into account: | |||
a) The continuing nature of the offense. | |||
b) The linking of the offender's activity with the processing of personal data. | |||
c) The benefits obtained as a result of the commission of the offense. | |||
d) The possibility that the affected person's conduct could have led to the commission of the offense. | |||
e) The existence of a merger by absorption process subsequent to the commission of the offense, which does not | |||
it can be attributed to the absorbing entity. | |||
f) Affecting the rights of minors. | |||
g) Have, when not mandatory, a data protection officer. | |||
h) The submission by the person in charge or in charge, on a voluntary basis, to mechanisms of | |||
alternative conflict resolution, in those cases in which there are controversies between | |||
those and anyone interested ”. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 108 | |||
108/124 | |||
In this case, considering the seriousness of the violations found, the | |||
imposition of a fine, in addition to the adoption of measures. The request cannot be accepted | |||
formulated by BBVA to impose other corrective powers that would have allowed | |||
the correction of the irregular situation, such as the warning, which is planned to | |||
natural persons and when the sanction constitutes a disproportionate burden (considering | |||
148 of the RGPD). | |||
BBVA states that it does not understand that in the past the Agency resorted to plans | |||
sectorial and in this case the sanctioning proceedings are initiated. This entity does not consider that | |||
These plans are carried out ex officio with the purpose of examining a sector in general and concluding | |||
recommendations that facilitate entities to adjust their processes in terms of protection | |||
of personal data. | |||
Likewise, in its brief of allegations to the resolution proposal, BBVA has | |||
requested that in determining the sanction that may be imposed the | |||
application of the principles of culpability and proportionality. | |||
He alleges the non-concurrence of guilt in his actions, considering that he has | |||
acted at all times with total diligence. It emphasizes that it has followed the guidelines of the | |||
AEPD included in the "Guide for compliance with the duty to inform" and that it has reported | |||
on all the points established in article 13 of the RGPD, as well as on other | |||
extremes that this rule does not impose and that neither did the interpretation of the AEPD; and | |||
He adds that he acted in the conviction, after having reported on the claims | |||
made, that the Agency had not noticed an element that contravened the established | |||
in the RGPD and LOPDGDD. Based on this, it invokes the principle of legitimate expectations, having | |||
acted in the belief that his conduct was in accordance with the law, and the Judgment of the | |||
National Court of 10/15/2012 (resource 608/2011), in which “the active | |||
participation of the Administration ”, which could lead the interested party to the conclusion that his | |||
action was in accordance with law; that his conduct is not covered by a | |||
reasonable legal interpretation of the applicable rules; and the difficulties in | |||
interpretation described by the Administration ”. | |||
BBVA refers to the different appreciation of some specific expressions | |||
contained in the Privacy Policy regarding the indications contained in this regard in | |||
the aforementioned Guide and what BBVA has described as "inactivity of the Administration" , by the | |||
time elapsed between the admission for processing of the claims made by the | |||
Claimants 1 and 2, which took place on 02/01/2019, and the adoption of the agreement to open the | |||
present sanctioning procedure, dated 12/02/2019. On this basis, he invokes the principle | |||
of legitimate confidence and understands that the actions of this Agency have influenced the commission | |||
of the infractions. | |||
This claim should be rejected for the reasons that have already been set out in this | |||
resolution when dealing with these allegations. | |||
On the one hand, it must be reiterated that BBVA has partially interpreted the “Guide for | |||
compliance with the duty to inform ” , basing its conclusions on three expressions | |||
specific points that are cited as an example in it, but without considering the general criteria | |||
and warnings it contains, which also cover important concerns that | |||
have determined the classification of the facts as constituting an infringement, referring not to | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 109 | |||
109/124 | |||
only to the language but also to the content of the Privacy Policy, in what it says and in what | |||
omitted, as well as all the processing operations carried out by BBVA. | |||
It is also indicated in the cited Guide itself that it must be completed with others that | |||
are related to the RGPD, as in this case in relation to the aspect to which we | |||
we refer. Specifically, the document of the Working Group on Article 29 “Guidelines on | |||
transparency under Regulation 2016/679 ” , adopted on 11/29/2017 and revised on | |||
04/11/2018, which must be known by an entity such as BBVA, when referring to the language that | |||
should be used in the information on the protection of personal data cites the | |||
expressions in question as " examples of poor practice". | |||
On the other hand, the actions of this Agency have not influenced in any way the | |||
BBVA's conduct determining the infractions analyzed. The alleged "inactivity of the | |||
Administration ” , for the time elapsed between the admission for processing of the first | |||
claims made and the adoption of the agreement to open the procedure, does not influence | |||
at all in the commission of the infractions or aggravate them, and this Agency has not carried out | |||
any action that has allowed BBVA to conclude that this Control Authority does not | |||
noted in the claims made any element that contravened the provisions of | |||
the RGPD and LOPDGDD. BBVA cannot provide any statement or action from this | |||
Agency that led him to this alleged confusion, simply because there is no action | |||
some in that sense. | |||
On the other hand, actions were carried out against BBVA from which it was able to deduce that the | |||
matter was ongoing. We refer to the procedures carried out by this Agency | |||
during the process of admission for processing of claims received after the | |||
02/01/2019, prior to the acceptance agreement of the respective claim, consisting of | |||
transfer these claims to the BBVA entity itself so that it could proceed to its analysis and | |||
respond to this Agency and the claimant. | |||
As mentioned in the previous Fundamentals of Law, BBVA knew the | |||
claims made and also knew that there was no pronouncement of this | |||
Agency about it. | |||
Thus, one cannot speak of “inactivity of the Administration” , since during that | |||
time the admission procedures were carried out for the rest of the claims. As has been | |||
detailed, the claims submitted by claimants 3 to 5 were entered in this | |||
Agency on the dates 02/13/2019 (a few days after that admission to the processing of | |||
02/01/2019), 05/23/2019 and 08/27/2019; and they were admitted for processing through | |||
08/06/2019, 09/13/2019 and 10/30/2019, respectively. | |||
Prior to admission, the claims made by the claimants 3 | |||
5 were transferred to BBVA for the indicated purpose. The transfer of these claims | |||
was notified to BBVA on 05/21/2019, 06/28/2019 and 09/19/2019. In the case of | |||
Complainant 4, BBVA requested an extension of the time allowed to respond and was granted | |||
said extension by writing notified to that entity on 08/19/2019. | |||
Ultimately, no legal consequence can be attributed to the time elapsed | |||
between the admission for processing of the claims and the opening of the procedure, even less | |||
the one claimed by BBVA. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 110 | |||
110/124 | |||
In accordance with the transcribed precepts, in order to set the amount of the sanctions | |||
of fine to be imposed in the present case on the defendant, as responsible for infractions | |||
typified in article 83.5.a) and b) of the RGPD, it is necessary to graduate the corresponding fine | |||
impose for each of the offenses charged as follows: | |||
1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified | |||
in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the | |||
LOPDGDD. | |||
It is estimated that the following factors concur as aggravating factors that reveal | |||
greater unlawfulness and / or culpability in the conduct of the BBVA entity: | |||
a) The nature, seriousness and duration of the offense: the facts found affect very | |||
seriously to one of the basic principles relating to data processing, such as the | |||
transparency, calling into question all the actions carried out by BBVA, in its | |||
as a whole, since the infractions result from the data management procedures | |||
personnel designed by BBVA to adapt these processes to the RGPD, which are | |||
considered irregular from the moment of collection of personal data. Without | |||
However, the present case does not refer to an assumption of total absence of information, but | |||
that the disputed facts result from not providing the interested parties with information | |||
sufficient in relation to the various treatments performed . | |||
BBVA considers that it is not acceptable in Law to assess as a circumstance | |||
aggravate an element of the offending type, such as the principle of transparency. However, | |||
what is taken into account here is not the offending type, even if it is mentioned in the presentation | |||
of the argument. As indicated, the fact that the | |||
Appreciated deficiencies call into question all the actions carried out by BBVA since | |||
same moment of the collection of the personal data of its clients. | |||
No reference is made by BBVA to these specific circumstances. | |||
b) The intentionality or negligence appreciated in the commission of the offense: the actions | |||
have proven an intentional conduct in relation to the violation of the regulations of | |||
personal data protection. (…) | |||
We do not see, on the other hand, what "guidelines emanating from the AEPD" has adjusted the | |||
design of this mechanism. | |||
c) The continuing nature of the offense, in the sense interpreted by the National High Court, | |||
as a permanent offense. | |||
BBVA warns in its allegations that this reproach is attributable to this Agency, | |||
that he was aware of the Privacy Policy almost a year before the opening of the procedure and, | |||
through its inaction, “it made it possible for BBVA not to adopt any measure to correct or | |||
modify the Privacy Policy ” . | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 111 | |||
111/124 | |||
This claim must also be rejected. We refer to what has already been stated in | |||
this same Legal Basis on the alleged "inactivity of the Administration". | |||
d) The high link of the activity of the offender with the performance of data processing | |||
personal: all operations that constitute the business activity carried out by | |||
BBVA involve personal data processing operations. | |||
e) The condition of a large company of the responsible entity and its volume of business: it is a | |||
leading company in the financial sector with a strong international presence. According to | |||
information that appears on the website “bbva.com” , the Income Statement for the 2019 financial year, to | |||
dated 09/30/2019, reflects a “Net Margin” of 9,304 million euros. In section | |||
“Geographical diversification” the breakdown by country is indicated, with Spain corresponding to | |||
23.4%. | |||
f) High volume of data and processing that constitutes the object of the file: the | |||
Infractions affect all data processing carried out by BBVA that does not result in | |||
necessary for the execution of the contract, for which all the information is used | |||
relative to customers. | |||
g) High number of interested parties: the perceived defects affect all clients | |||
natural persons of the entity (eight million thirty-one thousand, as stated by BBVA in its | |||
brief of allegations). | |||
h) The imputed entity does not have adequate procedures in place for action in the | |||
collection and processing of personal data, so that the infringement is not | |||
consequence of an anomaly in the functioning of these procedures, but a | |||
defect in the personal data management system designed by the person in charge. | |||
In relation to this aggravating circumstance, BBVA again claims that it cannot | |||
considered as such the offending type, understanding that the breach of the obligations | |||
information and the requirements for obtaining consent already imply that the | |||
responsible does not have proper procedures. | |||
This claim must be rejected. The circumstance expressed is taken to mean | |||
literal established in the standard. Furthermore, in this case, it is not taken into consideration for | |||
justify this aggravating information obligation. It is taken into account that the offense | |||
consisting of carrying out data processing operations without legal basis is | |||
structural and is not the result of a specific breach. And this results not only from non-compliance | |||
of the requirements for obtaining consent and not only affects operations carried out | |||
with this legal basis. For this reason, there is talk of the absence of adequate procedures in the | |||
collection and processing of personal data. | |||
Considering the exposed factors, the assessment of the fine for this | |||
offense is 2,000,000 euros. | |||
2. Infringement for breach of the provisions of article 6 of the RGPD, typified in the | |||
article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of | |||
the LOPDGDD: | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 112 | |||
112/124 | |||
It is estimated that they concur as aggravating factors, in addition to all the factors | |||
exposed in relation to the previous infraction indicated with letters c), d), e), f), g) and h), | |||
the following factors that reveal greater unlawfulness and / or culpability in the conduct | |||
of the BBVA entity: | |||
a) The nature, severity and duration of the offense: the offenses result from the | |||
personal data management procedures designed by BBVA for the adaptation of | |||
those processes to the RGPD, which are considered irregular from the moment of the | |||
collection of personal data and the provision of consents requested from the | |||
customers at the same time. The severity of the infractions increases according to the | |||
scope or purpose of the processing operations in question, which include the | |||
profiling using excessive information. | |||
b) The intentionality or negligence appreciated in the commission of the offense: the actions | |||
have proven an intentional conduct in relation to the violation of the regulations of | |||
personal data protection. It has already been said in this document that BBVA was | |||
aware that the mechanism enabled to obtain consent to the treatment of | |||
personal data would result in the majority accepting all purposes for | |||
default. The absence of specific guarantees in relation to data processing | |||
based on legitimate interest is one more circumstance to consider in this case, | |||
considering the scope of such treatments. | |||
(…) | |||
b) The benefits obtained as a result of the commission of the offense: the information | |||
relating to customers is used to improve the entity's business and to disseminate | |||
their products. | |||
c) The nature of the damages caused to the interested persons or third parties: | |||
the high degree of intrusion into the privacy of BBVA customers is taken into account and that | |||
The information is communicated to third parties (BBVA Group companies) for non-legitimate purposes. | |||
Considering the exposed factors, the assessment of the fine for this | |||
offense is 3,000,000 euros. | |||
The allegations to the proposed resolution made by the BBVA entity do not | |||
contain no observations on the circumstances indicated by letters d), e), f) and g) | |||
of point 1 (non-compliance with articles 13 and 14 of the RGPD), and those indicated with the letters | |||
a) and b) of point 2 above (breach of article 6 of the RGPD). | |||
Instead, it requests that the measures taken be taken into account as mitigating | |||
to regularize the situation of the claimants and the preparation of a new version of the | |||
BBVA Privacy Policy, in July 2020. | |||
Regarding the actions carried out in relation to the claims made, | |||
they basically limit themselves to marking claimants as excluded from commercial actions. | |||
In some cases as a consequence of the exercise of the right of opposition by the interested party and, | |||
in others, in view of the claim made. In two of the cases, the action carried out | |||
consisted in the formalization of the “Declaration of economic and political activity of | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 113 | |||
113/124 | |||
protection of personal data ” in the same terms analyzed in this resolution. | |||
These actions are not relevant enough to be considered in this | |||
procedure for the purposes intended by BBVA. It can be said that, in some cases, | |||
Those in which the subscription is formalized by the client of the "Declaration" does not exist | |||
no regularization; and in the others, the action complies with the regulations in that regard | |||
to the exercise of rights by the interested parties. It is not a true regularization of the | |||
irregular situation that is determined in the present sanctioning procedure. Therefore, | |||
rejects the request to consider such actions as a mitigating circumstance. | |||
On the other hand, BBVA considers that circumstances should be taken into account | |||
mitigating diligence, proactivity and speed shown, once the opening of the | |||
procedure, with the improvement of the information provided to the interested parties and the | |||
establishment of a new mechanism for obtaining the consent of the interested party, | |||
including in the first informative layer differentiated and granular boxes that the | |||
The interested party must check if they wish to authorize BBVA to process their data with each of the | |||
stated purposes | |||
It indicates that it has carried out a series of internal actions and has intensified | |||
its activity with the purpose of reinforcing the information provided to customers, having | |||
prepared, in July 2020, a new version of the Privacy Policy. | |||
However, it does not provide any details or justification about the actions it says | |||
have developed. | |||
Regarding the new version of the Privacy Policy, with which it intends | |||
correct or leave without "content all of the reproaches made by the AEPD" , and | |||
modifies the mechanism enabled to obtain consent, nor does it even provide the text | |||
of it, but only some fragments. | |||
Nor does BBVA provide any report or evaluation, nor does it explain how it has adapted the | |||
rest of the documents that determine the configuration of this new Privacy Policy and | |||
their subsequent analysis (e.g., recording of treatment activities, evaluation reports | |||
impact or weighting of legitimate interest). | |||
This documentation is especially necessary considering that the | |||
fragments of this new Privacy Policy included in the allegations make | |||
reference to treatment operations and other specific aspects that do not appear in the | |||
documentation that makes up the file. | |||
Furthermore, BBVA has not justified having transferred this new | |||
information on data protection, not even having planned this transfer. | |||
And the same can be said in relation to the consents given and the | |||
data processing carried out. BBVA, in its allegations, makes no mention of the | |||
regularization in its records of the annotations corresponding to the consents | |||
collected to date, or the suspension of personal data processing | |||
classified as illegal in these actions or the deletion of personal data | |||
collected from third parties or inferred by the entity itself. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 114 | |||
114/124 | |||
BBVA has enjoyed numerous opportunities to provide this documentation | |||
during the processing of the procedure. In each and every communication that you | |||
have been sent has been warned about the principle of permanent access regulated in the | |||
Article 53 "Rights of the interested party in the administrative procedure" of Law 39/2015, of | |||
October 1, of the Common Administrative Procedure of Public Administrations, which | |||
recognizes those interested in the procedure the right to know, at any time, | |||
the status of the processing and to formulate allegations, use the admitted means of defense | |||
by the Legal System, and to provide documents at any stage of the procedure | |||
prior to the hearing process. So that | |||
Consequently, it is not possible to consider the irregular situation regularized. | |||
X | |||
In accordance with the provisions of article 58.2.d) of the RGPD, each | |||
control may “order the person in charge of the treatment that the operations of | |||
treatment comply with the provisions of this Regulation, where appropriate, of a | |||
in a certain way and within a specified period… ” . | |||
In this case, considering the circumstances expressed in relation to the | |||
Appreciated breaches, from the point of view of data protection regulations | |||
personnel, it is appropriate to require the BBVA entity so that, within the period indicated in the | |||
operative, adapt to the personal data protection regulations the operations of | |||
processing of personal data carried out, the information offered to its customers and the | |||
procedure by which they give their consent for the collection and | |||
processing of your personal data. All this with the scope and in the sense expressed in | |||
the Bases of Law of this act. | |||
In those cases in which the client has not been duly informed about the | |||
circumstances regulated in articles 13 and 14 of the RGPD or had not provided | |||
valid consent, BBVA will not be able to carry out the collection and processing of data | |||
personal. The same applies in relation to data processing based on the | |||
legitimate interest of BBVA or third parties. | |||
In accordance with the above, in relation to the personal data of | |||
clients who have given their consent using the form called | |||
"Declaration of economic activity and personal data protection policy" , proceeds | |||
that BBVA, within the period indicated in the operative part, cease data processing | |||
following personal data: personal data processing consisting of offering customers | |||
products and services of the BBVA entity itself, of the BBVA Group and others customized for | |||
the client; cessation of the processing of personal data of its clients consisting of | |||
communicate such data to the BBVA Group companies so that they can offer them products | |||
and own personalized services for the client; and cessation of data processing | |||
your customers' staff to improve the quality of new products and services and | |||
existing. | |||
Likewise, it is appropriate to require BBVA so that, within the period indicated in the | |||
operative, notify the BBVA Group entities to which you have communicated data | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 115 | |||
115/124 | |||
personal data of the clients who have given their consent using the form | |||
called "Declaration of economic activity and data protection policy | |||
personal data ” that must delete such data and cease using them to | |||
offer their owners products and services of the Group's entities | |||
customized for the client and to improve the characteristics and prices of the offer of | |||
products and services. | |||
In the same way, it is necessary to require BBVA so that, within the period indicated in the | |||
operative part, cessation of the processing of personal data that said entity | |||
based on the legitimate interest of BBVA or third parties. | |||
It is noted that not meeting the requirements of the AEPD may be considered | |||
as a serious administrative offense by "not cooperating with the Control Authority" before the | |||
requirements made, and such conduct may be sanctioned with a pecuniary fine. | |||
The allegations to the proposed resolution made by the BBVA entity do not | |||
They contain no comments on these questions. | |||
Therefore, in accordance with the applicable legislation and the graduation criteria of | |||
the sanctions whose existence has been proven, | |||
the Director of the Spanish Agency for Data Protection RESOLVES: | |||
FIRST: IMPOSE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, with NIF | |||
A48265169 , for an infringement of articles 13 and 14 of the RGPD, typified in article | |||
83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD, | |||
a fine of 2,000,000 euros (two million euros). | |||
SECOND: IMPOSE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, for a | |||
infringement of article 6 of the RGPD, classified in article 83.5.a) and classified as very serious | |||
For the purposes of prescription in article 72.1.b) of the LOPDGDD, a fine in the amount of | |||
3,000,000 euros (three million euros). | |||
THIRD: REQUIRE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA so that, | |||
within six months, adapt to the personal data protection regulations the | |||
processing operations carried out, the information offered to its customers and the | |||
procedure by which they must give their consent for the collection | |||
and processing of your personal data, with the scope expressed in the Basis of | |||
Right X. Within the indicated period, BBVA must justify before this Spanish Agency for | |||
Data Protection attention to this requirement. | |||
FOURTH: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, | |||
SA | |||
FIFTH: Warn the sanctioned person that he must enforce the sanction imposed once | |||
this resolution is executive, in accordance with the provisions of art. 98.1.b) of the | |||
Law 39/2015, of October 1, on the Common Administrative Procedure of the | |||
Public Administrations (hereinafter LPACAP), within the established voluntary payment period | |||
in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, | |||
of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 116 | |||
116/124 | |||
income, indicating the NIF of the sanctioned person and the procedure number that appears in the | |||
heading of this document, in the restricted account number ES00 0000 0000 0000 0000 | |||
0000 , opened in the name of the Spanish Agency for Data Protection in the bank | |||
CAIXABANK, SA. Otherwise, it will be collected in the executive period. | |||
Once the notification has been received and once it is executed, if the date of execution is between the | |||
days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to | |||
on the 20th of the following or immediately subsequent business month, and if it is between the 16th and | |||
last of each month, both inclusive, the payment term will be until the 5th of the second month | |||
next or immediately after business. | |||
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution | |||
It will be made public once it has been notified to the interested parties. | |||
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the | |||
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties | |||
They may optionally file an appeal for reconsideration before the Director of the Agency | |||
Spanish Data Protection Agency within a month from the day after the | |||
notification of this resolution or directly administrative contentious appeal before the Chamber | |||
of the Contentious-administrative of the National Court, in accordance with the provisions of the | |||
Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 of | |||
July, regulating the Contentious-administrative Jurisdiction, within two months to | |||
count from the day after notification of this act, as provided in article | |||
46.1 of the aforementioned Law. | |||
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may | |||
provisionally suspend the final resolution through administrative channels if the interested party states | |||
his intention to file a contentious-administrative appeal. If this is the case, the | |||
The interested party must formally communicate this fact by writing to the Agency | |||
Spanish Data Protection, presenting it through the Electronic Registry of the | |||
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the | |||
remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. | |||
You must also send the Agency the documentation that proves the effective filing | |||
of the contentious-administrative appeal. If the Agency is not aware of the | |||
filing of the contentious-administrative appeal within a period of two months from the | |||
following notification of this resolution, it would terminate the suspension | |||
precautionary. | |||
938-300320 | |||
Mar Spain Martí | |||
Director of the Spanish Agency for Data Protection | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 117 | |||
117/124 | |||
APPENDIX 1 | |||
"DECLARATION OF ECONOMIC ACTIVITY AND DATA PROTECTION POLICY | |||
PERSONAL " | |||
<< 2. Personal Data Protection Policy | |||
Below we explain BBVA's Personal Data Protection Policy according to which | |||
we will process your personal data. | |||
Who is responsible for the processing of your personal data? | |||
Banco Bilbao Vizcaya Argentaria, SA ("BBVA"), with registered office at Plaza de San Nicolás 4, 48005 | |||
Bilbao, Spain. E-mail address: servicioatencioncliente@grupobbva.com | |||
For what purposes will we use them? | |||
• If you are a BBVA customer: | |||
1. To manage the products and services you have, request or contract with BBVA. | |||
2. To get to know you better and personalize your experience. | |||
3. To offer you products and services from BBVA, the BBVA Group and others, customized for you. No | |||
we are going to flood you with information. | |||
4. To communicate your data to BBVA Group companies so that they can offer you products and | |||
own personalized services for you. | |||
5. To improve the quality of products and services. | |||
. If you are a representative, guarantor, authorized or beneficiary, we will treat your personal data in | |||
BBVA for the management of the contract in which you intervene for your legal relationship with a BBVA client. | |||
Who will your data be communicated to? | |||
Never to third parties, unless the law requires us. | |||
Only if you want, to the following BBVA Group companies | |||
https://www.bbva.es/estaticos/mult/Sociedades-grupo.pdf as we explain in the document | |||
"Extended information" that you will find later. | |||
What are your rights? | |||
Your data is yours and you control it. Therefore, you can access at any time, rectify and | |||
delete the data, as well as request other rights, as explained in the section "Information | |||
enlarged ”. | |||
For what reason do we use your personal data (legal basis)? | |||
We use your data to: | |||
. If you are a BBVA customer: | |||
. Manage the products and services that you request or contract from us. | |||
. Comply with the law. | |||
. Get to know yourself better and make your experience more personalized. The legitimate interest of BBVA is explained | |||
in the "Extended information" section. If you do not agree, you can object by sending an email to | |||
rightsprotecciondatos@bbva.com or at any of our offices. | |||
. The purposes for which you give us your consent and which we describe in the section | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 118 | |||
118/124 | |||
"Extended information". | |||
. If you are a representative, guarantor, authorized or beneficiary: | |||
• Manage the contracting of the products and services in which you participate. | |||
• Comply with the law. | |||
Do you want to expand this information? | |||
You can find more information by accessing and downloading the document [Extended information]. | |||
We inform you that if you do not agree with the acceptance of any of the following purposes, | |||
you can select them below. | |||
. Products and prices more adjusted to you | |||
[x] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group | |||
BBVA and others customized for me. | |||
[x] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can | |||
offer personalized products and services for me. | |||
Quality improvement | |||
[x] I DO NOT want BBVA to process my data to improve the quality of new products and services and | |||
existing. We want to remind you that you can always easily change or delete the use that | |||
we make of your data. | |||
We remind you that when you enter the key that is requested in the signing process, you will be giving your | |||
In accordance with this Declaration of Economic Activity and Personal Data Protection Policy. | |||
SIGNING OF THE DOCUMENT "DECLARATION OF ECONOMIC ACTIVITY AND POLICY OF | |||
PROTECTION OF PERSONAL DATA ", including its Extended Information (model LOPD NORMAL | |||
PERSONAL DATA / DAE, version 13 09-23-2018) | |||
… (Date) >> | |||
In the section "Extended information" cited above is offered to the | |||
interested the following detail: | |||
<< Extended information | |||
Do you want to know more about our new personal data protection policy? | |||
Below we show you all the details about how we treat your personal data at BBVA. | |||
Who is responsible for the processing of your personal data? | |||
Banco Bilbao Vizcaya Argentaria, SA (BBVA), with registered office at Plaza de San Nicolás 4, 48005, | |||
Bilbao, Spain. E-mail address: servicioatencioncliente@grupobbva.com | |||
How can you get in touch with the BBVA Data Protection Officer? | |||
You can contact the BBVA Data Protection Officer at the following email address | |||
email: dpogrupobbva@bbva.com | |||
What personal data of yours does BBVA process? | |||
On the occasion of your relationship with us, BBVA may process the following categories of data | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 119 | |||
119/124 | |||
personal: | |||
. If you are a BBVA customer | |||
. Identification and contact data (including postal and / or electronic addresses). | |||
. Signature data (including the digitized and electronic signature that we will comment on later). | |||
. Codes or identification keys for access and operation in the remote channels that you use in | |||
your relationship with BBVA. | |||
. Economic and financial solvency data (including those related to all products and services | |||
that you have contracted with BBVA or of which BBVA is a marketer). | |||
. Transactional data (income, payments, transfers, debits, receipts, as well as any other | |||
operation and movement associated with any products and services that you have contracted with | |||
BBVA or of which BBVA is a marketer). | |||
. Sociodemographic data (such as age, family situation, residences, studies and occupation). | |||
. If you are a representative, guarantor, authorized or beneficiary: | |||
. Identification and contact data (including postal and / or electronic addresses). | |||
. Signature data (including the digitized and electronic signature that we will comment on later). | |||
. Codes or identification keys for access and operation in the remote channels that you use in | |||
your relationship with BBVA. | |||
. Economic and financial solvency data (including those related to all products and services | |||
that you have contracted with BBVA or of which BBVA is a marketer). | |||
. Transactional data (income, payments, transfers, debits, receipts, as well as any other | |||
operation and movement associated with any products and services that you have contracted with | |||
BBVA or of which BBVA is a marketer). | |||
. Sociodemographic data (such as age, family situation, residences, studies and occupation). | |||
From BBVA we ask you to keep your data duly updated to guarantee that in | |||
At all times the data we process is true. If you modify them, let us know so that we are | |||
aware of your current situation. | |||
What do we use your personal data for? | |||
1. Manage the products and services that you have, request or contract with BBVA | |||
. If you are a BBVA customer | |||
At BBVA we process your personal data to: | |||
. Properly manage the products and services that you request and hire us. | |||
. Follow the relationship we maintain with you and your financial evolution (which includes the analysis of your | |||
status as a customer and the products and services you have with BBVA or of which BBVA is | |||
marketer). | |||
. Send you non-commercial notifications to manage your relationship with BBVA. | |||
. Show you your financial data in a simple and intuitive way. | |||
. Control, analyze and manage risk situations, defaults, incidents or claims. | |||
. If you are a representative, guarantor, authorized or beneficiary, we will process your personal data at BBVA | |||
for the management of the contract in which you intervene for your legal relationship with a BBVA client. | |||
At BBVA we treat your personal data to always serve you with the same level of quality, with | |||
regardless of the channel you want to use to communicate with us (eg office, web, | |||
mobile applications, ATM, telephone) and thus be able to offer you a better deal and service appropriate to your | |||
customer status. | |||
Information to CIRBE | |||
At BBVA we are obliged to notify the Bank of Spain's Risk Information Center | |||
(CIRBE) the risks of your banking operations as a client or guarantor, together with your data | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 120 | |||
120/124 | |||
personal and your status as an individual entrepreneur, if applicable. We can consult the data that | |||
may appear about you in the CIRBE to assess your solvency, if you request or maintain products or | |||
financing services with us. | |||
Check solvency and credit files | |||
When you give us your consent, you authorize us to consult the data that appears in your name in | |||
solvency and credit files, to analyze the economic viability of your requests and operations. | |||
We inform you that we can communicate the data of your debts to companies with financial solvency and | |||
credit of monetary obligations, when: | |||
. It is a true, past due and enforceable debt that has been unpaid. | |||
. 5 years have not elapsed since the date on which the debt should have been paid, from | |||
maturity of the obligation or of the specific term, if it is of periodic maturity. | |||
. We have previously requested the payment. | |||
Fraud prevention | |||
When you apply for financing, we will need you to prove your working life and your personal income tax return, | |||
to prevent fraud. If you want to speed up the application process, we will need: | |||
. Verify your work life: you can provide us with the online access code that you receive from the Treasury | |||
General Social Security (single-use key), in this way you will authorize us to | |||
we can consult it on your behalf (just check it). | |||
. Verify that your personal income tax return is authentic: we will use the secure verification code that | |||
appears in your copies of the declaration, when you authorize us to do so. | |||
Prevention of money laundering and financing of terrorism | |||
To prevent money laundering, the financing of terrorism, we have the obligation to: | |||
. Declare monthly to the Financial Ownership File the opening, cancellation or | |||
modification of any checking, savings, securities or time deposit accounts. For the | |||
Therefore, your identification data will be part of that file, whose responsibility is the Secretariat of | |||
State of Economy and Business Support. | |||
. Collect information about you, identify you, as well as provide information on payment operations to | |||
the authorities of other countries, inside and outside the European Union, on the basis of the legislation of | |||
some countries and agreements signed between them. | |||
2. Get to know yourself better and personalize your experience | |||
At BBVA we want your experience as a customer to be as satisfactory as possible, through a | |||
personalized relationship that is more adapted to your customer profile and your needs. | |||
To achieve this we have to know you better, analyzing not only the data that allow us to identify you | |||
as a client, but also your financial evolution and that of the products and services you have | |||
contracted with us or through BBVA as a marketer, your operations -payments. income, | |||
transfers, debts, receipts- as well as the uses of BBVA products, services and channels. | |||
Additionally, we will apply statistical and classification methods to correctly adjust your | |||
profile. Based on the above, we managed to develop our business models. | |||
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and | |||
services that we consider according to your profile (own or marketed by BBVA), as well as offers | |||
personalized with more adjusted prices for you. As we will know you better, we can congratulate you | |||
for your anniversary, wish you a good day or happy holidays. | |||
If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or | |||
at any of our offices. | |||
This section is only applicable to BBVA customers. | |||
3. Offer you products and services from BBVA, the BBVA Group and others, customized for you | |||
Offer you BBVA products and / or services | |||
We would like to keep you up to date on new BBVA products and services, as well as give you advice | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 121 | |||
121/124 | |||
recommendations to better manage your financial situation. | |||
We can also send you information about BBVA products and services with prices more | |||
adjusted to your profile, informing you of what may interest you as a client. | |||
Offer of products and / or services of the BBVA Group and third parties | |||
We can send you information, according to your customer profile, about products, services and offers | |||
financial and non-financial activities of BBVA Group companies and third parties (including products and | |||
services of which BBVA is a marketer) belonging to these sectors of activity: financial, | |||
parabanking, insurance, automotive travel, telecommunications, supplies, security, IT, | |||
education, real estate. consumer products, leisure and free time, professional services and services | |||
social. | |||
Channels for sending commercial information | |||
We will contact you through different channels: postal mail, email | |||
push notifications, SMS, social networks, banners, web pages or other means of communication | |||
equivalent electronics. | |||
This section only applies to BBVA customers. | |||
4. Communicate your data to BBVA Group companies so that they can offer you products and services | |||
customized for you. | |||
If you want the BBVA Group companies included at this address | |||
https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf they can offer you products and services | |||
personalized in characteristics and price, we need your authorization to communicate data | |||
related to your customer profile (amount of income and expenses, balances and use of our channels). | |||
This information will be processed to try to improve the characteristics and prices of the product offering and | |||
services. The BBVA Group companies will only process your data for that purpose. | |||
5. Improve the quality of products and services | |||
We need to use your information anonymously without any characteristics that can | |||
identify, because at BBVA we want to: | |||
Increase your degree of customer satisfaction. | |||
Meet your expectations. | |||
Perfect our internal processes. | |||
Improve the quality of existing products and services. | |||
Develop new products and services of your own or of third parties. | |||
Carry out statistics, surveys, actuarial calculations, averages and / or market studies that may be | |||
of interest of BBVA or third parties. | |||
Improve instruments to combat fraud. | |||
This information is obtained from the use of BBVA products, services and channels. Throughout | |||
At the moment, we process the data using secure and up-to-date internal protocols. | |||
This section only applies to BBVA customers. | |||
Why do we use your personal data? | |||
Below we explain the legal basis that allows us to process your data for each of the | |||
purposes that we have indicated before: | |||
1. Manage the products and services that you have, request or contract with BBVA: in compliance with | |||
a contract. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 122 | |||
122/124 | |||
BBVA must also comply with the legal obligations imposed by and between laws. by | |||
Law 10/2010, for the Prevention of Money Laundering and Terrorism Financing; Law 44/2002. | |||
Reform of the Financial System; Law 10/2014 on the Management, Supervision and Solvency of | |||
Credit Institutions, as well as the regulations on the protection of personal data | |||
valid. | |||
2. Get to know yourself better and personalize your experience: for the legitimate interest of BBVA. | |||
For the legitimate interest of BBVA, so that BBVA can better meet your expectations and | |||
we can increase your level of customer satisfaction by developing and improving the quality of | |||
own or third-party products and services, as well as perform statistics, surveys or studies of | |||
market that may be of interest. | |||
Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to | |||
accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a | |||
good day or happy holidays. | |||
These legitimate interests respect your right to the protection of personal data, to honor and to | |||
personal and family privacy. At BBVA we consider that, as a customer, you have an expectation | |||
reasonable to have your data used so that we can improve products and services and you can | |||
enjoy a better customer experience. In addition, we estimate that you also have a | |||
reasonable expectation of receiving congratulations on your anniversary. wish you a good day or | |||
Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise | |||
your right to object if you consider it appropriate at the following address: | |||
rightsprotecciondatos@bbva.com or at any of our offices. | |||
3. To offer you products and services from BBVA, the BBVA Group and others, customized for you: | |||
when you give us your consent. | |||
4. To communicate your data to BBVA Group companies so that they can offer you products and | |||
personalized services for you: when you give us your consent. | |||
5. Improve the quality of new and existing products and services: when you give us your | |||
consent. | |||
Sections 2, 3, 4 and 5 above only apply to BBVA customers. | |||
How long will we keep your data? | |||
We will keep your personal data for the duration of the contractual relationship. Requests for | |||
Transactions that are not signed will be kept by BBVA for a maximum period of 6 months, except | |||
that in the request we agree on a longer term, to avoid duplication of procedures before your new | |||
requests. | |||
Once your contracts have ended, at BBVA we will keep your personal data blocked for | |||
the statutory limitation periods, generally 10 years due to regulations on the prevention of | |||
money laundering and financing of terrorism, and up to 21 years by application of the Civil Code and | |||
mortgage legislation. | |||
After the statutory limitation periods have elapsed, we will destroy your data. | |||
Who will we communicate your data to? | |||
We will not transfer your personal data to third parties, unless we are required by law or you | |||
you have previously agreed with BBVA | |||
As we have indicated, if you consent previously, we may communicate to the companies of the | |||
BBVA Group included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf tus | |||
identification, contact and transactional data so that you can receive offers | |||
personalized. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 123 | |||
123/124 | |||
In order to provide you with an adequate service and manage the relationship that we maintain with you as | |||
client, at the following address http: //bbva.lnfo/empresasdatos you will find a relationship by | |||
categories of companies that process your data on behalf of BBVA, as part of the provision of | |||
services that we have contracted. | |||
We also inform you that, for the same purpose as that indicated in the previous paragraph, | |||
certain companies that provide services to BBVA may access your personal data | |||
(international data transfers). | |||
These transfers are made to countries with a level of protection comparable to that of the Union | |||
European (adaptation decisions of the European Commission, standard contractual clauses as well as | |||
certification mechanisms) For more information you can contact the Delegate for the Protection of | |||
BBVA data at the following email address: dpogruppbbva@bbva.com | |||
What are your rights when you provide us with your data? | |||
RIGHT CONTENT | |||
Access You can check your personal data included in BBVA files | |||
Rectification You can modify your personal data when they are inaccurate | |||
Deletion You can request the deletion of your personal data | |||
Opposition You can request that your personal data not be processed | |||
Limitation You can request the limitation to the processing of your data in the following cases: | |||
. While the challenge to the accuracy of your data is being verified. | |||
. When the treatment is illegal, but you oppose the deletion of your data. | |||
. When BBVA does not need to process your data but you need it for the exercise or | |||
defense of claims. | |||
. When you have opposed the processing of your data for the fulfillment of a mission | |||
in the public interest or for the satisfaction of a legitimate interest, while verifying whether the | |||
legitimate reasons for the treatment prevail over yours. | |||
Portability You can receive, in electronic format, the personal data that you have provided us and | |||
those that have been obtained from your contractual relationship with BBVA, as well as | |||
transmit them to another entity. | |||
CHANNELS OF ATTENTION: Derechosprotecciondatos@bbva.com; Group Customer Service | |||
BBVA, APDO: 1598-28080 Madrid; BBVA offices | |||
If you consider that we have not processed your personal data in accordance with the regulations, you can | |||
contact the Data Protection Delegate at the address dpogrupobbva@bbva.com | |||
However, you can file a claim with the Spanish Agency for Data Protection | |||
(www.agpd.es). | |||
To exercise your rights, accompany your request with a copy of your ID or equivalent document | |||
accrediting your identity. | |||
The exercise of these rights is free. | |||
Likewise, if you are a BBVA customer, at any time, you can withdraw the consent given without | |||
that this affects the legality of the treatment by sending your request to the email address | |||
rightsprotecciondatos@bbva.com, to the BBVA Group Customer Service, APDO: 1598 - | |||
28080 Madrid, or by going to one of our offices. Remember to accompany your request a | |||
Copy of your ID or equivalent document proving your identity. | |||
Digitized and Electronic Signature… >>. | |||
<< Glossary | |||
(…) | |||
Legitimate interest | |||
Legitimate interest is one of the legal bases that authorize BBVA to process your data. That means | |||
that BBVA can process your data because it has an interest in doing so, provided that this interest is not | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 124 | |||
124/124 | |||
harm your rights >>. | |||
C / Jorge Juan 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
</pre> | </pre> |
Latest revision as of 13:56, 13 December 2023
AEPD - PS/00070/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(11) GDPR Article 5 GDPR Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(2) GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 13(1)(c) GDPR Article 13(1)(d) GDPR Article 14 GDPR Article 14(1)(d) GDPR Article 21(2) GDPR Article 21(3) GDPR Article 11(1) LOPDGDD Article 6 LOPDGDD Article 11(2) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 11.12.2020 |
Fine: | 5000000 EUR |
Parties: | Banco Bilbao Vizcaya Argentaria, SA |
National Case Number/Name: | PS/00070/2019 |
European Case Law Identifier: | n/a |
Appeal: | Annulled AN (Spain) 104/2021 |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed two fines of €2 and €3 million on Banco Bilbao Vizcaya Argentaria, SA in relation to its privacy policy. The first fine was imposed for breaching the principle of transparency as found in Articles 12, 13 and 14 GDPR. The second fine was imposed as BBVA breached Article 6 GDPR (legality of processing).
