AEPD (Spain) - PS/00070/2019
Latest revision as of 13:56, 13 December 2023
AEPD - PS/00070/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(11) GDPR Article 5 GDPR Article 5(1)(a) GDPR Article 5(1)(b) GDPR Article 5(2) GDPR Article 7 GDPR Article 12 GDPR Article 13 GDPR Article 13(1)(c) GDPR Article 13(1)(d) GDPR Article 14 GDPR Article 14(1)(d) GDPR Article 21(2) GDPR Article 21(3) GDPR Article 11(1) LOPDGDD Article 6 LOPDGDD Article 11(2) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 11.12.2020 |
Fine: | 5000000 EUR |
Parties: | Banco Bilbao Vizcaya Argentaria, SA |
National Case Number/Name: | PS/00070/2019 |
European Case Law Identifier: | n/a |
Appeal: | Annulled AN (Spain) 104/2021 |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed two fines of €2 and €3 million on Banco Bilbao Vizcaya Argentaria, SA in relation to its privacy policy. The first fine was imposed for breaching the principle of transparency as found in Articles 12, 13 and 14 GDPR. The second fine was imposed as BBVA breached Article 6 GDPR (legality of processing).
English Summary
Facts
The decision relates to various joint complaints against Banco Bilbao Vizcaya Argentaria, SA (BBVA).
The first complainant complained that BBVA sent promotional SMS to his mobile phone without acquiring consent. In relation to this claim, BBVA argued that the claimant had consented to the sending of advertising by subscribing to the document entitled "Customer identification, processing of personal data and digitized signature".
The second complainant complained that BBVA did not comply with the legal requirements of free and informed consent. The complainant explained that they had sent an email to BBVA’s data protection officer pointing out that BBVA’s application did not provide the possibility to refuse data processing, in breach of Article 12 GDPR. BBVA’s response to this email was that this method of gathering consent was valid according to BBVA as well as according to other forums where such a question has been raised. The complainant provided a copy of the privacy policy document produced by the application. In this copy, Section 1 contained identification data, and all the options provided for gathering consent, worded “I do not want…”, were ticked.
The third complainant complained that BBVA asked them to sign the privacy policy document to unblock their account. This document, which enables the data subject to provide consent to processing of personal data, includes a ticked option which stated “I don’t want BBVA to process my data to offer me other products and services by email”. This was signed by the data subject.
The fourth complainant complained that they received advertising communications that they had not authorised or requested. BBVA argued that the complainant did not object to this data processing in the privacy policy document they signed. The Spanish DPA highlighted that there was no possibility to refuse in this specific document.
The fifth complainant complained that they received calls and SMS with advertisements. BBVA outlined that the complainant signed the privacy policy document and consented to such processing of personal data for commercial purposes. It also said that the complainant signed the document a second time expressing their refusal to the processing for commercial purposes. In the first document there was no option to indicate consent and, in the second document, the complainant signed the “I don’t want…”.
The privacy policy document in question contained personal data including name, tax ID, date of birth, nationality, address, matrimonial status, fixed and varying income and annual revenue. The purposes and legal bases for processing are also outlined: BBVA relied on legitimate interest for the purpose of “Get to know [the client] better and personalize [the client’s] experience”. It relied on the client’s consent for the following purposes:
- i) offer products and services from BBVA, the BBVA Group and others, customized for the client;
- ii) communicating the client’s personal data to BBVA Group companies so that they can offer them personalised products and services; and
- iii) improve the quality of products and services.
According to BBVA’s policy, signature by the client indicates acceptance of the privacy policy. However, for a data subject to be a client, they must sign it. After the signature point is a section on “additional information” with a glossary of the terminology. With regard to obtaining consent, the section just above the signature point provides different options for the data subject. This includes:
"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.
Products and prices more adjusted to you
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me.
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer own products and services customized for me.
Quality improvement
[] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing.
We want to remind you that you can always easily change or delete the use that we make your data"
Upon request by the Spanish DPA, BBVA provided the data protection impact assessment (DPIA) for profiling for the purpose of advertisements and the DPIA for risk profiling. The DPA also requested a report where BBVA balanced legitimate interest for the processing relying on that legal basis, as well as a register of all data processing activities.
Dispute
Did the defendant’s privacy policy lack clarity and specificity in breach of Articles 12, 13 and 14 GDPR?
Did the defendant rely on valid legal bases for processing personal data within the scope of Article 6 GDPR?
Holding
The Spanish DPA (AEPD) jointly decided 5 complaints filed against BBVA in relation to its privacy policy and commercial communications (SMS and emails).
The DPA clarified that as the 5 data subjects complained about the effect of BBVA’s privacy policy, the issue is not the data controller’s allegedly illegal processing of personal data as a result of the privacy policy but rather an issue relating to the privacy policy itself. It is the privacy policy which infringes the GDPR. The DPA therefore decided to inspect the ways in which BBVA gathers consent and its validity by inspecting the privacy policy document. As the privacy policy is used for all clients, the alleged GDPR breaches do not only affect the 5 complainants.
The DPA imposed two distinct fines. The first one was a fine of €2 million for the absence of clear information in the privacy policy in breach of the principle of transparency as per Articles 12, 13 and 14. The second fine of €3 million was imposed as BBVA breached Article 6 (legality of processing). The DPA also required BBVA to amend its privacy policy to ensure that it relies on a valid legal basis for processing and that sufficient information is provided to clients.
On the information within the privacy policy
The DPA first addressed the issue of the provision of information in the privacy policy.
Imprecise terminology and vague formulations
The Spanish DPA referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61, and 72), as well as Articles 11(1) and (2) of the Spanish Data Protection Law (LOPDGDD) to highlight the importance of the principle of transparency in data protection law. The DPA then held that BBVA, as a data controller that processes personal data, must in particular respect the obligations outlined in Articles 13 and 14 in conjunction with Article 5(1)(a).
According to the DPA, BBVA’s privacy policy used terminology that was too imprecise and formulations that were too vague when providing information to the data subject. For example, the expressions “get to know [the client] better and personalize [the client’s] experience” or “offer products and services from BBVA, the BBVA Group and others, customized for the client” were considered too vague by the DPA (the DPA provides a whole list of vague formulations at pages 61-62). The policy lacked precision as expressions were repeated throughout without clarification, making it unclear and ambiguous. It was not easy for the clients to deduce any meaning from these expressions either. The DPA therefore held that the privacy policy could not be easily understood by the data subject.
The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA’s privacy policy fell within the examples of poor transparency practices. It used the guidelines as support for its decision that the privacy policy was too vague and unclear.
Information on categories of data processed and specific categories for each purpose
The Spanish DPA held that information on the categories of personal data processed in the privacy policy was incomplete. The DPA referred to the Article 29 Working Party Guidelines on consent to highlight the requirements for valid consent, as defined in Article 4(11) GDPR. Accordingly, such consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes.
The DPA held that there was insufficient information in relation to the type of data that was processed on the basis of consent by the controller (BBVA). Therefore, it cannot be said that informed consent was gathered. The DPA highlighted that BBVA provides, in a generic way, that they may process, for example, “Economic and solvency data (including those related to all the products and services that you have contracted with BBVA or of which BBVA is a marketer)” or “Sociodemographic data (such as age, family situation, residences, studies and occupation)”. Accordingly, the DPA considered that it is not clear whether BBVA processes economic data unrelated to the products contracted with or marketed by the entity, or what sociodemographic data will be processed. Similarly, consent was neither free, nor specific, nor a manifestation of the data subject’s wishes.
Where the legal basis is legitimate interest, the Spanish DPA held that the absence of information entails a breach of Article 14(1)(d) GDPR. BBVA failed to report on the categories of data that will be subjected to data processing. For example, there was no mention in the policy that BBVA gathered data on the data subject through third parties.
Referring to the Guidelines on transparency and the GDPR Recitals, the DPA outlined the importance of transparency as a fundamental aspect of lawful and fair processing (Article 5(1)(a) GDPR). Lack of clear information would, in turn, likely lead to an infringement of other principles under Article 5 such as purpose limitation and data minimisation.
Information on purpose for which personal data is used and legal basis
The Spanish DPA identified several sections in the privacy policy where BBVA outlined that similar treatments for different purposes were at times based on consent and at other times on legitimate interest. For example, processing of personal data for the purpose of personalised offers relied on consent, while a similar processing activity, for improving customer experience, was based on legitimate interest.
The DPA held that whilst the legal bases may be accurate, the similar processing activities with different legal bases meant that the privacy policy lacked clarity for an average citizen. The Spanish DPA also highlighted that overly general formulations of purposes in the privacy policy would fall short of the purpose limitation principle (Article 5(1)(b)).
Information on legitimate interest of the data controller and third parties
The DPA held that information provided by BBVA was vague with regards to the legal basis for processing. BBVA did not substantiate the legality of its data processing, in breach of the principle of transparency. For example, BBVA’s definition of legitimate interest in the privacy policy did not provide sufficient information as to the justification for relying on this legal basis. The DPA held that BBVA did not elaborate on the parties’ (including third parties) interests at stake nor their “reasonable expectations” (quoting Recital 47). There was therefore a breach of Article 13.
According to the DPA, sufficient information, which was lacking in this case, would have enabled the client or data subject to object to this legal basis.
Information on profiling
The Spanish DPA clarified that BBVA used personal data to elaborate profiles for various purposes outlined in the privacy policy, including for commercial purposes. This relied on consent and legitimate interest, which as mentioned above was not sufficiently defined in the privacy policy.
The DPA added that BBVA did not provide sufficient information, in breach of the obligation to inform the data subject with regard to the elaboration of profiles (Article 13(1)(c) GDPR specifically). Additionally, the DPA held that BBVA did not clarify what types of profiles were made and what the intended uses were, nor did BBVA inform the data subject of their right to object to such profiles for direct marketing purposes (as per Article 21(2) GDPR). At certain points in the privacy policy, BBVA did not explain that profiling occurred at all (e.g. for the “Get to know [the client] better and personalize [the client’s] experience” purpose). This was also an infringement of Article 11 LOPDGDD, which clarifies the minimum content that must be provided to the data subject. Other times, the concept of profiling for the “Get to know [the client] better and personalize [the client’s] experience” purpose was mentioned briefly and vaguely.
The DPA highlighted that at no point does the privacy policy refer to whether the profiling falls within the scope of Article 22 GDPR, which would trigger information obligations within Article 13(2)(f) GDPR. However, the DPA held that lack of mention of automated decision making in the policy can be understood as establishing that no such action is carried out. The DPA mentioned Article 22 purely as a warning with regard to information on profiling in privacy policies generally.
To summarise, the DPA held Articles 13 and 14 GDPR, which regulate the application of the principle of privacy, were breached as a result of the lack of information in the privacy policy on all the above mentioned circumstances.
Legal basis for processing
The DPA then went on to assess the legality of the legal bases relied upon by BBVA.
Processing of personal data based on consent
The Spanish DPA outlined the conditions for consent as a legal basis for processing as prescribed within Articles 4(11), 6 and 7 GDPR. It also referred to the corresponding article in the Spanish data protection law (Article 6 LOPDGDD). Finally, it outlined the Article 29 Working Party Guidelines on consent. The DPA highlighted that these Articles enable the data subject to have true control over their personal data and their destination.
The DPA then inspected BBVA’s privacy policy and held that the defendant did not design a specific mechanism to collect valid consent when relying on consent as a legal basis for processing personal data for 3 specific purposes (see facts). BBVA limited the data subject’s options in the way it presented the boxes to tick. The boxes outlined possibilities to object rather than boxes to consent to processing. As such, the DPA held that BBVA relied on “inaction” of the data subject to gather consent. This was in breach of the GDPR’s requirements for gathering valid consent (quoting Recital 32).
Additionally, the DPA held that a general signature of the privacy policy could not be valid consent as it was not specific to the distinct purposes. There was no possibility for opting and choosing one’s own preferences (only the possibility to reject or object) meaning that the data subject could not control their own personal data.
Finally, the consent given was not informed as the privacy policy lacked crucial information as highlighted in the above sections.
Therefore, BBVA processed data without a legal basis for the 3 purposes relying on consent. This was a breach of Article 6 GDPR in connection with Articles 4(11) and 7 on valid consent.
Other processing without legal basis
There were other processing activities conducted by BBVA which lacked any legal basis.
Processing of personal data on the basis of legitimate interest of the data controller or third party
The Spanish DPA held that there was no sufficient legal basis for the processing of personal data that BBVA claimed was on the basis of legitimate interest. Additionally, some processing activities supposedly relying on legitimate interest were very similar to those based on consent, which, as mentioned, was invalid. Therefore, the DPA held that processing based on legitimate interest was not legal.
The DPA relied on Article 6 GDPR to highlight that processing must be lawful and that it is the responsibility of the controller to rely on a valid legal basis (in connection with Articles 5(1)(a) and 5(2) GDPR). The DPA also considered that lack of information meant that the data subject could not assess the evaluation done by the controller and therefore would not be in an informed position to object to processing on the basis of legitimate interest. This would mean that the data subject cannot fully exercise their rights under Article 21(3) GDPR.
Additionally, lack of information on the actual interests considered in the balancing exercise was considered by the Spanish DPA to indicate that the legal basis of legitimate interest was not valid: the absence of a weighing exercise means that Article 6(1)(f) cannot be relied upon as a valid legal basis for processing. The DPA then outlined that since information on the balancing exercise was lacking, it was difficult to assess whether BBVA’s interests were legitimate. It nonetheless went on to hold that the interests are of an economic nature. Whilst this can be a legitimate interest, the DPA held that it cannot prevail over the fundamental rights of the data subject.
Additional information was also considered, including: how data used based on legitimate interest were collected, the excessive scale on which they are collected, the use of data collected from third parties without the knowledge of the interested party, techniques used, lack of transparency about the logic used in profiling, large number of affected data subjects, loss of control for the data subject and the controller’s dominant position. Similarly, there were no additional guarantees or measures taken by BBVA.
Following these considerations, the DPA deemed that the processing could not be interpreted as being in the data subject’s interests. Therefore, it held that there was no evidence that the legitimate interest relied upon by BBVA was valid and prevailed over the interests and fundamental rights and freedoms of the data subject. Lack of guarantees meant that nothing could overcome any imbalances in the processing of this personal data.
Therefore, the DPA held that BBVA did not satisfy the conditions of Article 6(1)(f). There was no legal basis for processing the data allegedly relying on legitimate interest.
Comment
Comment from @Francesc Julve:
Many are looking at the amount of the fine imposed, but the sanction is also important with regard to the prohibition of processing data and the obligation to delete the unlawfully processed data that the AEPD also imposed.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS / 00070/2019
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On 10/16/2018, a claim submitted to this Agency by D. AAA (hereinafter claimant 1), against the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA (hereinafter BBVA), for sending to its mobile phone line, at dated 10/11/2018, of a promotional SMS. He adds that he has not authorized the sending of such messages and has been on the Robinson List for a long time. With your claim, you only provide a copy of the SMS object of the same, the text of which is the following: “Publi BBVA: You lend UP TO 9,000 EUROS to start your projects. Info 912975969. https://bbva.info/2xLgPps. No + publi send BAJA to 217582 ". This claim was transferred to the entity BBVA. In response to what was stated by Claimant 1, BBVA informs this Agency that it agreed to the content of the document "Customer identification, processing of personal data and signature digitized ” , signed by the claimant on 06/07/2016, by virtue of which the client He consented to the sending of advertising by BBVA " through any means" . BBVA adds that, however, in view of the claim made, it has proceeded to disable the option relating to the sending of commercial communications to the claimant 1. BBVA provides the document "Customer identification, processing of personal data and digitized signature ” signed by the complainant on 06/07/2016.
SECOND: On 12/09/2018, a claim submitted to this Agency by D. BBB (hereinafter claimant 2), against the entity BBVA, noting that the App BBVA for the entity's Android systems does not meet the legal requirements regarding free and informed consent.
In this claim it shows that the past 11/09/2018 the aforementioned App, through a pop-up screen, required the provision of consent whose scope should be known through a link to another page, in which the option to transfer data to third parties was activated by default. It adds that on the previous June 6, BBVA recognized by letter the right of opposition of the claimant to the processing of their data for commercial purposes (provide a copy of this communication), and that this circumstance should have been taken into account by BBVA before require again the provision of your consent to the processing of data through the BBVA App.
C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
On the other hand, the claimant warns that he addressed the aforementioned entity stating the same circumstances and that said claim was rejected on 11/29/2019. The claimant provides a copy of one of the emails sent to BBVA, dated 11/09/2018, in which it expressly indicates the following: “Dear BBVA DPO The document attached to the previous message comes from the BBVA APP offered on the Android platform. The aforementioned application requires the user, as a step prior to its use, to provide consent through the electronic signature of a document that only offers the possibility of opposing data processing personal for purposes other than those necessary for the purposes of providing financial services if the Client activates the boxes of opposition to a treatment that BY DEFAULT (see article 25 of the GDPR) should be considered as activated. The informative text is inconsistent with the principle of transparency of article 12 of the RGPD and above all because after activating the aforementioned boxes opposition, a pop-up screen appears with a new warning that clearly restricts the freedom of consent in the terms of article 7 of the RGPD. I hope I have more clearly described the problem related to the aforementioned APP and the document of consent generated by it.
Finally, I would like to attach your communication regarding my exercise of the right to object to processing of personal data already registered by your department, and that should have been taken in account regarding the operation of the BBVA APP ”. BBVA responds to this email by means of another dated 11/29/2018 in which literally indicates: “The way in which the consent to which you refer is obtained has been considered valid not only in the internal analyzes of our own entity, but in all those forums where it has been raised the question, since the interested party has the option of choosing in a simple and easily understandable the option you prefer. About pop-up screens that you tell us comments, BBVA understands that it must provide interested parties with the necessary information so that know what happens when you activate these boxes, so that with all the information in your hand, decide the option that most satisfies them ” . The claimant also accompanies the document generated by the App, with the label "Declaration of economic activity and personal data protection policy" (as also "Privacy Policy" ), in which section 1 contains the data identification of the client (the claimant) and his declaration of economic activity. Among others data, include those related to name, surname, tax identifier, date of birth, nationality, address, marital status, matrimonial status, contact details, fixed income and variables, entity in which it provides services, gross annual income. Section 2 of this document is dedicated to the "data protection policy personal ” . The full content of this section, the "extended information" that is offered to the interested party and part of the "glossary of terms" contained in the same document, which is declares reproduced in this act, it is attached as Annex 1. 
In the document provided by claimant 2 all the options are marked enabled for the interested party to give their consent to the processing of data personal with the purposes that are expressed in said options:
". Products and prices more adjusted to you
[x] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me.
[x] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me.
Quality improvement
[x] I DO NOT want BBVA to process my data to improve the quality of new products and services and existing.
We want to remind you that you can always easily change or delete the use that we make your data ".
THIRD: On 02/13/2019, a claim submitted to this Agency by D. CCC (hereinafter claimant 3), against the entity BBVA, noting that for the unlocking your account it was necessary to sign the data protection document personal information, that it was sent to him electronically, and that he had no possibility to mark the options on the treatment of information. Provides printing of the information available in the BBVA App, in the personal area of the claimant (February 1 to 6, 2019), which includes a section "Use of personal data" in which a box is made available to the interested party that can be marked with the indication "I have read, understand and accept the Personal Data Protection Policy to be a client of BBVA ” . Also, provide a copy of an email sent to the claimant's address from the address notifications-bbva@bbva.com, with an attached file called "LOPDDAE", in pdf format, and the text "You have a pending signature ... (name and surname of Claimant 3), you have a document pending signature. We recommend that you read with calm down the document that we enclose, before signing it ” . Below is a button labeled “Sign Now” .
Subsequently, the interested party is informed that he has other channels for signing the document in question (office, App, web and telephone banking). Said document, which is also attached to the claim, corresponds to the "Declaration of Economic Activity and Policy of Protection of Personal Data" , whose content coincides with that which is reproduced in Annex 1, except for the detail related to the box through which the customer is offered the option "I do not want BBVA to process my data to offer me products and services from BBVA, Grupo BBVA and others customized for me ” , which allows you to mark the following channels: [ ] By email [] By SMS [] By phone (phone call) [] By post The document provided appears dated 02/11/2019 and without signature. Of the options enabled in this document so that the interested party gives their consent to the treatment of your personal data for the purposes that are expressed in each case, the option “I do not want BBVA to process my data to offer me BBVA products and services, from the BBVA Group and others personalized for me by email ” . The aforementioned claim was forwarded to BBVA so that it could analyze it and send the information pertinent to this Agency. The period granted to BBVA to respond to Said transfer occurred without any response from this Agency.
FOURTH: On 05/23/2019, a claim submitted to this Agency by D. DDD (hereinafter claimant 4), against BBVA, noting that, under the pretext If you have been informed by means of a document that you have not signed, said entity sends you commercial communications that you have not requested or authorized. He adds that he informed him about the adoption of measures to prevent you from continuing to receive commercial communications, who stopped sending emails, but continued to receive SMS, in which no unsubscribe mechanisms are provided.
It provides several SMS in which pre-granted loans are offered; copy of a writing in which BBVA estimates the right of opposition exercised by the claimant, of 04/10/2019; another previous letter, dated 02/25/2019, in which BBVA informs you that your data Personal are treated according to the attached document, signed on 11/26/2018, in which He was offered the possibility of refusing the aforementioned purposes. The attached document the last written review corresponds to the "Declaration of Economic Activity and Policy of Data Protection ” , which contains the details of the complainant as a BBVA customer. In This document does not include any of the options offered to the interested party to consent to the processing of your personal data, This claim was transferred to the entity BBVA. In response to what was stated by Claimant 4, BBVA informs this Agency that commercial communications were sent to the same, that he did not object to this data processing in the document signed on 11/26/2018. Notices that communications ceased after the exercise of the right to opposition by the claimant, although the mobile phone line cited in the claim as a recipient of commercial communications, it is not associated with its data in your information system. Subsequently, BBVA stated that the SMS were sent manually by a manager commercial from the corporate mobile phone without previously checking that the client was included in the Robinson listing.
FIFTH: On 08/27/2019, a claim submitted to this Agency by D. EEE (hereinafter the claimant 5), against the entity BBVA, for the performance of telephone calls and sending of advertising SMS, to offer insurance, credit cards and financing of receipts, despite the fact that he exercised the right to object to the transfer of his data for promotional purposes and that it was attended by said entity. In its claim details the telephone lines that issue the calls and messages, the line receiver and the date and time of the last call.
With his claim, he provides a copy of an invoice corresponding to the line receiving the calls and messages, issued in the claimant's name; a letter from BBVA addressed to him, dated 03/07/2018, regarding his request to object to the use and transfer of his data to third parties for the purposes of commercial or advertising prospecting by the entity or other Group companies; a transcription of messages sent to BBVA on 05/26/2019 warning again of his wish not to receive advertising, answered the next day by the person in charge with a message of apology; a screenshot of 08/27/2019 on the inclusion of his mobile phone line in the Robinson List; and a detail of calls received (there is a call from the number that is the subject of the claim, made on 08/27/2019).

This claim was transferred to the entity BBVA. In response to what was stated by claimant 5, BBVA informs this Agency that, on 06/18/2018, the interested party digitally signed the document "Declaration of Economic Activity and Protection Policy of Personal Data", giving his consent to the processing of his data for commercial purposes, even though he was given the opportunity to object to the use of his data to offer him products and services from BBVA and from Group entities. The claimant formalized this option by signing that document later through remote banking.

It adds that the lines to which the claim refers belong to BBVA Seguros, of which the claimant is a client, which made three calls in August 2019 (days 20, 21 and 27); and that BBVA forwarded the complainant's opposition letter to BBVA Seguros, which took the appropriate measures to stop commercial communications on the same day, 08/27/2019.

BBVA provides the documents "Declaration of Economic Activity and Policy of Protection of Personal Data" signed by the claimant on 06/18/2018 and 05/27/2019.
In the first of them there is no mark in the boxes enabled for the client to express his consent to the following processing:

"Products and prices more adjusted to you
[ ] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others customized for me.
[ ] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me.
Quality improvement
[ ] I DO NOT want BBVA to process my data to improve the quality of new and existing products and services.
We want to remind you that you can always easily change or delete the use that we make of your data".

In the one signed on 05/27/2019, these three boxes are marked.

SIXTH: The claims to which the proceedings refer were admitted for processing through resolutions dated 02/01/2019 (those relating to claimants 1 and 2), 08/06/2019 (the one relating to claimant 3), 09/13/2019 (the one relating to claimant 4) and 10/30/2019 (the one relating to claimant 5).

SEVENTH: On 11/21/2019, the General Sub-Directorate of Data Inspection accessed the BBVA website ("bbva.com") and obtained available information about the entity. This website indicates: "BBVA in Spain. As one of the leading entities in the country, with more than 10 million clients and close to 30,000 employees, we provide financial services through our network of 3,200 offices".

Financial information is also obtained, of which it is worth highlighting that relating to the Income Statement, which "as of 09/30/2019" reflects a "Net Margin" of 9,304 million euros. In the "Geographical diversification" section, the breakdown by country is indicated, with 23.4% corresponding to Spain. According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" amounts to 3,267,264,424.20 euros.
EIGHTH: On 12/02/2019, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the BBVA entity, in accordance with the provisions of article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, relating to the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data (General Regulation of Data Protection, hereinafter RGPD), for the alleged violation of article 13 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation; and for the alleged violation of Article 6 of the RGPD, typified in Article 83.5.a) of the aforementioned Regulation, determining that the penalty that may correspond would amount to a total of 6,000,000.00 euros (3,000,000.00 euros for each of the infringements charged), without prejudice to the outcome of the investigation.

The indicated charges result from the analysis of the personal data collection form used by the BBVA entity after 05/25/2018, called "Declaration of economic activity and personal data protection policy", through which BBVA announces the terms applicable to the protection of personal data and requests the consent of the interested parties.

The reasons underlying the charges indicated are, succinctly, the following:

a) Infringement of article 13 of the RGPD:
- Use of imprecise terminology to define the privacy policy.
- Insufficient information on the category of personal data that will be processed, especially in relation to the data that BBVA says it obtains from the customer's use of products, services and channels; the economic and solvency data obtained from products contracted with BBVA or of which BBVA is a marketer; and the personal data that will be transferred to BBVA Group companies.
- Breach of the obligation to report on the purpose of the processing and the legal basis that legitimizes it, especially in relation to the processing of personal data that BBVA bases on legitimate interest.
- Insufficient information on the type of profiles to be made and the specific uses to which they will be put.

b) Infringement of article 6 of the RGPD:
- Non-existence of a specific mechanism for collecting the consent of clients for the processing of personal data. The interested party's options are limited to marking a box by which he records his opposition to data processing.
- Non-compliance with the requirements established for the provision of specific, unequivocal and informed consent.
- Insufficient justification of the processing of personal data based on the legitimate interest of the controller.

Likewise, for the purposes provided for in article 58.2.d) of the RGPD, said initiation agreement warned that the imputed infractions, if confirmed, may lead to the imposition on the entity BBVA of the obligation to adopt the necessary measures to adapt to the personal data protection regulations the processing operations that it performs, the information offered to its clients and the procedure by which they give their consent for the collection and processing of their personal data, with the scope expressed in the Legal Grounds of said agreement and without prejudice to the outcome of the investigation.

NINTH: Once the aforementioned initiation agreement was notified, BBVA presented a brief of allegations in which it requests that a resolution be issued declaring the procedure null and void as of right for the reasons set out in its first allegation below or, failing that, that the closure of the case be agreed. In summary, the aforementioned entity bases its request on the following considerations:

1.
The setting of the amount of the sanction in the agreement to initiate the procedure, which is justified in Legal Ground VI, leaves the interested party defenseless, which renders the agreement null and void.

It understands that determining the sanctioning reproach in said act, even evaluating concurrent aggravating circumstances without minimally giving reasons for them, on which it has not had the opportunity to comment, affects the application of the fundamental principles of criminal law, applicable with certain qualifications to the administrative sanctioning procedure, as settled case law has shown.

It considers that the initiation agreement exceeds the legally foreseen content, as it should only incorporate the limits of the possible sanction that could be imposed, and not determine a specific amount that implies a summary assessment of the concurrent circumstances. The agreement issued goes beyond what is admitted in article 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).

This anticipated and unreasoned assessment of BBVA's responsibility, indicating even the mitigating and aggravating circumstances, even if only by their mere mention, and even though it purports to leave open what finally proceeds according to the investigation, is, in the opinion of that entity, carried out without hearing the party, without any allegation by the accused that would have allowed the sanctioning body to assess the circumstances in light of said allegations, leaving the party defenseless. Defenselessness also arises from the fact that the amount results from the mere enumeration of circumstances, without stating how they affect liability.

This is a matter that affects the impartiality of the investigating body designated in the same agreement to initiate the procedure, which knows, before the procedure begins, the criterion of the body to which the file will finally be submitted and on which it hierarchically depends.
This entails a breach of the principle of separation between the investigation phase and the sanction phase (Article 63.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, hereinafter LPACAP), depriving the instructor of an objective knowledge of the facts and of the possibility of making an assessment of the circumstances arising from the investigation.

On the other hand, article 85 of the LPACAP is cited in order to specify, in the operative part of the opening agreement, the reductions entailed by the recognition of responsibility or the voluntary payment of the penalty. However, the BBVA entity considers that this precept establishes that the amount of the pecuniary sanction may be determined "once the sanctioning procedure has begun" and that it is only applicable to cases that give rise to the imposition of a fine of a fixed and objective nature. In the present case, the sanction is not fixed, nor necessarily of a pecuniary nature, given that the RGPD establishes a wide range of possible sanctions and corrective measures, including issuing a warning.

2. The non-existent link between the claims that are the subject of the procedure and the content of the administrative file, since the allegedly infringing facts that are invoked cannot be the basis on which the AEPD relies for the opening of this proceeding, nor can the alleged violations support the sanction sought.

The scope of the Privacy Policy is analyzed without linking any reasoning to the content of the claims and without stating any action carried out by the AEPD that motivates the opening of the procedure. In this regard, it notes that the Agency has limited itself, in the previous phases, to transferring the claim to the DPD of the entity, except for the one relating to claimant 2, and to agreeing to its admission for processing once clarifications were received from the aforementioned DPD.
This was understood by the National Court in its Judgment of 04/23/2019 (appeal 88/2017), which annuls the sanction of the AEPD, among other reasons, due to a discrepancy between what was denounced and the object of the sanctioning resolution:

"This Chamber considers that the proven facts of the resolution are not adjusted to the requirements that, according to the principles set out, must be respected in a sanctioning procedure. In the first place, because such proven facts appear totally disconnected from the facts denounced, and which led to the opening of preliminary investigation actions, since no mention is made in said proven facts about the behaviors denounced by the three participants in the procedure, the AEPD totally disregarding the result of the investigations carried out as a result of these complaints, as well as the numerous tests practiced. The account of 'proven facts', both in the criminal procedure and in the administrative sanctioning procedure, is essential to establish the facts and the typified behaviors, since only in this way is it possible to respect the principle of typicity, which, according to the doctrine, is 'the legal description of a specific conduct to which the administrative sanction will be connected'. This principle is just the projection of the need for certainty that should guide the exercise of the sanctioning power of the Administration that includes Article 25.1 CE and its foundation is in the respect of two other values such as freedom and legal security".

At the same time, the AEPD has shown manifest inactivity throughout the entire file, taking into account that the claims of claimants 1 and 2 were admitted for processing on 02/01/2019, the latter without prior transfer to the DPD, and that the request sent by BBVA on 02/21/2019 asking for information on the status of the claim was not even answered (its admission for processing was not reported).
Subsequently, without any additional action, three other claims were admitted before the initiation agreement was issued. In other words, the preliminary investigation phase was kept open for ten months without any action aimed at investigating the content of the claim.

It could be considered that the AEPD waited for a number of claims that it considered significant, in this case five, although they related to different issues, to reactivate a procedure that had been "suspended" since the first admissions for processing, and which deals only with the "Declaration of Economic Activity and Data Protection Policy", held by the AEPD since the presentation of the claim by claimant 2, dated 12/09/2018.

This is a case in which the authority considers it necessary to allow a period of time to elapse from the admission for processing of a claim related to a specific processing operation, in order to verify whether the conduct is due to a specific or structural failure of the controller.

During that time, BBVA acted in the confidence that, since the Agency was aware of the circumstances set out in the claims and no investigative or other actions had taken place, no irregularity was found. It is worth considering whether it was not the inaction of the AEPD during those ten months that aggravated the reproach that it attributes to BBVA, given that the Agency knew the Privacy Policy and did not warn about the admission for processing of claims or the possible illegality of this Privacy Policy. The reproach derived from its maintenance over time should be attributable to whoever kept that opinion hidden.
Regarding the specific claims made, it indicates that they show common elements that illustrate BBVA's good work in respecting personal data protection regulations, and that they represent a tiny and irrelevant percentage of the wide universe of processing operations carried out and of the number of clients. In this regard, it provides a certificate issued by the DPD relating to the year 2019, noting that, out of a total of eight million thirty-one thousand personal clients, it received nine hundred six communications, of which only six referred to comments on the Privacy Policy. It understands that this shows that customers have not considered their rights violated, except for the five claimants.

As elements common to all claims, the following stand out:

- All interested parties / claimants could choose between all the alternatives offered and manage their consent to the processing of their data when they formalized the document, and they were able to change their preferences through multiple channels, thus respecting the power of disposition of those affected.
- It has respected the rights exercised, responding in a timely manner to revocations of consent or to the exercise of rights to object. This has happened in the case of any of the claimants.
- In the cases in which the claimant shows his disagreement with the way consent is obtained, he had made use of the mechanisms made available to him, whether at the time of signing the "Declaration" or later electronically. It is contradictory, in BBVA's opinion, that the signature of the document accompanied by the checking of the boxes should be considered an affirmative action while the signature of the document without checking the boxes does not have, according to the Agency, the same scope or nature of affirmative action (implicit consent, other than tacit, presumed or inaction).
- When an error has occurred, as in the case of claimant 4, it has been recognized and repaired with the utmost diligence, having led to the development of a large number of actions to fully comply with the regulations (also on the occasion of the claims).

Next, BBVA dedicates a part of this second allegation to highlighting some specific considerations for each of the claims:

a) Claimant 1 refers to the sending of advertising via SMS, carried out with the consent of the interested party, as evidenced in the response made in the framework of E/08334/2018, and his right to object was immediately addressed. There is no subsequent complaint or claim.

b) The claim presented by claimant 2 was not known to BBVA until the opening of the procedure, so it has not had the opportunity to refute the accusations made about the Privacy Policy, the operation of the application or the legality of the data processing. In this case, the right to object to the processing of the data for commercial purposes was exercised; and so it was marked on the document whose signature was required when downloading the app. The download process offers the customer the possibility of deciding on the processing operations and purposes, as the claimant did, and reports on the consequences of those decisions, without any of the messages that appear conditioning the interested party. The result was that, through the application, during the process of obtaining consent, he was able to manage the use of data freely and in an informed manner.

It provides a printed copy of the "become a customer" process that the application follows, which includes the contracting of an online account. This process offers the interested party basic information on data protection, whose content coincides with that contained in Annex 1, and a link to extended information. Likewise, in both processes consent is requested from the interested party for the processing of their data ...
and they are offered the possibility of marking different options on consent for the processing of their personal data, which coincide with those enabled in the "Declaration of Economic Activity and Policy of Data Protection".

c) Contrary to what is indicated in the initiation agreement, BBVA responded to the transfer made by the AEPD of the claim submitted by claimant 3 (file E/04690/2019) and also responded to the complainant himself, although these responses have not been incorporated into the file. BBVA blocked this client's account in accordance with the provisions of Law 10/2010, of April 28, on the Prevention of Money Laundering and Financing of Terrorism, until the signing of the "Declaration of Economic Activity and Personal Data Protection Policy", which took place on two occasions (in the office and through the mobile application), and in both the interested party incorporated his preferences on the refusal to receive advertising. It raises again the question of whether signing the privacy policy and marking one of the boxes enabled is not to be considered an affirmative action, or whether there is a difference between that action and the signing of said policy without marking any of the boxes; all of them easily accessible, intelligible, simple and clear. It adds that there is no complaint from this client, beyond the claim made before the AEPD.

It provides a copy of a written response to the transfer of the claim made within the framework of file E/4690/2019, dated 06/21/2019, and proof of sending it to this Agency via postal mail on the same date. This response, whose content basically coincides with what has been stated above, is accompanied by a copy of the declarations of economic activity and personal data protection policy completed with claimant 3's personal data, dated 01/17/2019 and 02/11/2019; the first of them signed and the second unsigned.
In both declarations the option "I do not want BBVA to process my data to offer me products and services from BBVA, the Group BBVA and others personalized for me by email" is marked.

d) The background information regarding claimant 4 is contained in file E/06420/2019, which sufficiently explains the facts. In this case, until the moment of opposition BBVA was authorized to send commercial communications such as the one denounced, and it ceased this processing after the exercise of the right; although an SMS was sent later, this was due to a specific error of little significance, committed by an office manager, which was remedied immediately and led to the sending of communications on the policies adopted to the branch network. These facts do not justify the reproach that is claimed. It adds that BBVA had no record of the proceedings file or of the admission for processing until the agreement initiating the sanctioning procedure.

It says that it provides supporting documentation for the points indicated. However, it only provides what appear to be messages addressed to private clients, SMEs or freelancers with information regarding the protection of personal, entity or commercial data. Some of them are dated May and July 2018 and February 2019, with a final date of 09/24/2019, but they include no indication relating these alleged messages to claimant 4.

e) It refers to the content of the information provided on the occasion of file E/08740/2019, which shows that BBVA was respectful of claimant 5's decisions in relation to the use of his data. In this case, claimant 5 signed the aforementioned declaration on two occasions, not stating his refusal of the processing on the first occasion and doing so on the second.

3.
On compliance with the principle of transparency and the right of its clients to information about the processing of their data, BBVA sets out the following:

A) As a preliminary matter, said entity refers to the scope, content and obligations derived from the principle of transparency, as regulated in the applicable regulations and interpreted by the AEPD itself, the set of European Authorities, the Article 29 Working Group and, subsequently, the European Committee for Data Protection. It sets out the information requirements derived from the aforementioned principle, the information to be provided, how it should be provided and the system of reporting by levels or layers that can be used.

From what is expressed in these sections, it is worth mentioning the indications that BBVA includes on issues or aspects outlined in the agreement to initiate the procedure that, in its opinion, do not correspond to the requirements established by the standards analyzed. Specifically, BBVA points out that the obligation to inform interested parties about the data or categories of data subject to processing is not provided for in article 13 of the RGPD, and is only required in Article 14 of the same text for cases in which the data is not collected from the interested party, although this obligation refers to the categories of data and not to the specific data being processed.

Likewise, it also highlights that articles 12 to 14 of the RGPD do not require "the controller to provide interested parties with such detailed information that it includes the characteristics that the processing does not have, that is, it is not appropriate to inform about, for example, what data or categories of data are not subject to processing or the purposes for which the data will not be processed, such as the fact that profiles are not produced".
Nor do those articles require, "when processing is based on the legitimate interest of the controller or of a third party, that the information provided to the interested parties include the balancing test carried out to verify that the rights or interests of those affected do not prevail over said legitimate interest, despite the fact that the AEPD reproaches this party in the Initiation Agreement for not having informed about the aforementioned balancing".

B) (…)

C) Regarding the content of the Privacy Policy, it highlights that it follows the recommendations contained in the Guide prepared by the AEPD. It is organized around a series of questions and the purposes are grouped, with basic and additional information, both with the same sections.

In relation to purpose 2, "To get to know you better and personalize the experience", it warns that this does not imply the sending of personalized commercial offers; rather, the processing operations described refer to the analysis and assessment of customer data, not to the sending of advertising. The only communications mentioned in this section are congratulations. In the extended information, it is reported that the legal basis is legitimate interest, and the specific interest pursued is indicated. Both sections indicate the possibility of objecting to this processing.

Purpose 3, "To offer you products and services from BBVA, the BBVA Group and others personalized for you", is the one that refers to the sending of all types of communications for commercial purposes, through the channels indicated.

Purpose 4 also refers to commercial purposes, but it describes the communication of the data to other entities of the Group so that they are the ones that communicate directly with the client, provided that the client has authorized it. The recipient entities, the purpose and the categories of data that will be communicated are identified.
Purpose 5 details the processing carried out by BBVA to "Improve the quality of the products and services", although, as indicated in the "Extended Information", the information obtained from the use of BBVA products, services and channels is anonymized and, therefore, excluded from the scope of the regulation. Even so, it was decided to submit this purpose to the consent of the client.

D) In relation to the assessments carried out in the Initiation Agreement on the Privacy Policy, BBVA states the following:

- As a preliminary consideration, it reiterates that it does not understand the criteria that have determined the initiation of the procedure and the penalty amounts proposed for claims that are not related to the facts that justify said opening; and that, among the different corrective powers, the most serious has been chosen, instead of other alternatives that would have allowed the correction of a hypothetical situation of non-compliance. It understands that it is necessary to bear in mind the environment and the problems raised by the interpretation of the provisions of the RGPD, to which the Agency itself has not been immune; and it cites the "Report on privacy policies on the Internet. Adaptations to the RGPD" to point out that it is a sample of these difficulties, although its conclusions did not entail the same reproach. Furthermore, BBVA understands that the procedure is being used to adopt general criteria for interpreting the data protection rules, which is not admissible in light of the doctrine of the National Court.
- This subsection is dedicated to analyzing the content of the Initiation Agreement as it relates to the information provided to customers by BBVA.
The procedure was initiated for violation of article 13 of the RGPD, but it refers to the breach of the obligation to inform the interested parties about the categories of personal data processed, which is required in article 14 of said Regulation and not in article 13. Even so, BBVA includes the data categories at the beginning of the extended information, following the example published in the AEPD's "Guide for compliance with the duty to inform", adding, in addition, a description of the type of data, offering more exhaustive information than what the AEPD itself suggests in the aforementioned Guide.

On the other hand, the Agency, in the aforementioned agreement, suggests that information should be given on what specific data is used for each processing operation, despite the fact that this requirement is not provided for in the RGPD or in any guideline published by the Agency, the GT29 or the EDPB. In the same way, neither text indicates that information should be given about the data or processing that the controller does not carry out.

It considers mere conjecture, without any proof, the indications about what could happen if the information collected by the Bank from the use of BBVA products, services and channels were to include information related to "union dues ... or fees paid to political parties, or religious entities, or by the use of services provided by health or religious entities", that is, special categories of personal data. The truth, adds BBVA, is that the privacy policy does not refer to these data or processing operations simply because they are not carried out. If all the details that the AEPD now seems to require were added, it would lead to an extensive and predictably not very understandable text, leading to information fatigue, proscribed by both the Agency and the GT29.
Along the same lines, the Agency indicates that the information provided does not allow the interested party to have a clear idea about the data that will be communicated to the Group's entities. In this regard, the aforementioned article 13 of the RGPD requires informing about the recipients or categories of recipients of personal data, without mentioning the category of data. Even so, it is reported that the identification, contact and transactional data will be provided, so that the interested party may receive commercial offers. Transactional data is detailed in the description of purpose 4 (amounts of income and expenses, balances and use of our channels).

The AEPD carries out an interpretation of article 13 of the RGPD that exceeds its content and its own interpretation. With this, it would be issuing new guidelines on the content of the duty to inform that are more demanding than those indicated in its Guide, using for this a sanctioning procedure clearly detrimental to BBVA. In this regard, it cites the Judgment of the National Court of 04/23/2019 (appeal 88/2017), which declared the establishment of general criteria within a sanctioning procedure contrary to the principles of sanctioning law.

The Agency also considers inadequate or insufficient the information provided in relation to purpose 2, "To know you better and personalize your experience", and said supervisory authority indicates that the making of personalized offers and the improvement of products and services are reported with a legal basis in the consent of the interested party and in legitimate interest. However, the description of this purpose speaks of evaluating new functionalities, products and services and assessing personalized offers, but no reference is made to the sending of commercial or advertising offers.
Purpose 2 makes it possible to know the channel that the customer, what products perform better, what new products could be interesting for customers, and to respond to a customer who is interested in the products of the entity by offering those that fit their needs. In this sense, the description given in purpose 2 refers only to the internal profiling of customers to personalize their experience or respond more efficiently to their requests. The sending of advertising, which may be based on said profile, is part of purpose 3, whose basis of legitimacy is consent. Only purpose 2 refers to the use of the profile.

In this sense, adds BBVA, the unclear and imprecise expressions to which the Agency refers, such as “customize your experience”, “offer you personalized products and services” or “commercial profile”, are substantially similar to those contained in the second layer example on page 11 of the "Guide for compliance with the duty to inform" of the AEPD: "to be able to offer you products and services according to your interests", “improve your user experience”, "We will develop a commercial profile."

In short, purpose 2 describes the treatments for profiling and their non-commercial use, while purpose 3 describes the treatments that, being able to take advantage of said profile, involve the sending of commercial offers.

Additionally, and contrary to what is stated by the AEPD, purpose 2 reports how the client's profile is elaborated and that, to achieve it, different data are analyzed, which are detailed below, and the possibility of opposing the treatment is expressed.

On the other hand, regarding the objections indicated by the AEPD for not reporting on the specific legitimate interests on which BBVA relies for these treatments, it warns that this information is included in the section "Why do we use your personal data?"
in which the bases that legitimize the treatment are detailed (“… so that BBVA we can better meet your expectations and we can increase your degree of satisfaction as a customer by developing and improving the quality of own or third party products and services, as well as carry out statistics, surveys or market studies that may result from interest… to be a bank close to you as a client…”).

Finally, it states that the privacy policy does not mention the existence of automated decisions regulated in article 22 of the RGPD since they are not carried out. The decisions referred to in the section on purpose 2 would not fit into the regime established in article 22 of the RGPD, since they would not produce legal effects on the recipients of the advertising that had been sent, nor could it be considered that said sending significantly affects customers in a similar way.

4. On the existence of a legal basis for the treatment of customer data of BBVA.

A) Legality of data processing carried out on the basis of prevailing legitimate interest.

As indicated, this question has to do with the treatments that are carried out with the purpose of "Knowing you better and personalizing your experience" (purpose 2), which at no time refers to the sending of commercial communications, which BBVA bases on the consent of the interested party. Those treatments consist only of the analysis of customer behavior in relation to the channels, products and services offered by BBVA to obtain indicators that will allow it to properly adjust its business, develop and improve its portfolio of products and services, adjusting them to customer preferences, as well as the quality of services. Only if it has the consent of the interested party can it apply the result of that treatment to the sending of commercial communications to clients (purpose 3).
There is therefore no confusion between both treatments.

In this regard, the Agency concludes that the legal basis of Article 6.1 f) of the GDPR is not applicable to these treatments, considering that the legitimate interests of BBVA are not clearly stated (based on an incomplete definition of legitimate interest contained in the glossary), that the evaluation of the prevalence of legitimate interest is not reported, and because the clause makes explicit the reasonable expectations of the interested parties that BBVA considers to concur in them.

BBVA considers that none of these arguments allows the conclusion intended by the Agency to be reached, because legitimate interest does not support, as has been said, the sending of commercial communications. In addition, the extended information details the legitimate interest of BBVA (better serving customer expectations and increasing their degree of satisfaction, developing and improving the quality of its products and services, as well as carrying out statistics, surveys or market studies); the AEPD has not proven that the weighting test has not been carried out, and the regulation does not require that this information be passed on to the interested parties. BBVA considers that it must not be public knowledge.

On the other hand, it understands that it is contradictory to object to the absence of the weighting and to consider, at the same time, excessive that BBVA makes explicit what it understands that customers expect from their financial institution, what their reasonable expectation is, a key element in determining the prevalence of the legitimate interest of a data controller. Based on this, the Agency understands that said expectation is induced by BBVA and that customers do not reasonably expect their data to be used to improve products and services and improve the customer experience.
(…) To understand that the reasonable expectation must remain hidden, that by making it manifest in the informative clause it loses its character of expectation, is contrary to logic and undermines the obligation to guarantee the greatest clarity of information.