English Summary
Facts
The decision relates that various joint complaints against Banco Bilbao Vizcaya Argentaria, SA (BBVA).
The first complainant complained that BBVA sent promotional SMS to his mobile phone without acquiring consent. In relation to this claim, BBVA argued that the claimant had consented to the sending of advertisement by subscribing to the document entitled "Customer identification, processing of personal data and digitized signature".
The second complainant complained that BBVA did not comply with the legal requirements of free and informed consent. The complainant outlined that they sent an email to BBVA’s data protection officer outlining that BBVA’s application did not provide the possibility to refuse data processing, in breach of Article 12 GDPR. BBVA’s response to this email was that this method of gathering consent was valid according to BBVA as well as according to other forums where such a question has been raised. The complainant provided a copy of the privacy policy document produced by the application. In this copy, Section 1 contained identification data. All the options activated were ticked to gather consent with buttons with the options “I do not want…”.
The third complainant complained that BBVA asked them to sign the privacy policy document to unblock their account. This document, which enables the data subject to provide consent to processing of personal data, includes a ticked option which stated “I don’t want BBVA to process my data to offer me other products and services by email”. This was signed by the data subject.
The fourth complainant complained that they received advertisement communications that they had not authorised or requested. The BBVA argued that the complainant did not oppose themselves to this data processing in the privacy policy document they signed. The Spanish DPA highlighted that there was no possibility to refuse in this specific document.
The fifth complainant complained that they received calls and SMS with advertisements. BBVA outlined that the complainant signed the privacy policy document and consented to such processing of personal data for commercial purposes. It also said that the complainant signed the document a second time expressing their refusal to the processing for commercial purposes. In the first document that was no option to indicate consent and in the second document, the complainant signed the “I don’t want…”.
The privacy policy document in question contained personal data including name, tax ID, date of birth, nationality, address, matrimonial status, fixed and varying income and annual revenue. The purposes and legal bases for processing are also outlined: BBVA relied on legitimate interest for the purpose of “Get to know [the client] better and personalize [the client’s] experience”. It relied on the client’s consent for the following purposes:
- i) offer products and services from BBVA, the BBVA Group and others, customized for the client;
- ii) communicating the client’s personal data to BBVA Group companies so that they can offer them personalised products and services; and
- iii) improve the quality of products and services.
According to the BBVA’s policy, signature by the client indicates acceptance of the privacy policy. However, for a data subject to be a client, they must sign it. After the signature point is a section on “additional information” with a glossary of the terminology. With regards to obtaining consent, the section just above the signature point provides different options for the data subject. This includes:
"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.
Products and prices more adjusted to you
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me.
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer own products and services customized for me.
Quality improvement
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make your data"
Upon request by the Spanish DPA, BBVA provide the data protection impact assessment (DPIA) for profiling for the purpose of advertisements and the DPIA for risk profiling. The DPA also requested a report where BBVA balanced legitimate interest for the processing relying on that legal basis as well a register of all data processing activities.
Dispute
Did the defendant’s privacy policy lack clarity and specificity in breach of Articles 12, 13 and 14 GDPR?
Did the defendant rely on valid legal bases for processing personal data within the scope of Article 6 GDPR?
Holding
The Spanish DPA (AEPD) jointly decided 5 complaints filed against BBVA in relation to its privacy policy and commercial communications (SMS and emails).
The DPA clarified that as the 5 data subjects complained about the effect of BBVA’s privacy policy, the issue is not the data controller’s allegedly illegal processing of personal data as a result of the privacy policy but rather an issue relating to the privacy policy itself. It is the privacy policy which infringes the GDPR. The DPA therefore decided to inspect the ways in which BBVA gathers consent and its validity by inspecting the privacy policy document. As the privacy policy is used for all clients, the alleged GDPR breach do not only affect the 5 complainants.
The DPA imposed two distinct fines. The first one was a fine of €2 million for the absence of clear information in the privacy policy in breach of the principle of transparency as per Articles 12, 13 and 14. The second fine of €3 million was imposed as BBVA breached Articles 6 (legality of processing). The DPA also required from BBVA that they amend their privacy policy to ensure that they rely on a valid legal basis for processing and that sufficient information is provided to clients.
On the information within the privacy policy
The DPA first addressed the issue of the provision of information in the privacy policy.
Imprecise terminology and vague formulations
The Spanish DPA referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well are Articles 11(1) and (2) of the Spanish Data Protection Law (LOPDGDD) to highlight the importance of the principle of transparency in data protection law. The DPA then held that BBVA, as a data controller that processes personal data, must in particular respect the obligations outlined in Article 13 and 14 in conjunction with Article 5(1)(a).
According to the DPA, BBVA’s privacy policy used terminology that was too imprecise and formulations that were too vague when providing information to the data subject. For example, the expressions “get to know [the client] better and personalize [the client’s] experience” or “offer products and services from BBVA, the BBVA Group and others, customized for the client” were considered too vague by the DPA (the DPA provides a whole list of vague formulations at pages 61-62). It lacked precision as expressions were repeated throughout without clarification, making the privacy policy unclear and ambiguous. It was not easy for the clients to deduce any meaning from these expressions either. The DPA therefore held that privacy policy could not be easily understood by the data subject.
The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA’s privacy policy fell within the examples of poor transparency practices. It used the guidelines as support for its decision that the privacy policy was too vague and unclear.
Information on categories of data processed and specific categories for each purposes
The Spanish DPA held that information on the categories of personal data processed in the privacy policy was incomplete. The DPA referred to the Article 29 Working Party Guidelines on consent to highlight the requirements for valid consent, as defined in Article 4(11) GDPR. Accordingly, such consent must be freely given, specific informed and an unambiguous indication of the data subject’s wishes.
The DPA held that there was insufficient information in relation to the type of data that was processed on the basis of consent by the controller (BBVA). Therefore, it cannot be said that informed consent was gathered. The DPA highlighted that BBVA provides, in a generic way, that they may process "Economic and solvency data (including those related to all the products and services that you have contracted with BBVA or of which BBVA is a marketer)” or “Sociodemographic data (such as age, family situation, residences, studies and occupation)” for example. Accordingly, the DPA considered that it is not clear whether BBVA processes economic data unrelated to the products contracted with or marketed by the entity; or what sociodemographic data will be processed. Similarly, consent was not free, specific nor a manifestation of the data subject’s wishes either.
Where the legal basis is legitimate interest, the Spanish DPA held that the absence of information entails a breach of Article 14(1)(d) GDPR. BBVA failed to report on the categories of data that will be subjected to data processing. For example, there was no mention in the policy that BBVA gathered data on the data subject through third parties.
Referring to the Guidelines on transparency and the GDPR Recitals, the DPA outlined the importance of transparency as a fundamental aspect of lawful and fair processing Article 5(1)(a) GDPR). Lack of clear information would, in turn, likely lead to an infringement of other principles under Article 5 such as purpose limitation and data minimisation.
Information on purpose for which personal data is used and legal basis
The Spanish DPA identified several sections in the privacy policy where BBVA outlined that similar treatments for different purposes were at time on the basis of consent whereas other times on the basis of legitimate interest. For example, processing of personal data for the purpose of personalised offers relied on consent, and a similar processing activity, for improving customer experience was based on legitimate interest.
The DPA held that whilst the legal bases may be accurate, the similar processing activities with different legal bases meant that the privacy policy lacked clarity for an average citizen. The Spanish DPA also highlighted that having too general formulas for purposes in the privacy policy would fall short of the purpose limitation principle (Article 5(1)(b)).
Information on legitimate interest of the data controller and third parties
The DPA held that information provided by BBVA was vague with regards to the legal basis for processing. BBVA did not substantiate the legality of its data processing, in breach of the principle of transparency. For example, BBVA’s definition of legitimate interest in the privacy policy did not provide sufficient information as to the justification for relying on this legal basis. The DPA held that BBVA did not elaborate on the parties’ (including third parties) interests at stake nor their “reasonable expectations” (quoting Recital 47). There was therefore a breach of Article 13.
According to the DPA, sufficient information, which in this case lacked, would have enabled the client or data subject to be able to object to this legal basis.
Information on profiling
The Spanish DPA clarified that BBVA used personal data to elaborate profiles for various purposes outlined in the privacy policy, including for commercial purposes. This relied on consent and legitimate interest, which as mentioned above was not sufficiently defined in the privacy policy.
The DPA added that BBVA does not provide sufficiently information in breach of the obligation to inform the data subject with regards to elaborations of profiles (Article 13(1)(c) GDPR specifically). Additionally, the DPA held that BBVA did not clarify what types of profiles were made and what the intended uses were, nor did BBVA inform the data subject of their right to object to such profiles for direct marking purposes (as per Article 21(2) GDPR). At certain points in the privacy policy, BBVA did not explain that profiling occurred at all (e.g. for the “Get to know [the client] better and personalize [the client’s] experience” purpose). This was also an infringement of Article 11 LOPDGDD which clarifies the minimum content that must be provided to the data subject. Other times, the concept of profiling for the “Get to know [the client] better and personalize [the client’s] experience” purpose was mentioned briefly and vaguely.
The DPA highlighted that at no point does the privacy policy refer to whether the profiling falls within the scope of Article 22 GDPR, which would trigger information obligations within Article 13(2)(f) GDPR. However, the DPA held that lack of mention of automated decision making in the policy can be understood as establishing that no such action is carried out. The DPA mentioned Article 22 purely as a warning with regards to information on profiling in privacy policies generally
To summarise, the DPA held Articles 13 and 14 GDPR, which regulate the application of the principle of privacy, were breached as a result of the lack of information in the privacy policy on all the above mentioned circumstances.
Legal basis for processing
The DPA then went on to assess the legality of the legal bases relied upon by BBVA.
Processing of personal data based on consent
The Spanish DPA outlined the conditions for consent as a legal basis for processing as prescribed within Articles 4(11), 6 and 7 GDPR. It also referred to the correlating article in the Spanish data protection law (Article 6 LOPDGDD). Finally, it outlined the Article 29 Working Party Guideline on consent. The DPA highlighted that these Articles enable the data subject to have true control over their personal data and their destination.
The DPA then inspected BBVA’s privacy policy and held that the defendant did not design a specific mechanism to collect valid consent when relying on consent as a legal basis for processing personal data for 3 specific purposes (see facts). BBVA limited the data subject’s options in the way it presented the boxes to tick. The boxes outlined possibilities to object rather than boxes to consent to processing. As such, the DPA held that BBVA relied on “inaction” of the data subject to gather consent. This was in breach of the GDPR’s requirements for gathering valid consent (quoting Recital 32).
Additionally, the DPA held that a general signature of the privacy policy could not be valid consent as it was not specific to the distinct purposes. There was no possibility for opting and choosing one’s own preferences (only the possibility to reject or object) meaning that the data subject could not control their own personal data.
Finally, the consent given was not informed as the privacy policy lacked crucial information as highlighted in the above sections.
Therefore, BBVA processed data without a legal basis for the 3 purposes relying on consent. This was a breach of Article 6 GDPR in connections with Articles 4(11) and 7 on valid consent.
Other processing without legal basis
There were other processing activities conducted by BBVA which lacked any legal basis.
Processing of personal data on the basis of legitimate interest of the data controller or third party
The Spanish DPA held that there was no sufficient legal basis for processing personal that the BBVA claimed was on the basis of legitimate interest. Additionally, some processing supposedly relying on legitimate interest were very similar to those based on consent, which as mentioned, was invalid. Therefore, the DPA held that processing based on legitimate interest were not legal.
The DPA relied on Article 6 GDPR to highlight that processing must be lawful and that it is the responsibility of the controller to rely on a valid legal basis (in connection with Articles 5(1)(a) and 5(2) GDPR). The DPA also considered that lack of information meant that the data subject could not assess the evaluation done by the controller and therefore, would not be in an informed position to oppose to processing on the basis of legitimate interest. This would mean that the data subject cannot fully exercise its rights under Article 21(3) GDPR.
Additionally, lack of information on the actual interests considered in the balancing exercise was considered by the Spanish DPA to indicate that the legal basis of legitimate interest was not valid: the absence of a weighing exercise means that Article 6(1)(f) cannot be relied upon as a valid legal basis for processing. The DPA then outlined that since information on the balancing exercise lacked, it was difficult to assess whether BBVA’s interests were legitimate. It nonetheless went on to hold that the interests are of an economic nature. Whilst this can be a legitimate interest the DPA held that it cannot prevail over the fundamental rights of the data subject.
Additional information was also considered, including: how data used based on legitimate interest were collected, the excessive scale on which they are collected, the use of data collected from third parties without the knowledge of the interested party, techniques used, lack of transparency about the logic used in profiling, large number of affected data subjects, loss of control for the data subject and the controller’s dominant position. Similarly, there were no additional guarantees or measures taken by BBVA.
Following these considerations, DPA deemed that the processing could not be interpreted as being in the data subject’s interests. Therefore, it held that there was no evidence that the legitimate interest relied upon by BBVA was valid and prevailed over the interests and fundamental rights and freedoms of the data subject. Lack of guarantees meant that nothing could overcome any imbalances in the processing of this personal data.
Therefore, the DPA held that BBVA did not satisfy the conditions of Article 6(1)(f). There was no, legal basis for processing the data allegedly relying on legitimate interest.
Comment
Comment from @Francesc Julve:
Many are looking at the amount of the fine imposed but the sanction is also important with regards to the prohibition of processing data and the obligation to delete the unlawful processed data that the AEPD also imposed.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/124 Procedure Nº: PS / 00070/2019 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following BACKGROUND FIRST: On 10/16/2018, a claim submitted to this Agency by D. AAA (hereinafter claimant 1), against the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA (hereinafter BBVA), for sending to its mobile phone line, at dated 10/11/2018, of a promotional SMS. He adds that he has not authorized the sending of such messages and has been on the Robinson List for a long time. With your claim, you only provide a copy of the SMS object of the same, the text of which is the following: “Publi BBVA: You lend UP TO 9,000 EUROS to start your projects. Info 912975969. https://bbva.info/2xLgPps. No + publi send BAJA to 217582 ". This claim was transferred to the entity BBVA. In response to what was stated by Claimant 1, BBVA informs this Agency that it agreed to the content of the document "Customer identification, processing of personal data and signature digitized ” , signed by the claimant on 06/07/2016, by virtue of which the client He consented to the sending of advertising by BBVA " through any means" . BBVA adds that, however, in view of the claim made, it has proceeded to disable the option relating to the sending of commercial communications to the claimant 1. BBVA provides the document "Customer identification, processing of personal data and digitized signature ” signed by the complainant on 06/07/2016. SECOND: On 12/09/2018, a claim submitted to this Agency by D. BBB (hereinafter claimant 2), against the entity BBVA, noting that the App BBVA for the entity's Android systems does not meet the legal requirements regarding free and informed consent. In this claim it shows that the past 11/09/2018 the aforementioned App, through a pop-up screen, required the provision of consent whose scope should be known through a link to another page, in which the option to transfer data to third parties was activated by default. It adds that on the previous June 6, BBVA recognized by letter the right of opposition of the claimant to the processing of their data for commercial purposes (provide a copy of this communication), and that this circumstance should have been taken into account by BBVA before require again the provision of your consent to the processing of data through the BBVA App. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 2/124 On the other hand, the claimant warns that he addressed the aforementioned entity stating the same circumstances and that said claim was rejected on 11/29/2019. The claimant provides a copy of one of the emails sent to BBVA, dated 11/09/2018, in which it expressly indicates the following: “Dear BBVA DPO The document attached to the previous message comes from the BBVA APP offered on the Android platform. The aforementioned application requires the user, as a step prior to its use, to provide consent through the electronic signature of a document that only offers the possibility of opposing data processing personal for purposes other than those necessary for the purposes of providing financial services if the Client activates the boxes of opposition to a treatment that BY DEFAULT (see article 25 of the GDPR) should be considered as activated. The informative text is inconsistent with the principle of transparency of article 12 of the RGPD and above all because after activating the aforementioned boxes opposition, a pop-up screen appears with a new warning that clearly restricts the freedom of consent in the terms of article 7 of the RGPD. I hope I have more clearly described the problem related to the aforementioned APP and the document of consent generated by it. Finally, I would like to attach your communication regarding my exercise of the right to object to processing of personal data already registered by your department, and that should have been taken in account regarding the operation of the BBVA APP ”. BBVA responds to this email by means of another dated 11/29/2018 in which literally indicates: “The way in which the consent to which you refer is obtained has been considered valid not only in the internal analyzes of our own entity, but in all those forums where it has been raised the question, since the interested party has the option of choosing in a simple and easily understandable the option you prefer. About pop-up screens that you tell us comments, BBVA understands that it must provide interested parties with the necessary information so that know what happens when you activate these boxes, so that with all the information in your hand, decide the option that most satisfies them ” . The claimant also accompanies the document generated by the App, with the label "Declaration of economic activity and personal data protection policy" (as also "Privacy Policy" ), in which section 1 contains the data identification of the client (the claimant) and his declaration of economic activity. Among others data, include those related to name, surname, tax identifier, date of birth, nationality, address, marital status, matrimonial status, contact details, fixed income and variables, entity in which it provides services, gross annual income. Section 2 of this document is dedicated to the "data protection policy personal ” . The full content of this section, the "extended information" that is offered to the interested party and part of the "glossary of terms" contained in the same document, which is declares reproduced in this act, it is attached as Annex 1. In the document provided by claimant 2 all the options are marked enabled for the interested party to give their consent to the processing of data personal with the purposes that are expressed in said options: ". Products and prices more adjusted to you [x] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/124 [x] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me. Quality improvement [x] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make your data ". THIRD: On 02/13/2019, a claim submitted to this Agency by D. CCC (hereinafter claimant 3), against the entity BBVA, noting that for the unlocking your account it was necessary to sign the data protection document personal information, that it was sent to him electronically, and that he had no possibility to mark the options on the treatment of information. Provides printing of the information available in the BBVA App, in the personal area of the claimant (February 1 to 6, 2019), which includes a section "Use of personal data" in which a box is made available to the interested party that can be marked with the indication "I have read, understand and accept the Personal Data Protection Policy to be a client of BBVA ” . Also, provide a copy of an email sent to the claimant's address from the address notifications-bbva@bbva.com, with an attached file called "LOPDDAE", in pdf format, and the text "You have a pending signature ... (name and surname of Claimant 3), you have a document pending signature. We recommend that you read with calm down the document that we enclose, before signing it ” . Below is a button labeled “Sign Now” . Subsequently, the interested party is informed that he has other channels for signing the document in question (office, App, web and telephone banking). Said document, which is also attached to the claim, corresponds to the "Declaration of Economic Activity and Policy of Protection of Personal Data" , whose content coincides with that which is reproduced in Annex 1, except for the detail related to the box through which the customer is offered the option "I do not want BBVA to process my data to offer me products and services from BBVA, Grupo BBVA and others customized for me ” , which allows you to mark the following channels: [ ] By email [] By SMS [] By phone (phone call) [] By post The document provided appears dated 02/11/2019 and without signature. Of the options enabled in this document so that the interested party gives their consent to the treatment of your personal data for the purposes that are expressed in each case, the option “I do not want BBVA to process my data to offer me BBVA products and services, from the BBVA Group and others personalized for me by email ” . The aforementioned claim was forwarded to BBVA so that it could analyze it and send the information pertinent to this Agency. The period granted to BBVA to respond to Said transfer occurred without any response from this Agency. FOURTH: On 05/23/2019, a claim submitted to this Agency C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/124 by D. DDD (hereinafter claimant 4), against BBVA, noting that, under the pretext If you have been informed by means of a document that you have not signed, said entity sends you commercial communications that you have not requested or authorized. He adds that he informed him about the adoption of measures to prevent you from continuing to receive commercial communications, who stopped sending emails, but continued to receive SMS, in which no unsubscribe mechanisms are provided. It provides several SMS in which pre-granted loans are offered; copy of a writing in which BBVA estimates the right of opposition exercised by the claimant, of 04/10/2019; another previous letter, dated 02/25/2019, in which BBVA informs you that your data Personal are treated according to the attached document, signed on 11/26/2018, in which He was offered the possibility of refusing the aforementioned purposes. The attached document the last written review corresponds to the "Declaration of Economic Activity and Policy of Data Protection ” , which contains the details of the complainant as a BBVA customer. In This document does not include any of the options offered to the interested party to consent to the processing of your personal data, This claim was transferred to the entity BBVA. In response to what was stated by Claimant 4, BBVA informs this Agency that commercial communications were sent to the same, that he did not object to this data processing in the document signed on 11/26/2018. Notices that communications ceased after the exercise of the right to opposition by the claimant, although the mobile phone line cited in the claim as a recipient of commercial communications, it is not associated with its data in your information system. Subsequently, BBVA stated that the SMS were sent manually by a manager commercial from the corporate mobile phone without previously checking that the client was included in the Robinson listing. FIFTH: On 08/27/2019, a claim submitted to this Agency by D. EEE (hereinafter the claimant 5), against the entity BBVA, for the performance of telephone calls and sending of advertising SMS, to offer insurance, credit cards and financing of receipts, despite the fact that he exercised the right to object to the transfer of his data for promotional purposes and that it was attended by said entity. In its claim details the telephone lines that issue the calls and messages, the line receiver and the date and time of the last call. With your claim, provide a copy of an invoice corresponding to the receiving line of calls and messages, issued on behalf of the claimant; letter from BBVA addressed to same, dated 03/07/2018, in which your request to oppose the use and transfer of your data to third parties for the purposes of commercial or advertising prospecting of the entity or other Group companies; transcription of messages sent to BBVA warning again on your wish not to receive advertising, of 05/26/2019, answered the day next by the person in charge with a message of apology; screen printing 08/27/2019, on the inclusion of its mobile phone line in the Robinson List; and detail of calls received (there is a call from the number that is the subject of the claim, made on 08/27/2019. This claim was transferred to the entity BBVA. In response to what was stated by Claimant 5, BBVA informs this Agency that, on 06/18/2018, the interested party signed C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/124 digitally the document "Declaration of Economic Activity and Protection Policy of Personal Data ” , giving your consent to the processing of your data for the commercial, even though he was given the opportunity to object to the use of his data to offer you products and services from BBVA and from Group entities. This option is formalized the claimant by signing that document later through the remote banking. It adds that the lines to which the claim refers belong to BBVA Seguros, of which the claimant is a client, which made three calls in August 2019 (days 20, 21 and 27); and that BBVA forwarded the complainant's opposition letter to BBVA Seguros, which took the appropriate measures to stop commercial communications on same day 08/27/2019. BBVA provides the documents "Declaration of Economic Activity and Policy of Protection of Personal Data ” , signed by the claimant on 06/18/2018 and 05/27/2019. In the first of them there is no mark in the boxes enabled to that the client expresses his consent to the following treatments: . Products and prices more adjusted to you [] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me. [] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me. Quality improvement [] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make your data ". In the one signed on 05/27/2019, these three boxes are marked. SIXTH: The claims to which the proceedings refer were admitted for processing through resolutions dated 02/01/2019 (those relating to claimants 1 and 2), 08/06/2019 (the one related to claimant 3), 09/13/2019 (the one related to claimant 4) and 10/30/2019 (the one related to the claimant 5). SEVENTH: On 11/21/2019, the General Sub-Directorate of Data Inspection Access the BBVA website ( “bbva.com” ) and obtain available information about the entity. This website indicates: "BBVA in Spain As one of the leading entities in the country, with more than 10 million clients and close to 30,000 employees, we provide financial services through our network of 3,200 offices ” . Financial information is also obtained, of which it is worth highlighting that relating to the Income Statement, which "as of 09/30/2019" reflects a "Net Margin" of 9,304 million euros. In the "Geographical diversification" section , the breakdown by country is indicated, corresponding to Spain 23.4%. According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" amounts to 3,267,264,424.20 euros. EIGHTH: On 12/02/2019, the Director of the Spanish Agency for Data Protection C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/124 agreed to initiate a sanctioning procedure against the BBVA entity, in accordance with the provisions in article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, relating to the Protection of Natural Persons with regard to Treatment of Personal Data and the Free Circulation of this Data (General Regulation of Data Protection, hereinafter RGPD), for the alleged violation of article 13 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation; and for the alleged violation of Article 6 of the RGPD, typified in Article 83.5.a) of the aforementioned Regulation, determining that the penalty that may correspond would amount to a total of 6,000,000.00 euros (3,000,000.00 euros for each of the infringements charged), without prejudice to what result of the instruction. The indicated imputations result from the analysis of the data collection form personal data used by the BBVA entity after 05/25/2018, called "Declaration of economic activity and personal data protection policy" , through which BBVA announces the terms applicable to the protection of personal data and requires the consent of the interested parties. The reasons underlying the accusations indicated are, succinctly, the following: a) Infringement of article 13 of the RGPD: . Use of imprecise terminology to define the privacy policy. . Insufficient information on the category of personal data that will be submitted to treatment, especially in relation to the data that BBVA says it obtains from the use by the customer of products, services and channels; the economic and solvency data obtained from products contracted with BBVA or of which BBVA is a marketer; and the data personal data that will be transferred to BBVA Group companies. . Breach of the obligation to report on the purpose of the treatment and legal basis that legitimizes it, especially in relation to the processing of personal data that BBVA is based on legitimate interest. . Insufficient information on the type of profiles to be made, the uses specific to which they will be used b) Infringement of article 6 of the RGPD: . Non-existence of a specific mechanism for collecting the consents of the clients for the processing of personal data. The interested party's options are limited to marking a box by which you record your opposition to data processing. . Non-compliance with the requirements established for the provision of a specific, unequivocal and informed consent. . Insufficient justification of the processing of personal data based on interest legitimate of the person in charge. Likewise, for the purposes provided for in article 58.2.d) of the RGPD, in said agreement of At the beginning, it was warned that the imputed infractions, if confirmed, may lead to the imposition on the entity BBVA of the obligation to adopt the necessary measures to adapt to the personal data protection regulations the processing operations that performs, the information offered to its clients and the procedure by which they give their consent for the collection and processing of their personal data, with the scope expressed in the Basis of Law of the repeated agreement and without prejudice to the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 7/124 resulting from the instruction. NINTH: Once the aforementioned initiation agreement was notified, BBVA presented a brief of allegations in the that requests that a resolution be issued declaring the nullity of full right of the procedure for the reasons set out in its following first allegation or, in its default, your file is remembered. In summary, the aforementioned entity bases its request on the following considerations: 1. The setting of the amount of the sanction in the agreement to initiate the procedure, which is justified in Law Foundation VI, produces helplessness to the interested party who vitiates nullity the same. Understand that determining the sanctioning reproach in said act, evaluating even concurrent aggravations without minimally motivating them, on which he has not had occasion to demonstrate, affects the application of the fundamental principles of law criminal, applicable with certain qualifications to the administrative sanctioning procedure, such as has revealed settled jurisprudence. It considers that the initiation agreement exceeds the legally foreseen content, as It should only incorporate the limits of the possible sanction that could be imposed, and not determine a specific amount that implies a summary assessment of the circumstances concurrent. The agreement issued goes beyond what is admitted in article 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD). This anticipated and lacking motivation assessment of BBVA's responsibility, indicating even the mitigating and aggravating ones, even if it is by their mere mention, and even when intends to save what finally proceeds according to the instruction, in the opinion of that entity, an unprecedented part is carried out , without any allegation of the accused that allowed the sanctioning body assess the circumstances appreciated in light of said allegations, generating helplessness to the part. The fact that the amount comes from the mere enumeration also produces defenselessness circumstances, without stating how they affect liability. This is a matter that affects the impartiality of the investigating body designated in the same agreement to initiate the procedure, which he knows before beginning the procedure the criterion of the body to which the file will finally be submitted, on which it hierarchically depends. This supposes a rupture of the principle of separation between the investigation phase and the sanction phase. (Article 63.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations - hereinafter LPACAP), depriving the instructor of a objective knowledge of the facts and the possibility of making an assessment of the circumstances arising from the instruction. On the other hand, article 85 of the LPACAP is cited to specify in the operative part of the opening agreement the reductions that entail the recognition of responsibility or the voluntary payment of the penalty. However, the BBVA entity considers that this precept establishes that the amount of the pecuniary sanction may be determined “beginning on sanctioning procedure ” and that it is only applicable to cases that give rise to the imposition of a fine of a fixed and objective nature. In the present case, the sanction is not fixed and nor necessarily of a pecuniary nature, given that the RGPD establishes a wide range of possible sanctions and corrective measures, including issuing a warning. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 8 8/124 2. The non-existent link between the claims made for the purpose of the procedure and the content of the file administrative, since the allegedly infringing facts that are invoked cannot be the basis on which the AEPD relies for the opening of this proceeding, nor the alleged violations can support the sanction sought. The scope of the Privacy Policy is analyzed without linking any reasoning to the content of the claims and without stating any action carried out by the AEPD that motivates the opening of the procedure. In this regard, it notes that the Agency has limited, in the previous phases, to transfer the claim to the DPD of the entity, except for the relative to claimant 2, and to agree to its admission for processing once clarifications are received of the aforementioned DPD. This was understood by the National Court in Judgment of 04/23/2019 (appeal 88/2017), that annuls the sanction of the AEPD, among other reasons, due to a discrepancy between what was denounced and the object of the sanctioning resolution: "This Chamber considers that the proven facts of the resolution are not adjusted to the requirements that, according to the principles set out, must be respected in a sanctioning procedure. In the first place, because such proven facts appear totally disconnected from the facts. denounced, and which led to the opening of preliminary investigation actions, since no mention is made in said proven facts about the behaviors denounced by the three participants in the procedure, the AEPD totally disregarding the result of the investigations carried out as a result of these complaints, as well as the numerous tests practiced. The account of "proven facts", both in the criminal procedure and in the administrative sanctioning procedure, It is essential to establish the facts and the typified behaviors, since only in this way is it possible to respect the principle of typicity, which, according to the doctrine is “the legal description of a specific conduct to that the administrative sanction will be connected ”. This principle is just the projection of the need for certainty that should guide the exercise of the sanctioning power of the Administration that includes the Article 25.1 CE and its foundation is in the respect of two other values such as freedom and legal security ” . At the same time, the AEPD has revealed throughout the entire file a manifests inactivity, taking into account that the claim of the Claimants 1 and 2 dated 02/01/2019, the last of them without prior transfer to the DPD, and that the request sent by BBVA on 02/21/2019 was not even answered requesting information on the status of the claim (it was not reported on its admission for processing). Subsequently, without any additional action, three other claims were admitted before to dictate the initiation agreement. In other words, the preliminary investigation phase was kept open for ten months without any action aimed at investigating the content of the claim. It could be considered that the AEPD waited for a number of claims that he considered significant, in this case, five, although they related to different issues, to reactivate a procedure that had been "suspended" since the first admissions to process, and which deals only with the "Declaration of Activity Economic and Data Protection Policy ” , held by the AEPD from the presentation of the claim by claimant 2, dated 12/09/2018. We are faced with an assumption in which the authority considers it necessary to allow a period of time to elapse from the admission for processing of a claim related to a specific treatment, to verify if the conduct is due to a specific or structural failure of the person in charge. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 9 9/124 During that time, BBVA acted with the confidence that, being the Agency aware of the circumstances manifested in the claims and no actions having taken place investigation or other nature, the existence of irregularity was not appreciated. Would fit consider whether it has not been the inaction of the AEPD during those ten months that has aggravated the reproach that it considers concurrent in BBVA, given that the Agency knew the Policy of Privacy and did not warn about the admission for processing of claims or the eventual illegality of this Privacy Policy. The reproach derived from its maintenance over time it should be attributable to whoever kept that opinion hidden. Regarding the specific claims made, it indicates that they show common elements that illustrate the good work of BBVA in respecting data protection regulations personal, which represent a tiny and irrelevant percentage of the wide universe of treatments carried out and the number of clients. In this regard, it provides certificate issued by the DPD relative to the year 2019, noting that, out of a total of personal clients eight million thirty-one thousand, received nine hundred six communications and only six referred to comments on the Privacy Policy. Understand that it shows that customers have not considered their rights violated, except for the five claimants. As elements common to all claims, the following stand out: . All interested parties / claimants could choose between all the alternatives offered and manage your consent to the processing of your data when they formalized the document and They were able to change their preferences through multiple channels, thus respecting the power of disposition of those affected. . It has respected the rights exercised, responding in a timely manner to the Revocations of consent or exercise of opposition rights. This has happened in the case of any of the claimants. . In the cases in which the claimant shows his disagreement with the way to obtain consent, he had made use of the mechanisms made available to him, since outside at the time of signing the "Declaration" or later electronically. It is contradictory, in BBVA's opinion, that the signature of the document accompanied by the Checking the boxes should be considered an affirmative action and the signature of the document without checking the boxes does not have, according to the Agency, the same scope or nature affirmative action (implicit consent, other than tacit, presumed or inaction). . When an error has occurred, as in the case of claimant 4, it has been recognized and repaired with the utmost diligence, having led to the development of a large number of actions to fully comply with the regulations (also on the occasion of the claims). Next, BBVA dedicates a part of this second allegation to highlighting some specific considerations for each of the claims: a) Claimant 1 refers to the sending of advertising via SMS, carried out with the consent of the interested party, as evidenced in the response made in the framework of E / 08334/2018, and their right to object was immediately addressed. Does not exist any subsequent complaint or claim. b) The claim presented by claimant 2 was not known by BBVA until the opening of the procedure, so he has not had the opportunity to refute the accusations C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 10 10/124 made on the Privacy Policy, the operation of the application or the legality of the data processing. In this case, the right to object to the treatment of the data for commercial purposes; and so it was marked on the document whose signature was required when downloading the APP. The download process offers the customer the possibility of decide on the treatments and purposes, as the claimant did, and report on the consequences of those decisions, without any of the messages that appear condition the interested party. The result was that, through the application, during the process of obtaining consent, was able to manage the use of data freely and in an informed manner. Provides a printed copy of the "become a customer" process that the application follows, which includes the hiring an online account. This process offers the interested party basic information on data protection, whose content coincides with that contained in Annex 1, and a link to extended information. Likewise, in both processes consent is requested to the interested party for the processing of their data ... and they are offered the possibility of marking different options on consent for the processing of your personal data, which coincide with those enabled in the "Declaration of Economic Activity and Policy of Data Protection". c) Contrary to what is indicated in the initiation agreement, BBVA responded to the transfer made by the AEPD of the claim submitted by claimant 3 (file E / 04690/2019) and also responded to the complainant himself, although these responses have not been incorporated into the file. BBVA blocked this client's account in accordance with provided for in Law 10/2010, of April 28, on the Prevention of Money Laundering and Financing of Terrorism, until the signing of the “Declaration of Economic Activity and Personal Data Protection Policy ” , which took place on two occasions (in the office and through the mobile application), and in both the interested party incorporated their preferences on the refusal to receive publicity. Raise again if action is not to be considered affirmative signing of the privacy policy and marking one of the boxes enabled, or if there is a difference between that action and the subscription of said policy without marking none of the boxes; all of them easily accessible, intelligible, simple and clear. It adds that there is no complaint from this client, beyond the claim made before the AEPD. Provide a copy of a written response to the transfer of the claim made within the framework of the file E / 4690/2019, dated 06/21/2019 and proof of sending it to this Agency via postal mail on the same date. This answer, whose content basically coincides with what has been stated above, accompanies a copy of the statements of economic activity and personal data protection policy completed with the Claimant 3's personal data, dated 01/17/2019 and 02/11/2019; the first of them signed and the second unsigned. In both declarations the option “No I want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others personalized for me by email ”. d) The background information regarding claimant 4 is contained in file E / 06420/2019, which sufficiently explain the facts. In this case, until the moment of opposition BBVA was authorized to send commercial communications such as the one denounced and ceased in these treatments after the exercise of the right, although an SMS was sent later It was due to a specific error of little interference, committed by an office manager, which was remedied immediately and led to the sending of communications on the policies adopted to the branch network. These facts do not justify the reproach that is claimed. Add that BBVA there was no record of the proceedings file or the admission for processing until the agreement of C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 11 11/124 initiation of the sanctioning file. It says Provide supporting documentation of the points indicated. However, only provides what appear to be messages addressed to private clients, SMEs or freelancers with information regarding the protection of personal, entity or commercial data. Some of They are dated May and July 2018, February 2019 and a final date of 09/24/2019, but not include no indication that relates these alleged messages to the complainant 4. e) It refers to the content of the information provided on the occasion of the file E / 08740/2019, which shows that BBVA was respectful of the claimant's decisions 5 in relation to the use of your data. In this case, claimant 5 signed the repeated statement on two occasions, not stating his refusal to the treatments in the first occasion and doing it in the second. 3. On compliance with the principle of transparency and the right of information to its clients about the processing of their data, BBVA exposes the following: A) Previously, said entity refers to the scope, content and derived obligations of the principle of transparency, as regulated in the applicable regulations and interpreted by the AEPD itself, the set of European Authorities, the Working Group of article 29 and, subsequently, the European Committee for Data Protection. Make a statement on the information requirements derived from the aforementioned principle, the information to be provided, how it should be provided and the reporting system levels or layers that can be used. From what is expressed in these sections, it is worth mentioning the indications that BBVA includes on issues or aspects outlined in the agreement to initiate the procedure that, in their opinion, They do not correspond to the requirements established by the standards analyzed. Specific, BBVA points out that the obligation to inform interested parties about the data or categories data subject to treatment is not provided for in article 13 of the RGPD; and is only required in Article 14 of the same text for cases in which the data is not collected from the interested party, Although this obligation refers to the categories of data and not to the specific data object treatment. Likewise, it also highlights that articles 12 to 14 of the RGPD do not require “the person responsible for the treatment to provide interested parties with such detailed information that includes the characteristics that the treatment does not have, that is, it will not proceed to inform about, for For example, what data or categories of data are not subject to treatment or the purposes for which the data will not be processed, such as the fact that it is not produced profiles ” . And neither do those articles require, “when a treatment is based on the interest legitimate entity of the person in charge or of a third party, is included in the information provided to the interested parties the weighing trial carried out to verify that the rights or interests of those affected do not prevail over said legitimate interest, despite the fact that the AEPD reproaches this party in the Initiation Agreement for not having informed about the aforementioned weighting ” . B) (…) C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 12 12/124 C) Regarding the content of the Privacy Policy, it highlights that it follows the recommendations contained in the Guide prepared by the AEPD. It is organized around a series of questions and the purposes are grouped, with basic and additional information, both with the same sections. In relation to purpose 2 "To get to know you better and personalize the experience" , he warns that does not imply the referral of personalized commercial offers, but that the treatments that are described refer to the analysis and assessment of customer data, but not to the sending advertising. The only communications mentioned in this section are the Congratulations. In the extended information, it is reported that the legitimation basis is the interest legitimate and the specific interest pursued is indicated. In both sections the possibility to object to this treatment. Purpose 3 “To offer you products and services from BBVA, the BBVA Group and others personalized for you ” is the one that refers to the sending of all types of communications for commercial, through the channels indicated. Purpose 4 also refers to business purposes, but communication is described of the data to other entities of the Group so that they are the ones that directly communicate with the client, provided that they have authorized it. Entities are identified recipients, the purpose and the categories of data that will be communicated. Purpose 5 details the treatments carried out by BBVA to “Improve the quality of the products and services ” , although, as indicated in the “ Extended Information ” , the information obtained from the use of BBVA products, services and channels is anonymized and, therefore, excluded from the scope of the regulation. Even so, it was decided to submit this purpose to the consent of the client. D) In relation to the assessments carried out in the Initiation Agreement on the Policy of Privacy, BBVA states the following: . As a preliminary consideration, it reiterates that it does not understand the criteria that have determined the initiation of the procedure and the penalty amounts proposed for claims that are not they are related to the facts that justify said opening; and that among the different corrective powers has been chosen for the most serious, instead of other alternatives that would have allowed the correction of a hypothetical situation of default. Understand that it is necessary to bear in mind the environment and the problems that the interpretation of the provisions of the RGPD, to which the Agency itself has not been abstracted; and cites the “Report on privacy policies on the Internet. Adaptations to the RGPD ” to point out which is a sample of these difficulties, although their conclusions did not assume the same reproach. Furthermore, BBVA understands that the procedure is used to adopt criteria general interpretation of the protection norms, which is not admissible in light of the doctrine of the National Court. . This subsection is dedicated to analyzing the content of the Initiation Agreement as it relates to the information provided to customers by BBVA. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 13 13/124 The procedure begins for violation of article 13 of the RGPD, but refers to the breach of the obligation to inform the interested parties about the categories of Personal data processed, which is required in article 14 of said Regulation and not in 13. Even so, BBVA includes the data categories at the beginning of the extended information, following the example published in the AEPD's “Guide for compliance with the duty to inform” , adding, in addition, a description of the type of data, offering more information exhaustive of what the EAPD itself suggests in the aforementioned Guide. On the other hand, the Agency, in the repeated agreement, suggests that it should be informed on what specific data is used for each treatment, despite the fact that this requirement does not It is provided for in the RGPD or in any guideline published by the Agency, the GT29 or the EDPB. In the same way, neither text indicates that you should inform yourself about the data or treatments that the person in charge does not carry out. Consider mere conjecture without any proof indications about what could happen if the information collected by the Bank from the use of BBVA products, services and channels will include information related to “the share union ... or fees paid to political parties, or religious entities, or by the use of services provided by health or religious entities ” , that is, categories special personal data. The truth, adds BBVA, is that the privacy policy does not refers to these data or treatments simply because they are not carried out. If all the details that the AEPD now seem to require were added, it would lead to a text extensive and predictably not very understandable, leading to information fatigue or fatigue, proscribed by both the Agency and the GT29. Along the same lines, the Agency indicates that the information provided does not allow the interested party have a clear idea about the data that will be communicated to the Group's entities. To this In this regard, the aforementioned article 13 of the RGPD requires informing about the recipients or categories of recipients of personal data, not to mention the category of data. Still I know informs that the identification, contact and transactional data will be provided, to that the interested party may receive commercial offers. Transactional data is detailed in the description of purpose 4 (amounts of income and expenses, balances and use of our channels). The AEPD carries out an interpretation of article 13 of the RGPD that exceeds its content and their own interpretation. With this, he would be issuing new guidelines on the content of the duty to inform more demanding than that indicated in its Guide, using for this a sanctioning procedure clearly detrimental to BBVA. In this regard, he cites the Judgment of the National Court of 04/23/2019 (appeal 88/2017), which declared contrary to the principles of sanctioning law the establishment of general criteria within a sanctioning procedure. The Agency also considers inadequate or insufficient the information provided in relation to with the purpose 2 "To know you better and personalize your experience" , and indicates said Authority of control that is reported on the realization of personalized offers and the improvement of products and services with a legal basis in the consent of the interested party and in the legitimate interest. Without However, in the description of this purpose it is spoken of evaluating new functionalities, products and services and assess personalized offers, but no reference is made to the referral of commercial or advertising offers. Purpose 2 allows to know the channel that the customer, what products perform better, what new products could be C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 14 12/14 interesting for customers, respond to a customer who is interested in the products of the entity offering those that fit your needs. In this sense, the description carried out in purpose 2 refers only to the realization of an internal profiling of customers to personalize their experience or respond more efficiently to their requests. The referral of advertising, which may be based on said profile, is part of the purpose 3, whose basis of legitimacy is consent. Only purpose 2 refers to the use of the profile. In this sense, adds BBVA, the expressions unclear and imprecise to which the Agency refers, such as " customize your experience ” , “ offer you personalized products and services ” or “ commercial profile ” , are substantially similar to those contained in the second layer example on page 11 of the "Guide for compliance with the duty to inform" of the AEPD: "to be able to offer you products and services according to your interests ” , “ improve your user experience ” , "We will develop a commercial profile . " In short, purpose 2 describes the treatments for profiling and their use does not commercial; while the purpose 3 the treatments that, being able to take advantage of said profile, involves the remission of commercial offers. Additionally, and contrary to what is stated by the AEPD, in purpose 2 it is reported how the client's profile is elaborated and that to achieve it different data are analyzed, which are detailed below, and the possibility of opposing the treatment is expressed. On the other hand, regarding the objections indicated by the AEPD for not reporting on the specific legitimate interests on which BBVA relies for these treatments, warns that This information is included in the section "Why do we use your personal data?" in which the bases that legitimize the treatment are detailed ( “… so that BBVA we can better meet your expectations and we can increase your degree of satisfaction as a customer by developing and improving the quality of own or third party products and services, as well as carry out statistics, surveys or market studies that may result from interest… to be a bank close to you as a client… ” ). Finally, it states that the privacy policy does not mention the existence of decisions automated regulated in article 22 of the RGPD since they are not carried out. The decisions referred to in the section on purpose 2 would not fit into the regime established in article 22 of the RGPD, since they would not produce legal effects in the recipients of the advertising that had been sent nor could it be considered that said Referral significantly affects customers in a similar way. 4. On the existence of a legal basis for the treatment of customer data of BBVA. A) Legality of data processing carried out on the basis of legitimate interest prevalent. As indicated, this question has to do with the treatments that are carried out with the purpose of "Knowing you better and personalizing your experience" (purpose 2), which in no The moment refers to the sending of commercial communications that BBVA bases on the consent of the interested party. Those treatments consist only of the analysis of the customer behavior in relation to the channels, products and services offered C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 15 12/15 by BBVA to obtain indicators that will allow it to properly adjust its business, develop and improve its portfolio of products and services, adjusting them to the customer preferences, as well as the quality of services. Only if you have the consent of the interested party, you can apply the result of that treatment for the referral of commercial communications to clients (purpose 3). There is therefore no confusion some between both treatments In this regard, the Agency concludes that the legal basis of Article 6.1 f) of the GDPR is not applicable to these treatments considering that the interests are not clearly stated legitimate interests of BBVA (based on an incomplete definition of the legitimate interest contained in the glossary), the evaluation of the prevalence of legitimate interest is not reported and because the clause makes explicit the reasonable expectations of the interested parties that BBVA appreciates that concur in them. BBVA considers that none of these arguments allow reaching the intended conclusion by the Agency because the legitimate interest does not support, as has been said, the sending of commercial communications. In addition, the extended information details the legitimate interest of BBVA (better serve the customer expectations and increase their degree of satisfaction, develop and improve the quality of its products and services, as well as carrying out statistics, surveys or studies of market); the AEPD has not proven that the weighting test has not been carried out and the The regulation does not require that this information be passed on to the interested parties. BBVA considers that no it must be public knowledge. On the other hand, it understands that it is contradictory to object to the absence of the weighting and consider, at the same time, excessive for BBVA to make explicit what it understands that customers expect from your financial institution, what is your reasonable expectation, capital element to determine the prevalence of the legitimate interest of a data controller. Based on this, the Agency understands that said expectation is induced by BBVA and that the customers do not reasonably expect their data to be used to improve products and services and improve the customer experience. (…) Understand that the reasonable expectation must remain hidden, that by making it manifest in the informative clause it loses its character of expectation, it is contrary to logic and It undermines the obligation to guarantee the greatest clarity of information. In relation to the Agency's statements about the possibility that the use of the data in order to better know the customer can lead to an exhaustive analysis of the same, which is based on the possible use of data unrelated to the contracted products, collected from the use of BBVA products, services and channels; understand the entity that is It deals with mere conjectures that do not respond to the reality of the treatments carried out. BBVA does not carry out these treatments, (…) Thus, the treatment analyzed is linked to legitimate interest and allows BBVA optimize the business model; improve the quality of the products and services offered; perfect internal management and personalized relationship with the client; determine the propensity of customers to a certain product preferences in terms of channels to through which they are related and the groups to which they can offer certain C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 16 16/124 products (commercial communications are not sent to these unless they had granted your consent in accordance with purpose 3). In this sense, the existence of a reasonable expectation from customers is logical. about the processing of your data to design products that may be of interest to you. In addition, for this, data of third parties linked to the client are not processed in the transactions you make. Only data referring to behavior in relation to products and channels, which meet the principle of suitability and necessity. This conclusion coincides with the criteria supported by the AEPD in its report 195/2017, issued at the request of the Spanish Banking Association. In section VII he analyzes the prevalence of the legitimate interest of financial entities for the analysis of the transactional movements and / or customer savings capacity, to make observations and offer recommendations on products and services. And the same report also refers to the treatment of all transactions in order to be able to perform a more profiling detailed that allows to specify with precision the products to be offered. AND contemplates the adoption of additional guarantees, such as detailing in more detail the treatment to be carried out, and particularly the fact that the data Transactional will be used to create profiles and offer the interested party the possibility to specifically object to this treatment. Therefore, you understand that the Agency they would be acting against their own acts and violating the principle of legitimate expectations. Finally, on this issue, it points out that the Agency conjectures about the treatments that BBVA would be doing it, without having proof to prove it. B) Of the legality of the treatments carried out by BBVA based on the consent of their clients and the compliance of said consent with the data protection regulations. a) On the power of control of the affected party over their data The client, from the moment they manage their registration and while maintaining the relationship, has absolute power and control over the processing of your data, insofar as it is offers the possibility to opt and choose your preferences in relation to the operations of processing carried out, at any time and through the different channels made available to you in person and digitally. This power of control is what the regulations intend to guarantee and that is how the AEPD. In his recent document "User control in the personalization of ads in Android ” , referring to the duty to provide the user with real control over their data personal information, and in the document "Guide on the use of cookies" when it states "... the need to implement a system in which the user is fully aware of the use of those devices and the purpose of their use, being ultimately aware of the destination of their data and the incidents that this system implies in their privacy ” . This result is the one obtained with the processes and means enabled by BBVA, adjusted to the provisions of article 7.2 of the RGPD, in which the interested party has absolute freedom of choice and control over your data, the different options are presented for different treatments and purposes separately, does not refer to documents that are not C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 17 12/17 easily accessible and uses a granular structure when providing the information, promoted by the legislator, the AEPD and the GT29 in their “Guidelines on consent in the meaning of Regulation (EU) 216/679 ” in its revised version of 04/10/2018. The provisions of Recital 32 are also respected, which admits many and different formulas to obtain consent, insofar as it is clear that the interested party accepts the proposed treatment of your data, separately for the different processing activities carried out for the same or the same purposes; as well as the ban contained in article 7.4 of the RGPD, referring to the contingency of the execution of a contract to which the affected party consents to the processing of their data for purposes that are related to the maintenance, development or control of the contractual relationship; and the reference to Recital 43 when it states that “it is presumed that consent is not has freely given ... when the performance of a contract, including the provision of a service, is dependent on consent, even when it is not necessary for said compliance ” or the separate authorization of the different treatment operations of personal data. There is no reproach in the Initiation Agreement for these key issues, so only the way in which consent has been obtained seems to be disputed. b) On obtaining consent by taking an affirmative action of the clients. The GT29, in relation to the unequivocal nature of consent, refers to an action by the affected party that reveals a behavior, a manifestation of will or, as It is said in the RGPD, "a clear affirmative action" , which means that the interested party must having acted deliberately. For its part, the “RGPD Guide for Responsible for the Treatment ” of the AEPD refers to a manifestation of the interested party or a clear action affirmative. In this regard, BBVA points out that it has opted for this clear affirmative action: . Through any of the channels provided, BBVA enables the signing of the “Declaration of Economic Activity and Data Protection Policy ” , which offers the interested party the different options in relation to the purposes additional to the management of the relationship contractual. The signing of this document is a clear affirmative action, which is carried out carried out with full knowledge of the scope and consequences that it entails (the claimants have effectively managed their preferences). Furthermore, through the application, the interested party has at their disposal a simple procedure to manage in your preferences at all times (claimant 2). . The registration process, through the indicated digital and face-to-face channels, complies with the requirements expressed in the "GDPR Guide for data controllers" of the AEPD, which recalls that consent “can be unequivocal and be given implicitly when it is deduced from an action of the interested party ” . Furthermore, the Inception Agreement incurs contradiction given that the AEPD, in relation to claimant 2, has considered valid the process in which the client has checked any of the boxes enabled for the provision consent, but not when you have not checked those boxes and authorize with your signature the processing of your personal data for the purposes that are made available to you. The holographic or digital signature of the document is a clear affirmative action that is carried out with C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 18 18/124 full knowledge of its scope, considering the clear content of these boxes and that, for their positioning, are clearly visible and directly accessible. In the field of managing cookies or similar technologies, the control authority has admitted as affirmative actions such as navigating in a different section of the website that would use them, close the privacy notice of the first layer or click on some content of the service offered on the web. In this area, Document 02/2013 of the WG29 states that “ensure that the active behavior is close to the location where the information is presented is essential to be sure that the user must submit the action to the requested information ” . The Agency's "Guide on the use of cookies" supports as valid a link or button to manage preferences along with the possibility to "accept" or "reject" or support "pressing specific keys" as affirmative action. In the same way, the non-marking of the boxes and the subsequent subscription of the aforementioned document involve a “physical movement” that can be considered as an action clear affirmative in accordance with the RGPD, with which the interested party achieves control over their data personal. Moreover, in the regime of explicit consent, which reinforces "ordinary" consent in attention to the treatments and data submitted to it, the Guidelines on the consent of the GT29 admit as valid explicit consents formulas or less demanding processes than the one implemented by BBVA. Thus, in a written statement, These Guidelines cite an assumption that could be assimilated, in which it admits a “yes” or a “no” (example 17: “A data controller can also obtain explicit consent from a person visiting your website by offering an explicit consent screen that contains Yes and No boxes, as long as the text clearly indicates… ” ). I also know cites as an example, in the digital or online context, the one in which an interested party can issue the required declaration by filling in an electronic form, sending an email, uploading a scanned document with your signature or using an electronic form. . The consent provided by BBVA cannot be considered a consent by omission or due to inaction, as there is in any case an active behavior of the interested party: on paper insert the signature in the same place or having in sight the options offered; at digital channel, on many occasions the affected person will have accessed, browsed through the different Screens enabled to manage your consent, having chosen, or not, to reject certain treatments. In the latter case, the process involves carrying out two actions: First, the affected person has an interactive document included as a hyperlink in the text that accompanies a box ( "I have read and accept the data processing personal ” ), whose dialing is blocking to continue with the registration process; he The repeated document used in this channel is configured in two layers: a first that incorporates the boxes under discussion, and a second layer with expanded information; Second, after the collection of personal data, the interested party again has available the document with the result of the affirmative action so that, if it is agree, you must proceed to your signature. Therefore, there is no inactivity or “silence” that is interpreted as an act of acquiescence or acceptance, there is a specific activity or, at least, the option to carry it out. BBVA, nor any other responsible party, cannot materially assure that the client's signature has place after the leisurely reading of the privacy policy. However, in order to guarantee that this action takes place, facilitates repeated and insistent messages remembering this need, so that the interested party is responsible for their decisions. And he can't responsible to complete or replace the autonomy of the affected will. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 19 19/124 Neither does a presumed consent take place since there is no statement or act positive that implies acceptance of the privacy policy in its entirety. He interested party knows this policy and chooses to choose their preferences either by marking the boxes, either by subscribing to said privacy policy without checking them. There is no inaction, for the same reasons and it is not a case of squares either pre-marked, the continuity of a service or functionality as a result of silence or obtaining consent in the context of the acceptance of a contract or of the terms and conditions of a service. What's more, the subscription of the document is necessary to register as a BBVA customer, which implies the need for customers to access the documents, opt for any of the alternatives offered and sign the document, expressing their agreement or disagreement with the specific treatment operations subject to your consent. C) The consent requested by BBVA as a reinforcement of the clients' rights in treatments that could be based on the prevailing legitimate interest of the entity. The processing of the data for most of the purposes for which the Customer consent could have been based on BBVA's concurrence of interest legitimate prevailing law of BBVA, so that the entity, when obtaining the consent of the stakeholders has adopted strengthened active liability measures. The entity refers to purposes 3 and 5 of the Privacy Policy (offer products and personalized services from BBVA, the BBVA Group and others; and to improve the quality of products and services). In this regard, it recalls the 195/2017 report of the AEPD, cited in section A) of the present point 4, whose sections VII and VIII are applicable to the case now analyzed, referred to the treatments that a financial institution can protect the legitimate interest in relationship with purposes that, in BBVA's opinion, fit with those listed as 3 and 5 of the basic information contained in the informative clause. In view of what is stated in that report, it can be concluded that the AEPD considers that, in certain assumptions and under certain circumstances, the processing of data with the purpose of knowing the client's preferences and their behavior in relation to products, as well as for the establishment of profiles that allow the submission of personalized commercial communications, would be covered by article 6.1.f) of the GDPR, which would exclude the need for customers to give their consent. Thus, the entity has reinforced the power of disposition of the interested parties on their data personal, allowing you to express your refusal or opposition to the treatment from the same moment of the collection of your data, without having to make use of the right of opposition in a later moment. In addition, the exercise of this right must be justified in some assumptions ( "reasons related to your particular situation" ), while in the option offered by the client is based on his sole and exclusive will. Therefore, if the reasoning of the initiation agreement is followed, the AEPD would be considering more harmful to request consent when it is not required than to report on the treatments that the responsible entity intends to base on the prevailing legitimate interest. Based on everything set out in this point 4 of BBVA's allegations, this entity C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 20 12/20 concludes that the treatment carried out for purpose 2 is fully based on legitimate interest; those carried out for purposes 3, 4 and 5 are based on the consent granted by the interested parties with all the established requirements; and what in In the case of purposes 3 and 5, this request for consent constitutes a measure reinforced active responsibility adopted by BBVA. TENTH: By letter of 07/02/2020, notified to BBVA on the 6th of the same month, the The instructor of the procedure agreed to open a period of practice tests, Considering the claims filed and their attached documentation, as well as the documents and statements obtained by the Subdirectorate General for Data Inspection in relation to such claims in the information application process prior to admission for processing. Likewise, they were considered submitted the allegations to the initiation agreement formulated by BBVA and the documentation that accompanies them. On the other hand, it was agreed to require the entity BBVA so that within a period of ten days able to provide the following information and / or documentation: a) Copy of the record of all personal data processing activities carried out under the BBVA's responsibility mentioned in the personal data collection form called "Declaration of economic activity and personal data protection policy" , in its initial version, together with any addition, modification or exclusion in its content. b) Copy of the evaluation / s of the impact on the protection of personal data relative / s to any type of personal data processing operations carried out under the responsibility of BBVA, of those mentioned in the form “Declaration of economic activity and protection policy of personal data ” , which pose a high risk to the rights and freedoms of natural persons, in its initial version and, where appropriate, with details of the modifications or updates that could have been made. Likewise, if there has been a change in the risk represented by the processing operations and if deemed necessary, the result of the examination that BBVA may have carried out was requested to determine if the treatment is in accordance with the impact assessment related to the protection of data (article 35.11 of the RGPD). c) A copy of the documents stating the evaluation carried out by the BBVA entity on the prevalence or not of the interests and fundamental rights of the interested parties over the interests of BBVA in relation to the personal data processing operations carried out under the responsibility of BBVA, of those mentioned in the form “Declaration of economic activity and personal data protection policy ” , with which the satisfaction of interests legitimate laws pursued by the BBVA entity itself or by a third party. d) Copy of the report in which the results of the opinion study carried out among the months of January and February 2018 among new customers, to which BBVA refers on page 44 of its brief of allegations and Document 9 attached to said brief. In response to BBVA's request, the term granted was extended by five days skillful. Once the total term granted was exceeded, on 08/03/2020, a letter was received from response to which BBVA attached the following documentation: A) Impact evaluation on the protection of personal data of the treatments C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 21 12/21 related to the realization of commercial profiling. (…) B) Impact evaluation on the protection of personal data of the treatments related to carrying out risk profiling. (…) C) Report on the weighting of the prevalence of legitimate interest in the treatments to which the purpose numbered as 2 is referred to in the section “For what purposes are the we will use?" , contained in the personal data collection form "Declaration of economic activity and personal data protection policy ”. (…) ELEVENTH: By letter of 08/11/2020, notified to BBVA on 08/17/2020, granted BBVA a new period of five business days to provide a copy of the documentation indicated in section a) of the requirement indicated in the antecedent above (record of treatment activities), which was not incorporated by BBVA into its Answer from 08/03/2020. The response to this second requirement also occurred once the total term granted. On 09/16/2020, a letter was received from the aforementioned entity to which accompanied the record of treatment activities. (…) TWELFTH: On 10/07/2020, a resolution proposal was issued in the sense following: "1. That the Director of the Spanish Data Protection Agency sanctions the BBVA entity, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD, with a fine of 3,000,000 euros (three million euros). 2. That the Director of the Spanish Data Protection Agency sanction the BBVA entity, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine of 3,000,000 euros (three million euros). 3. That the Director of the Spanish Agency for Data Protection proceed to impose to the BBVA entity, within the period to be determined, the adoption of the necessary measures to adapt to the personal data protection regulations the processing operations that performs, the information offered to its clients and the procedure by which they must give their consent for the collection and processing of their personal data, with the scope expressed in Law Foundation X of the proposed resolution ” . THIRTEENTH: BBVA has been notified of the aforementioned resolution proposal, with On 11/03/2020, this Agency received a written statement of allegations requesting C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 22 12/22 once again that the nullity of the procedure is declared or, where appropriate, the expiration of the same. Alternatively, it requests that its file be agreed or, failing that, the penalty of warning or a significant reduction of the amount is imposed established in the proposed resolution. Declares reproduced in its entirety its allegations to the initiation agreement, that, in its opinion, the motion for a resolution does not take into account or contest; and formulates the considerations following, which basically reproduce those allegations at the opening of the process: 1. Regarding the setting of the amount of the sanction in the commencement agreement, it indicates again that a substantial defect of nullity is incurred, produces defenselessness and breaks the principle of impartiality of the investigating body. It considers that this causes a confusion between the phases instruction and resolution, as evidenced by the fact that the proposed resolution sets an amount identical to that indicated by the sanctioning body in the start and reproduce the concurrent circumstances. This supposes a bankruptcy of the principles inspiring the sanctioning law that is not remedied by the mere fact that the entity has been able to issue arguments to the opening and to the resolution proposal. BBVA understands that the proposal incurs a contradiction when considering that the Determining the amount of the penalty is an obligation imposed by article 64.2 of the LPACAP and then point out that “not only are the requirements mentioned, but goes further by offering legal reasoning that justifies the possible legal classification of the facts assessed at the beginning and, even, the circumstances that may influence the determination of the sanction ” . BBVA considers that that rule imposes no such obligation nor is it possible for the Administration to "go beyond" what provided for in the standard, which constitutes an excess of the powers of the body sanctioner that violates the rights of the entity against which the procedure is directed. It warns that article 64.2 of the LPACAP does not represent an important innovation of the legal system regarding the sanctioning regime in force previously, which already indicated that the initiation agreement should incorporate “the sanctions that could correspond, without prejudice to what results from the instruction ” , under which the AEPD indicated in its initiation agreements the maximum and minimum limits of the aforementioned offense in the agreement, without establishing the exact amount or amount of the penalty. Likewise, neither article 85.1 of the LPACAP requires that prior determination of the amount, since it does not refer to a pre-established sanction, but to the imposition of the sanction that proceed. This norm, applicable “the procedure has begun” , provides that the recognition of responsibility may determine the imposition of the sanction "appropriate" , so that this fixation seems to be foreseen after the acknowledgment of responsibility itself. In its section 3, the same article provides that the reductions must be adopted on the “Proposed” sanction , which requires that it has actually been determined in the procedure what is that amount, and the diction of the precept itself seems to refer to the resolution proposal as the ideal place to determine the aforementioned amount, this power corresponding to the examining body. According to BBVA, this conclusion is not contradicted by the fact that the discounts would proceed for the recognition of responsibility and advance payment of the sanction C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 23 23/124 must be disclosed in the initiation agreement. Both benefits can be awarded although the sanction is not quantified. 2. Regarding the non-existent link between what was attributed to my client and the claims against the referred to in the proposed resolution and on the inactivity of the AEPD. In relation to this issue, it considers that the arguments contained in the proposal for resolution are not admissible, as there is no doubt about the inactivity of the Administration, which has contributed to the maintenance of BBVA's conduct and affects the validity of the procedure. The AEPD expressly considers that there has been no phase of previous actions of investigation, prior to the adoption of the opening agreement, but that the claims were admitted for processing without any decision being made on them until initiation of this procedure, and that you can maintain that situation with the sole limitation that said decision does not violate the statute of limitations of the alleged infringement, which would not begin to be computed until BBVA modified its Privacy. However, this situation is contrary to the principles of the procedure sanctioning, generating a situation of legal uncertainty to the detriment of BBVA. In this sense, articles 64.2 and 67 of the LOPDGDD establish a regulated procedure with clearly marked time limits, differentiating those that are a consequence of a claim of those in which the AEPD decides on its own initiative. At In the first case, three successive phases are established, without a break in continuity: (i) admission to processing of the claim within a period of three months; (ii) the (optional) realization of investigation actions for a maximum period of twelve months; and (iii) the opening of a sanctioning procedure, which will last a maximum of nine months. The AEPD may choose to dispense with investigative actions, but that decision cannot imply a stoppage or stagnation of the claim admitted to process for an indefinite period of time, only limited by the statute of limitations, given that this availability contravenes the principle of legal security of the company. In case of deciding not to carry out any type of investigation, the claim must proceed immediately to the opening of sanctioning procedure. In this case, there has been a delay of ten months, without there being a decision to carry out investigative actions. The AEPD should have agreed to open the procedure at the time it decided to admit the claim of claimant 2, that is, on 02/01/2019, so the procedure should have concluded on 11/04/2019. Without However, that opening took place on 12/02/2019, almost a month after the date on which the procedure should have concluded by means of the corresponding resolution. Understands BBVA that this unjustified inactivity results in the expiration of this procedure, given that the term to resolve would be expired on the same date that the start agreement. It is applicable to this case the doctrine established by the National Court (AN) in its Judgment of 10/17/2007 (appeal 180/2006), in which it revealed the illegality of the inadequate or unfounded prolongation of the preliminary investigation actions: “[…] When the delay in initiating the sanctioning procedure occurs, as in the present case, for a long period of time, in which the relevance or not of said C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 24 12/24 initiation, but no action is carried out by the Administration and ultimately, there is no justification for such delay, there is a spurious and fraudulent use of the provided for both in article 12 of RD 1398/1993 and in article 69.2 of the LRJ-PAC. […] And this because, as has also been indicated, and once the AEPD had information and data sufficient, provided in the first two months of the processing of the repeated actions previous, and could now direct the accusation against [...] , complying with legal requirements, left without However, almost eleven more months go by without taking any action, maintaining such open request for information, but completely inactive. […] We consider for all this, […] that there has been a fraudulent use of the institution of preliminary proceedings. Consequently, we are faced with an assumption of law fraud contemplated in Article 6.4 of the Civil Code, as it is intended to circumvent the application of Article 42.2 of the Law 30/1992 using the request for information to avoid expiration of the file sanctioner. Fraudulent use that entails the invalidity of the sanctioning procedure and the consequent estimate of the claim of the claim, with revocation of the sanction imposed on […] in the contested resolution. " The AEPD deliberately decides not to process any procedure and wait for the moment that it deems appropriate to initiate the sanctioning procedure, which implies, taking into account of the doctrine supported by the SAN that has just been reproduced, a fraud of Law aimed at the violation of the regulations governing the terms and deadlines of resolution established in both the LPACAP and the LOPDGDD, with the consequent damage to BBVA. Faced with this, it cannot be argued that the AN doctrine cannot be extrapolated by the fact that it refers to a fraudulent use of the previous actions of investigation whose conduct was not agreed in this case, given that precisely the fraud of The law derives from the complete inaction of the Administration, which considers it possible to ad aeternum of the initiation of the sanctioning procedure for some facts regarding the that he has already collected all the information that, in his opinion, is relevant to direct the sanctioning action against BBVA. BBVA's conduct is aggravated by the continuing nature of the infringement, at least until the moment it proceeded to modify the aforementioned policy in July 2020. BBVA acted from the moment it responded to the requirements that it was led until the date on which the initiation of this procedure was agreed, in the confidence legitimate that the AEPD considered that its Privacy Policy was in accordance with the data protection legislation, having not directed any reproach or carried out, with knowledge of my client, no investigative action. All this results in the nullity of full right of the action of the Administration, which deliberately dispenses with the clearly and explicitly established legal procedure prejudice to the principles of legitimate confidence and legal certainty that assist BBVA. On the other hand, the aforementioned entity dedicates a section of this second allegation to the necessary link between the object of the sanctioning procedure and the claims made, in the assumptions of ex officio initiation of the complaint procedure, already made manifest in their arguments at the opening of the procedure. It questions whether the AEPD may decide to open a procedure in relation to the extremes that it deems appropriate (the resolution proposal itself allows on issues that are not subject to processing). C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 25 25/124 The relevant question is found in the factual account of the proposal, which founds the processing of the procedure in the existence of five claims against BBVA, and not in the Decision of the AEPD to initiate its processing on its own initiative, using its powers. Thus, once the claim is admitted for processing, you must continue with its processing and there must be a precise and direct link between the content of said claims and the sanctioning reproach. The AEPD equates the fact that the procedure is initiated ex officio with the beginning “by its own initiative ” . And in the present case, it begins as a result of five claims, a the terms of which the procedure must adjust, which cannot be a kind of general doctrine directed against BBVA. BBVA points out that this argument derives from the doctrine emanated from the Sentence of the AN of 04/23/2019, already exposed in the allegations to the opening, from which it follows that a proposal that does not refer in its foundation to The claims made exceed the necessary consistency required between the facts and the infractions, converting the five claims into a kind of general cause against BBVA. In BBVA's opinion, such a conclusion affects the principle of legal certainty and implies a flagrant violation of the principle of interdiction of the arbitrariness of public powers, enshrined in article 9.3 of the Constitution. 3. On the change in the classification of the sanction imputed to BBVA and some considerations general information about the application of articles 13 and 14 of the RGPD. a) Regarding the change in the classification of the offense attributed to BBVA and the non-application to the present case of article 14 of the RGPD. While in the Initiation Agreement only Article 13 of the RGPD, the Proposed Resolution extends the sanctioning reproach to the provisions of the Article 14 of the aforementioned legal text, which is not applicable to this case, taking into account what is established in section 5 c) of the same article 14 and in article 2.1 of the RGPD: (…) The same argument supports the exclusion of the duty to inform with respect to the credit information, whose access is provided for in the aforementioned article 12.1 of the LCCI. BBVA adds that, however, in its Privacy Policy it informs about the treatment of these data and, within the categories of data that it submits to treatment, indicates expressly “[d] economic and financial solvency figures (including those relating to all the products and services that you have contracted with BBVA or for which BBVA is marketer) " . b) On the supposed obligation to include the categories of data in the information that must be provided to the interested party. BBVA has made an effort to clarify the preparation of its Policy on Privacy, incorporating the categories of data that would be subject to treatment, despite not being required in article 13 of the RGPD. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 26 26/124 The AEPD indicates that the aforementioned article 13 imposes the obligation to inform each and every one of the data subjected to treatment, breaking down that information for each of the specific purposes, regardless of whether the origin of the data is the interested party, in the cases in which the treatment is intended to be based on the legitimate interest of BBVA or in the consent of the interested parties. Go to what is indicated in the document "Guidelines on consent" , adopted by the European Committee of Data Protection (hereinafter, “EDPB”), “which has been updated by the European Data Protection Committee on 05/04/20 ” , that is, five months later of the initiation agreement, so this issue does not merit further consideration. An additional obligation is imposed that is not expressly included in the RGPD. And that It cannot be modified by the AEPD in a sanctioning resolution nor by the European Committee of Protection of Data in an Opinion, for the simple reason that they lack powers normative. The LOPDGDD (article 55) attributes to the AEPD the competence to set its criteria for action in Circulars, which will be mandatory, but this cannot imply the imposition of an obligation not recognized in the regulations. In this case, in addition, the AEPD modifies its criteria regarding what is supported in its “Guide on compliance with the duty to inform ” and it does so in a singular resolution, violating the principle of interdiction of the arbitrariness of public powers, by not exposing the motives underlying such a surprisingly novel criterion, and the principle of singular non-derogability of the regulations, enshrined by article 37 of the LPACAP. Finally, it invokes again what was indicated by the AN in Judgment of 04/23/2019, which admits that a sanctioning procedure is used to establish criteria interpretative. 4. Regarding the AEPD's assessments regarding the alleged inadequacy, imprecision and intentional indeterminacy of the information provided by BBVA. a) Subjective evaluations made by the AEPD in relation to the transparency of the BBVA Privacy Policy. - Pronouncements regarding the terminology and expressions used. Despite the foregoing, BBVA makes allegations on the above issues in which limits itself to stating that the Agency bases its previous findings on appraisals subjective; that the terms used are clear and precise, widely used in the topicality and that meet the intelligibility requirement; that uses those expressions with the intention to provide its clients with a service adapted to their specific circumstances, for which it is essential to "know" them ; and that the context in which the information, which is determined by the contractual relationship, as well as the system of document in two layers, allow a better understanding of the expressions used. It provides an explanation of some expressions to which the AEPD refers: . "We will apply statistical and classification methods to correctly adjust your profile ” . It involves a specification of two of the techniques used to better understand the client, frame him appropriately and thus be able to offer him a service C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 27 12/27 properly adapted to your personal circumstances. . “Analyzing the uses of BBVA products, services and channels” , used in the BBVA's Privacy Policy in the context of personalizing the experience of the user, in order to be able to offer a service adapted to their circumstances and needs. The AEPD qualifies this expression as unclear, imprecise and ambiguous. However, in a later point of the Proposal (p. 73), she herself explains its meaning: “[t] odo this refers to the data processed by reason of the products and services contracted ” . Add that some of the expressions explained above are similar to expressions offered as examples in the "Guide on the use of cookies" : . "Carry out statistics, surveys, actuarial calculations, measurements and / or studies of market that may be of interest to BBVA or third parties ” , is similar to the expression “for analytical purposes” . . "Analyzing the uses of BBVA products, services and channels" is similar with the expression "show you personalized advertising based on a profile prepared by starting from your browsing habits ”. - Similarity between the expressions used in the BBVA Privacy Policy and the included in the AEPD's “Guide for compliance with the duty to inform” . Change of unjustified criteria: violation of legitimate expectations and of the jurisprudence of the AN The AEPD avoids ruling on the contradiction posed by the reproach made to BBVA and the recommendations included in the cited Guide, which offers examples of possible formulas to inform about the purposes of the treatment similar to those included in the Policy of Privacy. The publication of a Guide by the AEPD generates legitimate confidence in its recipients, who adapt their behavior in the belief that its application contributes to the compliance with the regulations, so that we now consider those expressions would mean acting against their own acts and would determine the violation of the legitimate expectations and legal certainty that documents must provide published by a supervisory authority, as well as the jurisprudence of the AN collected in the Judgment of 04/23/2019, already cited, which declared contrary to the principles of law sanctioning the establishment of general criteria within a procedure sanctioner. - Subrogation of the AEPD in the position of the interested parties. Reproach of an action of marketing carried out by BBVA under the protection of free enterprise. The AEPD engages in conduct similar to one of the reproaches it makes against me represented, the impersonation of the interested parties, when he puts himself in the place of recipients of the information to conclude is not easy to understand for any interested party or he can deduce the meaning of expressions from the context. In this regard, it is established as a proven fact that BBVA analyzed during 2017 and 2018 the impact of the RGPD on its activity and carried out two investigations by third-party experts to C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 28 28/124 assess the content and format of the text, or test its understanding, resulting in undisputed that he acted with proactive responsibility to know people about the that collects information and determine if said audience is capable of understanding, adapting the information provided and the terminology for it. The reproach of the Agency reaches the way of presenting the document to the interested parties, pointing out that it intends to offer an image of courtesy and good treatment to the client, criticizing with This is nothing more than a simple business decision by BBVA about how to present a document to its clients, for which the Bank is fully legitimized by virtue of its right to freedom of enterprise enshrined in article 38 of the EC. b) Excessive information requirements for interested parties that could cause information fatigue. (…) The incorporation of all that information related to the type of data to a document already already excessively long, it would be liable to cause information fatigue in the interested parties, contrary to the GT29 Guidelines, which recommends efficient information and succinct; or the AEPD itself, which has highlighted the importance of not overwhelming with the information, as in the "Guide on the use of cookies" . c) Supposed lack of determination of the interested parties affected by the communication of data to the BBVA Group companies. As indicated in the Privacy Policy, the data of representatives, guarantors, authorized or beneficiaries are treated only for the management of the contract in which intervene as a result of their legal relationship with a client of the Bank. In no case these data are communicated to the BBVA Group companies. 5. About profiling. Purpose 2 of the Privacy Policy seeks to personalize the experience of its customers and concludes by indicating the usefulness of said profiles. The treatment carried out is detailed (analyze and assess the data), the type of data that is uses in said treatment (data that allows you to be identified, financial evolution and products and services contracted, operations - payments, income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels) and the purpose for the one in which said analysis is carried out (elaborating a profile and using it in business models). This entity considers that the knowledge of the clients, the analysis of their interrelation with the products and services offered and the assessment of their preferences expressed to through the use or not of them, and the way they are used, is the basis of the information that any company uses to assess its business strategy and improve it, in short, to design their business models and for customer relationship management. This treatment in no case will imply an individualized analysis for the performance of commercial communications, which involves additional and differentiated treatment, which only It could be done with clients who have given their consent to do so. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 29 29/124 This AEPD seems to understand that the only purpose of profiling is to personalization of the offers, when said treatment may also be aimed at many other purposes, such as improving the business model, the portfolio of products and services offered by the person in charge or the customer's experience. For this, reason this part understands that the Agency confuses in this point two purposes that are listed in two different sections of the Privacy Policy. 6. On the legality of the treatments that BBVA protects in the legitimate interest in its policy Of privacy. The arguments on this issue included in the proposal are presented in a dispersed, making it difficult for BBVA to really understand the reasons why the AEPD found their reproach. However, it seems to be concluded that, in the opinion of the Agency, they would not attend in this case, the requirements derived from Recitals 41 and 47 of the RGPD. Understands BBVA that the AEPD intends to highlight that legitimate interests are not clearly described, the treatment described in purpose 2 does not comply with the principle of necessity, the reasonable expectation of the interested party concurs and, ultimately, a adequate weighting of the rights and interests at stake. a) On the concepts of legitimate interest and purpose and their supposed confusion on the part of BBVA. The AEPD in its Proposed Resolution highlights the, in its opinion, substantial difference between the legal concepts of purpose and legitimate interest. BBVA understands that it deals with elements inextricably linked to each other. Only in this way can the article be understood 6.1 f), which considers the treatment based on legitimate interest lawful; that is, the interest Legitimate is the purpose (to be satisfied) for which the data is processed. Following the reasoning of the AEPD, any treatment carried out on the basis of the legitimate interest in a business environment is illicit because the sole purpose is the mere obtaining an economic benefit (or reducing a loss). Even the treatments that the AEPD has considered based on legitimate interest would be contrary to the Law, since all would fit into the assumption outlawed by the STS of 06/20/2020, which refers to data processing of people receiving jokes for the purpose merely chrematistics. And the same can be said of assumptions accepted by the CJEU, the AN or the AEPD when the treatment is carried out by a company (cites several examples: treatment for the promotion of free competition in a given sector - for example, access by electrical traders to the Information System of Supply Points of the dealers; data processing by search engines; treatments based on freedom of information from the media; treatments carried out in the exercise by the employer of his business control functions; creating systems common fraud prevention; credit information systems; even the treatments for management and internal administration of business groups or the processing of personal data for marketing purposes - indicated in Recital 47 of the RGPD). The legitimate interest that BBVA intends to fulfill is to continuously improve the relationship with its clients and the portfolio of products and services it offers, being able to respond diligently to your needs in case they require them. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 30 12/30 Obviously, this legitimate interest is aimed at the continuous improvement of the business and ensure that customers are satisfied with the service provided. Otherwise would choose to break the business relationship with the entity and hire the services of a competitor. As is logical, this circumstance will entail a loss for BBVA that, lawfully, intends to avoid. But that does not mean that the legitimate interest that justifies the treatment of data by BBVA is not to provide the best service to its customers, to be able to anticipate their needs, offer them, if they consent, products that can better match your profile and, consequently, continually improve and refine your business model. BBVA has a legitimate interest in knowing its clients as well as possible in order to provide their services with the highest degree of excellence possible, even when this leads, in his case, coupled (obvious that is to say in the case of a mercantile) the consequence of obtaining an economic benefit. (…) b) Regarding the reference to the principle of necessity made in the Proposed Resolution. The AEPD considers that the principle of necessity required in article 6.1 f) of the RGPD in relationship with the satisfaction of legitimate interest, does not occur in this case. And part of the doctrine sitting in the ECHR Judgment of 03/25/1983, referring to an assumption of possible violation of the secrecy of communications, in which the term "need" is not corresponds to the one that results from the application of the RGPD. As regards the principle of necessity, the interpretation is much simpler and also of the doctrine of the ECHR, which has been repeatedly applied and summarized in Spain by our Constitutional Court when analyzing the proportionality of a restrictive measure of a fundamental right. STC 207/1996, cited by the AEPD in the statement of reasons for its Instruction 1/2006, notes: “[…] To verify whether a restrictive measure of a fundamental right exceeds the judgment of proportionality, it is necessary to verify whether it meets the following three requirements or conditions: "if such measure is capable of achieving the proposed objective (suitability judgment); yes, in addition, it is necessary, in the sense that there is no other more moderate measure to achieve such purpose with equal effectiveness (judgment of necessity); and, finally, if it is weighted or balanced, for deriving from it more benefits or advantages for the general interest than damages on others goods or values in conflict (judgment of proportionality in the strict sense) ”. Well, in the present case, the purpose pursued by BBVA can only be carried out with the same probabilities performing the treatment that has been described and establishing models that allow you to really know the preferences of your customers. (…) c) On the application to the present case of the principle of reasonable expectation of the interested party. As already stated in our submissions to the Initiation Agreement, the reasoning of the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 31 12/31 Proposed Resolution can only be classified as contradictory: . The AEPD considers that the treatment must be directly foreseen by the interested party, without this forecast being mediated by the indications of the person in charge. However, the Article 13 of the RGPD imposes on that person in charge the obligation to inform about the treatment and indicate that it is based on a prevailing legitimate interest under penalty of breach said rule. BBVA wonders if the AEPD intends to say that they should not be informed treatments based on legitimate interest. Once the information is produced, It is impossible to know whether or not the interested party was able to foresee the treatments in advance. . The assessment of the concurrence of the reasonable expectation can be derived from the relationship of the affected party with the person responsible. However, the AEPD considers that the interested party is irrelevant the excellence that may exist in the Bank's relationship with him. (…) d) (…) A different matter is that the data collection form of the interested party is used not only as the initiator of the client's relationship with BBVA, but also to comply with the Due diligence obligations established in the anti-money laundering legislation capitals. The data is kept for the period established in this legislation, for the purposes provided therein, but not for the controversial treatment. However, as it appears to be clear from the Motion for a Resolution, the subjects Obligors should request the same data from the affected party on as many occasions as treatments of the same to be carried out, which obviously does not conform to the norm, nor it would be reasonable. Finally, the Proposal for Resolution considers the reference to the Report 195/2017 of the Legal Office of the AEPD, considering that “the premises valued in This report does not fit the present assumption. In the aforementioned aspects, this report analyzes the performance of treatments for marketing purposes, provided that the offer is refer to products similar to those contracted by the interested party, and only use the information available as a consequence of product management ” . BBVA declares not understanding how the aforementioned assumption differs from the one currently analysis. 7. On obtaining consent and its compliance with the RGPD and the LOPDGDD. a) Previous considerations; precise identification of the eventual illicit. In relation to the informed condition that is required regarding consent, it is BBVA refers to what is indicated in the previous sections. Regarding the form of obtaining consent, it refers firstly to the considerations formulated by this Agency regarding the “conscious design” carried out by BBVA with the purpose of favoring the consent of the majority of its clients, which that entity does not consider legally relevant. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 32 32/124 (…) Lawfully pretending to process large amounts of data for as many more purposes is legitimate, It is in the interest of the interested party and does not imply the non-observance of the regulations, so it cannot be subject to sanction or be considered in the graduation of responsibility. It would be relevant to assess the element of fault, if BBVA had designed the mechanism "Knowingly" that he was breaking the rules, which he categorically denies. b) On the characteristics that consent must meet (other than the form, mechanism or formula for obtaining it). The AEPD considers that the criteria contained in recital 43 of the RGPD are not met, that requires that the processes to accept the treatments allow “to authorize separately the different personal data processing operations ” , and reproaches that there is no adequate separation of the different treatments, understanding that the signing of the Privacy is the consent or the "only action" that the interested party performs to authorize the treatments whose consent BBVA requests. It is paradoxical that “inaction” is argued as the basis for the responsibility that imputes and it is also pointed out that said "sole action" is also punishable. In any case, it is irrefutable that the different purposes for which the sought the consent of the interested party, as can be seen from the mere reading of the text, which foresees varied and different purposes. As many consents as purposes or uses is intended. c) On the way in which consent has been obtained. The Agency considers that consent is not unequivocal. Estimate that we We are faced with a statement or a clear affirmative action, which is intended to obtain a consent through the inaction of the interested party ( “do not check the boxes in which indicates “I don't want to…” ” ). The BBVA entity does not share this criterion, as anticipated in the brief of allegations to the Initiation Agreement, in which he presented a series of considerations in relation to the so-called power of control of the interested party over their data, which is respected if we analyze the mechanism devised as a whole and not in isolation, paying attention only to the boxes contained in the Privacy Policy. This question is on which the AEPD does not argue. And, as already indicated, the RGPD admits many and different formulas to obtain the consent, provided that it is clearly derived from them that the interested party "accepts the proposed treatment of your data ” . The AEPD is based exclusively on the "negative" character of the boxes without analyzing whether the set of actions that the interested party can perform allows to conclude whether or not there is a will deliberate to consent or not to certain treatments, knowing that it can never be achieved absolute certainty of the motivation of the interested party. In this case, whatever the option of the interested party (whether or not the boxes are marked), it will never be possible to consider that there has been an inaction of it, since that specific inactivity cannot be isolated from the set of actions that the interested party must carry out to register as a client. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 33 33/124 Next, it highlights some essential aspects of any registration process of a interested as a BBVA client: . In any registration process, the subscription and signing of the Policy of Privacy, in which the options offered, manifest and obvious to the interested party. It is a clear affirmative action carried out with full knowledge of the scope and consequences. In addition, the client has at his disposal, at through the application, a procedure to manage your preferences. . The established formula allows the interested party to make different decisions in relation to the processing of your data, it being obvious that if the interested party does not use them, they will not it is reprehensible to the entity. There is a clear affirmative action, since all interested parties subscribe digitally or in person the Privacy Policy, but, previously, the interested party takes various decisions, choosing options or preferences. On paper, the signature is inserted in a place where the options offered are visible, then there is a conduct that implies acceptance of what is signed; in digital form, the affected party agrees to different screens enabled to manage your consent, you have a “Check acceptance ” and after collecting the data the document is available again to proceed with your signature, if you agree. Neither does a presumed consent take place since in no case does a declaration or act of "positive silence" that implies acceptance of the Policy of Privacy in its entirety; These are not already marked boxes; nor the inactivity supposes the continuity of a service or functionality. The claim made by the claimant 3 is a sample of the fulfillment by BBVA of their obligations. In short, the registration processes through digital and face-to-face channels comply with the requirements expressed in the Guide for heads of the AEPD, which recalls that the consent “may be unequivocal and be given implicitly when it is deduced from an action of the interested party ” . Finally, it deserves to pay further attention, in relation to the written statement, to case referred to as “example 17” in the EDPB Consent Guidelines, since it is a case that can be assimilated to the one that is the subject of this file, by supporting a scenario that contains the dialing options of a "yes" and a "no" . So, notes that: “A data controller can also obtain explicit consent from a person who visit your website by offering an explicit consent screen that contains Yes and No boxes, provided that the text clearly indicates consent, for example, “I, give my consent to the treatment of my data ”and not, for example,“ I am clear that my data will be processed ”. Strike say that the conditions of informed consent must be met, as well as the rest of the conditions necessary to obtain valid consent ” . 8. Application to the present case of the principles of guilt proportionality and modifying circumstances of the concurrent responsibility in the same. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 34 34/124 a) Of the non-concurrence of guilt in the actions of BBVA. Has acted at all times with full diligence, following the guidelines of the AEPD and including in its Privacy Policy the mandatory content established in article 13 of the RGPD and extremes that neither the norm nor its interpretation impose; and in the conviction, after it reported on the claims made, that the Agency had not warned element that contravenes the provisions of the RGPD and LOPDGDD. It invokes the Sentence of the AN of 11/19/2008, in which the concurrence of the principle is justified of legitimate confidence, having acted in the belief that their conduct conformed to the legality. And the Sentence, also of the AN, of 10/15/2012 (resource 608/2011), which assesses “the active participation of the Administration ”, which could lead the interested party to the conclusion that his performance was in accordance with the law; that his conduct is not covered by a reasonable legal interpretation of the applicable rules; and the difficulties in interpretation described by the Administration. b) The application of the principle of proportionality. BBVA considers that certain aggravating factors appreciated by the Agency would not be applicable to the conduct of BBVA and that certain circumstances concur that reduce its responsibility. c) Aggravating circumstances appreciated by the AEPD. - Nature, seriousness and duration of the infringement (article 83.2 a) of the RGPD). The Agency considers an element of the type as an aggravating circumstance, such as the alleged breach of the principle of transparency, intrinsically related to the non-compliance with articles 13 and 14 of the RGPD, which is not acceptable in law. And the The same can be said in relation to the violation of article 6 of the RGPD, which according to the Agency is aggravated by affecting the principle of transparency. - Supposed absence of adequate procedures for action in the collection and processing of personal data (article 83.2 k) of the RGPD). It can be concluded in the same sense expressed in the previous subsection, since the fact that the Agency considers that BBVA does not have procedures in place appropriate course of action derives from your understanding that the Privacy Policy does not complies with the information obligations or with the requirements for obtaining the consent. - Presumed intentionality in the commission of the offense (article 83.2 b) of the RGPD). (…) All of this, which appears in the Bank's annual reports from 2016 to 2019, is proof of BBVA's firm and determined will to achieve full compliance with the RGPD and C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 35 35/124 since before its application, as well as the LOPDGDD. The advance with which they started the aforementioned works, as well as the fact of having involved the stakeholders themselves in the development of the new privacy policy, attest to goodwill, responsibility proactive and diligence of BBVA in terms of compliance with the regulations on the protection of data. The good faith of the Bank and the will to adapt its activities to the aforementioned is shown normative. If the Agency considers that the work of adaptation to the RGPD and the LOPDGDD are irregular or insufficient, the aforementioned regulation contemplates other mechanisms other than the imposition of a fine to correct the deficiencies that could be appreciated by the supervisory authority. It cannot be accepted that having developed diligent and proactive actions in order to adapt their activities to the new regulatory framework is used against them and considered as an aggravating circumstance of their alleged responsibility. Especially, having note that BBVA has adjusted its actions to the guidelines issued by the AEPD. - Supposed continuous nature of the offense. The Agency was perfectly aware of BBVA's Privacy Policy for almost a year before agreeing to start this sanctioning procedure. He let ten months go by between the first admission for processing and the start of the procedure, without making any reproach formally to BBVA, which acted with the confidence that it was not appreciated by the supervisory authority the existence of any violation. Well, the reproach derived from the maintenance over time of the Privacy Policy BBVA should only be attributable to those who, knowing that they considered the conduct as Reprehensible, he kept that opinion hidden for such a long period of time. The AEPD, through its inaction, made it possible for BBVA not to adopt any measure to correct or modify the Privacy Policy. d) Extenuating circumstances concurrent in the alleged object of this procedure. - Intentionality or negligence in the infringement (article 83.2 b) of the RGPD) and degree of BBVA's responsibility taking into account technical or organizational measures applied (article 83.2 d) of the RGPD): adaptation work to the RGPD and the LOPDGDD. The actions carried out since 2016 to adapt its activities to the RGPD, already exposed, give account of the special diligence and proactivity with which it faced the approval and entry into force of the new regulatory framework. Such actions cannot used against them as an aggravating circumstance, even less to indicate that they were made with the intention of violating the rule. He understands that the lack of intentionality in the commission of the infractions that are imputed and the high degree of proactive responsibility shown to through the aforementioned works. - Measures taken by BBVA to mitigate the effects of the alleged infractions. Diligent regularization (article 83.2 c) of the RGPD). Regularization measures C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 36 36/124 taken in relation to claims. Development of a new version of the BBVA Privacy Policy. BBVA has developed a large number of actions to fully comply with the regulations on data protection and correcting any failures revealed for the aforementioned claims. It may be mentioned that the Bank met the wishes of each of the claimants as soon as they became aware of them, with independence of the validity or correctness of the arguments put forward by them, immediately implementing the precise and sufficient actions to prevent your data from were treated against their will. Likewise, BBVA carried out a whole set of internal actions aimed at repeatedly remind the whole of its commercial network, the policies adopted in data protection matters; one more sample of the diligence employed. Known the opening of the procedure, it has intensified its activity with the purpose of reinforce the information provided to customers and has developed a new version of the Privacy Policy, without this implying in any case the recognition of the infractions that are imputed. According to BBVA, this new version of BBVA's Privacy Policy would leave the content of the all the reproaches made by the AEPD in relation to the transparency of the herself. It highlights the following aspects: . It exposes in an even more clear and differentiated way the purposes of the treatment of data of representatives, guarantors, authorized or beneficiaries, separate from customers (In this way, the communication of data is only one of the purposes of the treatment of customer data). Likewise, the New Privacy Policy specifies the categories of data affected in each case. . It offers more detailed information in relation to the categories of personal data of clients subject to treatment, distinguishing between those provided directly by the interested party, those collected or generated by BBVA and those obtained from other sources. . The purposes related to the development of commercial profiles and risk, systematically indicating the types and purposes, the basis of legitimation - describing, where appropriate, the legitimate interest of BBVA-, the data used and the period time they understand, as well as the sources of such data. . Indicates what personal data of customers will be communicated to third parties, who can being said third parties, the purpose of the communication and the basis of legitimacy for the herself. For this, communications are referred to as a specific purpose. and differentiated from the treatment of BBVA customer data. Finally, BBVA points out that, despite what is alleged in this sanctioning file, given that the Agency does not share the criteria of that entity (despite the full legality of its action), and exclusively taking into account the very serious consequences that for BBVA may imply the maintenance by the Agency of this criterion, the mechanism for obtaining the consent of the interested party, including in the first layer informative differentiated and granular boxes that the interested party must mark if they wish C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 37 37/124 authorize BBVA to process your data for each of the purposes indicated. Each box is accompanied by a description of the treatment and a referral to the additional information on the purpose contained in the second layer. BBVA considers that all of the above shows the diligence, proactivity and speed shown to improve the information provided to clients, representatives, guarantors, authorized and beneficiaries and rectify the defects of which, in the opinion of the Agency, such information. Consequently, in BBVA's opinion, in the event that the AEPD consider that you are responsible for the two offenses that are charged, the measures taken by the Bank should be taken into account as extenuating circumstances of its eventual liability. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS 1. On 10/16/2018, a claim made by the Claimant 1 against BBVA, for sending to his mobile phone line, on 10/11/2018, of a promotional SMS without your authorization. In relation to this claim, BBVA informed this Agency that claimant 1 provided his compliance with the sending of advertising by subscribing, on 06/07/2016, of the document "Customer identification, processing of personal data and digitized signature" , contributed to the actions by the entity itself. 2. On 12/09/2018, a claim made by the claimant 2 against BBVA, noting that the BBVA App does not meet the legal requirements related to free and informed consent. In relation to his complaint, complainant 2 provided a copy of an email addressed to to BBVA, dated 11/09/2018, in which it expressly indicates the following: “Dear BBVA DPO The document attached to the previous message comes from the BBVA APP offered on the Android platform. The aforementioned application requires the user, as a step prior to its use, to provide consent through the electronic signature of a document that only offers the possibility of opposing data processing personal for purposes other than those necessary for the purposes of providing financial services if the Client activates the boxes of opposition to a treatment that BY DEFAULT (see article 25 of the GDPR) should be considered as activated. The informative text is inconsistent with the transparency principle of article 12 of the RGPD… ”. BBVA responded to this email through another dated 11/29/2018 in which literally indicates: “The way in which the consent to which you refer is obtained has been considered valid not only in the internal analyzes of our own entity, but in all those forums where it has been raised the question, since the interested party has the option of choosing in a simple and easily understandable the option you prefer ”. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 38 38/124 The claimant contributed a copy of the document generated by the App to the proceedings, with the "Declaration of economic activity and personal data protection policy" label , at whose section 1 contains the identification data of the client (the claimant 2) and his declaration of economic activity. In this document, all the enabled options are checked so that the interested party gives their consent to the processing of personal data with the purposes expressed in said options ( "I don't want ..." ). 3. On 02/13/2019, a claim made by the claimant 3 against BBVA, in which it shows that the aforementioned entity required it, to unlocking your account, signing the personal data protection document. Said document, which is provided to the proceedings by the claimant 3, corresponds with the so-called "Declaration of Economic Activity and Data Protection Policy Personal ” . This document appears dated 02/11/2019 and without the interested party's signature. Of the options enabled in this document for the interested party to give their consent to the processing of your personal data for the purposes that are expressed in each case, The option “I do not want BBVA to process my data to offer me products and BBVA, the BBVA Group and other personalized services for me by email ”. With its brief of allegations, BBVA also provided another copy of the aforementioned "Statement" signed by claimant 3 on 01/17/2019 and with the mark in the same option of the consents. 4. On 05/23/2019, a claim made by the Claimant 4 against BBVA, for sending commercial communications that have not been requested nor authorized. In relation to this claim, BBVA informed this Agency that claimant 4 was not opposed the data processing reported in the document "Declaration of Activity Economic and Data Protection Policy ” , signed by the same on 11/26/2018. In the cited document, which has been contributed to the proceedings by BBVA, there is no marked none of the options offered to the interested party to consent to the treatment of their personal information. 5. On 08/27/2019, a claim made by the Claimant 5 against BBVA, for making phone calls and sending SMS advertising. In relation to this claim, BBVA informed this Agency that the claimant 5, on the date 06/18/2018, signed the document “Declaration of Economic Activity and Protection Policy Personal Data ” , consenting to the processing of your data for commercial purposes. Add that said document was signed a second time by claimant 5, on 05/27/2019, expressing their opposition to the aforementioned treatments. Both documents are provided to the proceedings by the entity BBVA. In the first of them there is no mark in the boxes enabled for the client to express their consent to the treatments indicated and in the second the interested party marked all the options ("I don't want ..."). C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 39 39/124 6. To adapt its actions to the RGPD, the BBVA entity enabled the form of collection of personal data called "Declaration of economic activity and policy of protection of personal data ” . Section 1 of this document contains the data identification of the client and its declaration of economic activity. Other data include those related to name, surname, tax identifier, date of birth, nationality, address, marital status, matrimonial status, contact details, fixed and variable income, entity in which it provides service or gross annual income. Through this document, established by BBVA as mandatory for all customers, the said entity discloses the terms of its privacy policy and establishes the mechanisms so that clients can give their consent for the treatment of your personal data for the purposes indicated in the aforementioned document. The signature of the document by the client and the date is included at the end of section 2 " protection of personal data ” , expressly indicating to the interested party that with the process of signature agrees to the "Declaration of economic activity and protection policy of personal data ” . Immediately after signing, the "Extended Information" on the subject of protection of personal data and a glossary of terms. In relation to the provision of consent, immediately before the space provided For the signature, interested parties are offered the possibility of marking the following options: "We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below. . Products and prices more adjusted to you [] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me. [] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me. Quality improvement [] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make your data ". (The content of the form "Declaration of Economic Activity and Protection Policy of Personal Data ” provided by the claimant 3 is similar to that reproduced in Annex 1, except the detail relating to the box through which the customer is offered the option "I do not want BBVA treats my data to offer me products and services from BBVA, Grupo BBVA and others personalized for me ” , which allows you to mark the following channels: [ ] By email [] By SMS [] By phone (phone call) [] By post) The entire content of this "Declaration of economic activity and policy for the protection of C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 40 40/124 personal data ” is declared reproduced in this act for evidentiary purposes (section 2 "Personal Data Protection Policy" and "Extended Information" is included as Appendix 1). 7. (…) 8. (…) 9. In response to the test requirement that was made by the instructor of the procedure, BBVA provided the following documents for the proceedings: . Impact evaluation on the protection of personal data of the treatments related to the realization of commercial profiling (The detail of the content of this document, as far as the present procedure is concerned, is outlined in the Antecedent Eighth). . Impact evaluation on the protection of personal data of the treatments related to the performance of risk profiling (The detail of the content of this document, as far as the present procedure is concerned, is outlined in the Antecedent Eighth). . Report on the weighting of the prevalence of legitimate interest in the treatments to which the purpose numbered as 2 is referred to in the section “For what purposes are the we will use?" , contained in the personal data collection form "Declaration of economic activity and personal data protection policy ” (The content of this document is also outlined in Antecedent Eight). . Record of treatment activities (the content of this document is extracted from in Antecedent Ninth). These documents are declared reproduced in this act for evidentiary purposes. 10. BBVA has stated in its brief of allegations that the total number of natural person clients it amounts to eight million thirty-one thousand. On the entity's website it is reported that the number customers exceeds ten million. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of Control, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and solve this procedure. Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they are not contradicted, in the alternative, by the general rules C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 41 41/124 on administrative procedures. " II Previously, it is deemed appropriate to analyze the formal questions raised by BBVA in its brief of allegations. First of all, BBVA considers that the initiation agreement is invalid. due to the defenselessness produced by the setting of the amount of the sanction in the openness, instead of expressing only the limits of the possible sanction, and without The aggravating factors have been motivated, nor has the entity had the opportunity to express itself respect. For this same circumstance, it considers that the initiation agreement exceeds the legally foreseen content, violated article 68 of the LOPDGDD, and understands affected the impartiality of the investigating body, which knows before starting the procedure the criteria of the body to which the file must be submitted, in clear breach of the principle of separation of the investigation and sanction phase (article 63.1 of the LPACAP). In this regard, BBVA adds that article 85 of the LPACAP, which is invoked in the operative part of the agreement to open the procedure to specify the reductions that entails the acknowledgment of responsibility, determines that the amount of the sanction pecuniary may be determined "initiated the sanctioning procedure" and that is only applicable to cases that give rise to the imposition of a fine of a fixed and objective nature. This Agency does not share the position expressed by BBVA in relation to the content of the agreement to open this sanctioning procedure. In the opinion of this Agency, the initiation agreement issued is in accordance with the provisions of the Article 68 of the LOPDGDD, according to which it will be enough that the agreement to initiate the procedure specify the facts that motivate the opening, identify the person or entity against which the procedure is directed, the offense that could have been committed and its possible sanction (in this case, of the different corrective powers contemplated in article 58.2 of the RGPD, the Agency deemed appropriate the imposition of a fine, in addition to the adoption of measures to adjust its performance to the regulations, without prejudice to what may result from the procedure instruction). In the same sense, article 64.2 of the LPACAP is expressed, which establishes expressly the minimum content of the initiation agreement. According to this precept, among others details, must contain “the facts that motivate the initiation of the procedure, its possible legal qualification and the penalties that may correspond, without prejudice to what results of the instruction ” . In this case, not only are the aforementioned requirements fully met, but also that goes further by offering reasons that justify the possible legal qualification of the facts assessed at the beginning and even mention the circumstances that may influence the the determination of the sanction. In accordance with the foregoing, it cannot be said to indicate the possible sanction that may correspond for the imputed infractions is determining of defenselessness or that suppose a break of the principle of separation of the phases of instruction and resolution. To the On the contrary, this complies with one of the requirements set forth in the regulations C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 42 42/124 reviewed. It cannot be forgotten, likewise, that article 85 of the LPACAP contemplates the possibility of applying reductions on the amount of the sanction if the offender recognizes his responsibility and in case of voluntary payment of the penalty. This precept establishes the obligation to determine those reductions in the notification of initiation of the procedure, which entails the need to set the amount of the penalty corresponding to the facts accused. Contrary to what BBVA has stated, this article 85 of the LPACAP does not establish that the amount of the sanction is determined once the procedure has started. It is the recognition of the responsibility and the voluntary payment of the sanction, which must occur subsequently at that time, and not the setting of the amount of the penalty, as stated by BBVA. If this acknowledgment of responsibility or voluntary payment does not occur, which would determine the termination of the procedure, it is instructed and subsequently dictated the proposed resolution, in which the facts that are considered proven and their exact legal qualification, the infringement that, in its case, those constitute, the person or persons responsible and the sanction that propose, the assessment of the tests carried out, especially those that constitute the basic fundamentals of the decision. This must be notified to the interested party, granting him a period of time to formulate allegations and present the documents and information deemed relevant. In no case will a resolution be adopted without the interested party have the opportunity to express themselves on all the points considered. No argument contains the brief of allegations to the resolution proposal presented by BBVA that modifies this approach and the conclusion set forth. BBVA, in this case, has seen all the guarantees of the interested party that it provides for the procedural regulations and it cannot be said that the determination of the amount of the fine in the The opening agreement does not imply any loss of said guarantees causing defenselessness. Nor does this circumstance break the impartiality of the investigating body, which has all the powers conferred by the regulations in question and full freedom to dictate its motion for resolution. You just have to go to the Agency website, where they are published all resolutions issued in sanctioning procedures, to verify the great number of them that end with a resolution of the action file, following the proposal issued by the procedure instructor, as well as those others in which said proposal increased or decreased the amount of the penalty set in the opening agreement or even proposed the application of a corrective power other than the fine. The interested entity also questions that the initiation agreement is "exceeded" adding to its content a brief statement of the circumstances that in the opinion of the body sanctioner justify the initiation of the procedure, understanding that this violates their rights. This Agency does not understand this argument, especially if it is considered that BBVA has alleged the concurrence of some reason causing defenselessness on several occasions. Article 68 regulates the content that the agreement to initiate the procedure for the exercise of the sanctioning power, stating that the facts, the identification of the person or entity against whom the procedure is directed, the infraction that could have been committed and its possible sanction. However, it is the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 43 43/124 minimum content required, of the elements that must be detailed in the aforementioned agreement to determine its validity. But nothing prevents that, as indicated above, offer reasoning regarding the possible legal classification of the facts assessed at the initiation or mention of the circumstances that may influence the determination of the sanction, which will undoubtedly benefit the interested party, who sees their right of defense. It is true, on the other hand, that during the validity of the sanctioning regime prior to the LPACAP this Agency did not set the amount of the possible sanction in the initiation agreement, indicating instead the minimum and maximum limits that corresponded to the infraction charged. And so it was until the entry into force of the aforementioned LPACAP in October 2016; moment in which that approach was modified, precisely to address the established in article 85 of said Law and offer the interested party the alternatives that establishes. Likewise, BBVA understands that the provisions of this article 85 of the LPACAP It means that the amount of the fine is determined once the procedure has started. So, warns that this standard provides that the acknowledgment of responsibility may determine the imposition of the " appropriate " sanction , so that such fixation seems to be foreseen with subsequent to the acknowledgment of responsibility; and that in its section 3 establishes that the reductions should be adopted on the “proposed” sanction , which seems to refer to the proposed resolution as the ideal place to determine the aforementioned amount. This Agency cannot share this argument. Suffice it to point out that the payment Voluntary can be done by the interested party at any time during the previous procedure to the resolution and implies its termination. This being the case, so that the interested party can use of this option, the amount of the sanction must be established at the beginning. In the same way, it will be difficult for said interested party to recognize their responsibility by initiating a procedure sanctioning if the agreement that determines that initiation does not indicate the scope that will be attributed to that acknowledgment of responsibility. On the other hand, BBVA alleges that the AEPD has shown a manifest inactivity, having limited itself to transferring the claims, and not all, to the DPD of the entity already agree to its admission for processing. It considers that the previous phase of investigation for ten months without carrying out any activity aimed at investigating the content of the claims, and that it waited for a significant number of claims to reactivate a procedure that had been "suspended" since the first admissions to process, which deals only with the "Declaration of Activity Economic and Data Protection Policy ” , held by the Agency from the presentation of the claim by the claimant 2. It adds that during that time BBVA acted in the confidence that there was no irregularity, so that the inaction of the AEPD has aggravated the reproach. Finally, in relation to these questions, it indicates that it gave an answer to the transfer of the claim made by the claimant 3, contrary to what is indicated in the agreement to open the procedure, in which it is indicated that the Agency did not receive reply. The procedures carried out by this Agency to which BBVA refers in its allegation above have to do with the process of admission for processing of the claims received, which included for four of the five claims received their transfer to the person responsible, C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 44 44/124 prior to the agreement to admit the claim. In accordance with the provisions of article 55 of the RGPD, the Spanish Agency for Data Protection is competent to perform the functions assigned to it in its Article 57, including that of enforcing the Regulation and promoting awareness of the controllers and data processors about their obligations, as well as dealing with claims submitted by an interested party and investigating the reason for the themselves. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have designated a delegate of data protection, article 39 of the RGPD attributes to it the function of cooperating with said authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has provided a mechanism prior to the admission for processing of claims that are made before the Spanish Data Protection Agency, which consists of transferring the same to the data protection delegates designated by those responsible or responsible for the treatment, for the purposes provided in article 37 of the aforementioned regulation, or these when they have not designated them, so that they proceed to the analysis of said complaints and to respond to them within a month. It is an optional procedure, so that this transfer is carried out if the Agency so deems it. In accordance with these regulations, prior to the admission for processing of the claims that give rise to the present procedure, in four of them a transfer of the same to the responsible entity so that it could proceed to its analysis, respond to this Agency within a month and certify having provided the complainant with the proper response. The result of said transfer was not satisfactory, therefore, for the intended purposes In its article 64.2 of the LOPDGDD, it was agreed to admit the claims for processing presented through agreements that were duly notified to the claimants, and not to BBVA, in accordance with the provisions of article 65.5 of the LOPDGDD. In this regard, said entity has stated that it responded to the transfer of the claim made by claimant 3 and provides proof of its posting, although said response does not It is included in the corresponding file for admission to processing. On the other hand, BBVA makes a mistake when stating that the previous phase of investigation was kept open for ten months without any activity, without no specific investigative action is recorded. In this case, it should be clarified, not agreed to open a preliminary investigation phase, established as optional in the Article 67 of the LOPDGDD. No legal consequence can be attributed to this fact, nor to the time elapsed between the admission to processing of the claims and the opening of the procedure, as there is no regulation that limits the time that the Administration has to start this type of procedure, beyond the rule of prescription and the effects attribute. During that time interval there was no procedure in progress that It could be understood as suspended, as indicated by the responsible entity, nor can it be sustained that said period endorses BBVA's privacy policy or that during that time the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 45 45/124 responsibility of the entity in compliance with regulations. Regardless of effect that can be attributed to the time interval prior to the opening of the procedure sanctioner, there can be no doubt about the inexistence of circumstances that have allowed BBVA during that time frame to understand, even incidentally, that there was no reproach on the part of this Agency in relation to the issues raised by the claims submitted. BBVA was aware of the claims made and He also knew that there was no statement from this Agency in this regard. Nor is there any rule that prevents the opening of a single procedure sanctioner originating from several claims directed against the same responsable. In its brief of allegations to the resolution proposal, BBVA reiterates its protest on the inactivity of the Administration. In his understanding, this inactivity is manifest, once the AEPD agreed to dispense with the performance of previous actions of investigation, for the entire period between the admission for processing of the claim made by claimant 2, on 02/01/2019, and the opening of the procedure on 12/02/2019, ten months later. On the other hand, it rejects the approach set out above, according to which the The only time limitation for the opening of the sanctioning procedure is determined for the limitation periods of the alleged infringement. Consider that articles 64.2 and 67 of the LOPDGDD establish three successive phases without solution of continuity (admission to procedure, preliminary investigation actions and opening of the sanctioning procedure), each one of them with marked time limits, so that, if you choose not to preliminary investigation actions, once the claim has been admitted for processing, proceed immediately to the opening of the sanctioning procedure. In this case, according to BBVA, the AEPD should have agreed to open the procedure at the time it decided to admit the claim of claimant 2, that is, on 02/01/2019, so the procedure should have concluded on 11/04/2019. Without However, that opening took place on 12/02/2019, almost a month after the date on which the procedure should have concluded by means of the corresponding resolution. Understands BBVA that this unjustified inactivity results in the expiration of this procedure, given that the term to resolve would be expired on the same date that the start agreement. It should be noted that BBVA's approach to this issue in its allegations to the opening does not conform to law. On the one hand, it should be noted that there is no no rule applicable to the sanctioning procedure in terms of data protection personnel that establish a preclusive period to agree to its opening; and, on the other hand, that the expiration period of this procedure, established in nine months, is computed from the date on which its start is agreed, making it inappropriate to add to that computation, effects of measuring the duration of the administrative file, no other period, such as the time of the preliminary investigation actions, in the event that their completion, or, in this case, the time corresponding to the phase of admission for processing of the claims filed. This has been repeatedly stated by our Supreme Court. In Judgment of 10/21/2015 cites the Judgment of 12/26/2007 (resource 1907/2005), which states the following: C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 46 46/124 “[…] The term of the procedure […] is counted from the initiation of the sanctioning file, which obviously excludes from the computation the time of the reserved information ";" […] The major or minor duration of the preliminary phase does not entail the expiration of the subsequent procedure " . Also in the Supreme Court Judgment of 10/13/2011 (resource 3987/2008) that examines a ground of appeal relating to the computation of the expiration period of the procedure, the following is declared: “We cannot share the reasoning presented by the Court of Instance to establish a dies a quo different from that established by law, indicating as the initial date of the computation the day following the completion of preliminary informational proceedings. […] Well, once these previous actions have been carried out, the time it takes the Administration to agreeing to initiate the procedure […] may have the appropriate consequences regarding the calculation of the prescription (extinction of the right); but it cannot be taken into consideration effects of expiration, since this figure is intended to ensure that once the procedure the Administration does not exceed the term available to resolve. On the foundation third of the sentence under appeal, the Court of Instance makes an interpretation of the rule that is not according to the nature of the institution of expiration, since unlike the prescription, which is cause of extinction of the right or responsibility in question, expiration is a way of termination of the procedure due to the expiration of the period established in the norm, so its appreciation does not prevent, if the period established for the prescription of the action of restoration of urban legality by the Administration, the initiation of a new process". On this same issue, BBVA invokes the doctrine established by the National High Court (AN) in its Judgment of 10/17/2007 (appeal 180/2006), which is outlined in the Background, in which it revealed the illegality of the inappropriate extension or unfounded of the previous investigation actions. This Judgment refers to a assumption processed by the AEPD in which the preliminary investigation actions are remained inactive for almost eleven months, when the entity in question had attended the request for information in the first two months of the processing of said actions. The National Court concluded that there was a “[…] fraudulent use of the institution of preliminary proceedings. We are therefore faced with an assumption of fraud of Law contemplated in article 6.4 of the Civil Code, inasmuch as it is intended to circumvent the application of Art. 42.2 of Law 30/1992 using the request for information to, with it, avoid the expiration of the sanctioning file ”. It is necessary to specify that the National Court modified this criterion based on the Judgment of 11/19/2008 (appeal 90/2008). In any event, this file does not conform to the assumption analyzed in the Judgment invoked, not only because it refers to a case of fraudulent use of the previous investigation actions, which have not been carried out in the event that we occupies; but because in this case no procedure has been used nor has any precept to avoid the expiration of the procedure, which has not occurred. It is not breached the provisions of article 6.4 of the Civil Code, according to which "Acts carried out under of the text of a norm that pursue a result prohibited by the legal system, or contrary to it, they will be considered executed in fraud of law and will not prevent the due application of the rule that has been tried to evade ” . C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 47 47/124 Furthermore, in that case it cannot even be said that the period to which BBVA refers, which includes the time elapsed between the admission for processing of the claim of the claimant 2 (02/01/2019) and the opening of the procedure (12/02/2019), in the case of a period of inactivity of the Administration, since during that time the Admission procedures for the rest of the claims. Claims submitted by Claimants 3 to 5 had entry into this Agency on 02/13/2019 (a few days after that admission for processing on 02/01/2019), 05/23/2019 and 08/27/2019; and admitted for processing through agreements of 08/06/2019, 09/13/2019 and 10/30/2019, respectively. On the other hand, BBVA understands that the procedure is used to adopt general criteria for interpreting the rules to the detriment of BBVA. In this regard, quote the Judgment of the National High Court of 04/23/2019 (appeal 88/2017), which declared contrary to the principles of sanctioning law the establishment of general criteria within the of a sanctioning procedure. This Agency does not share the conclusion expressed by BBVA. How can be verified in the opening agreement, and much more in this act, the agreements that are adopt are based on what is expressed in the applicable regulations and in consolidated interpretations of it. III Taking into account the regulatory change that the approval of the RGPD has entailed, applicable as of May 25, 2018, these actions are carried out for the analysis of the personal data collection form used by the BBVA entity with after that date, called by said entity as "Declaration of activity economic and personal data protection policy ” , to determine the scope of said document and possible irregularities that may be appreciated from the point of view of the personal data protection regulations. Therefore, any reference to the document regarding the processing of personal data signed by the claimant 1 in the year 2016. From the perspective of personal data protection regulations, it will be analyzed In this resolution, the information offered by BBVA to its clients on the subject of protection of personal data through said document, and specifically: (1) the compliance by BBVA with the principle of transparency established in articles 5, 12 and following of the RGPD, and related precepts; (2) the different data processing personal data of its clients that the entity carries out according to the information provided; and (3) the analysis of the mechanisms used to obtain the consent of the interested. All this, within the framework of the new regulations, constituted by the RGPD, applicable since 05/25/2018, and the LOPDGDD, in force from the day following its publication in the Official State Gazette, which took place on 12/06/2018. The information offered in this matter through any another channel or document, such as the forms used to contract C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 48 48/124 products or services that, due to their specialty, include their own Data Protection. Nor is it examined the actions that the companies that make up the so-called “BBVA Group” in relation to the personal data that is communicated to them by BBVA in accordance with the provisions of the "Declaration of economic activity and policy of protection of personal data ” . The analysis of the procedures established by BBVA for the management of customer rights, as well as the mechanisms used by the aforementioned entity for the modification of the consents given through the repeated form. Likewise, although the information contained in the Evaluations of Impact provided by BBVA, which has been outlined in the Background, is not carried out any analysis on data security. In accordance with the foregoing, the conclusions that could be derived from this procedure will not suppose any pronouncement regarding the previous aspects discarded, or in relation to the entities of the BBVA Group. It constitutes, therefore, the object of the procedure, thus expressly stated in the opening agreement, the form that discloses the terms applicable to the protection of personal data and requires the consent of the interested parties. In BBVA's opinion, the non-existent cause is justifying the filing of the proceedings. link between the claims made and the stated object of the procedure, for as the allegedly infringing facts that are invoked cannot be the basis in that the AEPD supports the opening of this procedure. Understand what is analyzed the scope of the Privacy Policy contained in that form without linking any reasoning to the content of the claims, and invokes the same Judgment of the National Court cited in the previous Law Foundation (SAN of 04/23/2019; appeal 88/2017), which annuls the sanction of the AEPD, among other reasons, due to discrepancy between the complaint and the object of the sanctioning resolution. This claim should also be rejected for several reasons, the first being of them (i) that the doctrine established in the cited judgment is applicable to events prior to the RGPD, which establishes a new and different legal regime that must be taken into account in The procedure; (ii) in addition, the facts revealed in the claims of the claimants / complainants are closely linked to the document containing the privacy policy and through which BBVA collects the consents for the activities carried out, and the examination of said claims, documentation provided by BBVA, and the form used shows that BBVA's actions transcend of the five claims presented, since his performance in those five proceedings described by each of the claimants responds to the general policy of the entity in data protection matter, which this AEPD understands is carried out, in the words of the RGPD itself, "in violation of the Regulation"; and (iii) that unlike what was reported in the sentence of such repeated appointment of the National High Court (see its legal basis Ninth), in this resolution reference is made to the specific complaints, a assessment of the tests carried out around them, which are specific behaviors and C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 49 49/124 individualized in relation to certain natural persons, but also these complaints transcend. The RGPD has established its own and specific regime regarding procedures before the control authorities in matters of data protection. The chapter VIII of the RGPD is entitled "Resources, responsibility and sanctions", and the first of the Articles of said Chapter VIII, Article 77, establishes the right to present a claim before a control authority. Art. 77.1 Without prejudice to any other resource administrative or judicial action, any interested party will have the right to file a claim before a supervisory authority, in particular in the Member State where it has its habitual residence, place of work or place of the alleged offense, if you consider that the processing of personal data that concerns you violates this Regulation. At the same time, the art. 79 RGPD establishes that [s] without prejudice to administrative or extrajudicial remedies available, including the right to file a claim with a supervisory authority in By virtue of article 77, all interested parties shall have the right to effective judicial protection when consider that your rights under this Regulation have been violated as consequence of a processing of your personal data. We therefore see that a "claim" from an individual can give rise to two types of procedures, one of them related to violations of the RGPD, in general, and another for violation of their rights. In the LOPDGDD this distinction has been reflected in Title VIII, which regulates jointly the procedures in case of possible violation of the regulations of Data Protection. Thus, its art. 63.1, Legal regime, includes (a) the procedures in case of infringement of the RGPD and the LOPDGDD itself and (b) those derived from a possible violation of the rights of the interested parties. The LOPDGDD does not foresee any additional type of procedure in case of possible violation of data protection regulations, of so that all the functions and powers that the RGPD grants to the control authorities in arts. 57 and 58 RGPD will have to be exercised through said procedures in case possible violation of data protection regulations. There are no others. It follows from this, also taking into account art. 64 LOPDGDD, which when the procedure is directed exclusively to the lack of attention of a request from the rights articles 15 to 22 RGPD a claim will be necessary, but that (art. 64.2 LOPDGDD) [ when the purpose of the procedure is to determine the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and in this Organic law, will be initiated through an initiation agreement adopted on its own initiative or as consequence of claim. That is, both the RGPD and the LOPDGDD consider that a claim by an affected party may be the way or the means of bringing the control authority a possible infringement of data protection regulations but in no case restricts the action of the supervisory authority to the specific and concrete complaint of those affected. And this for many reasons, among which stands out, as may be the case in the present procedure, that from the confluence of several claims of persons affected individuals, an action of the person in charge that with general character (that is, not only in the specific cases presented by the claimants) from which it turns out that these specific cases are the reflection of a common guideline or policy applied to all those affected who are in the same case as the interested. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 50 50/124 With a different example of the current procedure, it can be understood more clearly. An entity could be considered to be in breach of protection regulations of data in a specific case when said action individually considered involves a deviation from the norm or general company policies (for example, the introduction of a debt in a delinquent file in a specific case in breach of your own Privacy); but when an action that is considered incorrect derives from a policy adopted by the controller, so that it is not about errors in five cases, but these five cases are only the button or the sample of a general policy adopted that is considered in violation of the GDPR, the violation does not resides exclusively in the five cases examined but in the privacy policy adopted by the person in charge. It will be said privacy policy that constitutes a infringement of the RGPD, and not only specific infringements based on said privacy policy Privacy. The opposite would be inconsistent with the purpose and will of the community legislator, expressly set forth in the RGPD that the control authorities control and make apply the RGPD, and with the provisions of the RGPD that can be revealed "Infractions" of the data protection regulations through "claims" that may transcend the individual claims made. It is enough to point out in this regard, already in this specific case, that all the actions of processing of personal data that are the subject of the claims made are justified by BBVA with the aforementioned document "Declaration of Economic Activity and Policy of Data Protection ”and its signature by the claimants, as recorded in the Proven Facts. The BBVA entity itself declares in its allegations that the claim made by the Complainant 2 refers to the content of the privacy policy and the process of obtaining the consent; makes a general reference to “those cases in which the claimant has shown its disagreement with the way to obtain consent ” ; and also in relationship with the claimant 2 BBVA expresses itself by referring to the “accusations made on the privacy policy… or the legality of the data processing ” ; what dismantles his argument about the lack of relationship between the claims and the settlement of start. In this case, claimant 2 expressly warned that to give consent "It only offers the possibility of opposing the processing of personal data for different purposes to those necessary for the purposes of providing financial services if the client activates the Boxes of opposition to a treatment that BY DEFAULT (see article 25 of the RGPD) should be considered as activated ” and that “ The informative text is inconsistent with the principle of transparency of article 12 of the RGPD ”. In the case of claimant 1, the sending to his mobile phone line of a Promotional SMS, which is justified by BBVA stating that claimant 1 provided his consent by signing, on 06/07/2016, the document “Identification of the client, processing of personal data and digitized signature ” . The claim made by the claimant 3 refers specifically to the "Declaration of Economic Activity and Personal Data Protection Policy" . Claimant 4, for his part, denounces the sending of commercial communications that has not requested or authorized, which is also justified by BBVA noting that this The claimant did not object to the data processing reported in the document “Declaration of Economic Activity and Data Protection Policy ” , signed by the same on the date C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 51 51/124 11/26/2018. And, finally, the claimant 5 makes a claim against BBVA for the receipt of telephone calls and advertising SMS, also justified by that entity based on the consent given by the claimant with the signature of the document “Declaration of Economic Activity and Personal Data Protection Policy ” for the treatment of your data for commercial purposes. Based on the foregoing, all these claims have to do with treatment of personal data of the claimants that BBVA protects in the consent given by the holders of the data by signing the repeated "Declaration of Economic Activity and Data protection policy". To assess the regularity of these treatments it is It is essential to analyze the consent given and its validity, for which it is decisive, in particular, check the information offered on the protection of personal data and the mechanisms enabled to obtain the consent of the affected, without forgetting the rest of the principles and guarantees established in the applicable regulations. Consequently, the AEPD has decided to analyze the impact of the repeated document "Declaration of economic activity and personal data protection policy" , which contains the information that BBVA provides as a priority to its customers and the mechanisms of collection of consents. In view of the deficiencies noted in the same regarding the data protection regulations, it turns out that such deficiencies have a general scope, so that all the clients of the entity are affected, and not just the five claimants, which would result, as has been stated, that the infringement does not occur exclusively with respect to the five claimants, but generally as consequence of said privacy policy. It cannot be said, therefore, that there is no link between the object of the procedure and claims. Proof of this is the definition of the object of the file contained in the initial paragraphs of this Legal Basis. As the sentence of the AN so merited states, “the account of" proven facts ", both in criminal and administrative sanctioning proceedings, it is essential to establish the facts and the typified conducts, since only in this way will the principle of typicity, which, according to the doctrine is "the legal description of a conduct specific to which the administrative sanction will be connected. "In the present case, it is reiterated, The proven facts are clear in that it is BBVA itself that highlights that its action responds to the fact that all the claimants agreed to and signed the "Declaration of economic activity and personal data protection policy", therefore in no case is there helplessness. In any case, no rule prevents the body that exercises the power sanctioning procedure, when it determines the opening of a sanctioning procedure, always official letter (art. 63.1 law 39/2015, of October 1), determine its scope in accordance with the revealed circumstances, although they do not strictly conform to the manifestations and claims of the complainant. That is, the agreement to initiate the sanctioning procedure is not constrained by the complaint (the “claim”) presented by the individual. This is not the case in the case of procedures processed at the request of the interested party, in which article 88.2 of the LPACAP requires that the resolution be congruent with the requests made by him. Even in this case, the authority of the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 52 52/124 Administration to initiate a new procedure ex officio. This same article 88 of the LPACAP, referring to the content of the resolution, in its paragraph 1 establishes the obligation to decide all questions raised by the interested parties and those others that derive from the procedure, including related matters not raised by interested parties. This article expressly states the following: "1. The resolution that puts an end to the procedure will decide all the questions raised by the interested parties and those others derived from it. In the case of related questions that have not been raised by the interested parties, the body competent authority may rule on them, making it clear to them by a term not exceeding fifteen days, so that they formulate the allegations that they consider pertinent and contribute, where appropriate, the means of proof ”. In the sanctioning procedure, even the facts that are revealed during their instruction, which will be determined in the resolution, and may motivate the modification of the allegations contained in the initiation of the procedure or its legal qualification. In this sense, when referring to the specialties of the resolution in the sanctioning procedures, article 90 of the LPACAP establishes: "2. In the resolution, events other than those determined in the course of the procedure, regardless of its different legal assessment… ”. IV The aforementioned form enabled by BBVA to collect personal data from its clients disclose the new terms applicable to the protection of said data personal due to the contracted services and the consent of the interested parties for use for the purposes indicated in the document. He The full content of this information is reproduced in Annex 1 to this agreement of opening of proceedings. However, it is considered relevant to highlight the following aspects: In the information provided to customers, the BBVA entity is identified as data controller, the types of personal data that will be object of treatment, the treatment operations that will be carried out, including the data communications, and the purposes for which the data in question are processed, as well as the legitimizing basis of the treatment. The final two sections are dedicated to the conservation of personal data and the rights of the interested parties. On the types of data of clients, representatives, guarantors, authorized or beneficiaries, in the section "What personal data does BBVA process about you?" , included in the "Extended information", the following categories are expressly specified: ". Identification and contact data (including postal and / or electronic addresses). . Signature data (including the digitized and electronic signature that we will comment on later). . Codes or identification keys for access and operation in the remote channels that you use in C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 53 53/124 your relationship with BBVA. . Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer). . Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer). . Sociodemographic data (such as age, family situation, residences, studies and occupation) ”. Regarding the purposes for which the personal data of clients will be used the document lists the following: 1. Manage the products and services that you have, request or contract with BBVA. 2. Get to know yourself better and personalize your experience. "At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments. income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as offers personalized with more adjusted prices for you. As we will know you better, we can congratulate you for your anniversary, wish you a good day or happy holidays. If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or at any of our offices. This section is only applicable to BBVA clients ”. 3. Offer you products and services from BBVA, the BBVA Group and others, customized for you. No we are going to flood you with information. “Offer you BBVA products and / or services We would like to keep you up to date on new BBVA products and services, as well as give you advice recommendations to better manage your financial situation. We can also send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client. Offer of products and / or services of the BBVA Group and third parties We can send you information, according to your customer profile, about products, services and offers financial and non-financial activities of BBVA Group companies and third parties (including products and services of which BBVA is a marketer) belonging to these sectors of activity: financial, parabanking, insurance, automotive travel, telecommunications, supplies, security, IT, education, real estate. consumer products, leisure and free time, professional services and services social. Channels for sending commercial information We will contact you through different channels: postal mail, email push notifications, SMS, social networks, banners, web pages or other means of communication equivalent electronics. This section only applies to BBVA customers ”. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 54 54/124 4. Communicate your data to BBVA Group companies so that they can offer you products and services own personalized for you. “If you want the BBVA Group companies included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf they can offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile (amount of income and expenses, balances and use of our channels). This information will be processed to try to improve the characteristics and prices of the product offering and services. The BBVA Group companies will only process your data for that purpose ”. 5. Improve the quality of products and services. "We need to use your information anonymously without any characteristics that can identify, because at BBVA we want to: Increase your degree of customer satisfaction. Meet your expectations. Perfect our internal processes. Improve the quality of existing products and services. Develop new products and services of your own or of third parties. Carry out statistics, surveys, actuarial calculations, averages and / or market studies that may be of interest of BBVA or third parties. Improve instruments to combat fraud. This information is obtained from the use of BBVA products, services and channels. Throughout At the moment, we process the data using secure and up-to-date internal protocols. This section only applies to BBVA customers ”. BBVA refers to the legitimate interest as a legitimate basis for the use of the data with the purpose indicated with number 2 and the consent in relation to the purposes 3, 4 and 5. Regarding the use of data based on legitimate interest, it is warned about the possibility to object by sending an email to the address indicated or in any of the entity offices. And it adds: “For the legitimate interest of BBVA, so that from BBVA we can better meet your expectations and we can increase your level of customer satisfaction by developing and improving the quality of own or third-party products and services, as well as perform statistics, surveys or studies of market that may be of interest. Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays. These legitimate interests respect your right to the protection of personal data, to honor and to personal and family privacy. At BBVA we consider that, as a customer, you have an expectation reasonable to have your data used so that we can improve products and services and you can enjoy a better customer experience. In addition, we estimate that you also have a reasonable expectation of receiving congratulations on your anniversary. wish you a good day or Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise your right to object if you consider it appropriate at the following address: rightsprotecciondatos@bbva.com or at any of our offices ”. On the data of representatives, guarantors, authorized or beneficiaries, it is reported that will be treated solely for the management of the contract. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 55 55/124 On the other hand, in the repeated document it is reported that communication of personal data to the BBVA Group companies, basing this communication of data in the consent of the interested party. In this case, it is not distinguished whether The data that will be communicated correspond to clients or representatives, guarantors, authorized and beneficiaries, but since the data of these interested parties is only used for the fulfillment of the contractual relationship, it is understood that the information about the communication of data to the companies of the Group does not refer to them. In relation to the communication of personal data, in the "extended information" is indicates the following: "We will not transfer your personal data to third parties, unless we are required by law or you do you have previously agreed with BBVA As we have indicated, if you consent previously, we may communicate to the companies of the BBVA Group included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf tus identification, contact and transactional data so that you can receive offers personalized. In order to provide you with an adequate service and manage the relationship that we maintain with you as client, at the following address http: //bbva.lnfo/empresasdatos you will find a relationship by categories of companies that process your data on behalf of BBVA, as part of the provision of services that we have contracted. We also inform you that, for the same purpose as that indicated in the previous paragraph, certain companies that provide services to BBVA may access your personal data (international data transfers). These transfers are made to countries with a level of protection comparable to that of the Union European (adaptation decisions of the European Commission, standard contractual clauses as well as certification mechanisms) For more information you can contact the Delegate for the Protection of BBVA data at the following email address: dpogruppbbva@bbva.com ”. The signature of the document by the client and the date is included at the end of section 2 "Personal data protection policy" , in which it is indicated that with the process of signature agrees to the Declaration of Economic Activity and Protection Policy of data. Immediately before the space provided for signature, it is reported as follows: "We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below. . Products and prices more adjusted to you [] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me. [] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me. Quality improvement [] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make your data ". V C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 56 56/124 Article 5 "Principles relating to treatment" of the RGPD establishes: "1.The personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency"); b) collected for specific, explicit and legitimate purposes, and will not be further processed as way incompatible with said purposes; according to Article 89 (1), further processing of personal data for archival purposes in the public interest, scientific research purposes and historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of purpose "); c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed ("Data minimization"); d) accurate and, if necessary, updated; All reasonable steps will be taken to ensure that delete or rectify without delay personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy"); e) maintained in a way that allows the identification of the interested parties for no longer than necessary for the purposes of processing personal data; personal data may be kept for longer periods provided they are treated exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89 (1), without prejudice to the application of technical and organizational measures regulations imposed by this Regulation in order to protect the rights and freedoms of the data subject ("limitation of the conservation period"); f) processed in such a way as to guarantee adequate security of personal data, including the protection against unauthorized or illegal processing and against its loss, destruction or damage accidental, through the application of appropriate technical or organizational measures ('integrity and confidentiality '). 2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and able to prove it ('proactive responsibility') ”. In relation to the aforementioned principles, what is stated in the Recital 39 of the aforementioned RGPD: "39. All processing of personal data must be lawful and fair. For natural persons it should be totally clear that data is being collected, used, consulted or otherwise processed personal information concerning them, as well as the extent to which said data is or will be processed. He The principle of transparency requires that all information and communication regarding the treatment of said data is easily accessible and easy to understand, and that simple and clear language is used. Saying The principle refers in particular to the information of the interested parties about the identity of the person in charge treatment and the purposes thereof and the information added to ensure fair treatment and transparent regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. The natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data as well as how to enforce your rights in relation to treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. The data Personal data must be adequate, relevant and limited to what is necessary for the purposes for which be treated. This requires, in particular, to ensure that their term of office is limited to a strict minimum. conservation. Personal data should only be processed if the purpose of the treatment could not be reasonably accomplished by other means. To ensure that personal data is not kept longer than necessary, the controller must establish deadlines for its deletion or Periodic revision. All reasonable steps should be taken to ensure that they are rectified or delete personal data that are inaccurate. Personal data must be treated in a way that guarantees adequate security and confidentiality of personal data, including for C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 57 57/124 prevent unauthorized access or use of said data and the equipment used in the treatment ”. SAW Article 4 of the RGPD, under the heading "Definitions", provides the following: "2)" treatment ": any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of access authorization, collation or interconnection, limitation, deletion or destruction ”. In accordance with these definitions, the collection of personal data through of forms enabled for this purpose constitutes data processing, with respect to which the data controller must comply with the principle of transparency, established in article 5.1 of the RGPD, according to which personal data will be “treated in a manner lawful, loyal and transparent in relation to the interested party (legality, loyalty and transparency) ” ; and developed in Chapter III, Section 1, of the same Regulation (articles 12 and following). Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible for treatment of taking the appropriate measures to "provide the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way access, in clear and simple language, in particular any information addressed to a child". In the same sense, article 7 of the RGPD is expressed for cases in which the consent of the interested party is given in the context of a written statement, such as occurs in the present case. According to this article, said request for consent “is presented in such a way that it is clearly distinguished from other matters, in an intelligible way and easily accessible and using clear and simple language ” . It is added in this precept that no part of the declaration that constitutes an infringement of these Regulations will be binding. Article 13 of the aforementioned legal text details the “information that must be provided when the personal data is obtained from the interested party ” and the aforementioned article 14 is refers to the “information that must be provided when personal data has not been obtained from the interested party ” . In the first case, when the personal data is collected directly from the interested party, the information must be provided at the same time that that data Collect. Article 13 of the RGPD details this information in the following terms: 1.When personal data relating to him are obtained from an interested party, the person responsible for the treatment, at the time these are obtained, you will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are intended and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the responsible or a third party; e) the recipients or categories of recipients of the personal data, if applicable; C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 58 58/124 f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, paragraph second, reference to adequate or appropriate warranties and means of obtaining a copy of these or the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the data controller will provide the interested, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing: a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this term; b) the existence of the right to request the data controller access to personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to data portability; c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as as the importance and expected consequences of said treatment for the interested party. 3.When the controller plans the further processing of personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional information relevant to the of section 2. 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information ”. Article 14 regulates the information that must be provided in relation to the data that are not collected directly from the interested party: "1. When the personal data has not been obtained from the interested party, the person responsible for the treatment will provide you with the following information: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing to which the personal data are intended, as well as the legal basis of the treatment; d) the categories of personal data in question; e) the recipients or categories of recipients of the personal data, if applicable; f) where appropriate, the intention of the person responsible to transfer personal data to a recipient in a third country or international organization and the existence or absence of a decision on the adequacy of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, Section 1, second paragraph, reference to adequate or appropriate guarantees and the means to obtain a copy of them or the fact that they have been loaned. 2. In addition to the information mentioned in section 1, the data controller will provide the interested party the following information necessary to guarantee fair data processing and transparent with respect to the interested party: a) the period during which the personal data will be kept or, when that is not possible, the criteria used to determine this term; C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 59 59/124 b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the responsible for the treatment or a third party; c) the existence of the right to request the data controller access to personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, and to oppose the treatment, as well as the right to data portability; d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting to the legality of the treatment based on the consent before its withdrawal; e) the right to file a claim with a supervisory authority; f) the source from which the personal data come and, where appropriate, if they come from access sources public; g) the existence of automated decisions, including profiling, referred to in the Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of such treatment for the interested. 3.The person responsible for the treatment will provide the information indicated in sections 1 and 2: a) within a reasonable period, once the personal data has been obtained, and at the latest within a month, taking into account the specific circumstances in which said data is processed; b) if the personal data are to be used for communication with the interested party, no later than the moment of the first communication to said interested party, or c) if it is planned to communicate them to another recipient, at the latest at the time the data personal information are communicated for the first time. 4. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which they were obtained, will provide the interested party, before said further processing, information on that other purpose and any other relevant information indicated in the section 2. 5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that: a) the interested party already has the information; b) the communication of such information is impossible or involves a disproportionate effort, in particular for the treatment for archival purposes in the public interest, scientific research purposes or historical or statistical purposes, subject to the conditions and guarantees indicated in article 89, paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article may prevent or seriously impede the achievement of the objectives of such treatment. In such cases, the controller shall adopt adequate measures to protect the rights, freedoms and interests legitimate interests of the interested party, including making the information public; c) the obtaining or the communication is expressly established by the Law of the Union or of the Member States that applies to the controller and that establishes appropriate measures to protect the legitimate interests of the data subject, or d) when personal data must continue to be confidential on the basis of a obligation of professional secrecy regulated by the law of the Union or of the Member States, including an obligation of secrecy of a statutory nature ” . For its part, article 11.1 and 2 of the LOPDGDD provides the following: "Article 11. Transparency and information to the affected 1. When personal data are obtained from the affected party, the person responsible for the treatment may give compliance with the duty of information established in article 13 of Regulation (EU) 2016/679 providing the affected party with the basic information referred to in the following section and indicating a electronic address or other means that allows easy and immediate access to the remaining information. 2. The basic information referred to in the previous section must contain, at least: C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 60 60/124 a) The identity of the person responsible for the treatment and their representative, if applicable. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679. If the data obtained from the affected party were to be processed for profiling, the information You will also understand this circumstance. In this case, the affected party must be informed of your right to object to the adoption of automated individual decisions that produce effects legal acts on him or significantly affect him in a similar way, when this right to in accordance with the provisions of article 22 of Regulation (EU) 2016/679 ” . In relation to this principle of transparency, it also takes into account the expressed in Recitals 32, 39, reproduced in the previous Legal Basis, 42, 47, 58, 60, 61 and 72 of the RGPD. Part of the content of these is reproduced below Considering ourselves: (32) Consent must be given by a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party to accept the processing of data from personal character that concerns you ... Therefore, silence, the boxes already marked or inaction does not they must constitute consent. Consent must be given for all activities of treatment carried out for the same or the same purposes. When the treatment has several purposes, you must give consent for all of them ... (42)… In particular in the context of a written statement made on another matter, you must have guarantees that the interested party is aware of the fact that he gives his consent and of the extent to which it does. According to Council Directive 93/13 / EEC (LCEur 1993, 1071), you must provide a model declaration of consent previously prepared by the person in charge treatment with an easily accessible and intelligible formulation that uses clear language and simple, and that does not contain abusive clauses. For the consent to be informed, the The interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data is intended. Consent must not be considered freely provided when the interested party does not have a true or free choice or not You can deny or withdraw your consent without suffering any harm. (47) The legitimate interest of a data controller, including that of a controller who is may communicate personal data, or that of a third party, may constitute a legal basis for the treatment, provided that the interests or rights and freedoms of the interested party do not prevail, taking into account the reasonable expectations of the interested parties based on their relationship with the responsable. Such a legitimate interest could arise, for example, when there is a relevant relationship and appropriate between the interested party and the controller, as in situations in which the interested party is a client or is at the service of the person in charge. In any case, the existence of a legitimate interest would require a meticulous evaluation, even if a data subject can reasonably foresee, at the time and in the context of the collection of personal data, which may be processed for this purpose. In In particular, the interests and fundamental rights of the interested party could prevail over the interests of the data controller when the personal data is processed in circumstances in which the interested party does not reasonably expect a treatment to take place further ... The processing of personal data strictly necessary for the prevention of Fraud also constitutes a legitimate interest of the person responsible for the treatment in question. He processing of personal data for direct marketing purposes can be considered carried out by legitimate interest. (58) The principle of transparency requires that all information directed to the public or the interested party be concise, easily accessible and easy to understand, and use clear and simple language, and, also, if applicable, it is displayed ... (60) The principles of fair and transparent treatment require that the interested party be informed of the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 61 61/124 existence of the treatment operation and its purposes. The controller must provide the interested party as much additional information is necessary to guarantee fair treatment and transparent, taking into account the specific circumstances and context in which the data is processed personal. The interested party must also be informed of the existence of profiling and the consequences of such elaboration. If the personal data is obtained from the interested parties, They should also be informed of whether they are obliged to provide them and of the consequences in the event that don't ... (61) Data subjects should be provided with information on the processing of their personal data in the time they are obtained from them or, if they are obtained from another source, within a reasonable time, depending on the circumstances of the case ... (72) Profiling is subject to the rules of this Regulation that govern the processing of personal data, such as the legal bases of the processing or the principles of Data Protection… BBVA, according to proven facts, processes personal data obtained from customers, directly or "indirectly" , as well as personal data Obtained from sources other than those interested or inferred by the entity itself. Comes Therefore, obliged to provide information on all the aspects included in the aforementioned Articles 13 and 14 of the RGPD. After analyzing the information offered by BBVA, it is verified that it is incomplete or inadequate in relation to the provisions of articles 13 and 14 of the RGPD. - Use of imprecise terminology and vague formulations In accordance with the foregoing, at the time of collecting personal data the responsible for the treatment must provide the interested parties with the information established in the cited standards, “in a concise, transparent, intelligible and easily accessible way, with a clear and simple language ” . BBVA does not report clearly and systematically on data processing personal or the purposes for which they will be used; nor does it delimit the nature of the information submitted to treatment and its subsequent use. When referring to these questions, he uses imprecise terminology and vague formulations, alien to strict compliance with the principle of transparency, preventing interested parties to know the meaning and real meaning of the indications provided and the real scope of the consents that may be given. The privacy policy analyzed contains imprecise formulas and expressions and vague throughout the entire text: . "Get to know yourself better and improve your experience." . "Offer you products and services ... personalized for you." . "Improve the quality of products and services." . "Your data is yours and you control it." . "... make your experience more personalized." C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 62 62/124 . "Products and prices more adjusted to you." . "I DO NOT want BBVA to process my data to offer me products and services ... personalized for me." . “I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can to offer products and personalized services for me ”. . “I DO NOT want BBVA to process my data to improve the quality of new products and services and existing ”. . "Properly manage the products and services that you request and hire us." . "Follow the relationship we maintain with you and your financial evolution." . “At BBVA we treat your personal data to always serve you with the same level of quality, and thus to be able to offer you a better treatment and service appropriate to your condition of client ”. . "If you want to streamline the application process, we will need." . “At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To make it we have to get to know you better… ”. . “Thanks to this analysis we will be able to get to know you better, assess new features for you… as well as personalized offers with more adjusted prices for you ”. . “We would like to keep you up to date on new BBVA products and services, as well as give you advice recommendations to better manage your financial situation. We can also send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client ”. . “If you want the BBVA Group companies… to offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile ... This information will be processed to try to improve the characteristics and prices of the supply of products and services ”. . “… So that BBVA can better meet your expectations and increase your grade of satisfaction". . “… To be a bank close to you as a client and to be able to accompany you during our relationship contractual, we could congratulate you on your anniversary, wish you a good day or happy holidays ”. . “At BBVA we consider that, as a customer, you have a reasonable expectation that your data so that we can improve products and services and you can enjoy a better experience as a customer ”. . "In addition, we believe that you also have a reasonable expectation to receive congratulations on the occasion of your anniversary. wish you a good day or happy holidays ”. . "In order to provide you with an adequate service and manage the relationship that we maintain with you as client…". It follows that the data protection policy is shown as a benefit for the client, implying that its non-acceptance will mean the loss of advantages as a customer. (…) In addition, the information is indeterminate, considering those generic expressions and unclear what it uses, which is why the privacy policy is not easy to understood by any interested party, regardless of their qualification, and shows up to what point it takes to be an expert to understand such information and its scope. It supposes to understand violated the right to the protection of personal data, understood as the ability of the affected person to decide on treatment. Information on key aspects such as categories of personal data treaties, the purposes or the legal basis that enables the treatment uses little expressions clear and imprecise, with ambiguous meanings in some cases, whose true scope does not it develops; expressions that are repeated throughout the text, as indicated, and that BBVA uses to support different actions, treatments, purposes or legitimations. Expressions such as “meet you C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 63 63/124 better ”“ personalize your experience ”,“ offer you personalized products and services ”, "Improve product quality", "relationship adapted to your profile", "prices adjusted to your profile "," develop our business models "," analyzing the uses of the products, BBVA's services and channels ”,“ we will apply statistical and classification methods to correctly adjust your profile "or" perform statistics, surveys, actuarial calculations, media and / or market studies that may be of interest to BBVA or third parties ”. Nor can the interested party clearly deduce the meaning of these expressions from starting from the context in which the information is offered and the expression of will is collected of the interested party, or from the context of the contractual relationship that binds the interested party with the responsible entity. On this contextual basis or factual context, the client is not able to understand the meaning of the purposes pursued by BBVA with the processing of your personal data, such as "knowing you better" , "developing our business models ” or “ improve the quality of products and services ” . The expressions that are so often repeated by BBVA throughout the document “Declaration of Economic Activity and Personal Data Protection Policy ” are included as examples of bad practices in the Article 29 Working Group document "Guidelines on transparency under Regulation 2016/679" , adopted on 11/29/2017 and revised on 04/11/2018. These Guidelines analyze the scope to be attributed to the elements of transparency established in article 12 of the RGPD, according to which the person responsible for treatment will take the appropriate measures to "provide the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way access, with clear and simple language ” , which must be related to what is expressed in Recital 39 of the aforementioned Regulation. From what is stated in these Guidelines, it is highlight at this time the following: "The requirement that the information be" intelligible "means that it must be understandable to the average member of the target audience. Intelligibility is closely linked to the requirement of use clear and simple language. A data controller who acts responsibly You will proactively get to know the people you collect information about and can use this knowledge to determine what said audience is likely to understand… ”. << Clear and simple language In the case of “written” information »(and when written information is communicated verbally, or through auditory or audiovisual methods, also for people with vision problems), have to follow best practices to write clearly. The EU legislator has already used previously a similar linguistic requirement (appealing to the use of “clear and understandable terms”) and it is also explicitly mentioned in the context of consent in recital 42 of the RGPD. The obligation to use clear and simple language implies that the information must be facilitated in the simplest possible way, avoiding sentences and complex linguistic structures. The information must be concrete and categorical; should not be formulated in abstract or ambivalent terms nor leave room for different interpretations. Specifically, the purposes and legal basis of the treatment of personal data must be clear. Examples of Poor Practice The following statements are not clear enough regarding the purpose of the treatment: . "We may use your personal data to develop new services" (since it is not clear what “services” are treated and how the data will help to develop them); C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 64 64/124 . "We may use your personal data for research purposes" (since it is not clear what type of "research" refers); and . "We may use your personal data to offer you personalized services" (since there is no clear what this "customization" implies). Examples of good practices . "We will retain your purchase history and use details of the products you have purchased above to suggest other products that we think might also interest you ”(it is clear that types of data will be processed, that the interested party will be the object of personalized product advertising and that your data will be used in this regard); . “We will retain and evaluate information about your recent visits to our website and how navigate through the different sections of the same in order to analyze and understand the use that people make our website and be able to make it more intuitive ”(it is clear what type of data is will treat and the type of analysis that the person in charge will carry out); and . “We will keep a record of the articles on our website that you have clicked on and we will use that information to personalize, from the articles you have read, the advertising that we show you on this website to suit your interests ”(it is clear what personalization entails and how the interests attributed to the interested party have been identified) >> . The foregoing must be interpreted, in any case, taking into account the principles established in article 5 of the RGPD, especially the principle of loyalty. Recital 42 of the same text also refers that the form in which the information is offered in Personal data protection matter must not contain unfair terms. BBVA alleges that the “Guide for compliance with the duty to inform”, published by this Agency, contains some examples when referring to the information on the purpose ( “to facilitate the interested parties offers of products and services of their interest ” ; "To be able to offer you products and services according to your interests ” ; "Improve your user experience" ) that can be considered similar to the expressions used in the Privacy Policy. However, this circumstance does not have enough potential to overcome the important objections that here They describe. In this regard, it should be noted that, although it is true that these expressions are similar to those used in some specific examples of the aforementioned guide, BBVA does not reference or has taken into account other statements in the guide that are basic to frame and interpret the meaning of those that the entity reproduces. Thus, it omits that these examples are included in the rubric “What information should be included in each heading? " ; rubric that begins by establishing criteria general that conditions the application of the examples included in it (such as the cited by BBVA) when noting that “the extent and level of detail of each heading will depend on the complexity of their particular circumstances ” (the underlining is from the AEPD). Then adding another important qualification such as that the examples Practices included in the guide are “related to the previous hypothetical cases ( “Warren & Brandeis SA editions” ) ”(Page 9). On the other hand, the reference expressions are found in the example included in section 7.2 "purpose" of the guide, which links the purpose of "... to provide interested parties offers of products and services of your interest… ” and “… according to your interests… ” exclusively to "the information provided by the interested parties" (the underlining is from the AEPD). C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 65 65/124 Finally, the Guide completes the aforementioned section with a new warning by pointing out that “practices such as including overly generic purposes or nonspecific, which may lead to further treatments that exceed expectations reasonable of the interested party ” . The framework of the Guide, which has been described in its entirety and not with a partial citation and selective as in BBVA's allegations, it presents substantial differences with that of the informative clauses of this entity, such as the following: the variety of the data object of treatment; the diversity of sources from which they are obtained, which go beyond the data provided by the interested party, including even those obtained in their condition of mere person in charge of the treatment; as well as the variety and complexity of the purposes object processing of personal data in its capacity as a financial entity that occupies a relevant position in the market, unlike the more schematic of an editor, which is the example cited in the Guide (the details of said data and treatments are described in different sections of the resolution omitting here to avoid repetitions). Additionally, it should be noted that the guidelines in the guide do not may be taken as final, since the aforementioned guide expressly advises that the The only specific objective it covers is to provide guidance on best practices and adds that it should be completed with other guides that the Data Protection Authorities may issue, in relation with the application of the GDPR. The previous argument about the terminology used in the Privacy Policy it is not taken into account by BBVA when making its allegations. This entity is limited to performing statements such as qualifying the arguments of this Agency as appraisals subjective; affirm that the terms used are clear and precise; who uses those expressions with the intention of providing their clients with a service adapted to their specific circumstances, for which it is essential to "know" them ; and that the context in the one who provides the information, which is determined by the contractual relationship, as well as the systematic document in two layers, allow a better understanding of the expressions used. It has been previously denied that the context in which the information is offered and collects the manifestation of will allow the interested party to know the meaning and scope of the expressions that have been pointed out. And, on the other hand, it cannot be said that the end cited by BBVA (know the customer better) justify the use of unclear expressions and indeterminate. It also tries to explain two of the many referenced above, which, obviously, does not resolve the deficiencies noted in the entire text of the Privacy Policy. Specifically, BBVA refers to the expression “we will apply statistical and classification to correctly adjust your profile ” , which he tries to explain without success, highlighting that with this expression two of the techniques used to better understand the client. Secondly, it refers to the indication “analyzing the uses of the products, BBVA services and channels ” , which according to BBVA is explained by this Agency in the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 66 66/124 motion for a resolution stating that “[t] he all refers to the data processed by reason of the products and services contracted ” . This Agency does not share the idea put forward by BBVA. In the first case, the simple Reference to the techniques used does not help the interested party the scope of the information when signals that the profile will be adjusted. Regarding the second expression, it was already indicated in the opening of the procedure and in the proposed resolution, the interested party has no opportunity to know the true scope of that expression, starting with the specific information the one referred to. Add that some of the expressions explained above are similar to expressions offered as examples in the "Guide on the use of cookies" (in the opinion of BBVA, “carry out statistics, surveys, actuarial calculations, measurements and / or studies of market that may be of interest to BBVA or third parties ” , is similar to the expression "For analytical purposes" ; and "analyzing the uses of BBVA products, services and channels" is similar to the expression "show you personalized advertising based on a profile elaborated from your browsing habits ” ) . Regarding the quotes that have been transcribed verbatim and in quotation marks, it is striking, First of all, that at the time BBVA carries out the process of adaptation to the RGPD, including informative clauses, the Guide on cookies published by the Agency at that time was the one presented on April 29, 2013 and it did not include the literality of said expressions. The only example of an informative clause included in said Guide literally indicated that “we use our own and third-party cookies to improve our services and show them advertising related to your preferences by analyzing your habits navigation ” . Therefore, BBVA could not, in any way, take this text into account as a reference when preparing its informative clauses. The examples referred to by BBVA literally reproduce the wording included in the "Guide on the use of cookies" published in November 2019 (both the one relating to cookies analytical purposes such as that related to personalized advertising based on the habits of navigation in example number 2 on page 20). However, his claim when taking as reference said legends in order to justifying the information clauses of the entity is again partial, since it is limited to collect only two limited subsections of the examples in the Guide. But without taking into account other substantive considerations included in the Guide that allow to substantiate an assessment contrary to the exculpatory effect intended by the entity. And, in particular, those that refer to the requirement to “use clear language and simple, avoiding the use of phrases that lead to confusion or distort the clarity of the message ” . In this sense, the Guide specifically indicates in section 3.1.2.b) the following (page 18): C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 67 67/124 << b) Clear and simple language must be used, avoiding the use of phrases that induce confusion or detract from the clarity of the message. For example, phrases such as “we use cookies to personalize your content and create a better experience for you "or" to improve your navigation ", or phrases such as" we can use your personal data to offer personalized services ”to refer to advertising cookies behavioral. Terms such as “may”, “could”, “some”, “often”, and "Possible" >>. Expressions that come to confirm the foundations for the declaration of the BBVA's information clauses as illegal in this procedure. Based on the foregoing, BBVA's allegation regarding the application of the principle of legitimate expectations. Regarding the above issues, BBVA also adds in its allegations that