In relation to the Agency's statements about the possibility that the use of the data in order to better know the customer can lead to an exhaustive analysis of the same, which is based on the possible use of data unrelated to the contracted products, collected from the use of BBVA products, services and channels, the entity understands that these are mere conjectures that do not respond to the reality of the treatments carried out. BBVA does not carry out these treatments, (…)

Thus, the treatment analyzed is linked to legitimate interest and allows BBVA to optimize the business model; improve the quality of the products and services offered; perfect internal management and the personalized relationship with the client; and determine the propensity of customers to a certain product, preferences in terms of the channels through which they interact and the groups to which certain products can be offered (commercial communications are not sent to these unless they have granted their consent in accordance with purpose 3).

In this sense, the existence of a reasonable expectation on the part of customers about the processing of their data to design products that may be of interest to them is logical. In addition, for this, data of third parties linked to the client in the transactions the client makes are not processed. Only data referring to behavior in relation to products and channels are processed, which meet the principles of suitability and necessity.

This conclusion coincides with the criteria supported by the AEPD in its report 195/2017, issued at the request of the Spanish Banking Association.
In section VII it analyzes the prevalence of the legitimate interest of financial entities in the analysis of transactional movements and/or customer savings capacity, to make observations and offer recommendations on products and services. The same report also refers to the treatment of all transactions in order to be able to perform a more detailed profiling that allows the products to be offered to be specified with precision. And it contemplates the adoption of additional guarantees, such as describing in more detail the treatment to be carried out, and particularly the fact that the transactional data will be used to create profiles, and offering the interested party the possibility to specifically object to this treatment. Therefore, it understands that the Agency would be acting against its own acts and violating the principle of legitimate expectations.

Finally, on this issue, it points out that the Agency conjectures about the treatments that BBVA would be carrying out, without having proof of it.

B) On the legality of the treatments carried out by BBVA based on the consent of its clients and the compliance of said consent with the data protection regulations.

a) On the power of control of the affected party over their data

The client, from the moment they manage their registration and while maintaining the relationship, has absolute power and control over the processing of their data, insofar as they are offered the possibility to opt and choose their preferences in relation to the processing operations carried out, at any time and through the different channels made available to them in person and digitally.

This power of control is what the regulations intend to guarantee and that is how the AEPD. In its recent document "User control in the personalization of ads in Android", referring to the duty to provide the user with real control over their personal data, and in the document "Guide on the use of cookies" when it states "...
the need to implement a system in which the user is fully aware of the use of those devices and the purpose of their use, being ultimately aware of the destination of their data and the incidents that this system implies in their privacy”.

This result is the one obtained with the processes and means enabled by BBVA, adjusted to the provisions of article 7.2 of the RGPD, in which the interested party has absolute freedom of choice and control over their data, the different options are presented for different treatments and purposes separately, there is no reference to documents that are not easily accessible, and a granular structure is used when providing the information, as promoted by the legislator, the AEPD and the GT29 in its “Guidelines on consent in the meaning of Regulation (EU) 216/679” in its revised version of 04/10/2018.

The provisions of Recital 32 are also respected, which admits many and different formulas to obtain consent, insofar as it is clear that the interested party accepts the proposed treatment of their data, separately for the different processing activities carried out for the same purpose or purposes; as well as the prohibition contained in article 7.4 of the RGPD, referring to the conditioning of the execution of a contract on the affected party consenting to the processing of their data for purposes that are related to the maintenance, development or control of the contractual relationship; and the reference in Recital 43 when it states that “it is presumed that consent has not been freely given ... when the performance of a contract, including the provision of a service, is dependent on consent, even when it is not necessary for said compliance” or the separate authorization of the different personal data treatment operations.

There is no reproach in the Initiation Agreement on these key issues, so only the way in which consent has been obtained seems to be disputed.
b) On obtaining consent through an affirmative action of the clients.

The GT29, in relation to the unequivocal nature of consent, refers to an action by the affected party that reveals a behavior, a manifestation of will or, as is said in the RGPD, "a clear affirmative action", which means that the interested party must have acted deliberately. For its part, the “RGPD Guide for Responsible for the Treatment” of the AEPD refers to a manifestation of the interested party or a clear affirmative action.

In this regard, BBVA points out that it has opted for this clear affirmative action:

- Through any of the channels provided, BBVA enables the signing of the “Declaration of Economic Activity and Data Protection Policy”, which offers the interested party the different options in relation to the purposes additional to the management of the contractual relationship. The signing of this document is a clear affirmative action, which is carried out with full knowledge of the scope and consequences that it entails (the claimants have effectively managed their preferences). Furthermore, through the application, the interested party has at their disposal a simple procedure to manage their preferences at all times (claimant 2).

- The registration process, through the indicated digital and face-to-face channels, complies with the requirements expressed in the "GDPR Guide for data controllers" of the AEPD, which recalls that consent “can be unequivocal and be given implicitly when it is deduced from an action of the interested party”. Furthermore, the Initiation Agreement incurs a contradiction, given that the AEPD, in relation to claimant 2, has considered valid the process in which the client has checked any of the boxes enabled for the provision of consent, but not when the client has not checked those boxes and authorizes with their signature the processing of their personal data for the purposes that are made available to them.
The holographic or digital signature of the document is a clear affirmative action that is carried out with full knowledge of its scope, considering the clear content of these boxes and that, because of their positioning, they are clearly visible and directly accessible.

In the field of managing cookies or similar technologies, the control authority has admitted as affirmative actions navigating to a different section of the website that would use them, closing the privacy notice of the first layer or clicking on some content of the service offered on the web. In this area, Document 02/2013 of the WG29 states that “ensure that the active behavior is close to the location where the information is presented is essential to be sure that the user must submit the action to the requested information”. The Agency's "Guide on the use of cookies" accepts as valid a link or button to manage preferences along with the possibility to "accept" or "reject", or accepts "pressing specific keys" as an affirmative action.

In the same way, the non-marking of the boxes and the subsequent signing of the aforementioned document involve a “physical movement” that can be considered a clear affirmative action in accordance with the RGPD, with which the interested party achieves control over their personal data.

Moreover, in the regime of explicit consent, which reinforces "ordinary" consent in view of the treatments and data subject to it, the Guidelines on consent of the GT29 admit as valid explicit consents formulas or processes less demanding than the one implemented by BBVA.
Thus, in a written statement, these Guidelines cite a comparable case, in which a “yes” or a “no” is admitted (example 17: “A data controller can also obtain explicit consent from a person visiting your website by offering an explicit consent screen that contains Yes and No boxes, as long as the text clearly indicates…”). It also cites as an example, in the digital or online context, the one in which an interested party can issue the required declaration by filling in an electronic form, sending an email, uploading a scanned document with their signature or using an electronic form.

- The consent provided by BBVA cannot be considered consent by omission or by inaction, as there is in any case an active behavior of the interested party: on paper, inserting the signature in the same place or having in sight the options offered; in the digital channel, on many occasions the affected person will have accessed and browsed through the different screens enabled to manage their consent, having chosen, or not, to reject certain treatments. In the latter case, the process involves carrying out two actions:

First, the affected person has an interactive document included as a hyperlink in the text that accompanies a box ("I have read and accept the data processing personal”), the checking of which is required to continue with the registration process; the aforementioned document used in this channel is configured in two layers: a first that incorporates the boxes under discussion, and a second layer with expanded information;

Second, after the collection of personal data, the interested party again has available the document with the result of the affirmative action so that, if they agree, they proceed to sign it.

Therefore, there is no inactivity or “silence” that is interpreted as an act of acquiescence or acceptance; there is a specific activity or, at least, the option to carry it out.
Neither BBVA nor any other controller can materially ensure that the client's signature takes place after an unhurried reading of the privacy policy. However, in order to guarantee that this action takes place, it provides repeated and insistent messages recalling this need, so that the interested party is responsible for their decisions. And the controller cannot complete or replace the autonomy of will of the affected party.

Neither does a presumed consent take place, since there is no statement or positive act that implies acceptance of the privacy policy in its entirety. The interested party knows this policy and chooses their preferences either by marking the boxes or by signing said privacy policy without checking them.

There is no inaction, for the same reasons, nor is it a case of pre-ticked boxes, of the continuity of a service or functionality as a result of silence, or of obtaining consent in the context of the acceptance of a contract or of the terms and conditions of a service.

What is more, the signing of the document is necessary to register as a BBVA customer, which implies the need for customers to access the documents, opt for any of the alternatives offered and sign the document, expressing their agreement or disagreement with the specific treatment operations subject to their consent.

C) The consent requested by BBVA as a reinforcement of the clients' rights in treatments that could be based on the prevailing legitimate interest of the entity.

The processing of the data for most of the purposes for which customer consent is requested could have been based on the concurrence of a prevailing legitimate interest of BBVA, so that the entity, when obtaining the consent of the interested parties, has adopted reinforced active responsibility measures.
The entity refers to purposes 3 and 5 of the Privacy Policy (to offer personalized products and services from BBVA, the BBVA Group and others; and to improve the quality of products and services).

In this regard, it recalls the 195/2017 report of the AEPD, cited in section A) of the present point 4, whose sections VII and VIII are applicable to the case now analyzed, referring to the treatments that a financial institution can base on legitimate interest in relation to purposes that, in BBVA's opinion, fit with those listed as 3 and 5 of the basic information contained in the informative clause.

In view of what is stated in that report, it can be concluded that the AEPD considers that, in certain cases and under certain circumstances, the processing of data with the purpose of knowing the client's preferences and their behavior in relation to products, as well as for the establishment of profiles that allow the sending of personalized commercial communications, would be covered by article 6.1.f) of the GDPR, which would exclude the need for customers to give their consent.

Thus, the entity has reinforced the power of disposition of the interested parties over their personal data, allowing them to express their refusal or opposition to the treatment from the very moment of the collection of their data, without having to make use of the right of opposition at a later moment. In addition, the exercise of this right must be justified in some cases ("reasons related to your particular situation"), while the option offered to the client is based on their sole and exclusive will.

Therefore, if the reasoning of the initiation agreement is followed, the AEPD would be considering it more harmful to request consent when it is not required than to report on the treatments that the responsible entity intends to base on prevailing legitimate interest.
Based on everything set out in this point 4 of BBVA's allegations, this entity concludes that the treatment carried out for purpose 2 is fully based on legitimate interest; that those carried out for purposes 3, 4 and 5 are based on the consent granted by the interested parties with all the established requirements; and that, in the case of purposes 3 and 5, this request for consent constitutes a reinforced active responsibility measure adopted by BBVA.

TENTH: By letter of 07/02/2020, notified to BBVA on the 6th of the same month, the instructor of the procedure agreed to open a period for the taking of evidence, considering the claims filed and their attached documentation, as well as the documents and statements obtained by the Subdirectorate General for Data Inspection in relation to such claims in the information request process prior to admission for processing. Likewise, the allegations to the initiation agreement formulated by BBVA and the documentation that accompanies them were considered submitted.

On the other hand, it was agreed to require the entity BBVA to provide, within a period of ten business days, the following information and/or documentation:

a) Copy of the record of all personal data processing activities carried out under BBVA's responsibility mentioned in the personal data collection form called "Declaration of economic activity and personal data protection policy", in its initial version, together with any addition, modification or exclusion in its content.
b) Copy of the evaluation(s) of the impact on the protection of personal data relating to any type of personal data processing operations carried out under the responsibility of BBVA, of those mentioned in the form “Declaration of economic activity and protection policy of personal data”, which pose a high risk to the rights and freedoms of natural persons, in its initial version and, where appropriate, with details of the modifications or updates that could have been made. Likewise, if there has been a change in the risk represented by the processing operations and if deemed necessary, the result of the examination that BBVA may have carried out to determine whether the treatment is in accordance with the data protection impact assessment was requested (article 35.11 of the RGPD).

c) A copy of the documents recording the evaluation carried out by the BBVA entity on the prevalence or not of the interests and fundamental rights of the interested parties over the interests of BBVA in relation to the personal data processing operations carried out under the responsibility of BBVA, of those mentioned in the form “Declaration of economic activity and personal data protection policy”, with which the satisfaction of legitimate interests pursued by the BBVA entity itself or by a third party is sought.

d) Copy of the report on the results of the opinion study carried out between the months of January and February 2018 among new customers, to which BBVA refers on page 44 of its brief of allegations and Document 9 attached to said brief.

In response to BBVA's request, the term granted was extended by five business days.
Once the total term granted was exceeded, on 08/03/2020, a letter of response was received, to which BBVA attached the following documentation:

A) Impact evaluation on the protection of personal data of the treatments related to the realization of commercial profiling. (…)

B) Impact evaluation on the protection of personal data of the treatments related to carrying out risk profiling. (…)

C) Report on the weighting of the prevalence of legitimate interest in the treatments to which the purpose numbered as 2 refers in the section “For what purposes are the we will use?", contained in the personal data collection form "Declaration of economic activity and personal data protection policy”. (…)

ELEVENTH: By letter of 08/11/2020, notified to BBVA on 08/17/2020, BBVA was granted a new period of five business days to provide a copy of the documentation indicated in section a) of the requirement indicated in the preceding antecedent (record of treatment activities), which was not included by BBVA in its answer of 08/03/2020.

The response to this second requirement also occurred once the total term granted had been exceeded. On 09/16/2020, a letter was received from the aforementioned entity, accompanied by the record of treatment activities. (…)

TWELFTH: On 10/07/2020, a resolution proposal was issued in the following sense:

"1. That the Director of the Spanish Data Protection Agency sanction the BBVA entity, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD, with a fine of 3,000,000 euros (three million euros).

2.
That the Director of the Spanish Data Protection Agency sanction the BBVA entity, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine of 3,000,000 euros (three million euros).

3. That the Director of the Spanish Agency for Data Protection proceed to impose on the BBVA entity, within the period to be determined, the adoption of the necessary measures to adapt to the personal data protection regulations the processing operations that it performs, the information offered to its clients and the procedure by which they must give their consent for the collection and processing of their personal data, with the scope expressed in Law Foundation X of the proposed resolution”.

THIRTEENTH: After BBVA was notified of the aforementioned resolution proposal, on 11/03/2020 this Agency received a written statement of allegations requesting once again that the nullity of the procedure be declared or, where appropriate, its expiration. Alternatively, it requests that the procedure be closed or, failing that, that the penalty of warning or a significant reduction of the amount established in the proposed resolution be imposed.

It declares reproduced in their entirety its allegations to the initiation agreement, which, in its opinion, the resolution proposal does not take into account or contest; and it formulates the following considerations, which basically reproduce those allegations at the opening of the procedure:

1. Regarding the setting of the amount of the sanction in the initiation agreement, it indicates again that this incurs a substantial defect of nullity, produces defenselessness and breaks the principle of impartiality of the investigating body.
It considers that this causes a confusion between the instruction and resolution phases, as evidenced by the fact that the proposed resolution sets an amount identical to that indicated by the sanctioning body in the initiation agreement and reproduces the concurrent circumstances. This entails a breach of the inspiring principles of sanctioning law that is not remedied by the mere fact that the entity has been able to submit allegations to the initiation agreement and to the resolution proposal.

BBVA understands that the proposal incurs a contradiction when it considers that determining the amount of the penalty is an obligation imposed by article 64.2 of the LPACAP and then points out that “not only are the requirements mentioned, but goes further by offering legal reasoning that justifies the possible legal classification of the facts assessed at the beginning and, even, the circumstances that may influence the determination of the sanction”. BBVA considers that that rule imposes no such obligation, nor is it possible for the Administration to "go beyond" what is provided for in the rule, which constitutes an excess of the powers of the sanctioning body that violates the rights of the entity against which the procedure is directed.

It warns that article 64.2 of the LPACAP does not represent an important innovation in the legal system with respect to the sanctioning regime previously in force, which already indicated that the initiation agreement should incorporate “the sanctions that could correspond, without prejudice to what results from the instruction”, under which the AEPD indicated in its initiation agreements the maximum and minimum limits of the offense referred to in the agreement, without establishing the exact amount of the penalty.

Likewise, article 85.1 of the LPACAP does not require that prior determination of the amount either, since it does not refer to a pre-established sanction, but to the imposition of the sanction that proceeds.
This norm, applicable when “the procedure has begun”, provides that the recognition of responsibility may determine the imposition of the "appropriate" sanction, so that this determination seems to be foreseen after the acknowledgment of responsibility itself. In its section 3, the same article provides that the reductions must be applied to the “proposed” sanction, which requires that the amount has actually been determined in the procedure, and the wording of the precept itself seems to refer to the resolution proposal as the ideal place to determine the aforementioned amount, this power corresponding to the examining body.

According to BBVA, this conclusion is not contradicted by the fact that the reductions applicable for acknowledgment of responsibility and advance payment of the sanction must be disclosed in the initiation agreement. Both benefits can be awarded although the sanction is not quantified.

2. Regarding the non-existent link between what is attributed to my client and the claims referred to in the proposed resolution, and on the inactivity of the AEPD.

In relation to this issue, it considers that the arguments contained in the resolution proposal are not admissible, as there is no doubt about the inactivity of the Administration, which has contributed to the maintenance of BBVA's conduct and affects the validity of the procedure.

The AEPD expressly considers that there has been no phase of previous investigation actions prior to the adoption of the initiation agreement, but that the claims were admitted for processing without any decision being made on them until the initiation of this procedure, and that it can maintain that situation with the sole limitation that said decision does not violate the statute of limitations of the alleged infringement, which would not begin to be computed until BBVA modified its Privacy Policy.
However, this situation is contrary to the principles of the sanctioning procedure, generating a situation of legal uncertainty to the detriment of BBVA.

In this sense, articles 64.2 and 67 of the LOPDGDD establish a regulated procedure with clearly marked time limits, differentiating those that are a consequence of a claim from those in which the AEPD decides on its own initiative. In the first case, three successive phases are established, without a break in continuity: (i) admission to processing of the claim within a period of three months; (ii) the (optional) carrying out of investigation actions for a maximum period of twelve months; and (iii) the opening of a sanctioning procedure, which will last a maximum of nine months. The AEPD may choose to dispense with investigative actions, but that decision cannot imply a stoppage or stagnation of the claim admitted for processing for an indefinite period of time, limited only by the statute of limitations, given that this availability contravenes the principle of legal security of the company. If it decides not to carry out any type of investigation, it must proceed immediately to the opening of the sanctioning procedure.

In this case, there has been a delay of ten months, without there being a decision to carry out investigative actions. The AEPD should have agreed to open the procedure at the time it decided to admit the claim of claimant 2, that is, on 02/01/2019, so the procedure should have concluded on 11/04/2019. However, that opening took place on 12/02/2019, almost a month after the date on which the procedure should have concluded by means of the corresponding resolution.

BBVA understands that this unjustified inactivity results in the expiration of this procedure, given that the term to resolve would have expired on the same date as the initiation agreement.
The doctrine established by the National Court (AN) in its Judgment of 10/17/2007 (appeal 180/2006), in which it revealed the illegality of the inadequate or unfounded prolongation of the preliminary investigation actions, is applicable to this case:

“[…] When the delay in initiating the sanctioning procedure occurs, as in the present case, for a long period of time, in which the relevance or not of said initiation, but no action is carried out by the Administration and ultimately, there is no justification for such delay, there is a spurious and fraudulent use of what is provided for both in article 12 of RD 1398/1993 and in article 69.2 of the LRJ-PAC. […] And this because, as has also been indicated, and once the AEPD had sufficient information and data, provided in the first two months of the processing of the repeated previous actions, and could now direct the accusation against [...], complying with legal requirements, it nevertheless let almost eleven more months go by without taking any action, maintaining such request for information open, but completely inactive. […] We consider for all this, […] that there has been a fraudulent use of the institution of preliminary proceedings. Consequently, we are faced with a case of fraud of law contemplated in Article 6.4 of the Civil Code, as it is intended to circumvent the application of Article 42.2 of Law 30/1992 using the request for information to avoid expiration of the sanctioning file. Fraudulent use that entails the invalidity of the sanctioning procedure and the consequent estimate of the claim of the claim, with revocation of the sanction imposed on […] in the contested resolution.”

The AEPD deliberately decides not to process any procedure and to wait for the moment that it deems appropriate to initiate the sanctioning procedure, which implies, taking into account the doctrine supported by the SAN that has just been reproduced, a fraud of law aimed at the violation of the regulations governing the terms and deadlines of resolution established in both the LPACAP and the LOPDGDD, with the consequent damage to BBVA.

Faced with this, it cannot be argued that the AN doctrine cannot be extrapolated because it refers to a fraudulent use of the previous investigation actions, whose conduct was not agreed in this case, given that the fraud of law derives precisely from the complete inaction of the Administration, which considers it possible to postpone ad aeternum the initiation of the sanctioning procedure for facts regarding which it has already collected all the information that, in its opinion, is relevant to direct the sanctioning action against BBVA.

BBVA's conduct is aggravated by the continuing nature of the infringement, at least until the moment it proceeded to modify the aforementioned policy in July 2020. BBVA acted, from the moment it responded to the requirements addressed to it until the date on which the initiation of this procedure was agreed, in the legitimate confidence that the AEPD considered that its Privacy Policy was in accordance with the data protection legislation, the AEPD having not directed any reproach or carried out, with the knowledge of my client, any investigative action.

All this results in the nullity of full right of the action of the Administration, which deliberately dispenses with the clearly and explicitly established legal procedure, to the prejudice of the principles of legitimate confidence and legal certainty that assist BBVA.
On the other hand, the aforementioned entity dedicates a section of this second allegation to the necessary link between the object of the sanctioning procedure and the claims made, in the cases of ex officio initiation of the complaint procedure, already stated in its arguments at the opening of the procedure. It questions whether the AEPD may decide to open a procedure in relation to the extremes that it deems appropriate (the resolution proposal itself allows on issues that are not subject to processing).

The relevant question is found in the factual account of the proposal, which bases the processing of the procedure on the existence of five claims against BBVA, and not on the decision of the AEPD to initiate its processing on its own initiative, using its powers. Thus, once the claim is admitted for processing, the AEPD must continue with its processing and there must be a precise and direct link between the content of said claims and the sanctioning reproach.

The AEPD equates the fact that the procedure is initiated ex officio with initiation “by its own initiative”. And in the present case, it begins as a result of five claims, to the terms of which the procedure must adjust, and it cannot be a kind of general doctrine directed against BBVA.

BBVA points out that this argument derives from the doctrine emanating from the Judgment of the AN of 04/23/2019, already set out in the allegations to the opening, from which it follows that a proposal that does not refer in its foundation to the claims made exceeds the necessary consistency required between the facts and the infractions, converting the five claims into a kind of general cause against BBVA.

In BBVA's opinion, such a conclusion affects the principle of legal certainty and implies a flagrant violation of the principle of interdiction of the arbitrariness of public powers, enshrined in article 9.3 of the Constitution.

3.
On the change in the classification of the sanction imputed to BBVA and some general considerations about the application of articles 13 and 14 of the RGPD.

a) Regarding the change in the classification of the offense attributed to BBVA and the non-application to the present case of article 14 of the RGPD.

While the Initiation Agreement referred only to Article 13 of the RGPD, the Proposed Resolution extends the sanctioning reproach to the provisions of Article 14 of the aforementioned legal text, which is not applicable to this case, taking into account what is established in section 5 c) of the same article 14 and in article 2.1 of the RGPD:

(…)

The same argument supports the exclusion of the duty to inform with respect to the credit information, access to which is provided for in the aforementioned article 12.1 of the LCCI. BBVA adds that, however, in its Privacy Policy it informs about the treatment of these data and, within the categories of data that it submits to treatment, expressly indicates “economic and financial solvency figures (including those relating to all the products and services that you have contracted with BBVA or for which BBVA is marketer)”.

b) On the supposed obligation to include the categories of data in the information that must be provided to the interested party.

BBVA has made an effort of clarity in the preparation of its Privacy Policy, incorporating the categories of data that would be subject to treatment, despite this not being required by article 13 of the RGPD.
The AEPD indicates that the aforementioned article 13 imposes the obligation to inform about each and every one of the data subjected to treatment, breaking down that information for each of the specific purposes, regardless of whether the origin of the data is the interested party, in the cases in which the treatment is intended to be based on the legitimate interest of BBVA or on the consent of the interested parties. It resorts to what is indicated in the document “Guidelines on consent”, adopted by the European Data Protection Committee (hereinafter, “EDPB”), “which has been updated by the European Data Protection Committee on 05/04/20”, that is, five months after the initiation agreement, so this issue does not merit further consideration.

An additional obligation is imposed that is not expressly included in the RGPD, which cannot be modified by the AEPD in a sanctioning resolution nor by the European Data Protection Committee in an Opinion, for the simple reason that they lack normative powers. The LOPDGDD (article 55) attributes to the AEPD the competence to set its criteria for action in Circulars, which will be mandatory, but this cannot imply the imposition of an obligation not recognized in the regulations.

In this case, in addition, the AEPD modifies its criteria regarding what is supported in its “Guide on compliance with the duty to inform” and it does so in a singular resolution, violating the principle of interdiction of the arbitrariness of public powers, by not setting out the motives underlying such a surprisingly novel criterion, and the principle of singular non-derogability of the regulations, enshrined in article 37 of the LPACAP.

Finally, it invokes again what was indicated by the AN in the Judgment of 04/23/2019, which admits that a sanctioning procedure is used to establish interpretative criteria.

4.
Regarding the AEPD's assessments regarding the alleged inadequacy, imprecision and intentional indeterminacy of the information provided by BBVA.

a) Subjective evaluations made by the AEPD in relation to the transparency of the BBVA Privacy Policy.

- Pronouncements regarding the terminology and expressions used.

Despite the foregoing, BBVA makes allegations on the above issues in which it limits itself to stating that the Agency bases its previous findings on subjective appraisals; that the terms used are clear and precise, widely used nowadays, and meet the intelligibility requirement; that it uses those expressions with the intention of providing its clients with a service adapted to their specific circumstances, for which it is essential to “know” them; and that the context in which the information is provided, which is determined by the contractual relationship, as well as the two-layer document system, allow a better understanding of the expressions used.

It provides an explanation of some expressions to which the AEPD refers:

. “We will apply statistical and classification methods to correctly adjust your profile”. It involves a specification of two of the techniques used to better understand the client, frame him appropriately and thus be able to offer him a service properly adapted to his personal circumstances.

. “Analyzing the uses of BBVA products, services and channels”, used in BBVA's Privacy Policy in the context of personalizing the experience of the user, in order to be able to offer a service adapted to their circumstances and needs. The AEPD qualifies this expression as unclear, imprecise and ambiguous. However, at a later point of the Proposal (p. 73), the AEPD itself explains its meaning: “[a]ll this refers to the data processed by reason of the products and services contracted”.
It adds that some of the expressions explained above are similar to expressions offered as examples in the “Guide on the use of cookies”:

. “Carry out statistics, surveys, actuarial calculations, measurements and / or studies of market that may be of interest to BBVA or third parties” is similar to the expression “for analytical purposes”.

. “Analyzing the uses of BBVA products, services and channels” is similar to the expression “show you personalized advertising based on a profile prepared by starting from your browsing habits”.

- Similarity between the expressions used in the BBVA Privacy Policy and those included in the AEPD's “Guide for compliance with the duty to inform”. Unjustified change of criteria: violation of legitimate expectations and of the jurisprudence of the AN.

The AEPD avoids ruling on the contradiction posed by the reproach made to BBVA and the recommendations included in the cited Guide, which offers examples of possible formulas to inform about the purposes of the treatment similar to those included in the Privacy Policy.

The publication of a Guide by the AEPD generates legitimate confidence in its recipients, who adapt their behavior in the belief that its application contributes to compliance with the regulations, so that we now consider those expressions would mean acting against their own acts and would determine the violation of the legitimate expectations and legal certainty that documents published by a supervisory authority must provide, as well as of the jurisprudence of the AN collected in the Judgment of 04/23/2019, already cited, which declared the establishment of general criteria within a sanctioning procedure contrary to the principles of sanctioning law.

- Subrogation of the AEPD in the position of the interested parties. Reproach of a marketing action carried out by BBVA under the protection of free enterprise.
The AEPD engages in conduct similar to one of the reproaches it makes against my client, the impersonation of the interested parties, when it puts itself in the place of the recipients of the information to conclude that it is not easy to understand for any interested party or he can deduce the meaning of expressions from the context.

In this regard, it is established as a proven fact that BBVA analyzed during 2017 and 2018 the impact of the RGPD on its activity and carried out two investigations by third-party experts to assess the content and format of the text, or test its understanding, so that it is undisputed that it acted with proactive responsibility to know the people about whom it collects information and to determine whether said audience is capable of understanding, adapting the information provided and the terminology for it.

The reproach of the Agency reaches the way of presenting the document to the interested parties, pointing out that it intends to offer an image of courtesy and good treatment to the client, criticizing with this what is nothing more than a simple business decision by BBVA about how to present a document to its clients, for which the Bank is fully legitimized by virtue of its right to freedom of enterprise enshrined in article 38 of the EC.

b) Excessive information requirements for interested parties that could cause information fatigue.

(…)

The incorporation of all that information related to the type of data into a document that is already excessively long would be liable to cause information fatigue in the interested parties, contrary to the GT29 Guidelines, which recommend efficient and succinct information; or to the AEPD itself, which has highlighted the importance of not overwhelming with information, as in the “Guide on the use of cookies”.

c) Supposed lack of determination of the interested parties affected by the communication of data to the BBVA Group companies.
As indicated in the Privacy Policy, the data of representatives, guarantors, authorized persons or beneficiaries are treated only for the management of the contract in which they intervene as a result of their legal relationship with a client of the Bank. In no case are these data communicated to the BBVA Group companies.

5. About profiling.

Purpose 2 of the Privacy Policy seeks to personalize the experience of its customers and concludes by indicating the usefulness of said profiles. It details the treatment carried out (analyze and assess the data), the type of data that is used in said treatment (data that allows you to be identified, financial evolution and products and services contracted, operations - payments, income, transfers, debts, receipts - as well as the uses of BBVA products, services and channels) and the purpose for which said analysis is carried out (elaborating a profile and using it in business models).

This entity considers that the knowledge of the clients, the analysis of their interrelation with the products and services offered and the assessment of their preferences expressed through the use or not of them, and the way they are used, is the basis of the information that any company uses to assess its business strategy and improve it, in short, to design its business models and for customer relationship management.

This treatment will in no case imply an individualized analysis for the performance of commercial communications, which involves additional and differentiated treatment, which could only be done with clients who have given their consent to it.

The AEPD seems to understand that the only purpose of profiling is the personalization of the offers, when said treatment may also be aimed at many other purposes, such as improving the business model, the portfolio of products and services offered by the person in charge or the customer's experience.
For this reason, this party understands that the Agency confuses on this point two purposes that are listed in two different sections of the Privacy Policy.

6. On the legality of the treatments that BBVA bases on legitimate interest in its Privacy Policy.

The arguments on this issue included in the proposal are presented in a dispersed manner, making it difficult for BBVA to really understand the reasons on which the AEPD bases its reproach. However, it seems to be concluded that, in the opinion of the Agency, the requirements derived from Recitals 41 and 47 of the RGPD would not be met in this case.

BBVA understands that the AEPD intends to highlight that legitimate interests are not clearly described, the treatment described in purpose 2 does not comply with the principle of necessity, the reasonable expectation of the interested party concurs and, ultimately, an adequate weighting of the rights and interests at stake.

a) On the concepts of legitimate interest and purpose and their supposed confusion on the part of BBVA.

The AEPD in its Proposed Resolution highlights what is, in its opinion, a substantial difference between the legal concepts of purpose and legitimate interest. BBVA understands that these are elements inextricably linked to each other. Only in this way can article 6.1 f) be understood, which considers the treatment based on legitimate interest lawful; that is, the legitimate interest is the purpose (to be satisfied) for which the data is processed.

Following the reasoning of the AEPD, any treatment carried out on the basis of legitimate interest in a business environment is illicit because the sole purpose is the mere obtaining of an economic benefit (or reducing a loss).
Even the treatments that the AEPD has considered to be based on legitimate interest would be contrary to the Law, since all would fit into the case outlawed by the STS of 06/20/2020, which refers to data processing of people receiving jokes for a merely chrematistic purpose. And the same can be said of cases accepted by the CJEU, the AN or the AEPD when the treatment is carried out by a company (it cites several examples: treatment for the promotion of free competition in a given sector - for example, access by electrical traders to the Information System of Supply Points of the dealers; data processing by search engines; treatments based on freedom of information of the media; treatments carried out in the exercise by the employer of his business control functions; creation of common fraud prevention systems; credit information systems; even the treatments for management and internal administration of business groups or the processing of personal data for marketing purposes - indicated in Recital 47 of the RGPD).

The legitimate interest that BBVA intends to fulfill is to continuously improve the relationship with its clients and the portfolio of products and services it offers, being able to respond diligently to their needs in case they require them.

Obviously, this legitimate interest is aimed at the continuous improvement of the business and at ensuring that customers are satisfied with the service provided. Otherwise, they would choose to break the business relationship with the entity and hire the services of a competitor. As is logical, this circumstance will entail a loss for BBVA that it lawfully intends to avoid.
But that does not mean that the legitimate interest that justifies the treatment of data by BBVA is not to provide the best service to its customers, to be able to anticipate their needs, to offer them, if they consent, products that can better match their profile and, consequently, to continually improve and refine its business model.

BBVA has a legitimate interest in knowing its clients as well as possible in order to provide its services with the highest degree of excellence possible, even when this entails, where applicable (which is obvious in the case of a commercial company), the consequence of obtaining an economic benefit.

(…)

b) Regarding the reference to the principle of necessity made in the Proposed Resolution.

The AEPD considers that the principle of necessity required in article 6.1 f) of the RGPD in relation to the satisfaction of legitimate interest does not occur in this case. And it starts from the doctrine established in the ECHR Judgment of 03/25/1983, referring to a case of possible violation of the secrecy of communications, in which the term “need” does not correspond to the one that results from the application of the RGPD.

As regards the principle of necessity, the interpretation is much simpler and also stems from the doctrine of the ECHR, which has been repeatedly applied and summarized in Spain by our Constitutional Court when analyzing the proportionality of a restrictive measure of a fundamental right.
STC 207/1996, cited by the AEPD in the statement of reasons for its Instruction 1/2006, notes:

“[…] To verify whether a restrictive measure of a fundamental right passes the judgment of proportionality, it is necessary to verify whether it meets the following three requirements or conditions: "if such measure is capable of achieving the proposed objective (suitability judgment); if, in addition, it is necessary, in the sense that there is no other more moderate measure to achieve such purpose with equal effectiveness (judgment of necessity); and, finally, if it is weighted or balanced, for deriving from it more benefits or advantages for the general interest than damages on other goods or values in conflict (judgment of proportionality in the strict sense)”.

Well, in the present case, the purpose pursued by BBVA can only be carried out with the same probabilities by performing the treatment that has been described and establishing models that allow it to really know the preferences of its customers.

(…)

c) On the application to the present case of the principle of reasonable expectation of the interested party.

As already stated in our submissions to the Initiation Agreement, the reasoning of the Proposed Resolution can only be classified as contradictory:

. The AEPD considers that the treatment must be directly foreseen by the interested party, without this forecast being mediated by the indications of the person in charge. However, Article 13 of the RGPD imposes on that person in charge the obligation to inform about the treatment and indicate that it is based on a prevailing legitimate interest, under penalty of breaching said rule. BBVA wonders if the AEPD intends to say that treatments based on legitimate interest should not be informed. Once the information is provided, it is impossible to know whether or not the interested party was able to foresee the treatments in advance.

.
The assessment of the concurrence of the reasonable expectation can be derived from the relationship of the affected party with the person responsible. However, the AEPD considers that the excellence that may exist in the Bank's relationship with the interested party is irrelevant to him.

(…)

d) (…)

A different matter is that the data collection form of the interested party is used not only as the initiator of the client's relationship with BBVA, but also to comply with the due diligence obligations established in the anti-money laundering legislation. The data is kept for the period established in this legislation, for the purposes provided therein, but not for the controversial treatment.

However, as appears to be clear from the Proposed Resolution, the obliged subjects should request the same data from the affected party on as many occasions as treatments of the same are to be carried out, which obviously does not conform to the norm, nor would it be reasonable.

Finally, the Proposed Resolution considers the reference to Report 195/2017 of the Legal Office of the AEPD, considering that “the premises valued in this report do not fit the present case. In the aforementioned aspects, this report analyzes the performance of treatments for marketing purposes, provided that the offer refers to products similar to those contracted by the interested party, and only uses the information available as a consequence of product management”. BBVA declares that it does not understand how the aforementioned case differs from the one currently under analysis.

7. On obtaining consent and its compliance with the RGPD and the LOPDGDD.

a) Previous considerations; precise identification of the eventual illicit.

In relation to the informed condition that is required regarding consent, BBVA refers to what is indicated in the previous sections.
Regarding the form of obtaining consent, it refers firstly to the considerations formulated by this Agency regarding the “conscious design” carried out by BBVA with the purpose of favoring the consent of the majority of its clients, which that entity does not consider legally relevant.

(…)

Seeking to lawfully process large amounts of data for as many purposes as possible is legitimate, is in the interest of the interested party and does not imply the non-observance of the regulations, so it cannot be subject to sanction or be considered in the graduation of responsibility. It would be relevant for assessing the element of fault if BBVA had designed the mechanism “knowing” that it was breaking the rules, which it categorically denies.

b) On the characteristics that consent must meet (other than the form, mechanism or formula for obtaining it).

The AEPD considers that the criteria contained in recital 43 of the RGPD, which requires that the processes to accept the treatments allow “to authorize separately the different personal data processing operations”, are not met, and reproaches that there is no adequate separation of the different treatments, understanding that the signing of the Privacy Policy is the consent or the “only action” that the interested party performs to authorize the treatments whose consent BBVA requests.

It is paradoxical that “inaction” is argued as the basis for the responsibility that is imputed and that it is also pointed out that said “sole action” is also punishable.

In any case, it is irrefutable that the different purposes for which the consent of the interested party was sought, as can be seen from the mere reading of the text, which foresees varied and different purposes. As many consents as purposes or uses are intended.

c) On the way in which consent has been obtained.

The Agency considers that consent is not unequivocal.
It considers that we are faced with a statement or a clear affirmative action, which is intended to obtain a consent through the inaction of the interested party (“do not check the boxes in which it indicates “I don't want to…””).

BBVA does not share this criterion, as anticipated in the brief of allegations to the Initiation Agreement, in which it presented a series of considerations in relation to the so-called power of control of the interested party over their data, which is respected if we analyze the mechanism devised as a whole and not in isolation, paying attention only to the boxes contained in the Privacy Policy. This is a question on which the AEPD does not argue.

And, as already indicated, the RGPD admits many and different formulas to obtain consent, provided that it is clearly derived from them that the interested party “accepts the proposed treatment of your data”.

The AEPD relies exclusively on the “negative” character of the boxes without analyzing whether the set of actions that the interested party can perform allows one to conclude whether or not there is a deliberate will to consent or not to certain treatments, knowing that absolute certainty of the motivation of the interested party can never be achieved.

In this case, whatever the option of the interested party (whether or not the boxes are marked), it will never be possible to consider that there has been inaction on their part, since that specific inactivity cannot be isolated from the set of actions that the interested party must carry out to register as a client.

Next, it highlights some essential aspects of any registration process of an interested party as a BBVA client:

. In any registration process, the subscription and signing of the Privacy Policy, in which the options offered, manifest and obvious to the interested party.
It is a clear affirmative action carried out with full knowledge of the scope and consequences. In addition, the client has at his disposal, through the application, a procedure to manage his preferences.

. The established formula allows the interested party to make different decisions in relation to the processing of their data, it being obvious that if the interested party does not use them, this is not attributable to the entity.

There is a clear affirmative action, since all interested parties subscribe to the Privacy Policy digitally or in person, but, previously, the interested party takes various decisions, choosing options or preferences. On paper, the signature is inserted in a place where the options offered are visible, so there is conduct that implies acceptance of what is signed; in digital form, the affected party accesses different screens enabled to manage their consent, has a “Check acceptance” and, after the data is collected, the document is available again to proceed with its signature, if they agree.

Neither does a presumed consent take place, since in no case is there a declaration or act of “positive silence” that implies acceptance of the Privacy Policy in its entirety; these are not already marked boxes; nor does inactivity imply the continuity of a service or functionality. The claim made by claimant 3 is a sample of the fulfillment by BBVA of its obligations.

In short, the registration processes through digital and face-to-face channels comply with the requirements expressed in the Guide for heads of the AEPD, which recalls that consent “may be unequivocal and be given implicitly when it is deduced from an action of the interested party”.
Finally, further attention should be paid, in relation to the written statement, to the case referred to as “example 17” in the EDPB Consent Guidelines, since it is a case that can be assimilated to the one that is the subject of this file, by supporting a scenario that contains the options of marking a “yes” and a “no”. It notes that:

“A data controller can also obtain explicit consent from a person who visits its website by offering an explicit consent screen that contains Yes and No boxes, provided that the text clearly indicates consent, for example, “I give my consent to the treatment of my data” and not, for example, “I am clear that my data will be processed”. Needless to say, the conditions of informed consent must be met, as well as the rest of the conditions necessary to obtain valid consent”.

8. Application to the present case of the principles of guilt, proportionality and modifying circumstances of the concurrent responsibility in the same.

a) Of the non-concurrence of guilt in the actions of BBVA.

BBVA has acted at all times with full diligence, following the guidelines of the AEPD and including in its Privacy Policy the mandatory content established in article 13 of the RGPD and extremes that neither the norm nor its interpretation impose; and in the conviction, after it reported on the claims made, that the Agency had not noticed any element that contravenes the provisions of the RGPD and LOPDGDD.

It invokes the Judgment of the AN of 11/19/2008, in which the concurrence of the principle of legitimate confidence is justified, having acted in the belief that its conduct conformed to the law.
And the Judgment, also of the AN, of 10/15/2012 (appeal 608/2011), which assesses "the active participation of the Administration", which could lead the interested party to the conclusion that his conduct was in accordance with the law; that his conduct is not covered by a reasonable legal interpretation of the applicable rules; and the difficulties in interpretation described by the Administration.

b) The application of the principle of proportionality.

BBVA considers that certain aggravating factors appreciated by the Agency would not be applicable to BBVA's conduct and that certain circumstances concur that reduce its responsibility.

c) Aggravating circumstances appreciated by the AEPD.

- Nature, seriousness and duration of the infringement (article 83.2 a) of the RGPD). The Agency treats as an aggravating circumstance an element of the offense itself, namely the alleged breach of the principle of transparency, intrinsically related to the non-compliance with articles 13 and 14 of the RGPD, which is not acceptable in law. The same can be said in relation to the violation of article 6 of the RGPD, which according to the Agency is aggravated by affecting the principle of transparency.

- Supposed absence of adequate procedures for action in the collection and processing of personal data (article 83.2 k) of the RGPD). The same conclusion as in the previous subsection applies, since the Agency's view that BBVA does not have appropriate procedures in place derives from its understanding that the Privacy Policy does not comply with the information obligations or with the requirements for obtaining consent.

- Presumed intentionality in the commission of the offense (article 83.2 b) of the RGPD).
(…) All of this, which appears in the Bank's annual reports from 2016 to 2019, is proof of BBVA's firm and determined will to achieve full compliance with the RGPD, since before its application, as well as with the LOPDGDD. The early start of the aforementioned work, as well as the fact of having involved the stakeholders themselves in the development of the new privacy policy, attest to BBVA's goodwill, proactive responsibility and diligence in complying with the regulations on data protection. The Bank's good faith and its will to adapt its activities to the aforementioned regulations are evident. If the Agency considers that the work of adaptation to the RGPD and the LOPDGDD is irregular or insufficient, the aforementioned regulation provides mechanisms other than the imposition of a fine to correct the deficiencies that the supervisory authority may identify. It cannot be accepted that having carried out diligent and proactive actions to adapt its activities to the new regulatory framework is used against it and considered an aggravating circumstance of its alleged liability, especially bearing in mind that BBVA has adjusted its actions to the guidelines issued by the AEPD.

- Supposed continuous nature of the offense. The Agency was perfectly aware of BBVA's Privacy Policy for almost a year before agreeing to start this sanctioning procedure. It let ten months go by between the first admission for processing and the start of the procedure, without formally making any reproach to BBVA, which acted in the confidence that the supervisory authority had not identified any violation.
Thus, the reproach derived from BBVA's Privacy Policy remaining in place over time should be attributable only to the party that, while considering the conduct reprehensible, kept that opinion hidden for such a long period of time. The AEPD, through its inaction, made it possible for BBVA not to adopt any measure to correct or modify the Privacy Policy.

d) Extenuating circumstances concurring in the case that is the subject of this procedure.

- Intentionality or negligence in the infringement (article 83.2 b) of the RGPD) and degree of BBVA's responsibility taking into account the technical or organizational measures applied (article 83.2 d) of the RGPD): work of adaptation to the RGPD and the LOPDGDD. The actions carried out since 2016 to adapt its activities to the RGPD, already described, show the special diligence and proactivity with which it faced the approval and entry into force of the new regulatory framework. Such actions cannot be used against it as an aggravating circumstance, even less to indicate that they were carried out with the intention of violating the rule. It understands that the lack of intentionality in the commission of the imputed infringements and the high degree of proactive responsibility shown through the aforementioned work.

- Measures taken by BBVA to mitigate the effects of the alleged infringements. Diligent regularization (article 83.2 c) of the RGPD). Regularization measures taken in relation to claims. Development of a new version of the BBVA Privacy Policy. BBVA has carried out a large number of actions to comply fully with the regulations on data protection and to correct any failures revealed by the aforementioned claims.
It may be mentioned that the Bank met the wishes of each of the claimants as soon as it became aware of them, regardless of the validity or correctness of the arguments they put forward, immediately implementing the precise and sufficient actions to prevent their data from being processed against their will.

Likewise, BBVA carried out a whole set of internal actions aimed at repeatedly reminding its entire commercial network of the policies adopted in data protection matters; one more example of the diligence employed.

Once it learned of the opening of the procedure, it intensified its activity in order to reinforce the information provided to customers and developed a new version of the Privacy Policy, without this implying in any case the recognition of the imputed infringements.

According to BBVA, this new version of BBVA's Privacy Policy would deprive of substance all the reproaches made by the AEPD in relation to its transparency. It highlights the following aspects:

- It sets out even more clearly and separately the purposes of the processing of data of representatives, guarantors, authorized persons or beneficiaries, apart from those of customers (in this way, the communication of data is only one of the purposes of the processing of customer data). Likewise, the New Privacy Policy specifies the categories of data affected in each case.

- It offers more detailed information on the categories of customers' personal data subject to processing, distinguishing between those provided directly by the interested party, those collected or generated by BBVA and those obtained from other sources.

- The purposes related to the development of commercial and risk profiles, systematically indicating the types and purposes, the basis of legitimation (describing, where appropriate, the legitimate interest of BBVA), the data used and the time period they cover, as well as the sources of such data.
- It indicates which personal data of customers will be communicated to third parties, who those third parties may be, the purpose of the communication and the basis of legitimacy for it. To this end, communications are treated as a specific purpose, differentiated from the processing of BBVA customer data.

Finally, BBVA points out that, despite what is alleged in this sanctioning file, given that the Agency does not share the criteria of that entity (despite the full legality of its action), and exclusively taking into account the very serious consequences that the Agency's maintenance of this criterion may entail for BBVA, the mechanism for obtaining the consent of the interested party, including in the first information layer differentiated and granular boxes that the interested party must mark if he wishes to authorize BBVA to process his data for each of the purposes indicated. Each box is accompanied by a description of the processing and a reference to the additional information on the purpose contained in the second layer.

BBVA considers that all of the above shows the diligence, proactivity and speed shown to improve the information provided to clients, representatives, guarantors, authorized persons and beneficiaries and to rectify the defects from which, in the opinion of the Agency, such information suffers. Consequently, in BBVA's opinion, in the event that the AEPD considers it responsible for the two offenses charged, the measures taken by the Bank should be taken into account as extenuating circumstances of its eventual liability.

From the actions carried out in this procedure and the documentation in the file, the following have been accredited:

PROVEN FACTS

1. On 10/16/2018, a claim made by claimant 1 against BBVA, for the sending to his mobile phone line, on 10/11/2018, of a promotional SMS without his authorization.
In relation to this claim, BBVA informed this Agency that claimant 1 gave his agreement to the sending of advertising by signing, on 06/07/2016, the document "Customer identification, processing of personal data and digitized signature", provided to the proceedings by the entity itself.