it acted with proactive responsibility, (…); and that offering a courtesy image is a decision commercial, a “marketing action” , according to its own terms, for which it is legitimized by virtue of their right to free enterprise. (…) On the other hand, it is clear and indisputable that the Privacy Policy cannot used as a “marketing action” . This is how BBVA has rated it and the result is the one that has been described in the previous paragraphs. - Information on the categories of personal data subjected to treatment; and on the specific categories of personal data that will be processed for each one of the specific purposes. On the other hand, it is verified that the information offered is incomplete in relation to with key aspects established in the repeated articles, such as the categories of the data treated personnel. In accordance with the criteria stated by the European Committee for the Protection of Data, information on the type of personal data would be necessary in relation to those data processing whose legal basis is determined by the consent of the interested. This is how the Article 29 Working Group understood it in its document “Guidelines on consent under Regulation 2016/679 ” , adopted on 11/28/2017, revised and approved on 04/10/2018 (these Guidelines have been updated by the Committee European Data Protection Regulation on 05/04/2020 through the document “Guidelines 05/2020 on consent pursuant to Regulation 2016/679 ” , which literally maintains identical the parts that are transcribed below). The Article 29 Working Group draws its conclusions from the definition of the "consent" contained in article 4 of the RGPD, which is expressed in the terms following: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear action C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 68 68/124 affirmative, the processing of personal data that concerns him ” . From this definition, they are specified as necessary elements for the validity of the consent to the following: . Manifestation of free will . specific . informed and . unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data concerning you. In relation to the element "manifestation of specific will" it is said: “3.2. Specific manifestation of will (…) Ad. ii) The consent mechanisms should not only be separated in order to comply with the "free" consent requirement, but must also comply with the consent requirement "specific". This means that a data controller seeking consent to several different purposes, it must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, the data controllers must provide, with each request for separate consent, specific information on the data that will be processed for each purpose, with the In order for the interested parties to know the impact of the different options they have. Of this Thus, data subjects are allowed to give specific consent. This question overlaps with the requirement that those responsible provide clear information ”. Furthermore, consent, to be valid, must be informed. This item is analyzed in the aforementioned "guidelines" as follows: 3.3. Informed manifestation of will The GDPR reinforces the requirement that consent must be informed. In accordance with the Article 5 of the RGPD, the requirement of transparency is one of the fundamental principles, closely related to the principles of loyalty and legality. Provide information to interested parties before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing and, for example, exercise your right to withdraw your consent. If the person in charge does not provide accessible information, the user's control will be Illusory and consent will not constitute a valid basis for the processing of the data. If the requirements for informed consent are not met, the consent will not be valid and the person in charge may be in breach of article 6 of the RGPD. 3.3.1. Minimum content requirements for consent to be "informed" In order for consent to be informed, it is necessary to communicate to the interested party certain elements that they are crucial to choosing. Therefore, the WG29 believes that it requires, at least, the information following to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the processing operations for which consent is requested, iii) what (type of) data will be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of the data for automated decisions in accordance with article 22, paragraph 2, letter c), where relevant, and vi) information on the possible risks of data transfer due to the absence of a decision of adequacy and adequate guarantees, as described in article 46 >> . C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 69 69/124 In view of the interpretive criteria on the notion of "informed consent" offered by the European Data Protection Committee, it is considered that BBVA does not provides sufficient information on the type of data that will be submitted to treatment in relation to all those treatments whose legal basis is the consent of the interested parties. This insufficiency is observed in relation to the purpose “To improve the quality of products and services ” , where it is indicated again that: “ Said information is obtained from from the use of BBVA products, services and channels ” ). All this refers to the data treated by reason of the products and services contracted, so that, although these are known to the user, he cannot know which ones will be selected from the use of such products and services. The same can be said regarding the use of BBVA channels. In relation to the category of personal data that may be processed, BBVA warns the interested party, in a generic way, that they may process "Economic and solvency data patrimonial (including those related to all the products and services that you have contracted with BBVA or of which BBVA is a marketer); Transactional data (income, payments, transfers, debts, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or for which BBVA is marketer); Sociodemographic data (such as age, family situation, residences, studies and occupation). In view of this information, it is not clear whether BBVA will process economic data unrelated to the products contracted with or marketed by the entity, what data personnel will register for each transaction (will the corresponding concept and issuer register to the payment of a union dues?); or what sociodemographic data will be processed, in addition to those cite as an example. It could even happen that the information collected by the entity responsible "from the use of BBVA products, services and channels" was integrated for sensitive data or special categories of personal data, for example, the quota aforementioned union or fees paid to political parties, or entities of a religious, or for the use of services provided by health or religious entities. It is not concluded that BBVA processes personal data such as indicated in the previous paragraph. It is said here, simply, in a foundation that analyzes the information offered by BBVA to its customers, that this information is faulty in the insofar as it does not allow the recipient of the information to know with certainty all the categories of personal data that will be used by that entity and that, even, the repeated information, due to its lack of specificity, could be covering a collection and unacceptable processing of personal data. Also when referring to the personal data that will be used to carry out data processing based on the legitimate interest of the entity, reference is made back to the "uses of BBVA products, services and channels" , as well as to information regarding the “financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments. income, transfers, debts, receipts ”. In this case, insufficient information on the categories of data to be processed is not related to the need for consent be informed, given that these are treatments based on the legitimate interest of the entity. However, in these treatments data not provided by the interested parties will be used, C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 70 70/124 so that the obligation contained in article 14.1.d) of the RGPD would be applicable. All this without prejudice to the relationship between data processing based on the consent of the interested parties to which reference is subsequently made. (…) In another vein, at this time, it is interesting to note that the use of data Personal based on legitimate interest gives rise to the creation of profiles, which are subsequently used to offer products and services (purpose 3) to customers who give their consent to do so, and that said profile is communicated to the companies of the BBVA Group, also based on the consent of the interested party. This being the case, the defects in information in relation to the processing of data based on legitimate interest affect by equal to the validity of the consent. It is also interesting to note that the information offered on the data subject to treatment by BBVA to which reference has been made includes “those related to all the products and services… of which BBVA is a marketer ” . This Agency questions the use of these data by the aforementioned entity and for the purposes that are indicated, considering that they are not own products, but third party products marketed by it. BBVA intervenes in the commercialization of these products under the status of data processor, which limits the possibility of using the information in question for its own purposes. Likewise, failure to comply with the obligation to report on the category of data that will be subjected to treatment is also breached in relation to data that is not are provided to the person in charge by the interested party, but are obtained by the latter from sources external or inferred by the entity itself. As has been exposed, in these cases, Article 14 of the RGPD requires you to provide this information. Among this information from third parties is that obtained from products and services marketed by BBVA, but which are not its own, to the which has already been referenced. It follows that BBVA processes personal data that it does not obtain directly from the interested parties under the condition of data controller. I know consider personal data from third parties that BBVA uses for the purposes expressed in the Privacy Policy. The responsibility for these personal data corresponds to the entity that owns the product purchased by the interested party or provider of the service contracted by the same. BBVA access such data under the condition of person in charge of treatment, by their intervention mediator in the commercialization of the product. In the Privacy Policy, in the section “What personal data does yours treat? BBVA? " , the following are mentioned: ". Economic and financial solvency data (including those related to all products services that you have contracted with BBVA or of which BBVA is a marketer); . Transactional data (income, payments, transfers, debits, receipts, as well as C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 71 71/124 any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer) ”. As mentioned above, in relation to data processing based on the legitimate interest also mentions the information regarding the “financial evolution and that of the products and services that you have contracted ... through BBVA as marketer, With the information provided, as indicated above, it is not clear what financial and solvency personal data are processed or what data will BBVA record by every transaction. (…) The use by BBVA of personal data from products and services of Third parties require that the interested parties be provided with the appropriate information and have a legal basis that protects the treatment. (…) The only reference to the information coming from files of patrimonial solvency and credit and to CIRBE in this privacy policy is contained in the information regarding the use of personal data to manage the products and services contracted, legitimized as it is necessary for the execution of the contract. Even so, the consultation of the client's data in solvency and credit files is submits to the consent of the interested party “to analyze the economic viability of your requests and operations ” ; and in the second case, it indicates “We can consult the data that can appear on you in the CIRBE to assess your solvency, if you request or maintain financing products or services with us ” . Nothing is indicated in the privacy policy about this personal data and its use in the elaboration of profiles based on legitimate interest. In its brief of allegations to the proposed resolution, BBVA does not make any mention of personal data obtained from third party products and services marketed by BBVA. It only states that the obligation to inform about the categories of sociodemographic data, those obtained from CIRBE and from files of Solvency is not applicable in this case, by virtue of the provisions of section 5 c) of said precept, taking into account that such personal data is obtained by BBVA from conformity with the indicated standards. The obtaining of such data by BBVA is not questioned in this case. As said above, the use of personal data from patrimonial and credit solvency files and CIRBE files to manage the products and contracted services, provided that it is necessary for the execution of the contract. This is the foundation that determines access to information provided in the rules that are they invoke. However, the use of this personal data by BBVA is not limited to C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 72 72/124 check the situation of the interested party for the formalization of a risk operation, but also for other purposes based on legitimate interest, as well as for the preparation of Profiles that are used for commercial purposes, to offer products and services. In addition, in relation to data from solvency and credit files, The Privacy Policy informs that they will only be consulted with the consent of the interested party and that the rule invoked by BBVA refers exclusively to the duty to consult the information on a specific type of operations, such as granting loans with real collateral or whose purpose is to acquire or retain property rights over land and real estate; not just any risky operation. (…) And not only does it not specify what data will be processed, but it also does not duly informs about the specific categories of personal data that will be processed for each of the specified purposes. The need to complete the information offered to customers in the sense expressed is especially relevant when it comes to data not provided by the customer, but inferred by the entity itself from the use of products, services and channels. It cannot be accepted that all information is intended for all uses, that all data collected or inferred can be used for all purposes, without delimiting. This serves The same in relation to the personal data that will be communicated to third parties. In this regard, the Opinion of the aforementioned Article 29 Working Group, "Guidelines on consent under Regulation 2016/679" , adopted on 11/28/2017, revised and approved on 04/10/2018, and revised again in May 2020, When referring to the obligation to inform about the data that will be collected and used, it refers to Opinion 15/2011 on the definition of consent, as “manifestation of specific will ” : “To be valid, consent must be specific. In other words, consent indiscriminate without specifying the exact purpose of the treatment is not admissible. To be specific, consent must be understandable: clearly and precisely refer to the scope and consequences of data processing. It cannot refer to an indefinite set of treatment activities. This means, in other words, that consent applies in a limited context. Consent must be given in relation to the various aspects of the treatment, clearly identified. This implies knowing what the data is and the reasons for the treatment. This knowledge It should be based on the reasonable expectations of the parties. Therefore, the "specific consent" it is intrinsically related to the fact that consent must be informed. Exists a requirement of precision of consent with respect to the different elements of the treatment of data: it cannot be claimed to encompass "all legitimate purposes" pursued by the controller treatment. The consent must refer to the treatment that is reasonable and necessary in relationship with the purpose ”. In General, as has been said, the principle of transparency should be understood as a fundamental aspect of the principles of lawful and fair treatment. It is interesting to reiterate expressed in Considering paragraphs 39 and 60 and the references they contain to the need to provide information to ensure fair and transparent treatment: "39. All processing of personal data must be lawful and fair. For natural persons it should be totally clear that data is being collected, used, consulted or otherwise processed C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 73 73/124 personal data that concern them, as well as the extent to which said data is or will be processed ... Said The principle refers in particular to the information of the interested parties about the identity of the person in charge treatment and the purposes thereof and the information added to ensure fair treatment and transparent regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. The natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data ”. "60. The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The controller must provide the interested party as much additional information is necessary to guarantee fair treatment and transparent, taking into account the specific circumstances and context in which the data is processed personal ”. And in the also cited document of the Article 29 Working Group “Guidelines on transparency under Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, which analyzes the scope to be attributed to the principle of transparency, it indicates: “A fundamental consideration of the principle of transparency outlined in these provisions is that the interested party must be able to determine in advance the scope and consequences derived from the treatment, and that you should not be surprised at a later time by the use that has been made of your personal information. It is also an important aspect of the principle of loyalty by virtue of of article 5 (1) of the GDPR and, indeed, it is related to recital 39, which establishes that “natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data [...] ”. Specifically, the posture of GT29 regarding complex, technical or unforeseen data processing is that, in addition to facilitating the information prescribed in articles 13 and 14 (aspect that will be dealt with later in these guidelines), data controllers should also detail separately and in plain language. ambiguities what will be the most important “consequences” of the treatment: in other words, What kind of repercussions will the specific treatment described in a privacy statement / notice? In accordance with the principle of proactive responsibility, and in In line with recital 39, data controllers should assess whether this type of treatment poses some specific risk to natural persons that must be put into knowledge of stakeholders. This can help to get an overview of the types of treatment that could have a greater impact on the fundamental rights and freedoms of interested parties in relation to the protection of their personal data ”. In short, personal data is collected and processed without the owners of the same are aware that BBVA is accessing them to register them in their information systems, subjects them to treatments about which the client is not informed clearly, precisely and simply, and with non-explicit and undetermined purposes, against of the principles relating to the treatment established in article 5 of the RGPD (loyalty, limitation of the purpose and minimization of data), since, from the information provided, considering their lack of discretion, the interested party cannot know, as the Constitutional Court, “to what use is it being destined and, on the other hand, the power to oppose that possession and uses ” . This lack of precision renders the information provided ineffective about the data processing that is intended. The same objection must be expressed in relation to the communication of data personal to BBVA Group companies. With the information offered it is not possible that the interested party has a clear idea about the information that will be transferred to the entities that make up the Group (“… communicate data related to your customer profile -income amount and C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 74 74/124 expenses, balance and use of our channels ” ; “… Your identification, contact and transactional data ” ). The BBVA entity considers in its allegations that the incorporation of all those Information regarding the type of data in an already excessively long document would be liable to cause information fatigue in the interested parties. The GT29 Guidelines recommend avoiding that consequence, but such a purpose cannot be taken as a justification for omitting necessary information. It forces to structure the information adequately, but not to limit it. On the other hand, BBVA has stated that it cannot be required to report on the personal data subjected to treatment and that this information is broken down for each one of the purposes based on the guidelines that have been mentioned, which do not have normative character. However, it should be noted that the Working Group of the Article 29 was established by Directive 95/46 / EC on an advisory and independent, and whose opinions and recommendations serve as an interpretive element in the matter at hand, admitted by jurisprudence. At present it is the Committee European Data Protection the body with competence to issue guidelines, recommendations and good practices in order to promote the consistent application of the GDPR. Regarding the above questions, it claims again that the conclusions presented modify what is stated in the "Guide on compliance with the duty to inform" and that no the establishment of interpretive criteria in a procedure can be admitted sanctioner. Both questions have been answered previously, pointing out, on the one hand, the terms in which the expressions of the "Guides" edited by this Agency should be considered and, on the other hand, that this resolution is based on widely consolidated criteria for a long time, as has been well exposed. - Information on the purposes to which the personal data of the clients and the legal basis of the treatment Regarding the purposes to which the personal data of the clients will be used and the legal basis of the treatment of the treatment, the entity BBVA, in the document through the that facilitates information on the protection of personal data, refers treatments similar in relation to different purposes, protected by the legitimate interest in some cases and in consent in another. This may mean that an average citizen understands that a Non-consensual treatment is finally carried out under the legitimate interest of the responsible, and your ability to decide on the destination of your data is undermined personal. Specifically, BBVA reports on the realization of personalized offers and the use of data to improve its products and services as treatment of data with legal basis in the consent of the interested party and, at the same time, such treatments are also mentioned among those that can be performed to know better customer and enhance your experience, based on legitimate interest. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 75 75/124 On the treatments based on legitimate interest, information is provided in the following terms: . "Know you better and personalize your experience" . "May your experience be as satisfactory as possible" . "Get to know yourself better by analyzing your financial evolution ... the uses of products, services and channels." . "Assess new functionalities ..., products and services" . "Rate ... personalized offers with more adjusted prices for you" . "Better meet your expectations and we can increase your degree of customer satisfaction" . "Improve the quality of products and services" . "Carry out statistics, surveys or market studies that may be of interest." Information on consent-based treatment is provided in the following terms: . "Offer you products and services from BBVA, the BBVA Group and others, customized for you" . "Give you advice and recommendations to better manage your financial situation" . "Improve the quality of products and services" . "Increase your degree of customer satisfaction." . "Meet your expectations." . "Improve the quality of existing products and services." . Develop new products and services ”. . "Carry out statistics, surveys, actuarial calculations, averages and / or market studies that can be of interest to BBVA or third parties. . "This information is obtained from the use of BBVA products, services and channels." It is not concluded that they are similar treatment operations, but rather that the information offered may cause confusion, to an average citizen, on the legal basis that justifies the treatment, in the sense expressed. The information on the purposes, in general, is closely linked to the principle of limitation of the purpose, regulated in article 5.1 b) of the RGPD, which establishes the following: "1. The personal data will be: b) collected for specific, explicit and legitimate purposes, and will not be further processed as way incompatible with said purposes; according to Article 89 (1), further processing of personal data for archival purposes in the public interest, scientific research purposes and historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of purpose ")". The importance of this principle is determined by its object, which is none other than establish the limits within which personal data can be processed and the extent to which they can be used, as well as determining the data that can be collected. To be "explicit" , an end must be unequivocal and clearly stated, in detail enough for the interested party, any interested party, to know in a certain way how they will be or data not processed and favoring the exercise of their rights and the evaluation of the compliance with regulations. To be "explicit" , the purpose must also be disclosed, as which must take place at the time the personal data is collected On this issue, the Article 29 Working Group ruled in its Opinion 03/2013, on limitation of purposes. In this work, it was considered that they should be rejected, by nonspecific, the purposes expressed with vague or too general formulas, such as "improving user experience" , "marketing purposes" or C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 76 76/124 "Future research". This Opinion indicates that the more complex the data processing is personal, the purposes should be specified in a more detailed and exhaustive manner, "including, among other things, the way in which personal data is processed. They must also to reveal the decision criteria used for the elaboration of customer profiles ” . In accordance with the foregoing, the purposes for which the data will be processed personal information about which BBVA informs its clients, except for the management of products, do not conform to the aforementioned transparency requirements, especially if We consider the huge amount of personal data that it submits to treatment, individual or globally considered, and the complex technical processes to which they are subjected, on all for the elaboration of profiles, which are used for all the purposes described in the privacy policy: "2. To get to know you better and personalize your experience. 3. To offer you products and services from BBVA, the BBVA Group and others, customized for you. No we are going to flood you with information. 4. To communicate your data to BBVA Group companies so that they can offer you products and own personalized services for you. 5. To improve the quality of products and services ”. - Information on the legitimate interest of the person in charge and third parties Likewise, the aforementioned precepts establish the obligation of the person responsible to inform on the legitimate interests on which the processing of personal data is based (the Articles 13 and 14 of the RGPD establish the obligation to inform about "legitimate interests of the person in charge or of a third party ” ). However, the information provided by BBVA remains indefinite regarding the basis of the treatment, so that it does not properly support this authorization for the processing of data, resulting, therefore, contrary to the principle of transparency. The definition of “legitimate interest” that BBVA includes in the "Glossary of terms" : "Legitimate interest is one of the legal bases that authorize BBVA to process your data. This means that BBVA can process your data because have an interest in doing so, as long as that interest does not harm your rights ”. Recital 47 of Regulation (EU) 2016/679 are especially clarifying in the task of specifying the content and scope of this legitimizing basis of the treatment, described in letter f) of article 6.1 of the RGPD. From what is stated in this Recital, It is interesting to highlight as an interpretive criterion that the application of this legitimizing base has to be predictable for your recipients, taking into account their reasonable expectations. The Article 29 Working Group prepared Opinion 6/2014 regarding the “ Concept of legitimate interest of the person responsible for data processing under article 7 of the Directive 95/46 / CE ”, dated 04/09/2014. Although Opinion 6/2014 was issued for favor a uniform interpretation of Directive 95/46 then in force, repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and having Note that the reflections that the Opinion offers are an exponent and application of principles that also inspire the GDPR -such as the principle of proportionality- or of principles principles of Community law - the principle of fairness and respect for the law and C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 77 77/124 Law- many of his reflections can be extrapolated to the application of current regulations, Regulation (EU) 2016/679. The said Opinion refers to the "Concept of interest" in the following Terms: "The concept of" interest "is closely related to the concept of" purpose "mentioned in Article 6 of the Directive, although these are different concepts. In terms of protection of data, "purpose" is the specific reason why the data is processed: the purpose or intention of the data processing. An interest, on the other hand, refers to a greater involvement than the responsible for the treatment may have in the treatment, or to the benefit that the person responsible for the treatment obtains -or that the company can obtain- from the treatment. For example, a company may have an interest in ensuring the health and safety of personnel who work at your nuclear power plant. Therefore, the company may have the purpose of applying specific access control procedures that justify the processing of certain data specific personnel in order to ensure the health and safety of personnel. An interest must be articulated clearly enough to allow the balancing test It is carried out contrary to the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be "pursued by the controller." This requires a real and current interest, which corresponds to present activities or benefits that are wait in the very near future. In other words, interests that are too vague or speculative will not be enough. The nature of the interest can vary. Some interests may be compelling and beneficial to society in general, such as the interest of the press in publishing information on corruption government or interest in conducting scientific research (subject to appropriate safeguards). Other interests may be less pressing for society as a whole or, in any case, the impact of your search on society may be more disparate or controversial. This can, for For example, apply to the economic interest of a company in learning as much as possible about its potential clients in order to better target advertising on their products and services ”. In the conclusions section of this Opinion the following is added: "The concept of" interest "is the broadest implication that the controller may have in the treatment, or the benefit that it obtains, or that the company may obtain, from the treatment. This can be compelling, clear, or controversial. The situations referred to in the article 7, letter f), may therefore vary from the exercise of fundamental rights or the protection of important personal or social interests to other less obvious or even problematic contexts. … It must also be articulated with sufficient clarity and must be specific enough to allow the balancing test to be performed against interests and rights fundamentals of the interested party. It must also represent a real and current interest, that is, it must not be speculative". The "interest" goes beyond the "purpose" . in terms of the GT29 it represents "a greater implication that the controller may have in the treatment, or the benefit that the data controller obtains ” ; while "purpose", in terms of data protection, “is the specific reason why the data is processed: the objective or the intention to process the data. In this case the "interest" is not expressed. The entity does not inform in its policy of privacy on any specific interest when referring to the data processing that has planned to be carried out under this legal basis. It is limited to indicating purposes and objectives C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 78 78/124 intended with these data processing, but no interest in the sense expressed. BBVA has stated in its brief of allegations that the information on the specific legitimate interests on which it is based for these treatments is included in the section "Why do we use your personal data?" of the "Extended Information" , in which details the bases that legitimize the treatment ( “… so that from BBVA we can better meet your expectations and we can increase your degree of customer satisfaction when developing and improving the quality of own or third party products and services, as well as carry out statistics, surveys or market studies that may be of interest ... to be a bank close to you as a customer… ” ). This is also indicated in the "Basic information" of the privacy policy when it states “for what reason do we use your personal data (legal base)? Get to know yourself better and make your experience more personalized. Legitimate interest BBVA is explained in the "Extended information" section. It can be easily verified that this information on "interest" is similar to the expressed when describing the purposes: The basic information indicates: For what purposes will we use them? 2. To get to know you better and personalize your experience . And in the extended information: What do we use your personal data for? 2. Get to know yourself better and personalize your experience At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments. income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as offers personalized with more adjusted prices for you. As we will know you better, we can congratulate you for your anniversary, wish you a good day or happy holidays ”. (…) In any case, the use of personal data in order to "know" better to the client, as stated, can be understood as a follow-up of the interested party without a justifiable reason, which cannot be protected by the legitimate interest. This follow-up involves a thorough analysis of customer information, which is intended to be justified with the mention of a generic and simple purpose ( "to know you better" ), whose consequences can be much more serious than those mentioned as examples (congratulations on the birthday). The same can be said about using customer data to “improve products and services ” of BBVA, which this entity also bases on the interest legitimate, considering, as indicated by it, that the interested party has an expectation C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 79 79/124 reasonable for your personal data to be used for that purpose. This Agency considers that this treatment of the data, as it appears based on BBVA's privacy policy, it cannot rely on the legal basis legitimate interest, which requires an evaluation to determine the interests or rights that prevail. This weighting must take into account, indeed, "the expectations reasonable of the interested parties based on their relationship with the person in charge ” , but understood as what the interested party can perceive or deduce as reasonable by itself based on the specific circumstances that occur in each case, what he could foresee at the time of collecting data reasonably. Not what the responsible entity understands as a “Reasonable expectation” of the client, nor what it informs the client about meets those expectations. The term “reasonable expectation” should always be used sparingly, taking into account the position held responsible and interested and the legal nature of the relationship or service that links them, which could lead to the subsequent use of the data personal of it. Context, already referred to, is taken into account above, in order to define, based on all this, the subsequent processing of the data that the interested party can expect to be done. This "reasonable expectation" of the customer is has to deduce by itself, without the need for the information provided by the responsible to the interested party or client defines or specifies said expectation, as this assumes that the Bank impersonates the customer, trying to clarify the expectation that expect precisely because it does not emerge by itself from the information it offers or from the relationship that unites responsible and interested. It is intended, with this, to convey an appearance reasonable expectation and displace the interested party in this deduction. Therefore, the information offered by BBVA on data uses based on the expectation that the recipient of the information you have as a customer. The specific determination of BBVA's interest, articulated with sufficient clarity, It will allow the interested party to oppose their own interests. It also enables a better analysis of the reality and actuality of said interest. On the legitimate interest of the person in charge and the weighting test, the document of the Working Group on Article 29 “Guidelines on transparency under the Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, offers the following criteria: “The specific interest in question must be identified for the benefit of the interested party. As a matter of good practice, the data controller can also provide the data subject with the information resulting from the "weighting test" that must be carried out in order to benefit from the provisions in article 6, paragraph 1, letter f), as a lawful basis for the treatment, prior to any collection of the personal data of the interested parties. To avoid information fatigue, this can be included within a tiered privacy statement / notice (see section 35). In any case, the position of the WG29 is that the information addressed to the interested party must make clear that he can obtain information on the weighting test upon request. This turns out essential for transparency to be effective when stakeholders doubt whether the examination of weighting has been carried out loyally or wish to file a claim with the control". C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 80 80/124 In this brief of allegations it indicates that the legitimate interest that it intends to fulfill is the to continuously improve the relationship with its customers and the portfolio of products and services What it offers, and thus anticipate their needs in case they require them; what this interest is aimed at the continuous improvement of the business model and achieving satisfaction of the client with the service provided; provide the best service to its customers and offer them products that can better fit your profile; get to know your customers as well as possible to be able to provide them with their services with the highest degree of excellence possible. (…) As can be seen, the legitimate interest is not clearly described, but rather The purposes about which customers are informed in the Privacy Policy are reiterated Privacy. According to the above, and contrary to what BBVA stated in its allegations to the resolution proposal, the legitimate interest is not the purpose for which the data is processed personal. All this without forgetting what has already been indicated in relation to the use of imprecise terms and vague formulations in the information provided, in particular with regard to the definition of the purposes. In relation to the previous indications regarding the reasonable expectation of the interested in the subsequent use of their personal data, BBVA has stated that the References to this expectation contained in the Privacy Policy are a consequence of the compliance with the obligations imposed by article 13 of the RGPD on information about the treatment based on a prevailing legitimate interest; and wonders if the AEPD It is intended to say that treatments based on legitimate interest should not be reported. BBVA's interpretation of legitimate interest and expectations reasonable clients' reasons cannot be shared by the AEPD, for the reasons already exposed. What this Agency has questioned is that the Privacy Policy defines or try to define to the data subject what their reasonable expectation is. - Information on profiling Another important aspect related to the subject analyzed has to do with the use of personal data for the preparation of customer profiles, understood as any form of personal data processing that evaluates personal aspects related to a Physical person. According to art. 13.1.c) of the RGPD, the person in charge must inform the interested party of the purposes of the treatment, as well as its legal basis, which means that you must inform on the elaboration of profiles when the person in charge has foreseen such purpose and specify the legal basis that protects the treatment for that purpose. Article 11 of the LOPDGDD establishes the minimum content of the basic information to be provided to the interested party: "2. The basic information referred to in the previous section must contain, at least: (…) If the data obtained from the affected party were to be processed for profiling, the information basic knowledge will also understand this circumstance ”. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 81 81/124 Recital 60 of the RGPD also refers to the obligation to “inform the interested party about the existence of profiling and the consequences of said elaboration". On the principles relating to the processing of personal data, when these consist of profiling, the Guidelines of the Article 29 Working Group on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate what following: “Transparency of treatment is a fundamental requirement of the GDPR. The profiling process is usually invisible to the person concerned. It works by creating data derived or inferred about people ("new" personal data that have not been directly provided by the interested parties themselves). People have different levels of understanding and It can be difficult to understand the complex techniques of profiling processes and automated decisions ”. “Taking into account the basic principle of transparency that underpins the RGPD, those responsible for the treatment must ensure that they clearly and easily explain to people the operation profiling or automated decisions. In particular, when the treatment involves decision-making based on the preparation of profiles (regardless of whether they fall within the scope of the provisions of Article 22), you must clarify to the user the fact that the treatment is for both a) profiling and of b) adoption of a decision based on the profile generated Recital 60 establishes that providing information about profiling is part of the of the transparency obligations of the data controller according to article 5, paragraph 1, letter a). The interested party has the right to be informed by the person responsible for the treatment, in certain circumstances, about your right to object to "profiling" regardless of whether individual decisions have been made based solely on the automated processing based on profiling ”. “The person responsible for the treatment must explicitly mention to the interested party details about the right opposition according to article 21, paragraphs 1 and 2, and present them clearly and regardless of any other information (Article 21, paragraph 4). According to article 21, paragraph 1, the interested party can oppose the treatment (including the elaboration of profiles) for reasons related to your particular situation. Those responsible for the treatment are specifically obliged to offer this right in all cases in which the treatment is based on article 6, paragraph 1, letters e) or f) ”. The BBVA privacy policy that is the subject of these actions refers to the profiling on numerous occasions when describing the purposes for which the will use the data, or include indications that lead to the conclusion that it will perform operations profiling. This can be understood in relation to the realization of product offers and personalized services or price offers tailored to the customer's profile; or when I know informs about the communication to the BBVA Group companies of personal data related to the client's profile. Excluding those carried out for the execution of the contract between the client and responsible, the following are cited: b) Get to know you better and personalize your experience. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 82 82/124 . “At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is best adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments. income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as offers personalized with more adjusted prices for you… ”. c) Offer products and services from BBVA, the BBVA Group and others, customized for the client: “… We can send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client ”; "We can send you information, according to your customer profile, about products, services and offers financial and non-financial of the BBVA Group companies and third parties… ”. d) To communicate customer data to BBVA Group companies so that they can offer products and services customized for it. “If you want the BBVA Group companies included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf they can offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile (amount of income and expenses, balances and use of our channels). This information will be processed to try to improve the characteristics and prices of the product offering and services. The BBVA Group companies will only process your data for that purpose ”. Therefore, BBVA processes the personal data of its customers to proceed to its profiling, which is subsequently used for the stated purposes. In all the cases in which it refers to the elaboration of profiles or the use of data that are the result of profiling activities, the basis of their action is based, in accordance with the information provided to interested-clients, in the consent of these; Except in what refers to the use of the data in order to better know the customer and improve their experience, which BBVA protects in the legitimate interest. For the reasons already expressed in relation to the lack of justification of interest legitimate, processing operations that include the preparation of profiles or that are based on these profiles and that have a legal basis in the legitimate interest of the person in charge. Furthermore, in this case, in the opinion of this Agency, the requirements of information described above. BBVA limits itself to reporting on actions that may be develop adapted to the "customer profile" or "personalized" , but does not offer information on the type of profiles to be made, the specific uses to which they will be put these profiles or the possibility that the interested party can exercise the right of opposition in application of article 21.2 RGPD, when profiling is related to activities of direct marketing. In the terms of the GT29, it is not “ explained to people in a clear and simple way the profiling ” nor are they warned about adopting decisions “on the basis of the generated profile” , regardless of whether they fall within the scope of the provisions of article 22. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 83 83/124 The concept of profiling is not treated in a systematic way in the privacy policy of BBVA. In fact, the first layer only talks about “knowing you better and personalizing your experience ” , omitting the elaboration of profiles, despite the fact that this purpose, according to appears stated, it is necessary to do a previous profiling of each and every one of the clients. This is a breach of the provisions of article 11 of the LOPDGDD. In the second layer or "extended information" , when describing the purpose "To know you better and personalize your experience ” , the concept profile is only mentioned twice, one of them qualified with the expression "customer profile" and another when it is indicated that "it will be adjusted correctly ” the profile with the application of statistical and classification methods, without describe what these methods will consist of and the consequences of their application, and presenting this type of action as if it were something alien to the activity of the responsible whose result is precisely that profiling. In this case, in addition, treatment operations based on customer profiling referred to in section a) above go beyond the improvement of the experience of the latter, to the point that said profiling is used by BBVA to develop its business model, assess new functionalities and products and make personalized offers. BBVA dedicates a section of its brief of allegations to the resolution proposal to this question regarding profiling, but without offering any explanation about the deficiencies appreciated, to which it does not refer. He simply tries to justify the use of personal data for the design of its business model and to point out that informs the interested parties about the treatment carried out (analyze and assess the data), the data typology and purpose. On this same question, he reiterates that within the framework of goal 2 "Know you better and personalize your experience ” no offers or commercial communications are sent and that the Agency confuses both purposes. However, in the foregoing it is not produces no confusion in the sense expressed by BBVA. What stands out in the previous paragraphs are those parts of the text that refer to data processing that involve the elaboration of profiling operations, about which there is no information duly, as has been said. Finally, it is interesting to point out that the Privacy Policy does not warn in in no case if those profiling operations correspond to the decisions individual automated regulated in article 22 of the RGPD, if said profiles are to serve to make automated decisions with legal effects for the interested party or that will significantly affect in a similar way, in which case the interested party would have right to be informed by virtue of the provisions of article 13.2.f) of the RGPD, including in that information all the issues that that letter mentions (the logic applied, the importance and the expected consequences of such treatment for the interested party, also warning about the possibility of opposing the adoption of these automated individual decisions), and the right to have all the guarantees provided (in addition to the information specific to the interested party, the right to obtain human intervention, to express their point of view, to receive an explanation of the decision taken after such evaluation and to challenge the decision). Although it is not said On the contrary, that is, it is not said that any interested party will be the subject of an individual decision automated system of this nature, it should be understood that such actions are not carried out cape. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 84 84/124 No imputation is made for regulated automated individual decisions in the aforementioned article 22 (nor on the treatment of category data special). This comment is included as a mere warning, considering that the policy of Privacy informs about data processing that involves the use of profiles of the that could result discriminatory effects for the interested parties (such as, for example, credits pre-granted, prices adjusted to the client's profile). In accordance with the foregoing, the facts set forth imply a violation of the principle of transparency regulated in articles 13 and 14 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Agency for Data Protection. VII On the other hand, articles 6 and 7 of the same RGPD refer, respectively, to the "Legality of the treatment" and the "Conditions for consent": Article 6 of the RGPD. "1. The treatment will only be lawful if at least one of the following conditions is met: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller treatment or by a third party, provided that the interests or interests do not prevail over said interests. fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the public authorities in the exercise of their functions. 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to the treatment in compliance with the section 1, letters c) and e), setting more precisely specific treatment requirements and other measures to ensure lawful and equitable treatment, including other specific situations treatment in accordance with Chapter IX. 3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the controller. The purpose of the treatment must be determined in said legal basis or, in relation to the Treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for treatment. Said legal basis may contain specific provisions to adapt the application of rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the person in charge; the types of data being processed; the interested C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 85 85/124 affected; the entities to which personal data may be communicated and the purposes of such communication; the limitation of the purpose; the data conservation periods, as well as the processing operations and procedures, including measures to ensure processing lawful and equitable, such as those relating to other specific treatment situations pursuant to the chapter IX. The law of the Union or of the Member States shall fulfill an objective of public interest and shall be proportional to the legitimate aim pursued. 4. When the treatment for a purpose other than that for which the personal data was collected is not based on the consent of the interested party or on the law of the Union or of the States members that constitute a necessary and proportionate measure in a democratic society to safeguard the objectives indicated in article 23, paragraph 1, the data controller, with in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected initially personal data, will take into account, among other things: a) any relationship between the purposes for which the personal data was collected and the purposes the planned further treatment; b) the context in which the personal data was collected, in particular with regard to the relationship between the interested parties and the data controller; c) the nature of the personal data, specifically when special categories of data are processed personal data, in accordance with article 9, or personal data regarding convictions and offenses criminal, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization ”. Article 7 of the RGPD. "1. When the treatment is based on the consent of the interested party, the person in charge must be capable of demonstrating that he consented to the processing of his personal data. 2. If the consent of the interested party is given in the context of a written statement that is also refer to other matters, the consent request will be presented in such a way that it distinguishes clearly of the other matters, in an intelligible and easily accessible way and using clear and simple. Any part of the declaration that constitutes infringement of this will not be binding. Regulation. 