2. On 12/09/2018, a claim made by claimant 2 against BBVA, noting that the BBVA App does not meet the legal requirements related to free and informed consent.

In relation to his complaint, claimant 2 provided a copy of an email addressed to BBVA, dated 11/09/2018, in which the following is expressly indicated:

"Dear BBVA DPO The document attached to the previous message comes from the BBVA APP offered on the Android platform. The aforementioned application requires the user, as a step prior to its use, to provide consent through the electronic signature of a document that only offers the possibility of opposing data processing personal for purposes other than those necessary for the purposes of providing financial services if the Client activates the boxes of opposition to a treatment that BY DEFAULT (see article 25 of the GDPR) should be considered as activated. The informative text is inconsistent with the transparency principle of article 12 of the RGPD…".

BBVA responded to this email through another dated 11/29/2018, which states verbatim:

"The way in which the consent to which you refer is obtained has been considered valid not only in the internal analyses of our own entity, but in all those forums where the question has been raised, since the interested party has the option of choosing, in a simple and easily understandable way, the option they prefer".
The claimant provided to the proceedings a copy of the document generated by the App, labelled "Declaration of economic activity and personal data protection policy", section 1 of which contains the identification data of the client (claimant 2) and his declaration of economic activity. In this document, all the options enabled for the interested party to give consent to the processing of personal data for the purposes expressed in said options ("I don't want ...") are checked.

3. On 02/13/2019, a claim made by claimant 3 against BBVA, in which it is stated that the aforementioned entity required the claimant, in order to unblock the account, to sign the personal data protection document.

Said document, which is provided to the proceedings by claimant 3, corresponds to the so-called "Declaration of Economic Activity and Personal Data Protection Policy". This document appears dated 02/11/2019 and without the interested party's signature. Of the options enabled in this document for the interested party to give consent to the processing of personal data for the purposes expressed in each case, the option "I do not want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others personalized for me by email" is marked.

With its brief of allegations, BBVA also provided another copy of the aforementioned "Statement" signed by claimant 3 on 01/17/2019 and with the same consent option marked.

4. On 05/23/2019, a claim made by claimant 4 against BBVA, for sending commercial communications that had been neither requested nor authorized.

In relation to this claim, BBVA informed this Agency that claimant 4 did not object to the data processing reported in the document "Declaration of Economic Activity and Data Protection Policy", signed by him on 11/26/2018.
In the cited document, which has been provided to the proceedings by BBVA, none of the options offered to the interested party to consent to the processing of personal data is marked.

5. On 08/27/2019, a claim made by claimant 5 against BBVA, for making phone calls and sending advertising SMS messages.

In relation to this claim, BBVA informed this Agency that claimant 5, on 06/18/2018, signed the document "Declaration of Economic Activity and Personal Data Protection Policy", consenting to the processing of his data for commercial purposes. It adds that said document was signed a second time by claimant 5, on 05/27/2019, expressing opposition to the aforementioned processing.

Both documents are provided to the proceedings by BBVA. In the first there is no mark in the boxes enabled for the client to express consent to the processing indicated, and in the second the interested party marked all the options ("I don't want ...").

6. To adapt its actions to the RGPD, BBVA enabled the personal data collection form called "Declaration of economic activity and personal data protection policy". Section 1 of this document contains the identification data of the client and the declaration of economic activity. Other data include those related to name, surname, tax identifier, date of birth, nationality, address, marital status, matrimonial status, contact details, fixed and variable income, entity in which the client provides services or gross annual income.

Through this document, established by BBVA as mandatory for all customers, the entity discloses the terms of its privacy policy and establishes the mechanisms by which clients can give their consent to the processing of their personal data for the purposes indicated in the document.
The client's signature and the date are included at the end of section 2, "Protection of personal data", which expressly informs the interested party that by signing he agrees to the "Declaration of economic activity and personal data protection policy". Immediately after the signature come the "Extended Information" on the protection of personal data and a glossary of terms.

In relation to the giving of consent, immediately before the space provided for the signature, interested parties are offered the possibility of marking the following options:

"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.

Products and prices more adjusted to you
[ ] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others customized for me.
[ ] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me.

Quality improvement
[ ] I DO NOT want BBVA to process my data to improve the quality of new and existing products and services.

We want to remind you that you can always easily change or delete the use that we make of your data".
(The content of the form "Declaration of Economic Activity and Personal Data Protection Policy" provided by claimant 3 is similar to that reproduced in Annex 1, except for the detail relating to the box through which the customer is offered the option "I do not want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others personalized for me", which allows the following channels to be marked: [ ] By email [ ] By SMS [ ] By phone (phone call) [ ] By post)

The entire content of this "Declaration of economic activity and personal data protection policy" is declared reproduced in this act for evidentiary purposes (section 2 "Personal Data Protection Policy" and "Extended Information" is included as Appendix 1).

7. (…)

8. (…)

9. In response to the request for evidence made by the instructor of the procedure, BBVA provided the following documents for the proceedings:

- Impact evaluation on the protection of personal data for the processing related to commercial profiling (the content of this document, as far as the present procedure is concerned, is outlined in the Eighth Antecedent).

- Impact evaluation on the protection of personal data for the processing related to risk profiling (the content of this document, as far as the present procedure is concerned, is outlined in the Eighth Antecedent).

- Report on the weighting of the prevalence of legitimate interest in the processing to which the purpose numbered as 2 refers in the section "For what purposes are the we will use?", contained in the personal data collection form "Declaration of economic activity and personal data protection policy" (the content of this document is also outlined in the Eighth Antecedent).

- Record of processing activities (the content of this document is excerpted in the Ninth Antecedent).
These documents are declared reproduced in this act for evidentiary purposes.

10. BBVA has stated in its brief of allegations that the total number of natural person clients amounts to eight million thirty-one thousand. The entity's website reports that the number of customers exceeds ten million.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this procedure.

Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they are not contradicted, in the alternative, by the general rules on administrative procedures."

II

As a preliminary matter, it is deemed appropriate to analyze the formal questions raised by BBVA in its brief of allegations.

First of all, BBVA considers that the initiation agreement is invalid due to the defenselessness produced by the setting of the amount of the sanction in the opening agreement, instead of expressing only the limits of the possible sanction, without the aggravating factors having been reasoned and without the entity having had the opportunity to express itself in that respect. For this same reason, it considers that the initiation agreement exceeds the legally foreseen content, violating article 68 of the LOPDGDD, and understands that this affects the impartiality of the investigating body, which knows before starting the procedure the criteria of the body to which the file must be submitted, in clear breach of the principle of separation of the investigation and sanction phases (article 63.1 of the LPACAP).
In this regard, BBVA adds that article 85 of the LPACAP, which is invoked in the operative part of the agreement to open the procedure to specify the reductions that the acknowledgment of responsibility entails, determines that the amount of the pecuniary sanction may be determined "initiated the sanctioning procedure" and that it is only applicable to cases that give rise to the imposition of a fine of a fixed and objective nature.

This Agency does not share the position expressed by BBVA in relation to the content of the agreement to open this sanctioning procedure.

In the opinion of this Agency, the initiation agreement issued is in accordance with the provisions of Article 68 of the LOPDGDD, according to which it is enough for the agreement to initiate the procedure to specify the facts that motivate the opening and to identify the person or entity against which the procedure is directed, the offense that could have been committed and its possible sanction (in this case, of the different corrective powers contemplated in article 58.2 of the RGPD, the Agency deemed appropriate the imposition of a fine, in addition to the adoption of measures to bring its conduct into line with the regulations, without prejudice to what may result from the investigation of the procedure).

Article 64.2 of the LPACAP, which expressly establishes the minimum content of the initiation agreement, is to the same effect. According to this provision, among other details, it must contain "the facts that motivate the initiation of the procedure, its possible legal qualification and the penalties that may correspond, without prejudice to what results of the instruction".

In this case, not only are the aforementioned requirements fully met, but the agreement goes further by offering reasons that justify the possible legal classification of the facts assessed at the outset and even mentioning the circumstances that may influence the determination of the sanction.
In accordance with the foregoing, it cannot be said that indicating the possible sanction that may correspond to the imputed infringements causes defenselessness or entails a breach of the principle of separation of the investigation and resolution phases. On the contrary, it complies with one of the requirements set forth in the regulations reviewed.

Nor can it be forgotten that article 85 of the LPACAP contemplates the possibility of applying reductions to the amount of the sanction if the offender acknowledges responsibility and in case of voluntary payment of the penalty. This provision establishes the obligation to specify those reductions in the notification of initiation of the procedure, which entails the need to set the amount of the penalty corresponding to the facts charged.

Contrary to what BBVA has stated, article 85 of the LPACAP does not establish that the amount of the sanction is determined once the procedure has started. It is the acknowledgment of responsibility and the voluntary payment of the sanction that must occur after that time, and not the setting of the amount of the penalty, as stated by BBVA.

If this acknowledgment of responsibility or voluntary payment, which would determine the termination of the procedure, does not occur, the procedure is investigated and the proposed resolution is subsequently issued, setting out the facts that are considered proven and their exact legal classification, the infringement that, where applicable, they constitute, the person or persons responsible and the sanction proposed, and the assessment of the evidence taken, especially that which constitutes the basic grounds of the decision. This must be notified to the interested party, granting a period of time to make allegations and present the documents and information deemed relevant.
In no case will a resolution be adopted without the interested party having had the opportunity to express itself on all the points considered.

The brief of allegations to the resolution proposal presented by BBVA contains no argument that alters this approach and the conclusion set forth.

BBVA, in this case, has enjoyed all the guarantees that the procedural regulations provide for the interested party, and it cannot be said that the determination of the amount of the fine in the opening agreement entails any loss of said guarantees causing defenselessness.

Nor does this circumstance undermine the impartiality of the investigating body, which has all the powers conferred by the regulations in question and full freedom to issue its proposed resolution. One need only go to the Agency website, where all resolutions issued in sanctioning procedures are published, to verify the great number of them that end with a resolution archiving the proceedings, following the proposal issued by the procedure instructor, as well as those others in which said proposal increased or decreased the amount of the penalty set in the opening agreement or even proposed the application of a corrective power other than the fine.

The interested entity also questions the initiation agreement for having "exceeded" itself by adding to its content a brief statement of the circumstances that in the opinion of the sanctioning body justify the initiation of the procedure, understanding that this violates its rights. This Agency does not understand this argument, especially considering that BBVA has alleged the existence of some ground of defenselessness on several occasions.

Article 68 regulates the content that the agreement to initiate the procedure for the exercise of the sanctioning power must include, namely the facts, the identification of the person or entity against whom the procedure is directed, the infringement that could have been committed and its possible sanction.
However, this is the minimum content required, the elements that must be detailed in the aforementioned agreement to determine its validity. But nothing prevents it, as indicated above, from offering reasoning regarding the possible legal classification of the facts assessed at the initiation or mentioning the circumstances that may influence the determination of the sanction, which will undoubtedly benefit the interested party, who sees their right of defense reinforced.

It is true, on the other hand, that under the sanctioning regime prior to the LPACAP this Agency did not set the amount of the possible sanction in the initiation agreement, indicating instead the minimum and maximum limits that corresponded to the infringement charged. And so it was until the entry into force of the LPACAP in October 2016, at which point that approach was modified, precisely to comply with what is established in article 85 of said Law and to offer the interested party the alternatives it establishes.

Likewise, BBVA understands that the provisions of article 85 of the LPACAP mean that the amount of the fine is determined once the procedure has started. Thus, it notes that this provision states that the acknowledgment of responsibility may determine the imposition of the "appropriate" sanction, so that such setting seems to be envisaged after the acknowledgment of responsibility; and that its section 3 establishes that the reductions should be applied to the "proposed" sanction, which seems to refer to the proposed resolution as the proper place to determine the aforementioned amount.

This Agency cannot share this argument. Suffice it to point out that voluntary payment can be made by the interested party at any time during the procedure prior to the resolution and implies its termination.
This being the case, for the interested party to be able to use this option, the amount of the sanction must be established at the outset. In the same way, it will be difficult for the interested party to acknowledge responsibility at the start of a sanctioning procedure if the agreement that determines that initiation does not indicate the scope that will be attributed to that acknowledgment of responsibility.

On the other hand, BBVA alleges that the AEPD has shown manifest inactivity, having limited itself to transferring the claims, and not all of them, to the entity's DPD and to agreeing their admission for processing. It considers that the preliminary investigation phase was kept open for ten months without any activity aimed at investigating the content of the claims being carried out, and that the Agency waited for a significant number of claims to reactivate a procedure that had been "suspended" since the first admissions for processing, which deals only with the "Declaration of Economic Activity and Data Protection Policy", held by the Agency since the presentation of the claim by claimant 2. It adds that during that time BBVA acted in the confidence that there was no irregularity, so that the inaction of the AEPD has aggravated the reproach.

Finally, in relation to these questions, it indicates that it did reply to the transfer of the claim made by claimant 3, contrary to what is indicated in the agreement to open the procedure, which states that the Agency did not receive a reply.

The steps taken by this Agency to which BBVA refers in the above allegation relate to the process of admission for processing of the claims received, which included, for four of the five claims received, their transfer to the responsible entity, prior to the agreement to admit the claim.
In accordance with the provisions of article 55 of the RGPD, the Spanish Agency for Data Protection is competent to perform the functions assigned to it in Article 57, including enforcing the Regulation and promoting the awareness of controllers and processors of their obligations, as well as handling claims submitted by an interested party and investigating their subject matter.

Correspondingly, article 31 of the RGPD establishes the obligation of controllers and processors to cooperate with the supervisory authority that requests it in the performance of its duties. Where they have designated a data protection delegate, article 39 of the RGPD assigns to that delegate the function of cooperating with said authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has provided a mechanism prior to the admission for processing of claims made before the Spanish Data Protection Agency, which consists of transferring them to the data protection delegates designated by the controllers or processors, for the purposes provided in article 37 of the aforementioned regulation, or to the latter when they have not designated one, so that they analyze said claims and respond to them within a month. It is an optional step, so this transfer is carried out if the Agency so decides.

In accordance with these regulations, prior to the admission for processing of the claims that give rise to the present procedure, four of them were transferred to the responsible entity so that it could analyze them, respond to this Agency within a month and certify having provided the claimant with the proper response.
The result of said transfer was not satisfactory; therefore, for the purposes provided for in article 64.2 of the LOPDGDD, it was agreed to admit for processing the claims submitted, through agreements that were duly notified to the claimants, and not to BBVA, in accordance with the provisions of article 65.5 of the LOPDGDD.

In this regard, said entity has stated that it responded to the transfer of the claim made by claimant 3 and provides proof of its posting, although said response is not included in the corresponding file for admission for processing.

On the other hand, BBVA is mistaken in stating that the preliminary investigation phase was kept open for ten months without any activity, with no specific investigative action on record. In this case, it should be clarified, it was not agreed to open a preliminary investigation phase, which is established as optional in Article 67 of the LOPDGDD. No legal consequence can be attributed to this fact, nor to the time elapsed between the admission for processing of the claims and the opening of the procedure, as there is no rule that limits the time the Administration has to start this type of procedure, beyond the rule of prescription and the effects attributed to it.

During that time interval there was no procedure in progress that could be understood as suspended, as indicated by the responsible entity, nor can it be maintained that said period endorses BBVA's privacy policy or that during that time the responsibility of the entity in compliance with regulations. Regardless of the effect that can be attributed to the time interval prior to the opening of the sanctioning procedure, there can be no doubt that there were no circumstances that allowed BBVA during that period to understand, even incidentally, that there was no reproach on the part of this Agency in relation to the issues raised by the claims submitted.
BBVA was aware of the claims made and also knew that there was no statement from this Agency in this regard.

Nor is there any rule that prevents the opening of a single sanctioning procedure originating from several claims directed against the same controller.

In its brief of allegations to the resolution proposal, BBVA reiterates its protest about the inactivity of the Administration. In its understanding, this inactivity is manifest, once the AEPD agreed to dispense with preliminary investigation actions, for the entire period between the admission for processing of the claim made by claimant 2, on 02/01/2019, and the opening of the procedure on 12/02/2019, ten months later.

On the other hand, it rejects the approach set out above, according to which the only time limitation for the opening of the sanctioning procedure is determined by the limitation periods of the alleged infringement. It considers that articles 64.2 and 67 of the LOPDGDD establish three successive phases without interruption (admission for processing, preliminary investigation actions and opening of the sanctioning procedure), each of them with marked time limits, so that, if preliminary investigation actions are not undertaken, once the claim has been admitted for processing, the sanctioning procedure must be opened immediately.

In this case, according to BBVA, the AEPD should have agreed to open the procedure at the time it decided to admit the claim of claimant 2, that is, on 02/01/2019, so the procedure should have concluded on 11/04/2019. However, that opening took place on 12/02/2019, almost a month after the date on which the procedure should have concluded by means of the corresponding resolution. BBVA understands that this unjustified inactivity results in the expiration of this procedure, given that the term to resolve would have expired on the same date as the start agreement.
It should be noted that BBVA's approach to this issue in its allegations to the opening does not conform to law. On the one hand, there is no rule applicable to the sanctioning procedure in matters of personal data protection that establishes a preclusive period for agreeing its opening; and, on the other hand, the expiration period of this procedure, established at nine months, is computed from the date on which its start is agreed, making it inappropriate to add to that computation, for the purposes of measuring the duration of the administrative file, any other period, such as the time of the preliminary investigation actions, where these are carried out, or, in this case, the time corresponding to the phase of admission for processing of the claims filed.

This has been repeatedly stated by our Supreme Court. Its Judgment of 10/21/2015 cites the Judgment of 12/26/2007 (appeal 1907/2005), which states the following:

“[…] The term of the procedure […] is counted from the initiation of the sanctioning file, which obviously excludes from the computation the time of the reserved information”; “[…] The greater or lesser duration of the preliminary phase does not entail the expiration of the subsequent procedure”.

Also in the Supreme Court Judgment of 10/13/2011 (appeal 3987/2008), which examines a ground of appeal relating to the computation of the expiration period of the procedure, the following is declared:

“We cannot share the reasoning presented by the Court of Instance to establish a dies a quo different from that established by law, indicating as the initial date of the computation the day following the completion of preliminary informational proceedings.
[…] Well, once these previous actions have been carried out, the time it takes the Administration to agree to initiate the procedure […] may have the appropriate consequences regarding the calculation of the prescription (extinction of the right); but it cannot be taken into consideration for the purposes of expiration, since this figure is intended to ensure that once the procedure the Administration does not exceed the term available to resolve. In the third legal ground of the judgment under appeal, the Court of Instance makes an interpretation of the rule that does not accord with the nature of the institution of expiration, since unlike prescription, which is a cause of extinction of the right or responsibility in question, expiration is a way of terminating the procedure due to the expiry of the period established in the rule, so its appreciation does not prevent, if the period established for the prescription of the action of restoration of urban legality by the Administration, the initiation of a new process”.

On this same issue, BBVA invokes the doctrine established by the National High Court (AN) in its Judgment of 10/17/2007 (appeal 180/2006), which is outlined in the Background, in which it revealed the illegality of the improper or unfounded extension of preliminary investigation actions. This Judgment refers to a case processed by the AEPD in which the preliminary investigation actions remained inactive for almost eleven months, when the entity in question had responded to the request for information in the first two months of the processing of said actions. The National Court concluded that there was a “[…] fraudulent use of the institution of preliminary proceedings. We are therefore faced with a case of fraud of law contemplated in article 6.4 of the Civil Code, inasmuch as it is intended to circumvent the application of Art.
42.2 of Law 30/1992 using the request for information to, with it, avoid the expiration of the sanctioning file”.

It is necessary to specify that the National Court modified this criterion based on the Judgment of 11/19/2008 (appeal 90/2008).

In any event, this file does not match the case analyzed in the Judgment invoked, not only because that Judgment refers to a case of fraudulent use of preliminary investigation actions, which have not been carried out in the case at hand, but also because in this case no procedure or precept has been used to avoid the expiration of the procedure, which has not occurred. The provisions of article 6.4 of the Civil Code are not breached, according to which “Acts carried out under the text of a norm that pursue a result prohibited by the legal system, or contrary to it, will be considered executed in fraud of law and will not prevent the due application of the rule that has been tried to evade”.

Furthermore, in this case it cannot even be said that the period to which BBVA refers, which covers the time elapsed between the admission for processing of the claim of claimant 2 (02/01/2019) and the opening of the procedure (12/02/2019), was a period of inactivity of the Administration, since during that time the admission procedures for the rest of the claims were carried out. The claims submitted by claimants 3 to 5 were received by this Agency on 02/13/2019 (a few days after that admission for processing on 02/01/2019), 05/23/2019 and 08/27/2019, and were admitted for processing through agreements of 08/06/2019, 09/13/2019 and 10/30/2019, respectively.

On the other hand, BBVA understands that the procedure is used to adopt general criteria for interpreting the rules to the detriment of BBVA.
In this regard, it cites the Judgment of the National High Court of 04/23/2019 (appeal 88/2017), which declared contrary to the principles of sanctioning law the establishment of general criteria within a sanctioning procedure.

This Agency does not share the conclusion expressed by BBVA. As can be verified in the opening agreement, and even more so in this act, the agreements adopted are based on what is expressed in the applicable regulations and on consolidated interpretations of them.

III

Taking into account the regulatory change entailed by the approval of the RGPD, applicable as of May 25, 2018, these actions are carried out for the analysis of the personal data collection form used by the BBVA entity after that date, called by said entity "Declaration of economic activity and personal data protection policy", to determine the scope of said document and the possible irregularities that may be appreciated from the point of view of the personal data protection regulations. Therefore, any reference to the document regarding the processing of personal data signed by claimant 1 in the year 2016 is left out.

From the perspective of personal data protection regulations, this resolution will analyse the information offered by BBVA to its clients on the protection of personal data through said document, and specifically: (1) BBVA's compliance with the principle of transparency established in articles 5, 12 and following of the RGPD, and related precepts; (2) the different processing operations on its clients' personal data that the entity carries out according to the information provided; and (3) the mechanisms used to obtain the consent of the interested parties.

All this, within the framework of the new regulations, constituted by the RGPD, applicable since 05/25/2018, and the LOPDGDD, in force from the day following its publication in the Official State Gazette, which took place on 12/06/2018.
The information offered in this matter through any other channel or document, such as the forms used to contract products or services that, due to their specialty, include their own Data Protection, is not analysed. Nor are the actions examined of the companies that make up the so-called “BBVA Group” in relation to the personal data communicated to them by BBVA in accordance with the provisions of the "Declaration of economic activity and personal data protection policy".

The analysis of the procedures established by BBVA for the management of customer rights, as well as of the mechanisms used by the aforementioned entity for the modification of the consents given through the repeated form, is likewise left out.

Likewise, although the information contained in the Impact Assessments provided by BBVA has been outlined in the Background, no analysis of data security is carried out.

In accordance with the foregoing, the conclusions that may be derived from this procedure will not entail any pronouncement regarding the aspects discarded above, or in relation to the entities of the BBVA Group.

The object of the procedure, as expressly stated in the opening agreement, is therefore the form that discloses the terms applicable to the protection of personal data and requires the consent of the interested parties.

In BBVA's opinion, the non-existent link between the claims made and the stated object of the procedure is a cause justifying the filing (closure) of the proceedings, inasmuch as the allegedly infringing facts invoked cannot be the basis on which the AEPD supports the opening of this procedure.
It understands that the scope of the Privacy Policy contained in that form is analysed without linking any reasoning to the content of the claims, and invokes the same Judgment of the National Court cited in the previous Legal Ground (SAN of 04/23/2019; appeal 88/2017), which annuls the sanction of the AEPD, among other reasons, due to a discrepancy between the complaint and the object of the sanctioning resolution.

This claim should also be rejected for several reasons: (i) the doctrine established in the cited judgment is applicable to events prior to the RGPD, which establishes a new and different legal regime that must be taken into account in the procedure; (ii) in addition, the facts revealed in the claims of the claimants/complainants are closely linked to the document containing the privacy policy and through which BBVA collects the consents for the activities carried out, and the examination of said claims, of the documentation provided by BBVA, and of the form used shows that BBVA's actions transcend the five claims presented, since its conduct in the five cases described by each of the claimants responds to the general policy of the entity in data protection matters, which this AEPD understands is carried out, in the words of the RGPD itself, "in violation of the Regulation"; and (iii) unlike what was reported in the so often cited judgment of the National High Court (see its Ninth legal ground), in this resolution reference is made to the specific complaints and to an assessment of the evidence gathered around them, which concern specific and individualized behaviors in relation to certain natural persons, but these complaints also transcend them.

The RGPD has established its own specific regime regarding procedures before the supervisory authorities in matters of data protection.
Chapter VIII of the RGPD is entitled "Remedies, liability and penalties", and the first Article of said Chapter VIII, Article 77, establishes the right to lodge a claim with a supervisory authority.

Art. 77.1: Without prejudice to any other administrative or judicial remedy, any interested party will have the right to file a claim before a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if he or she considers that the processing of personal data concerning him or her violates this Regulation.

At the same time, art. 79 RGPD establishes that, [w]ithout prejudice to the available administrative or extrajudicial remedies, including the right to file a claim with a supervisory authority under article 77, all interested parties shall have the right to effective judicial protection when they consider that their rights under this Regulation have been violated as a consequence of a processing of their personal data.

We therefore see that a "claim" from an individual can give rise to two types of procedures, one related to violations of the RGPD in general, and another for violation of the individual's rights.

In the LOPDGDD this distinction is reflected in Title VIII, which jointly regulates the procedures in case of possible violation of the data protection regulations. Thus, its art. 63.1, Legal regime, includes (a) the procedures in case of infringement of the RGPD and the LOPDGDD itself and (b) those derived from a possible violation of the rights of the interested parties. The LOPDGDD does not foresee any additional type of procedure in case of possible violation of data protection regulations, so that all the functions and powers that the RGPD grants to the supervisory authorities in arts. 57 and 58 RGPD will have to be exercised through said procedures in case of possible violation of data protection regulations. There are no others.
It follows from this, also taking into account art. 64 LOPDGDD, that when the procedure is directed exclusively at the failure to attend to a request to exercise the rights of articles 15 to 22 RGPD a claim will be necessary, but that (art. 64.2 LOPDGDD) [w]hen the purpose of the procedure is to determine the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and of this Organic Law, it will be initiated through an initiation agreement adopted on its own initiative or as a consequence of a claim.

That is, both the RGPD and the LOPDGDD consider that a claim by an affected party may be the way or means of bringing a possible infringement of data protection regulations to the supervisory authority's attention, but in no case do they restrict the action of the supervisory authority to the specific and concrete complaint of those affected. And this for many reasons, among which stands out, as may be the case in the present procedure, that from the confluence of several claims by affected individuals there may emerge an action of the controller of a general character (that is, not only in the specific cases presented by the claimants), from which it turns out that these specific cases are the reflection of a common guideline or policy applied to all those affected who are in the same situation as the interested parties.

With an example different from the current procedure, this can be understood more clearly.
An entity could be considered to be in breach of data protection regulations in a specific case when said action, individually considered, involves a deviation from the company's general rules or policies (for example, the entry of a debt in a delinquency file in a specific case in breach of its own privacy policy); but when an action considered incorrect derives from a policy adopted by the controller, so that it is not a matter of errors in five cases, but these five cases are only the sample of a general policy adopted that is considered to be in violation of the RGPD, the violation does not reside exclusively in the five cases examined but in the privacy policy adopted by the controller. It will be said privacy policy that constitutes an infringement of the RGPD, and not only the specific infringements based on said privacy policy.

The opposite would be inconsistent with the purpose and will of the Community legislator, expressly set forth in the RGPD, that the supervisory authorities monitor and enforce the RGPD, and with the provisions of the RGPD under which "infringements" of the data protection regulations can be revealed through "claims" that may transcend the individual claims made.

It is enough to point out in this regard, already in this specific case, that all the personal data processing operations that are the subject of the claims made are justified by BBVA with the aforementioned document "Declaration of Economic Activity and Data Protection Policy" and its signature by the claimants, as recorded in the Proven Facts.
The BBVA entity itself declares in its allegations that the claim made by claimant 2 refers to the content of the privacy policy and the process of obtaining consent; makes a general reference to “those cases in which the claimant has shown its disagreement with the way to obtain consent”; and, also in relation to claimant 2, BBVA refers to the “accusations made on the privacy policy… or the legality of the data processing”; all of which dismantles its argument about the lack of relationship between the claims and the start agreement.

In this case, claimant 2 expressly warned that to give consent “It only offers the possibility of opposing the processing of personal data for purposes different from those necessary for the purposes of providing financial services if the client activates the boxes of opposition to a processing that BY DEFAULT (see article 25 of the RGPD) should be considered as activated” and that “The informative text is inconsistent with the principle of transparency of article 12 of the RGPD”.

In the case of claimant 1, the sending to his mobile phone line of a promotional SMS is reported, which BBVA justifies by stating that claimant 1 gave his consent by signing, on 06/07/2016, the document “Identification of the client, processing of personal data and digitized signature”.

The claim made by claimant 3 refers specifically to the "Declaration of Economic Activity and Personal Data Protection Policy".

Claimant 4, for his part, reports the sending of commercial communications that he has not requested or authorized, which BBVA also justifies by noting that this claimant did not object to the data processing reported in the document “Declaration of Economic Activity and Data Protection Policy”, signed by him on 11/26/2018.
And, finally, claimant 5 makes a claim against BBVA for the receipt of telephone calls and advertising SMS, also justified by that entity on the basis of the consent given by the claimant by signing the document “Declaration of Economic Activity and Personal Data Protection Policy” for the processing of the claimant's data for commercial purposes.

Based on the foregoing, all these claims concern processing of the claimants' personal data that BBVA bases on the consent given by the data holders by signing the repeated "Declaration of Economic Activity and Data Protection Policy". To assess the regularity of this processing it is essential to analyze the consent given and its validity, for which it is decisive, in particular, to check the information offered on the protection of personal data and the mechanisms enabled to obtain the consent of those affected, without forgetting the rest of the principles and guarantees established in the applicable regulations.

Consequently, the AEPD has decided to analyze the impact of the repeated document "Declaration of economic activity and personal data protection policy", which contains the information that BBVA provides as a priority to its customers and the mechanisms for collecting consents. In view of the deficiencies noted in it with respect to the data protection regulations, it turns out that such deficiencies have a general scope, so that all the clients of the entity are affected, and not just the five claimants, with the result, as has been stated, that the infringement does not occur exclusively with respect to the five claimants, but generally as a consequence of said privacy policy.

It cannot be said, therefore, that there is no link between the object of the procedure and the claims. Proof of this is the definition of the object of the file contained in the initial paragraphs of this Legal Ground.
As the so often cited judgment of the AN states, “the account of "proven facts", both in criminal and administrative sanctioning proceedings, it is essential to establish the facts and the typified conducts, since only in this way will the principle of typicity, which, according to the doctrine, is "the legal description of a specific conduct to which the administrative sanction will be connected."” In the present case, it is reiterated, the proven facts are clear in that it is BBVA itself that highlights that its action responds to the fact that all the claimants agreed to and signed the "Declaration of economic activity and personal data protection policy"; therefore in no case is there defencelessness.

In any case, no rule prevents the body that exercises the sanctioning power, when it decides to open a sanctioning procedure, always ex officio (art. 63.1 of Law 39/2015, of October 1), from determining its scope in accordance with the circumstances revealed, even if they do not strictly conform to the statements and claims of the complainant. That is, the agreement to initiate the sanctioning procedure is not constrained by the complaint (the “claim”) presented by the individual.

This is not so in procedures processed at the request of the interested party, in which article 88.2 of the LPACAP requires that the resolution be congruent with the requests made by that party. Even in this case, the authority of the Administration to initiate a new procedure ex officio.

This same article 88 of the LPACAP, referring to the content of the resolution, in its paragraph 1 establishes the obligation to decide all questions raised by the interested parties and those others that derive from the procedure, including related matters not raised by the interested parties. This article expressly states the following:

“1.
The resolution that puts an end to the procedure will decide all the questions raised by the interested parties and those others derived from it. In the case of related questions that have not been raised by the interested parties, the competent body may rule on them, making this known to them for a term not exceeding fifteen days, so that they may formulate the allegations they consider pertinent and provide, where appropriate, the means of proof”.

In the sanctioning procedure, even the facts that are revealed during its investigation, which will be determined in the resolution, may motivate the modification of the allegations contained in the initiation of the procedure or of its legal qualification. In this sense, when referring to the specialties of the resolution in sanctioning procedures, article 90 of the LPACAP establishes:

“2. In the resolution, events other than those determined in the course of the procedure, regardless of its different legal assessment…”.

IV

The aforementioned form enabled by BBVA to collect personal data from its clients discloses the new terms applicable to the protection of said personal data on account of the contracted services and requires the consent of the interested parties for their use for the purposes indicated in the document. The full content of this information is reproduced in Annex 1 to this agreement of opening of proceedings. However, it is considered relevant to highlight the following aspects:

In the information provided to customers, the following are identified: the BBVA entity as data controller, the types of personal data that will be processed, the processing operations that will be carried out, including data communications, and the purposes for which the data in question are processed, as well as the legitimizing basis of the processing. The final two sections are dedicated to the conservation of personal data and the rights of the interested parties.
On the types of data of clients, representatives, guarantors, authorized persons or beneficiaries, in the section "What personal data does BBVA process about you?", included in the "Extended information", the following categories are expressly specified:

“
- Identification and contact data (including postal and/or electronic addresses).
- Signature data (including the digitized and electronic signature that we will comment on later).
- Codes or identification keys for access and operation in the remote channels that you use in your relationship with BBVA.
- Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer).
- Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer).
- Sociodemographic data (such as age, family situation, residences, studies and occupation)”.

Regarding the purposes for which the personal data of clients will be used, the document lists the following:

1. Manage the products and services that you have, request or contract with BBVA.

2. Get to know you better and personalize your experience.

“At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations (payments, income, transfers, debts, receipts) as well as the uses of BBVA products, services and channels.
Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we manage to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider to be in line with your profile (own or marketed by BBVA), as well as personalized offers with prices more adjusted for you. As we will know you better, we can congratulate you on your anniversary, wish you a good day or happy holidays. If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or at any of our offices. This section is only applicable to BBVA clients”.

3. Offer you products and services from BBVA, the BBVA Group and others, customized for you. We are not going to flood you with information.

“Offer you BBVA products and/or services
We would like to keep you up to date on new BBVA products and services, as well as give you advice and recommendations to better manage your financial situation. We can also send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client.

Offer of products and/or services of the BBVA Group and third parties
We can send you information, according to your customer profile, about financial and non-financial products, services and offers of BBVA Group companies and third parties (including products and services of which BBVA is a marketer) belonging to these sectors of activity: financial, parabanking, insurance, automotive, travel, telecommunications, supplies, security, IT, education, real estate, consumer products, leisure and free time, professional services and social services.
Channels for sending commercial information
We will contact you through different channels: postal mail, email, push notifications, SMS, social networks, banners, web pages or other equivalent means of electronic communication. This section only applies to BBVA customers”.

4. Communicate your data to BBVA Group companies so that they can offer you their own products and services personalized for you.

“If you want the BBVA Group companies included at this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf to be able to offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile (amount of income and expenses, balances and use of our channels). This information will be processed to try to improve the characteristics and prices of the offering of products and services. The BBVA Group companies will only process your data for that purpose”.

5. Improve the quality of products and services.

“We need to use your information anonymously, without any characteristics that can identify you, because at BBVA we want to:
- Increase your degree of customer satisfaction.
- Meet your expectations.
- Perfect our internal processes.
- Improve the quality of existing products and services.
- Develop new products and services of our own or of third parties.
- Carry out statistics, surveys, actuarial calculations, averages and/or market studies that may be of interest to BBVA or third parties.
- Improve instruments to combat fraud.
This information is obtained from the use of BBVA products, services and channels. At all times, we process the data using secure and up-to-date internal protocols. This section only applies to BBVA customers”.

BBVA refers to legitimate interest as the legitimizing basis for the use of the data for the purpose indicated under number 2, and to consent in relation to purposes 3, 4 and 5.
Regarding the use of data based on legitimate interest, the document warns of the possibility of objecting by sending an email to the address indicated or at any of the entity's offices. And it adds:

“For the legitimate interest of BBVA, so that from BBVA we can better meet your expectations and we can increase your level of customer satisfaction by developing and improving the quality of own or third-party products and services, as well as perform statistics, surveys or market studies that may be of interest.
Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays.
These legitimate interests respect your right to the protection of personal data, to honor and to personal and family privacy. At BBVA we consider that, as a customer, you have a reasonable expectation that your data will be used so that we can improve products and services and you can enjoy a better customer experience. In addition, we estimate that you also have a reasonable expectation of receiving congratulations on your anniversary, or of being wished a good day or happy holidays. But remember that in both cases based on legitimate interest, you can always exercise your right to object if you consider it appropriate at the following address: derechosprotecciondatos@bbva.com or at any of our offices”.

On the data of representatives, guarantors, authorized persons or beneficiaries, it is reported that they will be processed solely for the management of the contract.

On the other hand, the repeated document reports the communication of personal data to the BBVA Group companies, basing this data communication on the consent of the interested party.
In this case, no distinction is made as to whether the data that will be communicated correspond to clients or to representatives, guarantors, authorized persons and beneficiaries, but since the data of these interested parties is only used for the fulfillment of the contractual relationship, it is understood that the information about the communication of data to the companies of the Group does not refer to them.

In relation to the communication of personal data, the "extended information" indicates the following:

"We will not transfer your personal data to third parties, unless we are required by law or you have previously agreed to it with BBVA.

As we have indicated, if you consent previously, we may communicate to the companies of the BBVA Group included in this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf your identification, contact and transactional data so that you can receive personalized offers.

In order to provide you with an adequate service and manage the relationship that we maintain with you as a client, at the following address http://bbva.lnfo/empresasdatos you will find a list by categories of companies that process your data on behalf of BBVA, as part of the provision of services that we have contracted.

We also inform you that, for the same purpose as that indicated in the previous paragraph, certain companies that provide services to BBVA may access your personal data (international data transfers). These transfers are made to countries with a level of protection comparable to that of the European Union (adequacy decisions of the European Commission, standard contractual clauses as well as certification mechanisms). For more information you can contact the BBVA Data Protection Officer at the following email address: dpogruppbbva@bbva.com”.
The signature of the document by the client and the date are included at the end of section 2, "Personal data protection policy", in which it is indicated that, with the signature process, the client agrees to the Declaration of Economic Activity and Data Protection Policy. Immediately before the space provided for the signature, the following is reported:

"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.

Products and prices more adjusted to you

[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others, personalized for me.

[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me.

Quality improvement

[] I DO NOT want BBVA to process my data to improve the quality of new and existing products and services.

We want to remind you that you can always easily change or delete the use that we make of your data".
V

Article 5 "Principles relating to treatment" of the RGPD establishes:

"1. The personal data will be:

a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency");

b) collected for specific, explicit and legitimate purposes, and will not be further processed in a way incompatible with said purposes; according to Article 89 (1), further processing of personal data for archival purposes in the public interest, scientific research purposes and historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of purpose");

c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) accurate and, if necessary, updated; all reasonable steps will be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay ("accuracy");

e) maintained in a way that allows the identification of the interested parties for no longer than necessary for the purposes of processing personal data; personal data may be kept for longer periods provided they are treated exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89 (1), without prejudice to the application of the appropriate technical and organizational measures imposed by this Regulation in order to protect the rights and freedoms of the data subject ("limitation of the conservation period");

f) processed in such a way as to guarantee adequate security of personal data, including the protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ('integrity and confidentiality').

2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and able to prove it ('proactive responsibility')”.

In relation to the aforementioned principles, account is taken of what is stated in Recital 39 of the aforementioned RGPD:

"39. All processing of personal data must be lawful and fair. For natural persons it should be totally clear that personal data concerning them are being collected, used, consulted or otherwise processed, as well as the extent to which said data are or will be processed. The principle of transparency requires that all information and communication regarding the treatment of said data is easily accessible and easy to understand, and that simple and clear language is used. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes thereof, and to the additional information to ensure fair and transparent treatment regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. Natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data, as well as how to enforce their rights in relation to the treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are treated. This requires, in particular, ensuring that their conservation period is limited to a strict minimum. Personal data should only be processed if the purpose of the treatment could not be reasonably accomplished by other means.
To ensure that personal data is not kept longer than necessary, the controller must establish deadlines for its deletion or periodic review. All reasonable steps should be taken to ensure that personal data that are inaccurate are rectified or deleted. Personal data must be treated in a way that guarantees adequate security and confidentiality of personal data, including to prevent unauthorized access to or use of said data and the equipment used in the treatment”.

VI

Article 4 of the RGPD, under the heading "Definitions", provides the following:

"2) "treatment": any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of access authorization, collation or interconnection, limitation, deletion or destruction”.

In accordance with these definitions, the collection of personal data through forms enabled for this purpose constitutes data processing, with respect to which the data controller must comply with the principle of transparency, established in article 5.1 of the RGPD, according to which personal data will be “treated in a lawful, loyal and transparent manner in relation to the interested party (legality, loyalty and transparency)”; and developed in Chapter III, Section 1, of the same Regulation (articles 12 and following).
Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible for the treatment to take the appropriate measures to "provide the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easily accessible form, in clear and simple language, in particular any information addressed to a child".

Article 7 of the RGPD is expressed in the same sense for cases in which the consent of the interested party is given in the context of a written statement, as occurs in the present case. According to this article, said request for consent “is presented in such a way that it is clearly distinguished from other matters, in an intelligible and easily accessible way and using clear and simple language”. It is added in this precept that no part of the declaration that constitutes an infringement of this Regulation will be binding.

Article 13 of the aforementioned legal text details the “information that must be provided when the personal data is obtained from the interested party” and the aforementioned article 14 refers to the “information that must be provided when personal data has not been obtained from the interested party”.

In the first case, when the personal data is collected directly from the interested party, the information must be provided at the same time that the data are collected.
Article 13 of the RGPD details this information in the following terms:

"1. When personal data relating to him are obtained from an interested party, the person responsible for the treatment, at the time these are obtained, will provide him with all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, of their representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the treatment for which the personal data are intended and the legal basis of the treatment;

d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person responsible or of a third party;

e) the recipients or categories of recipients of the personal data, if applicable;

f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to adequate or appropriate guarantees and the means of obtaining a copy of these or the fact that they have been provided.

2. In addition to the information mentioned in section 1, the data controller will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing:

a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this term;

b) the existence of the right to request from the data controller access to personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to data portability;

c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;

e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and whether the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;

f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of said treatment for the interested party.

3. When the controller plans the further processing of personal data for a purpose other than that for which they were collected, it will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information”.
Article 14 regulates the information that must be provided in relation to the data that are not collected directly from the interested party:

"1. When the personal data has not been obtained from the interested party, the person responsible for the treatment will provide him with the following information:

a) the identity and contact details of the person in charge and, where appropriate, of their representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data are intended, as well as the legal basis of the treatment;

d) the categories of personal data in question;

e) the recipients or categories of recipients of the personal data, if applicable;

f) where appropriate, the intention of the person responsible to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, section 1, second paragraph, reference to adequate or appropriate guarantees and the means to obtain a copy of them or the fact that they have been provided.

2. In addition to the information mentioned in section 1, the data controller will provide the interested party the following information necessary to guarantee fair and transparent data processing with respect to the interested party:

a) the period during which the personal data will be kept or, when that is not possible, the criteria used to determine this term;

b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person responsible for the treatment or of a third party;

c) the existence of the right to request from the data controller access to personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, and to oppose the treatment, as well as the right to data portability;

d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent before its withdrawal;

e) the right to file a claim with a supervisory authority;

f) the source from which the personal data come and, where appropriate, whether they come from publicly accessible sources;

g) the existence of automated decisions, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of such treatment for the interested party.
3. The person responsible for the treatment will provide the information indicated in sections 1 and 2:

a) within a reasonable period, once the personal data has been obtained, and at the latest within a month, taking into account the specific circumstances in which said data is processed;

b) if the personal data are to be used for communication with the interested party, no later than the moment of the first communication to said interested party, or

c) if it is planned to communicate them to another recipient, at the latest at the time the personal data are communicated for the first time.

4. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which they were obtained, it will provide the interested party, before said further processing, information on that other purpose and any other relevant information indicated in section 2.

5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that:

a) the interested party already has the information;

b) the communication of such information is impossible or involves a disproportionate effort, in particular for the treatment for archival purposes in the public interest, scientific research purposes or historical or statistical purposes, subject to the conditions and guarantees indicated in article 89, paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article may prevent or seriously impede the achievement of the objectives of such treatment. In such cases, the controller shall adopt adequate measures to protect the rights, freedoms and legitimate interests of the interested party, including making the information public;

c) the obtaining or the communication is expressly established by the law of the Union or of the Member States that applies to the controller and that establishes appropriate measures to protect the legitimate interests of the data subject, or

d) when personal data must continue to be confidential on the basis of an obligation of professional secrecy regulated by the law of the Union or of the Member States, including an obligation of secrecy of a statutory nature”.

For its part, article 11.1 and 2 of the LOPDGDD provides the following:

"Article 11. Transparency and information to the affected party

1. When personal data are obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679 by providing the affected party with the basic information referred to in the following section and indicating an electronic address or other means that allows easy and immediate access to the remaining information.

2. The basic information referred to in the previous section must contain, at least:

a) The identity of the person responsible for the treatment and their representative, if applicable.

b) The purpose of the treatment.

c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.

If the data obtained from the affected party were to be processed for profiling, the information will also include this circumstance.
In this case, the affected party must be informed of his right to object to the adoption of automated individual decisions that produce legal effects on him or significantly affect him in a similar way, when this right applies in accordance with the provisions of article 22 of Regulation (EU) 2016/679”.

In relation to this principle of transparency, account is also taken of what is expressed in Recitals 32, 39 (reproduced in the previous Legal Basis), 42, 47, 58, 60, 61 and 72 of the RGPD. Part of the content of these Recitals is reproduced below:

(32) Consent must be given by a clear affirmative act that reflects a free, specific, informed and unequivocal manifestation of the will of the interested party to accept the processing of personal data that concerns him ... Therefore, silence, boxes already marked or inaction must not constitute consent. Consent must be given for all treatment activities carried out for the same purpose or purposes. When the treatment has several purposes, consent must be given for all of them ...

(42) … In particular, in the context of a written statement made on another matter, there must be guarantees that the interested party is aware of the fact that he gives his consent and of the extent to which he does so. According to Council Directive 93/13/EEC (LCEur 1993, 1071), a model declaration of consent previously prepared by the person responsible for the treatment must be provided, with an easily accessible and intelligible formulation that uses clear and simple language, and that does not contain abusive clauses. For the consent to be informed, the interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data is intended. Consent must not be considered freely given when the interested party does not have a true or free choice or cannot deny or withdraw his consent without suffering any harm.
(47) The legitimate interest of a data controller, including that of a controller to whom personal data may be communicated, or that of a third party, may constitute a legal basis for the treatment, provided that the interests or rights and freedoms of the interested party do not prevail, taking into account the reasonable expectations of the interested parties based on their relationship with the controller. Such a legitimate interest could arise, for example, when there is a relevant and appropriate relationship between the interested party and the controller, as in situations in which the interested party is a client or is at the service of the controller. In any case, the existence of a legitimate interest would require a meticulous evaluation, including of whether a data subject can reasonably foresee, at the time and in the context of the collection of personal data, that they may be processed for this purpose. In particular, the interests and fundamental rights of the interested party could prevail over the interests of the data controller when the personal data is processed in circumstances in which the interested party does not reasonably expect further treatment to take place ... The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the person responsible for the treatment in question. The processing of personal data for direct marketing purposes can be considered carried out by legitimate interest.

(58) The principle of transparency requires that all information directed to the public or the interested party be concise, easily accessible and easy to understand, and use clear and simple language, and, also, if applicable, it is displayed ...

(60) The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes.
The controller must provide the interested party with as much additional information as is necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal data is processed. The interested party must also be informed of the existence of profiling and the consequences of such profiling. If the personal data is obtained from the interested parties, they should also be informed of whether they are obliged to provide them and of the consequences in the event that they do not ...

(61) Data subjects should be provided with information on the processing of their personal data at the time they are obtained from them or, if they are obtained from another source, within a reasonable time, depending on the circumstances of the case ...