3. The interested party will have the right to withdraw their consent at any time. The withdrawal of Consent will not affect the legality of the treatment based on the consent prior to its withdrawal. Before giving consent, the interested party will be informed of this. It will be so easy to remove the consent how to give it. 4. When assessing whether consent has been freely given, the fullest extent will be taken into account possible the fact whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the execution of said contract ”. The statement in recitals 32, 40 to 44 and 47 is taken into account (already cited in Basis of Law VI) of the RGPD in relation to the provisions of articles 6 and 7 previously reviewed. From what is expressed in these recitals, the following should be highlighted: (32) Consent must be given by a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party to accept the processing of data from personal character that concerns you ... Therefore, silence, the boxes already marked or inaction does not they must constitute consent. Consent must be given for all activities of treatment carried out for the same or the same purposes. When the treatment has several purposes, you must give consent for all of them ... (42) When the treatment is carried out with the consent of the interested party, the person responsible for the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 86 86/124 treatment must be able to demonstrate that he has given his consent to the operation of treatment. In particular in the context of a written statement made on another matter, there must be guarantees that the interested party is aware of the fact that he gives his consent and to the extent that it does. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071), A model declaration of consent must be provided previously prepared by the data controller with an intelligible and easily accessible formulation that uses a language clear and simple, and that does not contain abusive clauses. For the consent to be informed, the The interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data is intended. Consent must not be considered freely provided when the interested party does not have a true or free choice or not You can deny or withdraw your consent without suffering any harm. (43) (…) It is presumed that consent has not been freely given when it does not allow authorizing by separate the different personal data processing operations despite being appropriate in the case specific, or when the performance of a contract, including the provision of a service, is dependent on consent, even when it is not necessary for such compliance. It is also necessary to take into account the provisions of article 6 of the LOPDGDD: "Article 6. Treatment based on the consent of the affected party 1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the term consent of the affected party any manifestation of free, specific, informed and unequivocal will by which he accepts, either through a declaration or a clear affirmative action, the treatment of personal data concerning you. 2. When it is intended to base the processing of the data on the consent of the affected party for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is given for all of them. 3. The execution of the contract may not be subject to the affected party consenting to the treatment of the personal data for purposes that are not related to the maintenance, development or control of the contractual relationship ” . - Processing of personal data based on the consent of the interested parties In accordance with the above, data processing requires the existence of a legal basis that legitimizes it, such as the consent of the interested party validly given, necessary when there is no other legal basis than those mentioned in article 6.1 of the RGPD or the treatment pursues a purpose compatible with that for which the data were collected data. Article 4 of the RGPD) defines “consent” as follows: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear action affirmative, the processing of personal data that concerns him ” . Consent is understood as a clear affirmative act that reflects a manifestation of free, specific, informed and unequivocal will of the interested party to accept the processing of personal data that concerns you, provided with guarantees sufficient so that the person in charge can prove that the interested party is aware of the fact that you consent and the extent to which you do so. And it must be given to all the treatment activities carried out for the same or same purposes, so that, when C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 87 87/124 the treatment has several purposes, consent must be given for all of them in a specific and unequivocal, without the execution of the contract being subject to the fact that the affected consent to the processing of your personal data for purposes that are not related with the maintenance, development or control of the business relationship. In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which they are intended the data (informed consent). Consent must be given freely. It is understood that consent does not is free when the interested party does not have a true or free choice or cannot deny or withdraw your consent without suffering any harm; or when you are not allowed to authorize separate the different personal data processing operations despite being adequate in the specific case, or when the fulfillment of a contract or service provision is dependent on consent, even when it is not necessary for such compliance. This occurs when consent is included as a non-negotiable part of the general conditions or when the obligation to agree to the use of personal data additional to those strictly necessary. Without these conditions, the provision of consent would not offer the interested party a true control over your personal data and their destination, and this would make it illegal to treatment activity. The Article 29 Working Group analyzed these issues in its document "Guidelines on consent under Regulation 2016/679" , adopted on 11/28/2017, reviewed and approved on 04/10/2018. These Guidelines have been updated by the European Data Protection Committee on 05/04/2020 through the document “Guidelines 05/2020 on consent with according to Regulation 2016/679 ” (it keeps the parts that are transcribed then). In this document 5/2020 it is expressly stated that the opinions of the Article 29 (WP29) Working Group on consent remain relevant, provided they are consistent with the new legal framework, stating that these guidelines do not they replace the previous opinions, but rather expand and complete them. From what is indicated in the GT29 document cited above, it is interesting now highlight some of the criteria related to the validity of consent, specifically on the elements "specific" , "informed" and "unequivocal" : “3.2. Specific manifestation of will Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the treatment of your data must be given "for one or more specific purposes" and that an interested party can choose with with respect to each of these purposes. The requirement that consent must be "specific" has in order to guarantee a level of control and transparency for the interested party. This requirement has not been amended by the GDPR and remains closely linked to the consent requirement "informed". At the same time, it must be interpreted in line with the 'disassociation' requirement for obtain "free" consent. In short, to fulfill the character of "specific" the responsible for the treatment must apply: i) the specification of the purpose as a guarantee against deviation of use, ii) disassociation in consent requests, and iii) a clear separation between the information related to obtaining consent for the data processing activities and information on other issues. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 88 88/124 Ad. i): In accordance with article 5, section 1, letter b), of the GDPR, obtaining consent Valid is always preceded by the determination of a specific, explicit and legitimate purpose for the planned treatment activity. The need for specific consent in combination with the notion of limitation of purpose contained in article 5, paragraph 1, letter b), functions as guarantee against the gradual extension or blurring of the purposes for which the treatment is carried out of the data once an interested party has given their authorization to the initial collection of the data. This phenomenon, also known as diversion of use, poses a risk to stakeholders already that may lead to an unforeseen use of personal data by the person responsible for the treatment or third parties and the loss of control by the interested party. If the controller is based on article 6, paragraph 1, letter a), the interested parties must always give your consent for a specific purpose for the processing of data. In consonance with the concept of purpose limitation, with article 5, paragraph 1, letter b), and with the Recital 32, consent may cover different operations, provided that said operations have the same purpose. Needless to say, specific consent can only be obtained when the interested parties are expressly informed about the purposes envisaged for the use of the data that concern them. Without prejudice to the provisions on compatibility of purposes, consent must be specific for each purpose. The interested parties will give their consent understanding that they have control about your data and that these will only be processed for said specific purposes. If a responsible treats data based on consent and, in addition, you want to process said data for another purpose, you must obtain consent for that other purpose, unless there is another legal basis that better reflects the situation… Ad. ii) The consent mechanisms should not only be separated in order to comply with the "free" consent requirement, but must also comply with the consent requirement "specific". This means that a data controller seeking consent to several different purposes, it must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, the data controllers must provide, with each request for separate consent, specific information on the data that will be processed for each purpose, with the In order for the interested parties to know the impact of the different options they have. Of this Thus, data subjects are allowed to give specific consent. This question overlaps with the requirement that those responsible provide clear information, as stated above in section 3.3 ". "3.3. Informed expression of will… ” (this section 3.3 already outlined in the Basis of Previous right). "3.4. Unequivocal manifestation of will The RGPD clearly establishes that consent requires a declaration by the interested party or a clear affirmative action, meaning that consent must always be given through action or statement. It must be evident that the interested party has consented to an operation specific data processing ... A "clear affirmative action" means that the data subject must have acted deliberately to give your consent to that particular treatment. Recital 32 offers additional guidance on this point ... The use of already checked acceptance boxes is not valid under the GDPR. The silence or the inactivity of the interested party, or simply continuing with a service, cannot be considered as a active indication of having made a choice ... A data controller must also take into account that consent cannot be obtained through the same action by which the user agrees a contract or accepts the terms and general conditions of a service. Global acceptance of the general terms and conditions does not can be considered a clear affirmative action aimed at giving consent to the use of data C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 89 89/124 personal. The RGPD does not allow those responsible for the treatment to offer boxes marked previously or opt-out mechanisms that require the intervention of the interested party to avoid the agreement (eg "opt-out boxes") ... ”. Those responsible for the treatment must design the consent mechanisms so that are clear to stakeholders. They must avoid ambiguity and ensure that action by means of which consent is given is distinguished from other actions… ”. This document cites Opinion 15/2011 of the WG29, on the definition of the consent. Regarding consent as a manifestation of unequivocal will, in this Last Opinion indicates: "For consent to be unequivocally granted, the procedure for obtaining it and granting does not have to leave any doubt about the intention of the interested party when giving his consent. In other words, the manifestation by which the interested party consents must not leave room for any misunderstanding about your intention. If there is a reasonable doubt about the intent of the person will produce an equivocal situation. As described below, this requirement obliges data controllers to create rigorous procedures for people to give their consent… ”. “This example illustrates the case of the person who remains passive (eg, inaction or 'silence'). Unequivocal consent does not fit well with procedures for obtaining consent to starting from the inaction or silence of the people: the silence or inaction of one party is inherently misleading (the interested party's intention could be assent or simply not perform the action) ”. “… Individual behavior (or rather, lack of action) raises serious doubts about the will according to the person. The fact that the person does not take a positive action does not allow conclude that you have given your consent. Therefore, it does not meet the consent requirement unequivocal". Furthermore, as illustrated below, it will also be very difficult for the person responsible for the data processing provide proof that shows that the person has consented ”. In this case, BBVA contemplates in its privacy policy the use of the personal data of your customers for purposes other than mere compliance with the business relationship. Specifically, the aforementioned entity mentions the following purposes, excluding that relating to the management of the products and services contracted: “2) To get to know you better and personalize your experience. 3) To offer you products and services from BBVA, the BBVA Group and others, customized for you. We are not going to flood you with information. 4) To communicate your data to BBVA Group companies so that they can offer you products and own personalized services for you. 5) To improve the quality of products and services ”. In relation to these purposes, BBVA refers to legitimate interest as the basis legitimizing for the use of the data for the purpose indicated in section 2) above and to consent in relation to the other purposes indicated. The responsible entity did not design a specific mechanism to collect the consent of their clients in order to use personal data with the purposes 3), 4) and 5), BBVA having estimated that the acceptance without further ado of the privacy, by means of the client signing the repeated form, entails the provision of C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 90 90/124 that consent. BBVA limits the options of the interested party to marking a box through which You record your opposition to the indicated data processing. The form data collection and provision of consent reads as follows: "We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below. . Products and prices more adjusted to you [] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me. [] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me. Quality improvement [] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make of your data. We remind you that when you enter the key that is requested in the signing process, you will be giving your In accordance with this Declaration of Economic Activity and Personal Data Protection Policy. SIGNING OF THE DOCUMENT "DECLARATION OF ECONOMIC ACTIVITY AND POLICY OF PROTECTION OF PERSONAL DATA ", including its Extended Information (model LOPD NORMAL PERSONAL DATA / DAE, version 13 09-23-2018) ”. Contrary to what is established in the RGPD, with this mechanism there is no option to that the client gives his consent to the treatments in question, but that the Consent is intended to be obtained through the inaction of the interested party (do not mark the boxes indicating “I DO NOT want to…” ). It is not an affirmative action, but an pure inaction that does not ensure that the interested party unequivocally grants consent (usually when you mark something it is because you want it, not because you don't want it; it may not having understood the double negation; may not have paid due attention when reading quickly the indications in question). It is, in short, a consent that is intended to be deduced from inaction and, therefore, contrary to the RGPD. The requirement according to which “consent must be given through a clear affirmative act that reflects a manifestation of free will, specific, informed, and unequivocal of the interested party to accept the data processing of personal character that concerns him ” , understanding that “ inaction should not constitute consent ” (Recital 32). With the designed mechanism, BBVA understands all treatments consented detailed with the signature of the Privacy Policy. This acceptance by action unique of all the treatments, which results from the acceptance of the privacy policy (says expressly the repeated document: "We remind you that when you enter the password that is requested in the signing process, you will be agreeing to this Declaration of Economic Activity and Personal Data Protection Policy ” ), also becomes Invalid consent given by the interested party, regarding the use of the data for purposes other than the execution of the contract or business relationship maintained by the C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 91 91/124 interested party and the responsible entity or, what is the same, with respect to all those treatments that require a differentiated and granular consent. Consent must be given for all processing activities carried out with the same or the same purposes and, when the treatment has several purposes, the consent for all of them, although through a manifestation of expressed will for each of the purposes separately or differently, allowing the interested party to choose for choosing all, a part or none of them. As expressed in Recital 43, no consent can be understood to have been freely given by not being allowed to "authorize separately the different personal data processing operations despite being appropriate in the specific case ” . Recital 32 states that "consent must cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent must be given for all of them ” . "When data processing is carried out for various purposes, the solution to meet with the conditions of valid consent lies in the granularity, that is, the separation of these purposes and obtaining consent for each purpose ” (Guidelines of the GT29). Understand that the signature of the form enabled by BBVA for data collection personal and for the provision of consent implies acceptance of all of them not It meets this requirement to authorize the various options separately. Accept as valid signing the document as the only action would be the same as accepting the provision of a global consent for all processing operations without considering whether their purposes are diverse or not, which is contrary to all the bases expressed about this issue. In addition, as noted, the formula used is not articulated as a authorization or consent, but in the opposite direction. With this formula, that only allows the interested party to “not authorize” , BBVA understands that consent has been given when it is not check the option offered. In these cases, that is, when the interested party does not mark the options "I do not want ..." , it will not be possible to conclude with absolute certainty if the interested party acted deliberately leaving those boxes unchecked. For the same reason, the person responsible never will be in a position to demonstrate that it acted with the consent of the owners of the personal information. This formula responds to what the Article 29 Working Group calls “Opt-out mechanisms” : << The RGPD does not allow those responsible for the treatment offer previously checked boxes or opt-out mechanisms that require the intervention of the interested party to avoid the agreement (for example, check boxes voluntary exclusion ”) >>. (…) Furthermore, the consent given is not considered informed. It has already been said here the importance of providing information to data subjects before obtaining their consent, essential so they can make decisions having understood what you are authorizing. Yes the person in charge does not provide clear and accessible information, the user's control will be Illusory and consent will not constitute a valid basis for the processing of the data. What is stated in Law Foundation VI, on the objections observed in the information that BBVA provides regarding the protection of personal data, affect C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 92 92/124 equally to the consent that could have been given, making it invalid as it is not an informed consent, in relation to data collection operations or data processing with respect to which defects in the information, including the processing of data that has not been provided directly by the interested party or that are not necessary for the fulfillment of the contractual relationship that bind to the entity. It is not necessary to reiterate here the circumstances already expressed in relation to the language used in the privacy policy or the lack of a clear and intelligible formulation of the purposes and processing operations. All these deficiencies prevent those interested from knowing the meaning and real meaning of the indications provided and the real scope of the consents that they could give. Therefore, all the detailed treatments whose legal basis comes from determined, as expressed by the BBVA entity itself, by the consent of the interested parties, which include the following processing of personal data, with the detail that in each case is included in the information provided by BBVA, already detailed: . The use of personal data of clients to offer them products and services of BBVA, the BBVA Group and third parties. . The communication of personal data to BBVA Group companies. . The use of personal data to improve the quality of products and services. BBVA, in its brief of allegations, has made a considerable effort to justify the mechanism designed, that is, to justify that the signature of the document of privacy policy is affirmative action. However, no argument provided by the entity is valid to save the need to give consent separately through an affirmative action (the consent that BBVA understands given to from a box that the interested party leaves unchecked). This earlier conclusion is so sharp that the foregoing to substantiate it is considered sufficient to reject said allegations. Contrary to what is indicated in the brief of allegations prepared by BBVA, there is no offers the interested party the possibility of opting and choosing their preferences, but the possibility of reject or oppose; It is not true that control over the data is guaranteed by the client; Nor is it that BBVA has opted for a clear affirmative action, referring to the signing of the "Declaration" . Regarding the formulas for obtaining consent, BBVA warns that the Recital 32 admits many different ones. This is true, but the same Recital 32 requires for all these formulas that consent is given by an affirmative act that reflects a free, specific, informed and unequivocal manifestation of the will of the interested in accepting the processing of personal data that concerns him. Already has previously explained the scope of these demands. BBVA cites examples of consents that it says are valid, although none of them can be estimated similar to the mechanism designed by this entity in the repeated form of data Collect. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 93 93/124 One of the examples you cite is the case numbered "example 17" in the Guidelines on WG consent29. BBVA understands that it can be assimilated to what it is object of this file, when admitting a scenario that contains the options for marking a "yes" and a "no" : “A data controller can also obtain explicit consent from a person who visit your website by offering an explicit consent screen that contains Yes and No boxes, provided that the text clearly indicates consent, for example, “I, give my consent to the treatment of my data ”and not, for example,“ I am clear that my data will be processed ”. Strike say that the conditions of informed consent must be met, as well as the rest of the conditions necessary to obtain valid consent ” . In the opinion of this Agency, this example is not comparable to the present case. In that For example, the marking of the box is given validity, giving or denying consent, while the mechanism of BBVA's Privacy Policy is taken for granted the consent without taking any action. It would be different if in the example shown, consent will be given if you do not check either of the two available boxes, in which case, that presumed “manifestation of will” would not be acceptable. Likewise, in its brief of allegations to the proposed resolution, it insists on the same reasoning already contained in his brief of allegations at the opening and indicates that the Agency has not argued anything in this regard. This Agency, however, believes otherwise. The standards outlined and arguments presented in this Legal Basis are considered sufficient to give answer and disprove the allegations presented by BBVA, and these allegations are the that they have not taken into consideration what is established in the norms and the arguments of the Agency. (…) It adds that it is lawful and legitimate to process a large amount of personal data and that this fact cannot be penalized. And this is so, provided that the principles and Provided guarantees and any applicable regulations. - Other processing of personal data without legal basis On the other hand, this Agency considers that there are other data processing that They are stated in the privacy policy that they are carried out without any basis of legitimacy: . Purpose 4 refers to the communication of customer data to Group companies BBVA so that they can offer you personalized products and services. However, in the privacy policy is added that the information communicated "will be treated to try improve the characteristics and prices of the offer of products and services ”. The use of data by the BBVA Group companies for this purpose is not covered by the consent given by the client in relation to this purpose. . Nor is there a legal basis that legitimizes the use of personal data "related to C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 94 94/124 all the products and services… of which BBVA is a marketer ” with the purposes that are indicated in the privacy policy. BBVA is not the entity responsible for this data obtained from third-party products marketed by it, which limits the possibility to use the information in question for their own purposes, as stated above. The allegations to the proposed resolution made by the BBVA entity do not They contain no comments on these questions. - Processing of personal data based on the legitimate interest of the person responsible or third party It is considered, on the other hand, that there is not sufficient legal basis for the treatment of personal data that BBVA bases on your legitimate interest, carried out for the purpose of get to know the customer better and improve their experience, including profiling, depending on the terms used in the form under analysis. In this regard, the legitimate interest in the treatment of customer data in order to develop the business model of the entity, assess new features or send congratulations to customers. It should also be noted that in the description of the data processing that BBVA plans to perform on the basis of legitimate interest, includes the making of offers personalized or the development and improvement of the quality of products and services; being these processing of data similar to those outlined by citing other purposes based on the consent (offer personalized products and services and improve the quality of products and services), motivating that the description of the purposes and enumeration of processing of data contained in the information offered causes confusion to interested. Thus, data processing based on interest cannot be admitted. legitimate similar to others carried out on the basis of the client's consent, which, furthermore, it is not provided in a valid way. The information included in the “Declaration economic activity and personal data protection policy ” on these treatments of data based on the legitimate interest of BBVA: What do we use your personal data for? 2. Get to know yourself better and personalize your experience At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments. income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as offers personalized with more adjusted prices for you. As we will know you better, we can congratulate you for your anniversary, wish you a good day or happy holidays. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 95 95/124 If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or at any of our offices. This section is only applicable to BBVA customers. Why do we use your personal data? 2. Get to know yourself better and personalize your experience: for the legitimate interest of BBVA. For the legitimate interest of BBVA, so that BBVA can better meet your expectations and we can increase your level of customer satisfaction by developing and improving the quality of own or third-party products and services, as well as perform statistics, surveys or studies of market that may be of interest. Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays. These legitimate interests respect your right to the protection of personal data, to honor and to personal and family privacy. At BBVA we consider that, as a customer, you have an expectation reasonable to have your data used so that we can improve products and services and you can enjoy a better customer experience. In addition, we estimate that you also have a reasonable expectation of receiving congratulations on your anniversary. wish you a good day or Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise your right to object if you consider it appropriate at the following address: rightsprotecciondatos@bbva.com or at any of our offices. With this information, it is difficult for the interested party to have a clear idea about the data processing that will be carried out. (…) The information inferred by BBVA based on legitimate interest, including profiles prepared, is also used, based on the consent of the interested party, to offer products and services from BBVA, the BBVA Group and personalized third parties; and with the same legal basis is communicated to the BBVA Group companies so that they can also offer personalized products and services and “try to improve the characteristics and prices of the offer of products and services ” . The analysis of the question raised must initially take into account the provisions of Article 1.2 of the RGPD, according to which “This Regulation protects the rights and fundamental freedoms of natural persons and, in particular, their right to protection of personal data ” . For this, all the circumstances that surround the collection and processing of data and the way in which they are fulfilled or reinforced the principles, rights and obligations required by the data protection regulations of personal character. Article 6 of the RGPD requires that the processing of personal data, to be lawful, can be protected by any of the bases of legitimacy that it establishes and that the responsible for the treatment is able to demonstrate that, indeed, it concurred in the processing operation the legal basis that it invokes (article 5.2, principle of proactive responsibility). The legal bases of the treatment that are detailed in article 6.1 RGPD are related to the broader principle of legality of article 5.1.a) of the RGPD, precept which provides that personal data will be treated " lawfully, loyally and transparently in relationship with the interested party ”. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 96 96/124 In relation to the legal basis of the legitimate interest, invoked by BBVA for the treatments described in the previous sections, the aforementioned article 6 establishes: "1. The treatment will only be lawful if at least one of the following conditions is met: f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller treatment or by a third party, provided that the interests or interests do not prevail over said interests. fundamental rights and freedoms of the interested party that require the protection of personal data, particularly when the interested party is a child ... ”. Recital 47 of the RGPD specifies the content and scope of this base legitimizing the treatment. The interpretive criteria that are extracted from this Considering are, among others, (i) that the legitimate interest of the controller prevails over the interests or rights and freedoms fundamentals of the data owner, in view of the reasonable expectations that the latter has, based on the relationship it maintains with the person responsible for the treatment; (ii) will be it is essential that a “ meticulous evaluation ” of the rights and interests at stake be carried out, also in those cases in which the interested party can reasonably foresee, in the moment and in the context of the data collection, that the treatment with such an end; (iii) the interests and fundamental rights of the owner of the personal data could prevail over the legitimate interests of the controller when the data is processed is carried out in such circumstances in which the interested party " does not reasonably expect" that a further processing of your personal data is carried out. It should be added that the interested party, in all cases, can exercise the right to opposition, which also involves a new evaluation of the interests of the controller and owner of the data, except in cases of commercial prospecting, in which the exercise of the right forces to interrupt the treatments without any evaluation (article 21.3 of the RGPD). It is interesting to highlight some aspects collected in the Opinion 6/2014 prepared by the Article 29 Working Group on the “ Concept of legitimate interest of the person responsible for the processing of data under article 7 of Directive 95/46 / CE ", dated 04/09/2014, especially the factors that can be assessed when the mandatory weighing of the rights and interests at stake. Although Opinion 6/2014 is issued to favor a uniform interpretation of Directive 95/46 then in force, repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and that the reflections offered are an example and application of principles that inspire also the RGPD, such as the principle of proportionality, or general principles of the Community law, such as the principles of equity and respect for the law and the law, many of his reflections can be extrapolated to the application of current regulations. As indicated, so that section f) of article 6.1. RGPD may constitute the legitimizing basis for the processing of personal data that is carried out, mandatory, and prior to the treatment, a weighting, an “evaluation meticulous ” , of the rights and interests at stake: the legitimate interest of the person responsible for the treatment, on the one hand, and on the other, both the interests and the rights and freedoms fundamentals of those affected. Weighting that is essential, because only when I eat As a result of it, the legitimate interest of the data controller prevails over the rights or interests of the owners of the data may operate as legal basis of the treatment of the aforementioned interest. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 97 97/124 Regarding the weighting test, the repeated Opinion indicates the following: "The legitimate interest of the controller, when it is minor and not very pressing, in general, only nullifies the interests and rights of data subjects in cases where the impact on these rights and interests are even more trivial. On the other hand, an important and compelling legitimate interest may, in some cases and subject to guarantees and measures, justify even a significant intrusion into privacy or any other significant impact on the interests or rights of the interested parties. Here it is important to highlight the special role that guarantees can play in reducing a undue impact on data subjects and therefore to change the balance of rights and interests to the extent that the legitimate interest of the data controller prevails. By Of course, the use of guarantees alone is not sufficient to justify any type of treatment in any context. Furthermore, the guarantees in question must be adequate and sufficient, and must, without question and significantly, reduce the repercussion for the interested parties ” . The aforementioned Opinion refers to the multiple factors that can operate in the weighting of the interests at stake and groups them into these categories: (a) the evaluation of the legitimate interest of the controller, the nature and source legitimate interest and if the data processing is necessary for the exercise of a right fundamental, is otherwise in the public interest or benefits from recognition of the affected community; (b) the impact or repercussions on data subjects and their reasonable expectations about what will happen to your data ( “what a person considers reasonably acceptable under circumstances ” ), as well as the nature of the data and the way in which they are processed; underlining that the claim is not that the data processing carried out by the responsible does not have any negative impact on the interested parties but prevent the impact is “ disproportionate ”; (c) the provisional equilibrium and (d) additional guarantees that could limit an undue impact on the interested party, such such as data minimization, privacy protection technologies, increased transparency, the general and unconditional right to opt-out and the data portability. First of all, the Opinion underlines that the implication that the person responsible for the treatment may have in the data processing carried out is that of "interest", which is already referenced in the previous Legal Basis to indicate that it is related to purpose, but it is a broader concept ( “purpose is the specific reason why process the data: the purpose or intention of the data processing. One interest for another On the other hand, it refers to a greater involvement that the controller may have in the treatment, or the benefit that the controller obtains from the treatment ” ). It is also broader than that of fundamental rights and freedoms, hence, regarding those affected are weighed not only their fundamental rights and freedoms, but also their "Interests" . According to GT29, “an interest must be articulated with sufficient clarity to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be pursued by the controller. This requires a real and current interest, which is corresponds to present activities or benefits that are expected in a very future next. In other words, interests that are too vague or speculative are not C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 98 98/124 they will be enough ” . In addition, the "interest" of the data controller, as established in article 6.1.f) of the RGPD and before article 7.f) of the Directive, must be "legitimate" , which means, says the Opinion, which must be "lawful" (respectful of applicable national and EU legislation). However, the WG29 adds that "The legitimacy of the interest of the data controller it is only a starting point, one of the elements that must be analyzed under article 7, letter f). Whether Article 7, letter f) can be used as a legal basis or not will depend the result of the next balancing test ”; "If the interest pursued by the controller is not compelling, it is more likely that the interest and rights of the interested party prevail over the legitimate - but less important - interest of the responsible for the treatment. Similarly, this does not mean that less interest compelling of the data controller cannot sometimes prevail over the interests and rights of the data subjects: this normally happens when the impact of the treatment about stakeholders is also less important ” . And exposes the following example: "Serve as an example: those responsible for the treatment may have a legitimate interest in knowing the preferences of your customers so that this allows them to better personalize their offers and, ultimately term, offer products and services that better respond to the needs and desires of your customers. In light of this, Article 7 (f) may constitute an appropriate legal basis in some types of market activities, online and offline, provided that adequate guarantees (including, but not limited to, a viable mechanism that allows to oppose the treatment by virtue of article 14, letter b), as will be explained in section III.3.6 The right to object and beyond). However, this does not mean that data controllers can refer to article 7, letter f), as a legal basis for improperly monitoring online and offline activities line of your customers, combine huge amounts of data about them, from different sources, which were initially collected in other contexts and for different purposes, and create -and, for For example, with the intermediation of data brokers, also trade with them - complex profiles of the personalities and preferences of customers without their knowledge, without a viable mechanism of opposition, not to mention the absence of informed consent. It is likely that said profiling activity represents a significant intrusion on customer privacy and, When this happens, the interests and rights of the interested party will prevail over the interest of the responsible for the treatment ” . Ultimately, the concurrence of said interest in the data controller does not necessarily means that article 6.1 f) RGPD can be used as a basis legal treatment. Whether or not it can be used as a legal basis it will depend on the result of the balancing test. In addition, the treatment must be that necessary to satisfy the legitimate interest pursued by the person in charge, so that less invasive means are always preferred to serve the same purpose. Need means here that the treatment is essential for the satisfaction of the aforementioned interest, so that, if said objective can be achieved reasonably otherwise less impactful or intrusive, the interest legitimate cannot be invoked. The term " need " used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a own and independent meaning in Community legislation. It is a " concept Autonomous Community Law ” (CJEU of 12/16/2008, case C-524/2006, section C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 99 99/124 52). On the other hand, the European Court of Human Rights (ECHR) has also offered guidelines for interpreting the concept of need. In section 97 of its Judgment of 03/25/1983 affirms that the " necessary adjective is not synonymous with" indispensable "nor does it have the flexibility of the expressions “admissible,“ ordinary ”,“ useful ”,“ reasonable ”or“ desirable ”. On the impact or repercussion that the data processing has on the interests or fundamental rights and freedoms of the interested parties, indicates that the more "negative" or “Uncertain” may be the impact of treatment, it is more unlikely than treatment in its set may be considered legitimate. “The Task Force makes it clear that it is crucial to understand that relevant 'impact' is a concept much broader than damage or harm to one or more interested parties in particular. The term 'Impact' as used in this Opinion covers any possible consequences (potential or actual) of data processing. For the sake of clarity, we also emphasize that the concept is not related to the notion of violation of personal data and is much broader than the repercussions that may arise from said violation. On the contrary, the notion of impact, such as used here, it encompasses the various ways in which an individual may be affected, positively or negatively, due to the processing of your personal data ”. “In general, the more negative and uncertain the impact of treatment may be, the more unlikely it is. that the treatment is considered, as a whole, legitimate. The availability of methods alternatives to achieve the objectives pursued by the data controller, with less negative impact on the data subject, should certainly be a consideration relevant in this context ”. As sources of potential repercussions for stakeholders he cites the probability that the risk may materialize and the seriousness of the consequences, noting that this concept of “severity may take into account the number of potentially affected ” . The assessment of the nature of the personal data that has been object of treatment ) , if the data has been made available to the public by the interested party or by a third party, a fact - says the Opinion - that can be an evaluation factor especially whether the publication was made with a reasonable expectation of data reuse for certain purposes: “… Does not mean that data that appears in and of itself innocuous can be processed freely ... even such data, depending on how it is processed, can have an impact significant about people ”. The way in which the person in charge treats the data; whether they have been disclosed to the public or have been made available to large numbers of people or if large amounts of data are process or combine with other data ( “for example, in the case of profiling, with commercial purposes, for purposes of compliance with the law or others ” ). On this question it is said: “Apparently innocuous data, when treated on a large scale and combined with other data, can lead to interference with more sensitive data, as demonstrated in Scenario 3 above, which gives as an example the relationship between pizza consumption patterns and insurance premiums for healthcare. In addition to potentially leading to the processing of more sensitive data, such analysis may also lead to strange, unexpected and sometimes inaccurate predictions, for example, concerning the behavior or personality of the affected persons. Depending on the nature and C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 100 100/124 impact of these predictions, this can be highly intrusive in the privacy of the person ” . All this, without forgetting the reasonable expectations of the interested parties: “… It is important to consider whether the position of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of data collection) could give rise to reasonable expectations of a stricter confidentiality and stricter limitations on further use. Usually, the more specific and restrictive the context of data collection, the more constraints it is likely to be used. In this case, again, it is necessary to take into account the factual context and not simply be based on the fine print of the text ” . The Opinion also considers pertinent when evaluating the impact of the treatment to analyze the position of the data controller and the interested party; your position may be more or less dominant with respect to the interested party depending on whether the person responsible for the treatment is a person, a small organization or a large company, even a multinational company: “A multinational company may, for example, have more resources and bargaining power than the individual data subject and may therefore be in a better position to impose on the data subject what you think is your "legitimate interest". This may all the more so if the company has a dominant position in the market ” . When it comes to weighing the interests and rights at stake, the WG29 understands that the compliance with the general obligations imposed by the regulations, including the principles proportionality and transparency, help to ensure that the requirements are met legitimate interest. Although, it clarifies that this does not mean that the fulfillment of those horizontal requirements, by itself, are always sufficient. If, finally, after the evaluation, it is not clear how to achieve equilibrium, the taking additional guarantees can help reduce undue impact and ensure that the treatment may be based on legitimate interest. As additional measures includes, for example, the facilitation of voluntary and unconditional exclusion mechanisms, or increased transparency: “The concept of responsibility is closely linked to the concept of transparency. With the purpose of allow data subjects to exercise their rights and allow for wider public scrutiny by part of the interested parties, the Working Group recommends that those responsible for the treatment explain to stakeholders clearly and easily the reasons why they believe their interests prevail over the interests or fundamental rights and freedoms of the interested parties, and also explain the guarantees they have adopted to protect their personal data, including, where appropriate, the right to opt out of treatment ”. “As explained on page 46 of Opinion 3/2013 of the Working Group on the limitation of the purpose (cited in footnote 9 above), in the case of profiling and taking automated decisions, interested parties or consumers must be given access to their profiles to guarantee transparency, as well as the logic of the decision-making process (algorithm) that gave place to the development of said profiles. In other words: organizations should disclose their criteria for decision making. This is a fundamental guarantee and is especially important in the world of big data. Whether or not an organization offers this Transparency is a very pertinent factor that should also be considered in the proof of balancing ”. By referring to the right to object and the opt-out mechanism or right C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 101 101/124 unconditional opposition, the GT29 reflects on advertising based on profiles of the client, which requires a follow-up of the activities and personal data of the interested parties, which are analyzed with sophisticated automated methods. He concludes the following: “In this sense, it is useful to recall the Opinion of the Working Group on the limitation of the purpose, where it was specifically stated that when an organization wishes to analyze or predict specifically the personal preferences, behavior and attitudes of customers individuals that will subsequently motivate the «decisions or measures» adopted in relation to such clients ... free, specific, informed and informed consent should almost always be required unequivocal of "voluntary inclusion", since otherwise the reuse of the data will not be able to considered compatible. Most importantly, such consent must be required, for For example, for tracking and profiling for prospecting, advertising behavioral, data marketing, location-based advertising, or digital research market based on monitoring ” . In this case, the existence of a prevailing legitimate interest of the responsible for legitimizing the data processing that BBVA intends to base on this basis legal. It is worth highlighting in the first place, the defects expressed in the Foundation of Previous law in relation to compliance with the principle of transparency, by the limitations and difficulties, if not an impediment, that they pose when carrying out a true assessment of the concurrence of a prevailing legitimate interest, real and not speculative. What has already been indicated about the language used is reiterated here; the indefiniteness of purposes for which the personal data will be used ( "to better understand the customer" and "to improve products and services ” or “ develop the business model ” , etc.) and the exhaustive analysis of the information related to clients that carry such purposes; or about the types of profiles what will be done and the specific uses and applications that will be given to these profiles; and, especially, the lack of information on the specific interest of the person in charge, which is not expressed with the clarity and precision required by regulations. Considering that it is not even possible to clearly know the purposes of the treatment, they can hardly be associated with legitimate interests of BBVA that may, in addition, prevail over the rights of the interested parties, who are not informed clearly about the extremes required by data protection regulations. The legitimate interest expressed, which is described in the same terms as the purposes, it is vague and speculative (the details on the description of the legitimate interest they are outlined in the previous Law Foundation, (…)). It has as consequence that the treatments carried out are not predictable for a citizen means, medium. This being the case, it is impossible for the interested party, or this supervisory authority, to be able to assess whether the processing operations carried out are necessary, or if, on the contrary, The same result could be obtained by less invasive means; it cannot be concluded either, even less, that the interest invoked is prevalent. Rather, it seems that the "interests" expressed by BBVA, whether in the Privacy or (…) respond to economic interests of the entity, which are not expressed. The C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 102 102/124 obtaining an economic benefit through the business activity that BBVA develops it is still a legitimate interest, but in no case may it prevail over the fundamental right to data protection of affected persons. With total clarity the STS of 06/20/2020 has recently ruled on this matter (R. cassation 1074/2019). In the sixth Legal Foundation he says, regarding one of the questions of appeal interest raised in the writ of admission of the appeal, “Commercial interests of a company responsible for a data file must yield to the legitimate interest of the owner of the data to the protection of the same ”. These economic interests cannot be rated as pressing. It is not said, as BBVA seems to indicate in its allegations to the proposal, that the pursued interest responds to economic interests and that, based on this, the processing of personal data based on legitimate interest. What stands out here is that if that is the legitimate interest, in itself considered and without taking into account the rest of factors that may operate in the weighting of the interests at stake, it is not estimated sufficient to accept the existence of a legitimate interest that protects the treatment of data in accordance with the provisions of article 6.1 f) of the RGPD. Now, even admitting BBVA's thesis, which qualifies as the legal interest of the responsible or third parties which we believe is nothing but the purpose of the treatment, that purported interest in no case could be qualified as necessary. (…) Without prejudice to the fact that the treatment of the claimants' data is “useful” , “Desirable” or “reasonable” , as stated by the ECHR in its Judgment of 3/25/1983, the term "Necessary" does not have the flexibility that is implicit in those expressions. As can be seen, what has been said above is in accordance with the doctrine of the Constitutional Court on the proportionality judgment that must be carried out on a restrictive measure of a fundamental right, to which BBVA refers in its allegations to the motion for a resolution. According to this doctrine, three requirements must be verified: suitability (if the measure allows to achieve the proposed objective); need (that does not exist another more moderate measure); proportionality in the strict sense (more benefits or advantages what damages). On these issues, it is not understood what BBVA indicated in those allegations when it indicates that it has adopted the necessary measures to minimize the information treated, and clear that the identifying data of the client is excluded. It has been said before that The information related to the client used is all the information related to the client, including the identifying data. (…) In addition to the above, the following circumstances are taken into account: . The manner in which the data used is collected based on legitimate interest and scale in data collection, which is excessive; as well as the use of personal data collected from third parties without the knowledge of the interested party (external solvency files assets and credits) or third-party products marketed by BBVA. . The techniques used (data processing in order to obtain algorithms) and the lack of transparency on the logic of the treatment consisting of profiling, which can lead to price discrimination and potentially financial impact which may have the character of excessive. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 103 103/124 . The high number of affected, as well as the large amount of data that is processed and combined with other data. The unlimited combination of personal data of all products and services contracted by the client, including third-party products marketed by BBVA and others obtained from external sources, and the lack of means that allow the user real control of their data is enough to consider that the interest of BBVA It cannot prevail over the rights of those affected. Said combination of data, due to its massive nature and due to the lack of definition of the data that will be used and the purposes, respects the aforementioned proportionality nor does it allow the necessary weighing judgment to assess the concurrence of a legitimate interest that justifies the processing of the data. It is significant that (…); and that the information obtained in accordance with the regulations for the prevention of money laundering and terrorist financing (...) . The dominant position of the person in charge over the interested party, due to his condition of great company and one of the market leaders in its sector. No consideration does BBVA make on the above circumstances in its writing of allegations to the proposal, despite its importance, except in relation to the deadline conservation. BBVA understands that the AEPD erroneously interprets what has been stated about the period of conservation of the data to carry out the treatment. (…). And clarifies that Data collected in compliance with the legislation on the prevention of money laundering is kept for the period established in this legislation, for the purposes provided in it, but not for controversial treatment. As can be seen, this Agency does not misinterpret the question regarding the age of the data subjected to treatment based on legitimate interest and not questions the conservation of the corresponding data in compliance with the legislation of money laundering. (…) And the use of data is questioned significantly collected in accordance with said regulations for the treatment operations that we occupy. A special importance must also be given to the absence of measures or additional guarantees. Among them, the increased transparency and enabling opt-out mechanisms. Regarding transparency, BBVA refers to the information provided in the “Declaration of Economic Activity and Data Protection Policy ” , without making available to the interested parties, the Report on the weighting of legitimate interest or the impact assessments; and mentions as a guarantee the exercise of the right of opposition, which is nothing more than a requirement normative. This right requires a new weighting, in accordance with the provisions of the Article 21 of the RGPD ( “the data controller will stop processing personal data, Unless it proves compelling legitimate reasons for the treatment that prevail over interests, rights and freedoms of the interested party ” ) and has nothing to do with the opt-out or unconditional opt-out mechanisms recommended. (…) Finally, it should be noted that BBVA repeatedly, throughout its brief of allegations, states that the processing of personal data carried out with this database legal benefit of the client. Consider achieving excellence in service through adequate knowledge of your customers, which allows you to anticipate your needs and improve BBVA's portfolio of products and services so that they meet the preferences of those; as well as enabling the use of the optimal channels for each client, C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 104 104/124 It is not only done for the benefit of the Bank but, in particular, of its clients. This entity affirms that the treatment is necessary for the fulfillment of that legitimate interest of BBVA and the client. The legitimate interest of the client is considered, in the terms of article 6.1 f) of the RGPD, as the legitimate interest of third parties. In this case, there is no such approach, according to which personal data processing operations are carried out on the basis of the legitimate interest of the client. Accepting it would be as much as admitting a legitimate interest that has arisen, or later, in respect of which the requirements set forth in the regulations have not been respected protection of personal data and about which is not informed in the Privacy Policy. In summary, for the reasons expressed, it is not proven that the alleged legitimate interest for the treatment of data that BBVA claims prevail over the interests and fundamental rights and freedoms of clients. Furthermore, the guarantees offered are not enough to overcome the imbalance that occurs with these treatment operations of personal data. Consequently, it must be concluded that the legitimate interest of BBVA does not prevail as legitimate basis for the treatment. The conclusion obtained from this examination does not contradict what was expressed in the Report of the Legal Office of the AEPD 195/2017, to which BBVA repeatedly refers, both (...) as in your brief of allegations. According to BBVA, this 195/2017 Report concludes the prevalence of the legitimate interest of financial entities for the analysis of the transactional movements and / or customer savings capacity, to make observations and offer recommendations on products and services, as well as for profiling more detailed that allows to specify with precision the products to be offered. However, the premises assessed in said report do not conform to the assumption present, in which the processing of personal data has a much more broader than those analyzed in said report, both with regard to the purposes of the treatment such as the information or personal data used. There is more to note that that report simply analyzes the performance of treatments for marketing purposes, provided that the offer refers to products similar to those contracted by the interested party and is use only the information available as a consequence of the management of the products. On the other hand, the aforementioned Legal Cabinet Report also responds to the queries raised regarding the anonymization of transactional data for develop new products, to analyze patterns of use of services to develop new ones. These uses coincide with the data processing that BBVA carries out based on to legitimate interest, but with non-anonymous information. Regarding the anonymization of data expressed, it is concluded that they must be distinguished two treatments. Namely, the one that gives rise to anonymous information (the anonymization itself), subject to data protection regulations, and the treatment that is carry out with the data already anonymized, excluded from said regulations. Exposes the report that when the anonymization is complete, it is impossible to link the information C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 105 105/124 directly or indirectly with a specific affected person, and much more if the data resulting are aggregated, the treatment may be protected in the legitimate interest. Based on everything stated in this report, BBVA alleges that the data processing that are carried out with the purposes 3 and 5 of the "Declaration of Economic and Political Activity of Data Protection ” (3. Offer personalized products and services of BBVA, the Group BBVA and others; 5. Improve the quality of products and services) could have been based in the concurrence of legitimate interest, so that when obtaining the consent of the stakeholders has adopted by reinforced measures of active responsibility. This Agency does not share the idea that consent constitutes a basis reinforced legal. As stated here, consent is subject to specific requirements in its provision, so that its provision by itself does not guarantee the legality of the treatments. The same can be said about the performance of those treatments based on the legitimate interest. It would be necessary, as has been seen here, an exhaustive analysis of all the concurrent circumstances in relation to the treatments intended to assess this the relevance of legal basis. In any case, it has been the BBVA entity itself that decided, in the design of its treatment operations, protect in the consent those that are described in the purposes 3 and 5. Consequently, in accordance with the above findings, the aforementioned facts represent a violation of article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, which gives rise to the application of the powers corrective measures that article 58 of the RGPD grants to the Spanish Data Protection Agency. VIII In the event of an infringement of the RGPD precepts, among the corrective powers available to the Spanish Data Protection Agency, such as control authority, article 58.2 of said Regulation contemplates the following: “2 Each supervisory authority shall have all the following corrective powers indicated at continuation: (…) b) punish any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation; " (...) d) order the person in charge or in charge of the treatment that the treatment operations conform to the provisions of this Regulation, where appropriate, in a certain way and within a specified term; (…) i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case; " . C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 106 106/124 According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. IX In the present case, the breach of the principle of transparency established in articles 12, 13 and 14 of the RGPD, as well as the principle of legality of the treatment regulated in article 6 of the same Regulation, with the scope expressed in the previous Fundamentals of Law, which implies the commission of respective infractions typified in article 83.5 of the RGPD, which under the heading " General conditions for the imposition of administrative fines ” provides the following: "Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, a amount equivalent to a maximum of 4% of the total annual global business volume for the year previous financial statement, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for consent in accordance with Articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22; (…) ” . In this regard, the LOPDGDD, in its article 71 establishes that “They constitute offenses the acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this law organic ” . For the purposes of the limitation period, articles 72 and 74 of the LOPDGDD indicate: “Article 72. Violations considered very serious. 1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679 ”. “Article 74. Infractions considered minor. The remaining infringements of a merely formal nature are considered minor and will prescribe a year. the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in in particular, the following: a) Failure to comply with the principle of transparency of information or the right to information of the affected by not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679 " . In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that state : "1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with the this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, to C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 107 107/124 additional or replacement title of the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding the imposition of an administrative fine and its amount in each individual case, the due account: a) the nature, seriousness and duration of the offense, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damage and damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the responsible or the manager notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance of said measures; j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement". For its part, article 76 " Sanctions and corrective measures" of the LOPDGDD provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 are will be applied taking into account the graduation criteria established in section 2 of the aforementioned Article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, they may also be taken into account: a) The continuing nature of the offense. b) The linking of the offender's activity with the processing of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a merger by absorption process subsequent to the commission of the offense, which does not it can be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to mechanisms of alternative conflict resolution, in those cases in which there are controversies between those and anyone interested ”. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 108 108/124 In this case, considering the seriousness of the violations found, the imposition of a fine, in addition to the adoption of measures. The request cannot be accepted formulated by BBVA to impose other corrective powers that would have allowed the correction of the irregular situation, such as the warning, which is planned to natural persons and when the sanction constitutes a disproportionate burden (considering 148 of the RGPD). BBVA states that it does not understand that in the past the Agency resorted to plans sectorial and in this case the sanctioning proceedings are initiated. This entity does not consider that These plans are carried out ex officio with the purpose of examining a sector in general and concluding recommendations that facilitate entities to adjust their processes in terms of protection of personal data. Likewise, in its brief of allegations to the resolution proposal, BBVA has requested that in determining the sanction that may be imposed the application of the principles of culpability and proportionality. He alleges the non-concurrence of guilt in his actions, considering that he has acted at all times with total diligence. It emphasizes that it has followed the guidelines of the AEPD included in the "Guide for compliance with the duty to inform" and that it has reported on all the points established in article 13 of the RGPD, as well as on other extremes that this rule does not impose and that neither did the interpretation of the AEPD; and He adds that he acted in the conviction, after having reported on the claims made, that the Agency had not noticed an element that contravened the established in the RGPD and LOPDGDD. Based on this, it invokes the principle of legitimate expectations, having acted in the belief that his conduct was in accordance with the law, and the Judgment of the National Court of 10/15/2012 (resource 608/2011), in which “the active participation of the Administration ”, which could lead the interested party to the conclusion that his action was in accordance with law; that his conduct is not covered by a reasonable legal interpretation of the applicable rules; and the difficulties in interpretation described by the Administration ”. BBVA refers to the different appreciation of some specific expressions contained in the Privacy Policy regarding the indications contained in this regard in the aforementioned Guide and what BBVA has described as "inactivity of the Administration" , by the time elapsed between the admission for processing of the claims made by the Claimants 1 and 2, which took place on 02/01/2019, and the adoption of the agreement to open the present sanctioning procedure, dated 12/02/2019. On this basis, he invokes the principle of legitimate confidence and understands that the actions of this Agency have influenced the commission of the infractions. This claim should be rejected for the reasons that have already been set out in this resolution when dealing with these allegations. On the one hand, it must be reiterated that BBVA has partially interpreted the “Guide for compliance with the duty to inform ” , basing its conclusions on three expressions specific points that are cited as an example in it, but without considering the general criteria and warnings it contains, which also cover important concerns that have determined the classification of the facts as constituting an infringement, referring not to C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 109 109/124 only to the language but also to the content of the Privacy Policy, in what it says and in what omitted, as well as all the processing operations carried out by BBVA. It is also indicated in the cited Guide itself that it must be completed with others that are related to the RGPD, as in this case in relation to the aspect to which we we refer. Specifically, the document of the Working Group on Article 29 “Guidelines on transparency under Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, which must be known by an entity such as BBVA, when referring to the language that should be used in the information on the protection of personal data cites the expressions in question as " examples of poor practice". On the other hand, the actions of this Agency have not influenced in any way the BBVA's conduct determining the infractions analyzed. The alleged "inactivity of the Administration ” , for the time elapsed between the admission for processing of the first claims made and the adoption of the agreement to open the procedure, does not influence at all in the commission of the infractions or aggravate them, and this Agency has not carried out any action that has allowed BBVA to conclude that this Control Authority does not noted in the claims made any element that contravened the provisions of the RGPD and LOPDGDD. BBVA cannot provide any statement or action from this Agency that led him to this alleged confusion, simply because there is no action some in that sense. On the other hand, actions were carried out against BBVA from which it was able to deduce that the matter was ongoing. We refer to the procedures carried out by this Agency during the process of admission for processing of claims received after the 02/01/2019, prior to the acceptance agreement of the respective claim, consisting of transfer these claims to the BBVA entity itself so that it could proceed to its analysis and respond to this Agency and the claimant. As mentioned in the previous Fundamentals of Law, BBVA knew the claims made and also knew that there was no pronouncement of this Agency about it. Thus, one cannot speak of “inactivity of the Administration” , since during that time the admission procedures were carried out for the rest of the claims. As has been detailed, the claims submitted by claimants 3 to 5 were entered in this Agency on the dates 02/13/2019 (a few days after that admission to the processing of 02/01/2019), 05/23/2019 and 08/27/2019; and they were admitted for processing through 08/06/2019, 09/13/2019 and 10/30/2019, respectively. Prior to admission, the claims made by the claimants 3 5 were transferred to BBVA for the indicated purpose. The transfer of these claims was notified to BBVA on 05/21/2019, 06/28/2019 and 09/19/2019. In the case of Complainant 4, BBVA requested an extension of the time allowed to respond and was granted said extension by writing notified to that entity on 08/19/2019. Ultimately, no legal consequence can be attributed to the time elapsed between the admission for processing of the claims and the opening of the procedure, even less the one claimed by BBVA. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 110 110/124 In accordance with the transcribed precepts, in order to set the amount of the sanctions of fine to be imposed in the present case on the defendant, as responsible for infractions typified in article 83.5.a) and b) of the RGPD, it is necessary to graduate the corresponding fine impose for each of the offenses charged as follows: 1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD. It is estimated that the following factors concur as aggravating factors that reveal greater unlawfulness and / or culpability in the conduct of the BBVA entity: a) The nature, seriousness and duration of the offense: the facts found affect very seriously to one of the basic principles relating to data processing, such as the transparency, calling into question all the actions carried out by BBVA, in its as a whole, since the infractions result from the data management procedures personnel designed by BBVA to adapt these processes to the RGPD, which are considered irregular from the moment of collection of personal data. Without However, the present case does not refer to an assumption of total absence of information, but that the disputed facts result from not providing the interested parties with information sufficient in relation to the various treatments performed . BBVA considers that it is not acceptable in Law to assess as a circumstance aggravate an element of the offending type, such as the principle of transparency. However, what is taken into account here is not the offending type, even if it is mentioned in the presentation of the argument. As indicated, the fact that the Appreciated deficiencies call into question all the actions carried out by BBVA since same moment of the collection of the personal data of its clients. No reference is made by BBVA to these specific circumstances. b) The intentionality or negligence appreciated in the commission of the offense: the actions have proven an intentional conduct in relation to the violation of the regulations of personal data protection. (…) We do not see, on the other hand, what "guidelines emanating from the AEPD" has adjusted the design of this mechanism. c) The continuing nature of the offense, in the sense interpreted by the National High Court, as a permanent offense. BBVA warns in its allegations that this reproach is attributable to this Agency, that he was aware of the Privacy Policy almost a year before the opening of the procedure and, through its inaction, “it made it possible for BBVA not to adopt any measure to correct or modify the Privacy Policy ” . C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 111 111/124 This claim must also be rejected. We refer to what has already been stated in this same Legal Basis on the alleged "inactivity of the Administration". d) The high link of the activity of the offender with the performance of data processing personal: all operations that constitute the business activity carried out by BBVA involve personal data processing operations. e) The condition of a large company of the responsible entity and its volume of business: it is a leading company in the financial sector with a strong international presence. According to information that appears on the website “bbva.com” , the Income Statement for the 2019 financial year, to dated 09/30/2019, reflects a “Net Margin” of 9,304 million euros. In section “Geographical diversification” the breakdown by country is indicated, with Spain corresponding to 23.4%. f) High volume of data and processing that constitutes the object of the file: the Infractions affect all data processing carried out by BBVA that does not result in necessary for the execution of the contract, for which all the information is used relative to customers. g) High number of interested parties: the perceived defects affect all clients natural persons of the entity (eight million thirty-one thousand, as stated by BBVA in its brief of allegations). h) The imputed entity does not have adequate procedures in place for action in the collection and processing of personal data, so that the infringement is not consequence of an anomaly in the functioning of these procedures, but a defect in the personal data management system designed by the person in charge. In relation to this aggravating circumstance, BBVA again claims that it cannot considered as such the offending type, understanding that the breach of the obligations information and the requirements for obtaining consent already imply that the responsible does not have proper procedures. This claim must be rejected. The circumstance expressed is taken to mean literal established in the standard. Furthermore, in this case, it is not taken into consideration for justify this aggravating information obligation. It is taken into account that the offense consisting of carrying out data processing operations without legal basis is structural and is not the result of a specific breach. And this results not only from non-compliance of the requirements for obtaining consent and not only affects operations carried out with this legal basis. For this reason, there is talk of the absence of adequate procedures in the collection and processing of personal data. Considering the exposed factors, the assessment of the fine for this offense is 2,000,000 euros. 2. Infringement for breach of the provisions of article 6 of the RGPD, typified in the article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD: C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 112 112/124 It is estimated that they concur as aggravating factors, in addition to all the factors exposed in relation to the previous infraction indicated with letters c), d), e), f), g) and h), the following factors that reveal greater unlawfulness and / or culpability in the conduct of the BBVA entity: a) The nature, severity and duration of the offense: the offenses result from the personal data management procedures designed by BBVA for the adaptation of those processes to the RGPD, which are considered irregular from the moment of the collection of personal data and the provision of consents requested from the customers at the same time. The severity of the infractions increases according to the scope or purpose of the processing operations in question, which include the profiling using excessive information. b) The intentionality or negligence appreciated in the commission of the offense: the actions have proven an intentional conduct in relation to the violation of the regulations of personal data protection. It has already been said in this document that BBVA was aware that the mechanism enabled to obtain consent to the treatment of personal data would result in the majority accepting all purposes for default. The absence of specific guarantees in relation to data processing based on legitimate interest is one more circumstance to consider in this case, considering the scope of such treatments. (…) b) The benefits obtained as a result of the commission of the offense: the information relating to customers is used to improve the entity's business and to disseminate their products. c) The nature of the damages caused to the interested persons or third parties: the high degree of intrusion into the privacy of BBVA customers is taken into account and that The information is communicated to third parties (BBVA Group companies) for non-legitimate purposes. Considering the exposed factors, the assessment of the fine for this offense is 3,000,000 euros. The allegations to the proposed resolution made by the BBVA entity do not contain no observations on the circumstances indicated by letters d), e), f) and g) of point 1 (non-compliance with articles 13 and 14 of the RGPD), and those indicated with the letters a) and b) of point 2 above (breach of article 6 of the RGPD). Instead, it requests that the measures taken be taken into account as mitigating to regularize the situation of the claimants and the preparation of a new version of the BBVA Privacy Policy, in July 2020. Regarding the actions carried out in relation to the claims made, they basically limit themselves to marking claimants as excluded from commercial actions. In some cases as a consequence of the exercise of the right of opposition by the interested party and, in others, in view of the claim made. In two of the cases, the action carried out consisted in the formalization of the “Declaration of economic and political activity of C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 113 113/124 protection of personal data ” in the same terms analyzed in this resolution. These actions are not relevant enough to be considered in this procedure for the purposes intended by BBVA. It can be said that, in some cases, Those in which the subscription is formalized by the client of the "Declaration" does not exist no regularization; and in the others, the action complies with the regulations in that regard to the exercise of rights by the interested parties. It is not a true regularization of the irregular situation that is determined in the present sanctioning procedure. Therefore, rejects the request to consider such actions as a mitigating circumstance. On the other hand, BBVA considers that circumstances should be taken into account mitigating diligence, proactivity and speed shown, once the opening of the procedure, with the improvement of the information provided to the interested parties and the establishment of a new mechanism for obtaining the consent of the interested party, including in the first informative layer differentiated and granular boxes that the The interested party must check if they wish to authorize BBVA to process their data with each of the stated purposes It indicates that it has carried out a series of internal actions and has intensified its activity with the purpose of reinforcing the information provided to customers, having prepared, in July 2020, a new version of the Privacy Policy. However, it does not provide any details or justification about the actions it says have developed. Regarding the new version of the Privacy Policy, with which it intends correct or leave without "content all of the reproaches made by the AEPD" , and modifies the mechanism enabled to obtain consent, nor does it even provide the text of it, but only some fragments. Nor does BBVA provide any report or evaluation, nor does it explain how it has adapted the rest of the documents that determine the configuration of this new Privacy Policy and their subsequent analysis (e.g., recording of treatment activities, evaluation reports impact or weighting of legitimate interest). This documentation is especially necessary considering that the fragments of this new Privacy Policy included in the allegations make reference to treatment operations and other specific aspects that do not appear in the documentation that makes up the file. Furthermore, BBVA has not justified having transferred this new information on data protection, not even having planned this transfer. And the same can be said in relation to the consents given and the data processing carried out. BBVA, in its allegations, makes no mention of the regularization in its records of the annotations corresponding to the consents collected to date, or the suspension of personal data processing classified as illegal in these actions or the deletion of personal data collected from third parties or inferred by the entity itself. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 114 114/124 BBVA has enjoyed numerous opportunities to provide this documentation during the processing of the procedure. In each and every communication that you have been sent has been warned about the principle of permanent access regulated in the Article 53 "Rights of the interested party in the administrative procedure" of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, which recognizes those interested in the procedure the right to know, at any time, the status of the processing and to formulate allegations, use the admitted means of defense by the Legal System, and to provide documents at any stage of the procedure prior to the hearing process. So that Consequently, it is not possible to consider the irregular situation regularized. X In accordance with the provisions of article 58.2.d) of the RGPD, each control may “order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, of a in a certain way and within a specified period… ” . In this case, considering the circumstances expressed in relation to the Appreciated breaches, from the point of view of data protection regulations personnel, it is appropriate to require the BBVA entity so that, within the period indicated in the operative, adapt to the personal data protection regulations the operations of processing of personal data carried out, the information offered to its customers and the procedure by which they give their consent for the collection and processing of your personal data. All this with the scope and in the sense expressed in the Bases of Law of this act. In those cases in which the client has not been duly informed about the circumstances regulated in articles 13 and 14 of the RGPD or had not provided valid consent, BBVA will not be able to carry out the collection and processing of data personal. The same applies in relation to data processing based on the legitimate interest of BBVA or third parties. In accordance with the above, in relation to the personal data of clients who have given their consent using the form called "Declaration of economic activity and personal data protection policy" , proceeds that BBVA, within the period indicated in the operative part, cease data processing following personal data: personal data processing consisting of offering customers products and services of the BBVA entity itself, of the BBVA Group and others customized for the client; cessation of the processing of personal data of its clients consisting of communicate such data to the BBVA Group companies so that they can offer them products and own personalized services for the client; and cessation of data processing your customers' staff to improve the quality of new products and services and existing. Likewise, it is appropriate to require BBVA so that, within the period indicated in the operative, notify the BBVA Group entities to which you have communicated data C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 115 115/124 personal data of the clients who have given their consent using the form called "Declaration of economic activity and data protection policy personal data ” that must delete such data and cease using them to offer their owners products and services of the Group's entities customized for the client and to improve the characteristics and prices of the offer of products and services. In the same way, it is necessary to require BBVA so that, within the period indicated in the operative part, cessation of the processing of personal data that said entity based on the legitimate interest of BBVA or third parties. It is noted that not meeting the requirements of the AEPD may be considered as a serious administrative offense by "not cooperating with the Control Authority" before the requirements made, and such conduct may be sanctioned with a pecuniary fine. The allegations to the proposed resolution made by the BBVA entity do not They contain no comments on these questions. Therefore, in accordance with the applicable legislation and the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, with NIF A48265169 , for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD, a fine of 2,000,000 euros (two million euros). SECOND: IMPOSE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, for a infringement of article 6 of the RGPD, classified in article 83.5.a) and classified as very serious For the purposes of prescription in article 72.1.b) of the LOPDGDD, a fine in the amount of 3,000,000 euros (three million euros). THIRD: REQUIRE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA so that, within six months, adapt to the personal data protection regulations the processing operations carried out, the information offered to its customers and the procedure by which they must give their consent for the collection and processing of your personal data, with the scope expressed in the Basis of Right X. Within the indicated period, BBVA must justify before this Spanish Agency for Data Protection attention to this requirement. FOURTH: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, SA FIFTH: Warn the sanctioned person that he must enforce the sanction imposed once this resolution is executive, in accordance with the provisions of art. 98.1.b) of the Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the established voluntary payment period in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 116 116/124 income, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000 , opened in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA. Otherwise, it will be collected in the executive period. Once the notification has been received and once it is executed, if the date of execution is between the days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to on the 20th of the following or immediately subsequent business month, and if it is between the 16th and last of each month, both inclusive, the payment term will be until the 5th of the second month next or immediately after business. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution It will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties They may optionally file an appeal for reconsideration before the Director of the Agency Spanish Data Protection Agency within a month from the day after the notification of this resolution or directly administrative contentious appeal before the Chamber of the Contentious-administrative of the National Court, in accordance with the provisions of the Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 of July, regulating the Contentious-administrative Jurisdiction, within two months to count from the day after notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may provisionally suspend the final resolution through administrative channels if the interested party states his intention to file a contentious-administrative appeal. If this is the case, the The interested party must formally communicate this fact by writing to the Agency Spanish Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the following notification of this resolution, it would terminate the suspension precautionary. 938-300320 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 117 117/124 APPENDIX 1 "DECLARATION OF ECONOMIC ACTIVITY AND DATA PROTECTION POLICY PERSONAL " << 2. Personal Data Protection Policy Below we explain BBVA's Personal Data Protection Policy according to which we will process your personal data. Who is responsible for the processing of your personal data? Banco Bilbao Vizcaya Argentaria, SA ("BBVA"), with registered office at Plaza de San Nicolás 4, 48005 Bilbao, Spain. E-mail address: servicioatencioncliente@grupobbva.com For what purposes will we use them? • If you are a BBVA customer: 1. To manage the products and services you have, request or contract with BBVA. 2. To get to know you better and personalize your experience. 3. To offer you products and services from BBVA, the BBVA Group and others, customized for you. No we are going to flood you with information. 4. To communicate your data to BBVA Group companies so that they can offer you products and own personalized services for you. 5. To improve the quality of products and services. . If you are a representative, guarantor, authorized or beneficiary, we will treat your personal data in BBVA for the management of the contract in which you intervene for your legal relationship with a BBVA client. Who will your data be communicated to? Never to third parties, unless the law requires us. Only if you want, to the following BBVA Group companies https://www.bbva.es/estaticos/mult/Sociedades-grupo.pdf as we explain in the document "Extended information" that you will find later. What are your rights? Your data is yours and you control it. Therefore, you can access at any time, rectify and delete the data, as well as request other rights, as explained in the section "Information enlarged ”. For what reason do we use your personal data (legal basis)? We use your data to: . If you are a BBVA customer: . Manage the products and services that you request or contract from us. . Comply with the law. . Get to know yourself better and make your experience more personalized. The legitimate interest of BBVA is explained in the "Extended information" section. If you do not agree, you can object by sending an email to rightsprotecciondatos@bbva.com or at any of our offices. . The purposes for which you give us your consent and which we describe in the section C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 118 118/124 "Extended information". . If you are a representative, guarantor, authorized or beneficiary: • Manage the contracting of the products and services in which you participate. • Comply with the law. Do you want to expand this information? You can find more information by accessing and downloading the document [Extended information]. We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below. . Products and prices more adjusted to you [x] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me. [x] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me. Quality improvement [x] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing. We want to remind you that you can always easily change or delete the use that we make of your data. We remind you that when you enter the key that is requested in the signing process, you will be giving your In accordance with this Declaration of Economic Activity and Personal Data Protection Policy. SIGNING OF THE DOCUMENT "DECLARATION OF ECONOMIC ACTIVITY AND POLICY OF PROTECTION OF PERSONAL DATA ", including its Extended Information (model LOPD NORMAL PERSONAL DATA / DAE, version 13 09-23-2018) … (Date) >> In the section "Extended information" cited above is offered to the interested the following detail: << Extended information Do you want to know more about our new personal data protection policy? Below we show you all the details about how we treat your personal data at BBVA. Who is responsible for the processing of your personal data? Banco Bilbao Vizcaya Argentaria, SA (BBVA), with registered office at Plaza de San Nicolás 4, 48005, Bilbao, Spain. E-mail address: servicioatencioncliente@grupobbva.com How can you get in touch with the BBVA Data Protection Officer? You can contact the BBVA Data Protection Officer at the following email address email: dpogrupobbva@bbva.com What personal data of yours does BBVA process? On the occasion of your relationship with us, BBVA may process the following categories of data C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 119 119/124 personal: . If you are a BBVA customer . Identification and contact data (including postal and / or electronic addresses). . Signature data (including the digitized and electronic signature that we will comment on later). . Codes or identification keys for access and operation in the remote channels that you use in your relationship with BBVA. . Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer). . Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer). . Sociodemographic data (such as age, family situation, residences, studies and occupation). . If you are a representative, guarantor, authorized or beneficiary: . Identification and contact data (including postal and / or electronic addresses). . Signature data (including the digitized and electronic signature that we will comment on later). . Codes or identification keys for access and operation in the remote channels that you use in your relationship with BBVA. . Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer). . Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer). . Sociodemographic data (such as age, family situation, residences, studies and occupation). From BBVA we ask you to keep your data duly updated to guarantee that in At all times the data we process is true. If you modify them, let us know so that we are aware of your current situation. What do we use your personal data for? 1. Manage the products and services that you have, request or contract with BBVA . If you are a BBVA customer At BBVA we process your personal data to: . Properly manage the products and services that you request and hire us. . Follow the relationship we maintain with you and your financial evolution (which includes the analysis of your status as a customer and the products and services you have with BBVA or of which BBVA is marketer). . Send you non-commercial notifications to manage your relationship with BBVA. . Show you your financial data in a simple and intuitive way. . Control, analyze and manage risk situations, defaults, incidents or claims. . If you are a representative, guarantor, authorized or beneficiary, we will process your personal data at BBVA for the management of the contract in which you intervene for your legal relationship with a BBVA client. At BBVA we treat your personal data to always serve you with the same level of quality, with regardless of the channel you want to use to communicate with us (eg office, web, mobile applications, ATM, telephone) and thus be able to offer you a better deal and service appropriate to your customer status. Information to CIRBE At BBVA we are obliged to notify the Bank of Spain's Risk Information Center (CIRBE) the risks of your banking operations as a client or guarantor, together with your data C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 120 120/124 personal and your status as an individual entrepreneur, if applicable. We can consult the data that may appear about you in the CIRBE to assess your solvency, if you request or maintain products or financing services with us. Check solvency and credit files When you give us your consent, you authorize us to consult the data that appears in your name in solvency and credit files, to analyze the economic viability of your requests and operations. We inform you that we can communicate the data of your debts to companies with financial solvency and credit of monetary obligations, when: . It is a true, past due and enforceable debt that has been unpaid. . 5 years have not elapsed since the date on which the debt should have been paid, from maturity of the obligation or of the specific term, if it is of periodic maturity. . We have previously requested the payment. Fraud prevention When you apply for financing, we will need you to prove your working life and your personal income tax return, to prevent fraud. If you want to speed up the application process, we will need: . Verify your work life: you can provide us with the online access code that you receive from the Treasury General Social Security (single-use key), in this way you will authorize us to we can consult it on your behalf (just check it). . Verify that your personal income tax return is authentic: we will use the secure verification code that appears in your copies of the declaration, when you authorize us to do so. Prevention of money laundering and financing of terrorism To prevent money laundering, the financing of terrorism, we have the obligation to: . Declare monthly to the Financial Ownership File the opening, cancellation or modification of any checking, savings, securities or time deposit accounts. For the Therefore, your identification data will be part of that file, whose responsibility is the Secretariat of State of Economy and Business Support. . Collect information about you, identify you, as well as provide information on payment operations to the authorities of other countries, inside and outside the European Union, on the basis of the legislation of some countries and agreements signed between them. 2. Get to know yourself better and personalize your experience At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments. income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as offers personalized with more adjusted prices for you. As we will know you better, we can congratulate you for your anniversary, wish you a good day or happy holidays. If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or at any of our offices. This section is only applicable to BBVA customers. 3. Offer you products and services from BBVA, the BBVA Group and others, customized for you Offer you BBVA products and / or services We would like to keep you up to date on new BBVA products and services, as well as give you advice C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 121 121/124 recommendations to better manage your financial situation. We can also send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client. Offer of products and / or services of the BBVA Group and third parties We can send you information, according to your customer profile, about products, services and offers financial and non-financial activities of BBVA Group companies and third parties (including products and services of which BBVA is a marketer) belonging to these sectors of activity: financial, parabanking, insurance, automotive travel, telecommunications, supplies, security, IT, education, real estate. consumer products, leisure and free time, professional services and services social. Channels for sending commercial information We will contact you through different channels: postal mail, email push notifications, SMS, social networks, banners, web pages or other means of communication equivalent electronics. This section only applies to BBVA customers. 4. Communicate your data to BBVA Group companies so that they can offer you products and services customized for you. If you want the BBVA Group companies included at this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf they can offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile (amount of income and expenses, balances and use of our channels). This information will be processed to try to improve the characteristics and prices of the product offering and services. The BBVA Group companies will only process your data for that purpose. 5. Improve the quality of products and services We need to use your information anonymously without any characteristics that can identify, because at BBVA we want to: Increase your degree of customer satisfaction. Meet your expectations. Perfect our internal processes. Improve the quality of existing products and services. Develop new products and services of your own or of third parties. Carry out statistics, surveys, actuarial calculations, averages and / or market studies that may be of interest of BBVA or third parties. Improve instruments to combat fraud. This information is obtained from the use of BBVA products, services and channels. Throughout At the moment, we process the data using secure and up-to-date internal protocols. This section only applies to BBVA customers. Why do we use your personal data? Below we explain the legal basis that allows us to process your data for each of the purposes that we have indicated before: 1. Manage the products and services that you have, request or contract with BBVA: in compliance with a contract. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 122 122/124 BBVA must also comply with the legal obligations imposed by and between laws. by Law 10/2010, for the Prevention of Money Laundering and Terrorism Financing; Law 44/2002. Reform of the Financial System; Law 10/2014 on the Management, Supervision and Solvency of Credit Institutions, as well as the regulations on the protection of personal data valid. 2. Get to know yourself better and personalize your experience: for the legitimate interest of BBVA. For the legitimate interest of BBVA, so that BBVA can better meet your expectations and we can increase your level of customer satisfaction by developing and improving the quality of own or third-party products and services, as well as perform statistics, surveys or studies of market that may be of interest. Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays. These legitimate interests respect your right to the protection of personal data, to honor and to personal and family privacy. At BBVA we consider that, as a customer, you have an expectation reasonable to have your data used so that we can improve products and services and you can enjoy a better customer experience. In addition, we estimate that you also have a reasonable expectation of receiving congratulations on your anniversary. wish you a good day or Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise your right to object if you consider it appropriate at the following address: rightsprotecciondatos@bbva.com or at any of our offices. 3. To offer you products and services from BBVA, the BBVA Group and others, customized for you: when you give us your consent. 4. To communicate your data to BBVA Group companies so that they can offer you products and personalized services for you: when you give us your consent. 5. Improve the quality of new and existing products and services: when you give us your consent. Sections 2, 3, 4 and 5 above only apply to BBVA customers. How long will we keep your data? We will keep your personal data for the duration of the contractual relationship. Requests for Transactions that are not signed will be kept by BBVA for a maximum period of 6 months, except that in the request we agree on a longer term, to avoid duplication of procedures before your new requests. Once your contracts have ended, at BBVA we will keep your personal data blocked for the statutory limitation periods, generally 10 years due to regulations on the prevention of money laundering and financing of terrorism, and up to 21 years by application of the Civil Code and mortgage legislation. After the statutory limitation periods have elapsed, we will destroy your data. Who will we communicate your data to? We will not transfer your personal data to third parties, unless we are required by law or you you have previously agreed with BBVA As we have indicated, if you consent previously, we may communicate to the companies of the BBVA Group included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf tus identification, contact and transactional data so that you can receive offers personalized. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 123 123/124 In order to provide you with an adequate service and manage the relationship that we maintain with you as client, at the following address http: //bbva.lnfo/empresasdatos you will find a relationship by categories of companies that process your data on behalf of BBVA, as part of the provision of services that we have contracted. We also inform you that, for the same purpose as that indicated in the previous paragraph, certain companies that provide services to BBVA may access your personal data (international data transfers). These transfers are made to countries with a level of protection comparable to that of the Union European (adaptation decisions of the European Commission, standard contractual clauses as well as certification mechanisms) For more information you can contact the Delegate for the Protection of BBVA data at the following email address: dpogruppbbva@bbva.com What are your rights when you provide us with your data? RIGHT CONTENT Access You can check your personal data included in BBVA files Rectification You can modify your personal data when they are inaccurate Deletion You can request the deletion of your personal data Opposition You can request that your personal data not be processed Limitation You can request the limitation to the processing of your data in the following cases: . While the challenge to the accuracy of your data is being verified. . When the treatment is illegal, but you oppose the deletion of your data. . When BBVA does not need to process your data but you need it for the exercise or defense of claims. . When you have opposed the processing of your data for the fulfillment of a mission in the public interest or for the satisfaction of a legitimate interest, while verifying whether the legitimate reasons for the treatment prevail over yours. Portability You can receive, in electronic format, the personal data that you have provided us and those that have been obtained from your contractual relationship with BBVA, as well as transmit them to another entity. CHANNELS OF ATTENTION: Derechosprotecciondatos@bbva.com; Group Customer Service BBVA, APDO: 1598-28080 Madrid; BBVA offices If you consider that we have not processed your personal data in accordance with the regulations, you can contact the Data Protection Delegate at the address dpogrupobbva@bbva.com However, you can file a claim with the Spanish Agency for Data Protection (www.agpd.es). To exercise your rights, accompany your request with a copy of your ID or equivalent document accrediting your identity. The exercise of these rights is free. Likewise, if you are a BBVA customer, at any time, you can withdraw the consent given without that this affects the legality of the treatment by sending your request to the email address rightsprotecciondatos@bbva.com, to the BBVA Group Customer Service, APDO: 1598 - 28080 Madrid, or by going to one of our offices. Remember to accompany your request a Copy of your ID or equivalent document proving your identity. Digitized and Electronic Signature… >>. << Glossary (…) Legitimate interest Legitimate interest is one of the legal bases that authorize BBVA to process your data. That means that BBVA can process your data because it has an interest in doing so, provided that this interest is not C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 124 124/124 harm your rights >>. C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es