(72) Profiling is subject to the rules of this Regulation that govern the processing of personal data, such as the legal bases of the processing or the principles of data protection …

BBVA, according to the proven facts, processes personal data obtained from customers, directly or "indirectly", as well as personal data obtained from sources other than the interested parties or inferred by the entity itself. It is therefore obliged to provide information on all the aspects included in the aforementioned Articles 13 and 14 of the RGPD.

After analyzing the information offered by BBVA, it is verified that it is incomplete or inadequate in relation to the provisions of articles 13 and 14 of the RGPD.

- Use of imprecise terminology and vague formulations

In accordance with the foregoing, at the time of collecting personal data the person responsible for the treatment must provide the interested parties with the information established in the cited rules, “in a concise, transparent, intelligible and easily accessible way, with clear and simple language”.
BBVA does not report clearly and systematically on the processing of personal data or the purposes for which they will be used; nor does it delimit the nature of the information submitted to treatment and its subsequent use. When referring to these questions, it uses imprecise terminology and vague formulations, alien to strict compliance with the principle of transparency, preventing interested parties from knowing the real sense and meaning of the indications provided and the real scope of the consents that may be given.

The privacy policy analyzed contains imprecise and vague formulas and expressions throughout the entire text:

. "Get to know you better and improve your experience."
. "Offer you products and services ... personalized for you."
. "Improve the quality of products and services."
. "Your data is yours and you control it."
. "... make your experience more personalized."
. "Products and prices more adjusted to you."
. "I DO NOT want BBVA to process my data to offer me products and services ... personalized for me."
. “I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me”.
. “I DO NOT want BBVA to process my data to improve the quality of new and existing products and services”.
. "Properly manage the products and services that you request and contract with us."
. "Follow the relationship we maintain with you and your financial evolution."
. “At BBVA we treat your personal data to always serve you with the same level of quality, and thus to be able to offer you a better treatment and service appropriate to your status as a client”.
. "If you want to streamline the application process, we will need."
. “At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To do so we have to get to know you better…”.
. “Thanks to this analysis we will be able to get to know you better, assess new features for you… as well as personalized offers with more adjusted prices for you”.
. “We would like to keep you up to date on new BBVA products and services, as well as give you advice and recommendations to better manage your financial situation. We can also send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client”.
. “If you want the BBVA Group companies… to offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile ... This information will be processed to try to improve the characteristics and prices of the offering of products and services”.
. “… So that BBVA can better meet your expectations and increase your degree of satisfaction".
. “… To be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays”.
. “At BBVA we consider that, as a customer, you have a reasonable expectation that your data will be used so that we can improve products and services and you can enjoy a better experience as a customer”.
. "In addition, we believe that you also have a reasonable expectation of receiving congratulations on the occasion of your anniversary, or of being wished a good day or happy holidays”.
. "In order to provide you with an adequate service and manage the relationship that we maintain with you as a client…".

It follows that the data protection policy is shown as a benefit for the client, implying that its non-acceptance will mean the loss of advantages as a customer.
(…)

In addition, the information is indeterminate, given the generic and unclear expressions it uses, which is why the privacy policy is not easy for any interested party to understand, regardless of their qualifications, and shows the extent to which one needs to be an expert to understand such information and its scope. This means that the right to the protection of personal data, understood as the ability of the affected person to decide on the treatment, must be understood to have been violated.

The information on key aspects, such as the categories of personal data processed, the purposes or the legal basis that enables the treatment, uses unclear and imprecise expressions, with ambiguous meanings in some cases, whose true scope is not developed; expressions that are repeated throughout the text, as indicated, and that BBVA uses to support different actions, treatments, purposes or legitimations. Expressions such as “get to know you better”, “personalize your experience”, “offer you personalized products and services”, "improve product quality", "relationship adapted to your profile", "prices adjusted to your profile", "develop our business models", "analyzing the uses of the products, BBVA's services and channels”, “we will apply statistical and classification methods to correctly adjust your profile" or "perform statistics, surveys, actuarial calculations, averages and/or market studies that may be of interest to BBVA or third parties”.

Nor can the interested party clearly deduce the meaning of these expressions from the context in which the information is offered and the expression of will of the interested party is collected, or from the context of the contractual relationship that binds the interested party with the responsible entity.
On this contextual basis or factual context, the client is not able to understand the meaning of the purposes pursued by BBVA with the processing of his personal data, such as "knowing you better", "developing our business models” or “improve the quality of products and services”.

The expressions that are so often repeated by BBVA throughout the document “Declaration of Economic Activity and Personal Data Protection Policy” are included as examples of bad practices in the Article 29 Working Group document "Guidelines on transparency under Regulation 2016/679", adopted on 11/29/2017 and revised on 04/11/2018.

These Guidelines analyze the scope to be attributed to the elements of transparency established in article 12 of the RGPD, according to which the person responsible for the treatment will take the appropriate measures to "provide the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easily accessible form, with clear and simple language”, which must be related to what is expressed in Recital 39 of the aforementioned Regulation.

From what is stated in these Guidelines, the following is highlighted at this point:

"The requirement that the information be "intelligible" means that it must be understandable to the average member of the target audience. Intelligibility is closely linked to the requirement to use clear and simple language. A data controller who acts responsibly will proactively get to know the people about whom it collects information and can use this knowledge to determine what said audience is likely to understand…”.

<< Clear and simple language

In the case of “written” information (and when written information is communicated verbally, or through auditory or audiovisual methods, also for people with vision problems), best practices for writing clearly have to be followed.
The EU legislator has already previously used a similar linguistic requirement (appealing to the use of “clear and understandable terms”) and it is also explicitly mentioned in the context of consent in recital 42 of the GDPR. The obligation to use clear and simple language implies that the information must be provided in the simplest possible way, avoiding complex sentences and linguistic structures. The information must be concrete and categorical; it should not be formulated in abstract or ambivalent terms nor leave room for different interpretations. Specifically, the purposes and legal basis of the treatment of personal data must be clear. Examples of poor practice. The following statements are not clear enough regarding the purpose of the treatment: “We may use your personal data to develop new services” (since it is not clear what “services” are concerned and how the data will help to develop them); “We may use your personal data for research purposes” (since it is not clear what type of “research” is referred to); and “We may use your personal data to offer you personalized services” (since it is not clear what this “customization” implies). Examples of good practices. “We will retain your purchase history and use details of the products you have previously purchased to suggest other products that we think might also interest you” (it is clear what types of data will be processed, that the interested party will be the object of personalized product advertising and that their data will be used in this regard); “We will retain and evaluate information about your recent visits to our website and how you navigate through its different sections in order to analyze and understand the use that people make of our website and be able to make it more intuitive” (it is clear what type of data will be processed and the type of analysis that the person in charge will carry out); and
“We will keep a record of the articles on our website that you have clicked on and we will use that information to personalize, from the articles you have read, the advertising that we show you on this website to suit your interests” (it is clear what personalization entails and how the interests attributed to the interested party have been identified) >>. The foregoing must be interpreted, in any case, taking into account the principles established in article 5 of the GDPR, especially the principle of loyalty. Recital 42 of the same text also states that the form in which information on personal data protection is offered must not contain unfair terms. BBVA alleges that the “Guide for compliance with the duty to inform”, published by this Agency, contains some examples when referring to the information on the purpose (“to facilitate the interested parties offers of products and services of their interest”; “To be able to offer you products and services according to your interests”; “Improve your user experience”) that can be considered similar to the expressions used in the Privacy Policy. However, this circumstance does not have enough potential to overcome the important objections that are described here. In this regard, it should be noted that, although it is true that these expressions are similar to those used in some specific examples of the aforementioned guide, BBVA neither references nor has taken into account other statements in the guide that are basic to frame and interpret the meaning of those that the entity reproduces. Thus, it omits that these examples are included in the rubric “What information should be included in each heading? 
”; a rubric that begins by establishing a general criterion that conditions the application of the examples included in it (such as those cited by BBVA) when noting that “the extent and level of detail of each heading will depend on the complexity of their particular circumstances” (the underlining is from the AEPD). It then adds another important qualification, namely that the practical examples included in the guide are “related to the previous hypothetical cases (“Warren & Brandeis SA editions”)” (page 9). On the other hand, the expressions referred to are found in the example included in section 7.2 “purpose” of the guide, which links the purpose of “... to provide interested parties offers of products and services of your interest…” and “… according to your interests…” exclusively to “the information provided by the interested parties” (the underlining is from the AEPD). Finally, the Guide completes the aforementioned section with a new warning by pointing out that “practices such as including overly generic or nonspecific purposes, which may lead to further treatments that exceed the reasonable expectations of the interested party”.
The framework of the Guide, which has been described here in its entirety and not with a partial and selective citation as in BBVA's allegations, presents substantial differences from that of the informative clauses of this entity, such as the following: the variety of the data object of treatment; the diversity of sources from which they are obtained, which go beyond the data provided by the interested party, including even those obtained in its capacity as a mere data processor; as well as the variety and complexity of the purposes of the processing of personal data in its capacity as a financial entity that occupies a relevant position in the market, unlike the more schematic case of an editor, which is the example cited in the Guide (the details of said data and treatments are described in different sections of the resolution and are omitted here to avoid repetitions). Additionally, it should be noted that the guidelines in the guide cannot be taken as final, since the aforementioned guide expressly advises that the only specific objective it covers is to provide guidance on best practices and adds that it should be completed with other guides that the Data Protection Authorities may issue in relation to the application of the GDPR. The previous argument about the terminology used in the Privacy Policy is not taken into account by BBVA when making its allegations. This entity limits itself to making statements such as describing the arguments of this Agency as subjective appraisals; affirming that the terms used are clear and precise; that it uses those expressions with the intention of providing its clients with a service adapted to their specific circumstances, for which it is essential to “know” them; and that the context in which it provides the information, which is determined by the contractual relationship, as well as the two-layer structure of the document, allow a better understanding of the expressions used.
It has been previously denied that the context in which the information is offered and the manifestation of will is collected allows the interested party to know the meaning and scope of the expressions that have been pointed out. And, on the other hand, it cannot be said that the aim cited by BBVA (knowing the customer better) justifies the use of unclear and indeterminate expressions. BBVA also tries to explain two of the many expressions referenced above, which, obviously, does not resolve the deficiencies noted in the entire text of the Privacy Policy. Specifically, BBVA refers to the expression “we will apply statistical and classification methods to correctly adjust your profile”, which it tries to explain without success, highlighting that this expression indicates two of the techniques used to better understand the client. Secondly, it refers to the indication “analyzing the uses of the products, BBVA services and channels”, which according to BBVA is explained by this Agency in the proposed resolution stating that “[a]ll this refers to the data processed by reason of the products and services contracted”. This Agency does not share the idea put forward by BBVA. In the first case, the mere reference to the techniques used does not help the interested party understand the scope of the information when it indicates that the profile will be adjusted. Regarding the second expression, as was already indicated in the opening of the procedure and in the proposed resolution, the interested party has no opportunity to know the true scope of that expression, starting with the specific information to which it refers.
BBVA adds that some of the expressions explained above are similar to expressions offered as examples in the “Guide on the use of cookies” (in the opinion of BBVA, “carry out statistics, surveys, actuarial calculations, measurements and/or studies of market that may be of interest to BBVA or third parties” is similar to the expression “For analytical purposes”; and “analyzing the uses of BBVA products, services and channels” is similar to the expression “show you personalized advertising based on a profile elaborated from your browsing habits”). Regarding the quotes that have been transcribed verbatim and in quotation marks, it is striking, first of all, that at the time BBVA carried out the process of adaptation to the GDPR, including the informative clauses, the Guide on cookies published by the Agency at that time was the one presented on April 29, 2013, and it did not include those expressions literally. The only example of an informative clause included in said Guide literally indicated that “we use our own and third-party cookies to improve our services and show you advertising related to your preferences by analyzing your browsing habits”. Therefore, BBVA could not, in any way, have taken this text into account as a reference when preparing its informative clauses. The examples referred to by BBVA literally reproduce the wording included in the “Guide on the use of cookies” published in November 2019 (both the one relating to cookies for analytical purposes and the one relating to personalized advertising based on browsing habits, in example number 2 on page 20). However, its claim in taking said wording as a reference in order to justify the entity's information clauses is again partial, since it merely picks out two limited subsections of the examples in the Guide.
But without taking into account other substantive considerations included in the Guide that support an assessment contrary to the exculpatory effect intended by the entity. And, in particular, those that refer to the requirement to “use clear and simple language, avoiding the use of phrases that lead to confusion or distort the clarity of the message”. In this sense, the Guide specifically indicates in section 3.1.2.b) the following (page 18): << b) Clear and simple language must be used, avoiding the use of phrases that induce confusion or detract from the clarity of the message. For example, phrases such as “we use cookies to personalize your content and create a better experience for you” or “to improve your navigation”, or phrases such as “we can use your personal data to offer personalized services” to refer to behavioral advertising cookies. Terms such as “may”, “could”, “some”, “often”, and “possible” >>. These statements confirm the grounds for declaring BBVA's information clauses unlawful in this procedure. Based on the foregoing, BBVA's allegation regarding the application of the principle of legitimate expectations. Regarding the above issues, BBVA also adds in its allegations that it acted with proactive responsibility, (…); and that offering a courtesy image is a commercial decision, a “marketing action”, according to its own terms, to which it is entitled by virtue of its right to free enterprise. (…) On the other hand, it is clear and indisputable that the Privacy Policy cannot be used as a “marketing action”. This is how BBVA has described it and the result is the one that has been described in the previous paragraphs.

- Information on the categories of personal data subjected to treatment; and on the specific categories of personal data that will be processed for each one of the specific purposes.
On the other hand, it is verified that the information offered is incomplete in relation to key aspects established in the repeatedly cited articles, such as the categories of the personal data processed. In accordance with the criteria stated by the European Data Protection Committee, information on the type of personal data would be necessary in relation to those data processing operations whose legal basis is determined by the consent of the interested party. This is how the Article 29 Working Group understood it in its document “Guidelines on consent under Regulation 2016/679”, adopted on 11/28/2017, revised and approved on 04/10/2018 (these Guidelines have been updated by the European Data Protection Committee on 05/04/2020 through the document “Guidelines 05/2020 on consent pursuant to Regulation 2016/679”, which keeps literally identical the parts that are transcribed below). The Article 29 Working Group draws its conclusions from the definition of “consent” contained in article 4 of the GDPR, which is expressed in the following terms: “11) “consent of the interested party”: any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns him”. From this definition, the following are specified as necessary elements for the validity of the consent: manifestation of will that is free; specific; informed; and unequivocal, by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data concerning them. In relation to the element “manifestation of specific will” it is said: “3.2. Specific manifestation of will (…) Ad. 
ii) The consent mechanisms should not only be separated in order to comply with the “free” consent requirement, but must also comply with the “specific” consent requirement. This means that a data controller seeking consent for several different purposes must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, the data controllers must provide, with each request for separate consent, specific information on the data that will be processed for each purpose, in order for the interested parties to know the impact of the different options they have. In this way, data subjects are allowed to give specific consent. This question overlaps with the requirement that those responsible provide clear information”. Furthermore, consent, to be valid, must be informed. This item is analyzed in the aforementioned “guidelines” as follows: 3.3. Informed manifestation of will. The GDPR reinforces the requirement that consent must be informed. In accordance with Article 5 of the GDPR, the requirement of transparency is one of the fundamental principles, closely related to the principles of loyalty and legality. Providing information to interested parties before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing and, for example, exercise their right to withdraw their consent. If the person in charge does not provide accessible information, the user's control will be illusory and consent will not constitute a valid basis for the processing of the data. If the requirements for informed consent are not met, the consent will not be valid and the person in charge may be in breach of article 6 of the GDPR. 3.3.1. Minimum content requirements for consent to be “informed”. In order for consent to be informed, it is necessary to communicate to the interested party certain elements that are crucial to choosing.
Therefore, the WG29 believes that at least the following information is required to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the processing operations for which consent is requested, iii) what (type of) data will be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of the data for automated decisions in accordance with article 22, paragraph 2, letter c), where relevant, and vi) information on the possible risks of data transfer due to the absence of a decision of adequacy and adequate guarantees, as described in article 46 >>. In view of the interpretive criteria on the notion of “informed consent” offered by the European Data Protection Committee, it is considered that BBVA does not provide sufficient information on the type of data that will be submitted to treatment in relation to all those treatments whose legal basis is the consent of the interested parties. This insufficiency is observed in relation to the purpose “To improve the quality of products and services”, where it is indicated again that: “Said information is obtained from the use of BBVA products, services and channels”. All this refers to the data treated by reason of the products and services contracted, so that, although these are known to the user, he cannot know which ones will be selected from the use of such products and services. The same can be said regarding the use of BBVA channels.
In relation to the category of personal data that may be processed, BBVA warns the interested party, in a generic way, that it may process “Economic and patrimonial solvency data (including those related to all the products and services that you have contracted with BBVA or of which BBVA is a marketer); Transactional data (income, payments, transfers, debts, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or for which BBVA is marketer); Sociodemographic data (such as age, family situation, residences, studies and occupation)”. In view of this information, it is not clear whether BBVA will process economic data unrelated to the products contracted with or marketed by the entity; what personal data it will record for each transaction (will it record the concept and issuer corresponding to the payment of union dues?); or what sociodemographic data will be processed, in addition to those cited as examples. It could even happen that the information collected by the responsible entity “from the use of BBVA products, services and channels” included sensitive data or special categories of personal data, for example, the aforementioned union dues or fees paid to political parties or entities of a religious nature, or for the use of services provided by health or religious entities. It is not concluded that BBVA processes personal data such as those indicated in the previous paragraph. It is simply said here, in a foundation that analyzes the information offered by BBVA to its customers, that this information is faulty insofar as it does not allow the recipient of the information to know with certainty all the categories of personal data that will be used by that entity and that, moreover, the repeatedly cited information, due to its lack of specificity, could be covering an unacceptable collection and processing of personal data.
Also, when referring to the personal data that will be used to carry out data processing based on the legitimate interest of the entity, reference is again made to the “uses of BBVA products, services and channels”, as well as to information regarding the “financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations - payments, income, transfers, debts, receipts”. In this case, the insufficient information on the categories of data to be processed is not related to the need for consent to be informed, given that these are treatments based on the legitimate interest of the entity. However, in these treatments data not provided by the interested parties will be used, so that the obligation contained in article 14.1.d) of the GDPR would be applicable. All this without prejudice to the relationship between these treatments and the data processing based on the consent of the interested parties, to which reference is subsequently made. (…) In another vein, it is interesting to note at this point that the use of personal data based on legitimate interest gives rise to the creation of profiles, which are subsequently used to offer products and services (purpose 3) to customers who give their consent to do so, and that said profile is communicated to the companies of the BBVA Group, also based on the consent of the interested party. This being the case, the defects in information in relation to the processing of data based on legitimate interest equally affect the validity of the consent. It is also interesting to note that the information offered on the data subject to treatment by BBVA to which reference has been made includes “those related to all the products and services… of which BBVA is a marketer”.
This Agency questions the use of these data by the aforementioned entity for the purposes that are indicated, considering that they are not its own products, but third-party products marketed by it. BBVA intervenes in the commercialization of these products under the status of data processor, which limits the possibility of using the information in question for its own purposes. Likewise, the obligation to report on the category of data that will be subjected to treatment is also breached in relation to data that are not provided to the person in charge by the interested party, but are obtained from external sources or inferred by the entity itself. As has been explained, in these cases, Article 14 of the GDPR requires this information to be provided. Among this information from third parties is that obtained from products and services marketed by BBVA, but which are not its own, to which reference has already been made. It follows that BBVA processes personal data that it does not obtain directly from the interested parties under the condition of data controller. These are considered personal data from third parties that BBVA uses for the purposes expressed in the Privacy Policy. The responsibility for these personal data corresponds to the entity that owns the product purchased by the interested party or that provides the service contracted by them. BBVA accesses such data under the condition of person in charge of treatment, through its mediating intervention in the commercialization of the product. In the Privacy Policy, in the section “What personal data of yours does BBVA process?”, the following are mentioned: “Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer);
Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer)”. As mentioned above, in relation to data processing based on legitimate interest, the information regarding the “financial evolution and that of the products and services that you have contracted ... through BBVA as marketer” is also mentioned. With the information provided, as indicated above, it is not clear what financial and solvency personal data are processed or what data BBVA will record for each transaction. (…) The use by BBVA of personal data from products and services of third parties requires that the interested parties be provided with the appropriate information and that there be a legal basis that protects the treatment. (…) The only reference to the information coming from patrimonial solvency and credit files and to CIRBE in this privacy policy is contained in the information regarding the use of personal data to manage the products and services contracted, legitimized as it is necessary for the execution of the contract. Even so, the consultation of the client's data in solvency and credit files is subject to the consent of the interested party “to analyze the economic viability of your requests and operations”; and in the second case, it indicates “We can consult the data that can appear on you in the CIRBE to assess your solvency, if you request or maintain financing products or services with us”. Nothing is indicated in the privacy policy about this personal data and its use in the elaboration of profiles based on legitimate interest. In its brief of allegations to the proposed resolution, BBVA does not make any mention of personal data obtained from third-party products and services marketed by BBVA.
It only states that the obligation to inform about the categories of sociodemographic data, those obtained from CIRBE and from solvency files is not applicable in this case, by virtue of the provisions of section 5 c) of said precept, taking into account that such personal data is obtained by BBVA in accordance with the indicated rules. The obtaining of such data by BBVA is not questioned in this case. As said above, the use of personal data from patrimonial and credit solvency files and CIRBE files to manage the contracted products and services, provided that it is necessary for the execution of the contract. This is the foundation that determines access to the information provided for in the rules that are invoked. However, the use of this personal data by BBVA is not limited to checking the situation of the interested party for the formalization of a risk operation, but extends also to other purposes based on legitimate interest, as well as to the preparation of profiles that are used for commercial purposes, to offer products and services. In addition, in relation to data from solvency and credit files, the Privacy Policy informs that they will only be consulted with the consent of the interested party, and the rule invoked by BBVA refers exclusively to the duty to consult the information for a specific type of operations, such as granting loans with real collateral or whose purpose is to acquire or retain property rights over land and real estate; not just any risk operation. (…) And not only does it not specify what data will be processed, but it also does not duly inform about the specific categories of personal data that will be processed for each of the specified purposes.
The need to complete the information offered to customers in the sense expressed is especially relevant when it comes to data not provided by the customer, but inferred by the entity itself from the use of products, services and channels. It cannot be accepted that all information is intended for all uses, that all data collected or inferred can be used for all purposes, without delimitation. The same applies in relation to the personal data that will be communicated to third parties. In this regard, the Opinion of the aforementioned Article 29 Working Group, “Guidelines on consent under Regulation 2016/679”, adopted on 11/28/2017, revised and approved on 04/10/2018, and revised again in May 2020, when referring to the obligation to inform about the data that will be collected and used, refers to Opinion 15/2011 on the definition of consent, as “manifestation of specific will”: “To be valid, consent must be specific. In other words, indiscriminate consent without specifying the exact purpose of the treatment is not admissible. To be specific, consent must be understandable: it must refer clearly and precisely to the scope and consequences of data processing. It cannot refer to an indefinite set of treatment activities. This means, in other words, that consent applies in a limited context. Consent must be given in relation to the various aspects of the treatment, clearly identified. This implies knowing what the data is and the reasons for the treatment. This knowledge should be based on the reasonable expectations of the parties. Therefore, “specific consent” is intrinsically related to the fact that consent must be informed. There is a requirement of precision of consent with respect to the different elements of the treatment of data: it cannot be claimed to encompass “all legitimate purposes” pursued by the controller. The consent must refer to the treatment that is reasonable and necessary in relation to the purpose”.
In general, as has been said, the principle of transparency should be understood as a fundamental aspect of the principles of lawful and fair treatment. It is worth reiterating what is expressed in Recitals 39 and 60 and the references they contain to the need to provide information to ensure fair and transparent treatment: “39. All processing of personal data must be lawful and fair. For natural persons it should be totally clear that personal data that concern them is being collected, used, consulted or otherwise processed, as well as the extent to which said data is or will be processed ... Said principle refers in particular to the information of the interested parties about the identity of the person in charge of the treatment and the purposes thereof and the information added to ensure fair and transparent treatment regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. Natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data”. “60. The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The controller must provide the interested party with as much additional information as is necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal data is processed”.
And the also cited document of the Article 29 Working Group “Guidelines on transparency under Regulation 2016/679”, adopted on 11/29/2017 and revised on 04/11/2018, which analyzes the scope to be attributed to the principle of transparency, indicates: “A fundamental consideration of the principle of transparency outlined in these provisions is that the interested party must be able to determine in advance the scope and consequences derived from the treatment, and should not be surprised at a later time by the use that has been made of their personal information. It is also an important aspect of the principle of loyalty by virtue of article 5 (1) of the GDPR and, indeed, it is related to recital 39, which establishes that “natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data [...]”. Specifically, the position of GT29 regarding complex, technical or unforeseen data processing is that, in addition to providing the information prescribed in articles 13 and 14 (an aspect that will be dealt with later in these guidelines), data controllers should also detail separately and in unambiguous language what will be the most important “consequences” of the treatment: in other words, what kind of repercussions will the specific treatment described in a privacy statement/notice have? In accordance with the principle of proactive responsibility, and in line with recital 39, data controllers should assess whether this type of treatment poses some specific risk to natural persons that must be brought to the attention of the interested parties. This can help to give an overview of the types of treatment that could have a greater impact on the fundamental rights and freedoms of interested parties in relation to the protection of their personal data”.
In short, personal data is collected and processed without its owners being aware that BBVA is accessing it to register it in its information systems; BBVA subjects it to treatments about which the client is not informed clearly, precisely and simply, and with non-explicit and undetermined purposes, against the principles relating to the treatment established in article 5 of the RGPD (loyalty, limitation of the purpose and minimization of data), since, from the information provided, considering its lack of specificity, the interested party cannot know, as the Constitutional Court states, "to what use it is being destined and, on the other hand, the power to oppose that possession and uses". This lack of precision renders the information provided about the intended data processing ineffective.

The same objection must be expressed in relation to the communication of personal data to BBVA Group companies. With the information offered it is not possible for the interested party to have a clear idea about the information that will be transferred to the entities that make up the Group ("… communicate data related to your customer profile -income amount and expenses, balance and use of our channels"; "… Your identification, contact and transactional data").

BBVA considers in its allegations that the incorporation of all that information regarding the type of data in an already excessively long document would be liable to cause information fatigue in the interested parties. The GT29 Guidelines recommend avoiding that consequence, but such a purpose cannot be taken as a justification for omitting necessary information. It forces the information to be structured adequately, but not limited.
On the other hand, BBVA has stated that it cannot be required to report on the personal data subjected to treatment, or to break this information down for each one of the purposes, on the basis of the guidelines that have been mentioned, which do not have normative character. However, it should be noted that the Article 29 Working Group was established by Directive 95/46 / EC as an advisory and independent body, whose opinions and recommendations serve as an interpretive element in the matter at hand, admitted by jurisprudence. At present the European Data Protection Board is the body with competence to issue guidelines, recommendations and good practices in order to promote the consistent application of the GDPR.

Regarding the above questions, it claims again that the conclusions presented modify what is stated in the "Guide on compliance with the duty to inform" and that the establishment of interpretive criteria in a sanctioning procedure cannot be admitted. Both questions have been answered previously, pointing out, on the one hand, the terms in which the expressions of the "Guides" edited by this Agency should be considered and, on the other hand, that this resolution is based on criteria that have been widely consolidated for a long time, as has been well explained.

- Information on the purposes for which the personal data of the clients will be used and the legal basis of the treatment

Regarding the purposes for which the personal data of the clients will be used and the legal basis of the treatment, BBVA, in the document through which it provides information on the protection of personal data, refers to similar treatments in relation to different purposes, protected by legitimate interest in some cases and by consent in others.
This may mean that an average citizen understands that a non-consensual treatment is ultimately carried out under the legitimate interest of the controller, and that their ability to decide on the destination of their personal data is undermined. Specifically, BBVA reports on the making of personalized offers and the use of data to improve its products and services as data processing with a legal basis in the consent of the interested party and, at the same time, such treatments are also mentioned among those that can be performed to know the customer better and enhance their experience, based on legitimate interest.

On the treatments based on legitimate interest, information is provided in the following terms:

. "Know you better and personalize your experience"
. "May your experience be as satisfactory as possible"
. "Get to know you better by analyzing your financial evolution ... the uses of products, services and channels."
. "Assess new functionalities ..., products and services"
. "Rate ... personalized offers with more adjusted prices for you"
. "Better meet your expectations and we can increase your degree of customer satisfaction"
. "Improve the quality of products and services"
. "Carry out statistics, surveys or market studies that may be of interest."

Information on consent-based treatment is provided in the following terms:

. "Offer you products and services from BBVA, the BBVA Group and others, customized for you"
. "Give you advice and recommendations to better manage your financial situation"
. "Improve the quality of products and services"
. "Increase your degree of customer satisfaction."
. "Meet your expectations."
. "Improve the quality of existing products and services."
. "Develop new products and services".
. "Carry out statistics, surveys, actuarial calculations, averages and / or market studies that can be of interest to BBVA or third parties".
. "This information is obtained from the use of BBVA products, services and channels."

It is not concluded that they are similar treatment operations, but rather that the information offered may cause confusion, to an average citizen, about the legal basis that justifies the treatment, in the sense expressed.

The information on the purposes, in general, is closely linked to the principle of limitation of the purpose, regulated in article 5.1 b) of the RGPD, which establishes the following:

"1. The personal data will be:
b) collected for specific, explicit and legitimate purposes, and will not be further processed in a way incompatible with said purposes; according to Article 89 (1), further processing of personal data for archival purposes in the public interest, scientific research purposes and historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of purpose")".

The importance of this principle is determined by its object, which is none other than to establish the limits within which personal data can be processed and the extent to which they can be used, as well as to determine the data that can be collected.

To be "explicit", a purpose must be unequivocal and clearly stated, in enough detail for the interested party, any interested party, to know with certainty how the data will or will not be processed, favoring the exercise of their rights and the evaluation of compliance with regulations. To be "explicit", the purpose must also be disclosed, which must take place at the time the personal data is collected.

On this issue, the Article 29 Working Group ruled in its Opinion 03/2013, on limitation of purposes. In this work, it was considered that purposes expressed with vague or too general formulas, such as "improving user experience", "marketing purposes" or "future research", should be rejected as nonspecific.
This Opinion indicates that the more complex the processing of personal data is, the more detailed and exhaustive the specification of the purposes should be, "including, among other things, the way in which personal data is processed. The decision criteria used for the elaboration of customer profiles must also be revealed".

In accordance with the foregoing, the purposes for which personal data will be processed, about which BBVA informs its clients, except for the management of products, do not conform to the aforementioned transparency requirements, especially if we consider the huge amount of personal data that it submits to treatment, individually or globally considered, and the complex technical processes to which they are subjected, above all for the elaboration of profiles, which are used for all the purposes described in the privacy policy:

"2. To get to know you better and personalize your experience.
3. To offer you products and services from BBVA, the BBVA Group and others, customized for you. We are not going to flood you with information.
4. To communicate your data to BBVA Group companies so that they can offer you their own products and services personalized for you.
5. To improve the quality of products and services".

- Information on the legitimate interest of the person in charge and third parties

Likewise, the aforementioned precepts establish the obligation of the controller to inform about the legitimate interests on which the processing of personal data is based (Articles 13 and 14 of the RGPD establish the obligation to inform about the "legitimate interests of the person in charge or of a third party"). However, the information provided by BBVA remains indefinite regarding the basis of the treatment, so that it does not properly support this authorization for the processing of data and is, therefore, contrary to the principle of transparency.
The definition of "legitimate interest" that BBVA includes in the "Glossary of terms" reads: "Legitimate interest is one of the legal bases that authorize BBVA to process your data. This means that BBVA can process your data because it has an interest in doing so, as long as that interest does not harm your rights".

Recital 47 of Regulation (EU) 2016/679 is especially clarifying in the task of specifying the content and scope of this legitimizing basis of the treatment, described in letter f) of article 6.1 of the RGPD. From what is stated in this Recital, it is worth highlighting as an interpretive criterion that the application of this legitimizing basis has to be predictable for its recipients, taking into account their reasonable expectations.

The Article 29 Working Group prepared Opinion 6/2014 regarding the "Concept of legitimate interest of the person responsible for data processing under article 7 of the Directive 95/46 / CE", dated 04/09/2014. Although Opinion 6/2014 was issued to favor a uniform interpretation of Directive 95/46, then in force and since repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and bearing in mind that the reflections that the Opinion offers are an exponent and application of principles that also inspire the GDPR -such as the principle of proportionality- or of principles of Community law -the principle of fairness and respect for the law and Law- many of its reflections can be extrapolated to the application of current regulations, Regulation (EU) 2016/679.

The said Opinion refers to the "Concept of interest" in the following terms:

"The concept of "interest" is closely related to the concept of "purpose" mentioned in Article 6 of the Directive, although these are different concepts.
In terms of data protection, "purpose" is the specific reason why the data is processed: the purpose or intention of the data processing. An interest, on the other hand, refers to a greater involvement that the controller may have in the treatment, or to the benefit that the controller obtains -or that society can obtain- from the treatment.

For example, a company may have an interest in ensuring the health and safety of the personnel who work at its nuclear power plant. Therefore, the company may have the purpose of applying specific access control procedures that justify the processing of certain specific personnel data in order to ensure the health and safety of personnel.

An interest must be articulated clearly enough to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be "pursued by the controller". This requires a real and current interest, which corresponds to present activities or benefits that are expected in the very near future. In other words, interests that are too vague or speculative will not be enough.

The nature of the interest can vary. Some interests may be compelling and beneficial to society in general, such as the interest of the press in publishing information on government corruption or the interest in conducting scientific research (subject to appropriate safeguards). Other interests may be less pressing for society as a whole or, in any case, the impact of their pursuit on society may be more disparate or controversial. This can, for example, apply to the economic interest of a company in learning as much as possible about its potential clients in order to better target advertising on its products and services".
In the conclusions section of this Opinion the following is added:

"The concept of "interest" is the broadest implication that the controller may have in the treatment, or the benefit that it obtains, or that society may obtain, from the treatment. This can be compelling, clear, or controversial. The situations referred to in article 7, letter f), may therefore vary from the exercise of fundamental rights or the protection of important personal or social interests to other less obvious or even problematic contexts.
… It must also be articulated with sufficient clarity and must be specific enough to allow the balancing test to be performed against the interests and fundamental rights of the interested party. It must also represent a real and current interest, that is, it must not be speculative".

The "interest" goes beyond the "purpose". In the terms of the GT29 it represents "a greater implication that the controller may have in the treatment, or the benefit that the data controller obtains"; while "purpose", in terms of data protection, "is the specific reason why the data is processed: the objective or the intention to process the data".

In this case the "interest" is not expressed. The entity does not inform in its privacy policy on any specific interest when referring to the data processing that it plans to carry out under this legal basis. It limits itself to indicating the purposes and objectives intended with these data processing operations, but no interest in the sense expressed.

BBVA has stated in its brief of allegations that the information on the specific legitimate interests on which it is based for these treatments is included in the section "Why do we use your personal data?"
of the "Extended Information", in which it details the bases that legitimize the treatment ("… so that from BBVA we can better meet your expectations and we can increase your degree of customer satisfaction when developing and improving the quality of own or third party products and services, as well as carry out statistics, surveys or market studies that may be of interest ... to be a bank close to you as a customer…"). This is also indicated in the "Basic information" of the privacy policy when it states: "For what reason do we use your personal data (legal basis)? Get to know you better and make your experience more personalized. BBVA's legitimate interest is explained in the "Extended information" section".

It can be easily verified that this information on "interest" is similar to that expressed when describing the purposes:

The basic information indicates:
For what purposes will we use them?
2. To get to know you better and personalize your experience.

And in the extended information:
What do we use your personal data for?
2. Get to know you better and personalize your experience
At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments, income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models.
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as personalized offers with more adjusted prices for you. As we will know you better, we can congratulate you on your anniversary, wish you a good day or happy holidays". (…)

In any case, the use of personal data in order to "know" the client better, as stated, can be understood as a monitoring of the interested party without a justifiable reason, which cannot be protected by legitimate interest. This monitoring involves a thorough analysis of customer information, which is intended to be justified with the mention of a generic and simple purpose ("to know you better"), whose consequences can be much more serious than those mentioned as examples (congratulations on the birthday).

The same can be said about using customer data to "improve products and services" of BBVA, which this entity also bases on legitimate interest, considering, as it indicates, that the interested party has a reasonable expectation that their personal data will be used for that purpose.

This Agency considers that this treatment of the data, as it appears in BBVA's privacy policy, cannot rely on the legal basis of legitimate interest, which requires an evaluation to determine the interests or rights that prevail. This weighting must take into account, indeed, "the reasonable expectations of the interested parties based on their relationship with the person in charge", but understood as what the interested party can perceive or deduce as reasonable by themselves based on the specific circumstances that occur in each case, what they could reasonably foresee at the time the data is collected.
Not what the responsible entity understands as a "reasonable expectation" of the client, nor what it informs the client about meets those expectations. The term "reasonable expectation" should always be used sparingly, taking into account the position held by the controller and the interested party and the legal nature of the relationship or service that links them, which could lead to the subsequent use of the latter's personal data. Context, already referred to above, is taken into account in order to define, based on all this, the subsequent processing of the data that the interested party can expect to be done. This "reasonable expectation" of the customer has to be deduced by itself, without the need for the information provided by the controller to the interested party or client to define or specify said expectation, as this means that the Bank takes the place of the customer, trying to clarify the expectation to be expected precisely because it does not emerge by itself from the information it offers or from the relationship that unites controller and interested party. It is intended, with this, to convey an appearance of reasonable expectation and to displace the interested party in this deduction.

Therefore, the information offered by BBVA on data uses based on the expectation that the recipient of the information you have as a customer.

The specific determination of BBVA's interest, articulated with sufficient clarity, will allow the interested party to set their own interests against it. It also enables a better analysis of the reality and actuality of said interest.

On the legitimate interest of the person in charge and the weighting test, the document of the Article 29 Working Group "Guidelines on transparency under the Regulation 2016/679", adopted on 11/29/2017 and revised on 04/11/2018, offers the following criteria:

"The specific interest in question must be identified for the benefit of the interested party.
As a matter of good practice, the data controller can also provide the data subject with the information resulting from the "weighting test" that must be carried out in order to rely on the provisions of article 6, paragraph 1, letter f), as a lawful basis for the treatment, prior to any collection of the personal data of the interested parties. To avoid information fatigue, this can be included within a tiered privacy statement / notice (see section 35). In any case, the position of the WG29 is that the information addressed to the interested party must make clear that they can obtain information on the weighting test upon request. This is essential for transparency to be effective when interested parties doubt whether the weighting test has been carried out loyally or wish to file a claim with the control authority".

In its brief of allegations, BBVA indicates that the legitimate interest that it intends to fulfill is to continuously improve the relationship with its customers and the portfolio of products and services that it offers, and thus anticipate their needs in case they require them; that this interest is aimed at the continuous improvement of the business model and achieving the satisfaction of the client with the service provided; to provide the best service to its customers and offer them products that can better fit their profile; to get to know its customers as well as possible to be able to provide them with its services with the highest degree of excellence possible. (…)

As can be seen, the legitimate interest is not clearly described; rather, the purposes about which customers are informed in the Privacy Policy are reiterated. According to the above, and contrary to what BBVA stated in its allegations to the resolution proposal, the legitimate interest is not the purpose for which personal data is processed.
All this without forgetting what has already been indicated in relation to the use of imprecise terms and vague formulations in the information provided, in particular with regard to the definition of the purposes.

In relation to the previous indications regarding the reasonable expectation of the interested party in the subsequent use of their personal data, BBVA has stated that the references to this expectation contained in the Privacy Policy are a consequence of compliance with the obligations imposed by article 13 of the RGPD on information about treatment based on a prevailing legitimate interest; and wonders if the AEPD means to say that treatments based on legitimate interest should not be reported.

BBVA's interpretation of legitimate interest and of clients' reasonable expectations cannot be shared by the AEPD, for the reasons already set out. What this Agency has questioned is that the Privacy Policy defines or tries to define for the data subject what their reasonable expectation is.

- Information on profiling

Another important aspect related to the subject analyzed has to do with the use of personal data for the preparation of customer profiles, understood as any form of personal data processing that evaluates personal aspects related to a natural person. According to art. 13.1.c) of the RGPD, the controller must inform the interested party of the purposes of the treatment, as well as its legal basis, which means that it must inform on the elaboration of profiles when the controller has foreseen such purpose and specify the legal basis that protects the treatment for that purpose.

Article 11 of the LOPDGDD establishes the minimum content of the basic information to be provided to the interested party: "2.
The basic information referred to in the previous section must contain, at least: (…) If the data obtained from the affected party were to be processed for profiling, the basic information will also include this circumstance".

Recital 60 of the RGPD also refers to the obligation to "inform the interested party about the existence of profiling and the consequences of said profiling".

On the principles relating to the processing of personal data, when this consists of profiling, the Guidelines of the Article 29 Working Group on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate the following:

"Transparency of treatment is a fundamental requirement of the GDPR. The profiling process is usually invisible to the person concerned. It works by creating derived or inferred data about people ("new" personal data that have not been directly provided by the interested parties themselves). People have different levels of understanding and it can be difficult for them to understand the complex techniques of profiling processes and automated decisions".

"Taking into account the basic principle of transparency that underpins the RGPD, data controllers must ensure that they clearly and simply explain to people how profiling or automated decisions work. In particular, when the treatment involves decision-making based on profiling (regardless of whether it falls within the scope of the provisions of Article 22), the fact that the treatment is for both a) profiling and b) adoption of a decision based on the profile generated must be made clear to the user.

Recital 60 establishes that providing information about profiling is part of the transparency obligations of the data controller according to article 5, paragraph 1, letter a).
The interested party has the right to be informed by the controller, in certain circumstances, about their right to object to "profiling", regardless of whether individual decisions have been made based solely on automated processing based on profiling".

"The controller must explicitly mention to the interested party details about the right to object according to article 21, paragraphs 1 and 2, and present them clearly and separately from any other information (Article 21, paragraph 4).

According to article 21, paragraph 1, the interested party can object to the treatment (including profiling) for reasons related to their particular situation. Controllers are specifically obliged to offer this right in all cases in which the treatment is based on article 6, paragraph 1, letters e) or f)".

The BBVA privacy policy that is the subject of these proceedings refers to profiling on numerous occasions when describing the purposes for which it will use the data, or includes indications that lead to the conclusion that it will perform profiling operations. This can be understood in relation to the making of offers of personalized products and services or of price offers tailored to the customer's profile; or when it informs about the communication to the BBVA Group companies of personal data related to the client's profile. Excluding those carried out for the execution of the contract between the client and the controller, the following are cited:

b) Get to know you better and personalize your experience.

. "At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is best adapted to your customer profile and your needs.
To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments, income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we managed to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider according to your profile (own or marketed by BBVA), as well as personalized offers with more adjusted prices for you…".

c) Offer products and services from BBVA, the BBVA Group and others, customized for the client:
"… We can send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client"; "We can send you information, according to your customer profile, about financial and non-financial products, services and offers of the BBVA Group companies and third parties…".

d) To communicate customer data to BBVA Group companies so that they can offer products and services customized for the customer.
"If you want the BBVA Group companies included at this address https://www.bbva.es/estaticos/muIt/Sociedades-grupo.pdf to be able to offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile (amount of income and expenses, balances and use of our channels). This information will be processed to try to improve the characteristics and prices of the offering of products and services. The BBVA Group companies will only process your data for that purpose".
Therefore, BBVA processes the personal data of its customers in order to profile them, and that profiling is subsequently used for the stated purposes. In all the cases in which it refers to the elaboration of profiles or the use of data that are the result of profiling activities, its action is based, in accordance with the information provided to the interested parties/clients, on their consent; except in what refers to the use of the data in order to better know the customer and improve their experience, which BBVA bases on legitimate interest.

For the reasons already expressed in relation to the lack of justification of legitimate interest, processing operations that include the preparation of profiles or that are based on these profiles and that have a legal basis in the legitimate interest of the person in charge.

Furthermore, in this case, in the opinion of this Agency, the information requirements described above. BBVA limits itself to reporting on actions that may be developed adapted to the "customer profile" or "personalized", but does not offer information on the type of profiles to be made, the specific uses to which these profiles will be put or the possibility that the interested party can exercise the right of opposition in application of article 21.2 RGPD, when profiling is related to direct marketing activities.

In the terms of the GT29, profiling is not "explained to people in a clear and simple way" nor are they warned about the adoption of decisions "on the basis of the generated profile", regardless of whether they fall within the scope of the provisions of article 22.

The concept of profiling is not treated in a systematic way in the privacy policy of BBVA.
In fact, the first layer only talks about "knowing you better and personalizing your experience", omitting the elaboration of profiles, despite the fact that for this purpose, as stated, it is necessary to do a previous profiling of each and every one of the clients. This is a breach of the provisions of article 11 of the LOPDGDD.

In the second layer or "extended information", when describing the purpose "To know you better and personalize your experience", the concept of profile is only mentioned twice, once qualified with the expression "customer profile" and again when it is indicated that the profile "will be adjusted correctly" with the application of statistical and classification methods, without describing what these methods will consist of and the consequences of their application, and presenting this type of action as if it were something alien to the activity of the controller, whose result is precisely that profiling.

In this case, in addition, the treatment operations based on customer profiling referred to in section a) above go beyond the improvement of the customer's experience, to the point that said profiling is used by BBVA to develop its business model, assess new functionalities and products and make personalized offers.

BBVA dedicates a section of its brief of allegations to the resolution proposal to this question regarding profiling, but without offering any explanation about the deficiencies noted, to which it does not refer. It simply tries to justify the use of personal data for the design of its business model and to point out that it informs the interested parties about the treatment carried out (analyze and assess the data), the data typology and the purpose.

On this same question, it reiterates that within the framework of purpose 2 "Know you better and personalize your experience" no offers or commercial communications are sent and that the Agency confuses both purposes.
However, there is no confusion in the foregoing in the sense expressed by BBVA. What stands out in the previous paragraphs are those parts of the text that refer to data processing involving profiling operations, about which information is not duly provided, as has been said.

Finally, it is interesting to point out that the Privacy Policy does not warn in any case whether those profiling operations correspond to the automated individual decisions regulated in article 22 of the RGPD, whether said profiles are to serve to make automated decisions with legal effects for the interested party or that will significantly affect them in a similar way, in which case the interested party would have the right to be informed by virtue of the provisions of article 13.2.f) of the RGPD, including in that information all the issues that that letter mentions (the logic applied, the importance and the expected consequences of such treatment for the interested party, also warning about the possibility of opposing the adoption of these automated individual decisions), and the right to have all the guarantees provided (in addition to the specific information to the interested party, the right to obtain human intervention, to express their point of view, to receive an explanation of the decision taken after such evaluation and to challenge the decision). Although the contrary is not said, that is, it is not said that any interested party will be the subject of an automated individual decision of this nature, it should be understood that such actions are not carried out.

No imputation is made regarding the automated individual decisions regulated in the aforementioned article 22 (nor regarding the treatment of special category data).
This comment is included as a mere warning, considering that the Privacy Policy informs about data processing that involves the use of profiles from which discriminatory effects could result for the interested parties (such as, for example, pre-granted credits, prices adjusted to the client's profile).

In accordance with the foregoing, the facts set forth imply a violation of the principle of transparency regulated in articles 13 and 14 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Agency for Data Protection.

VII

On the other hand, articles 6 and 7 of the same RGPD refer, respectively, to the "Legality of the treatment" and the "Conditions for consent":

Article 6 of the RGPD.

"1. The treatment will only be lawful if at least one of the following conditions is met:
a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
b) the treatment is necessary for the execution of a contract to which the interested party is a party or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment;
d) the treatment is necessary to protect vital interests of the interested party or of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the public authorities in the exercise of their functions.

2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to the treatment in compliance with section 1, letters c) and e), setting more precisely specific treatment requirements and other measures to ensure lawful and equitable treatment, including other specific treatment situations in accordance with Chapter IX.

3. The basis of the treatment indicated in section 1, letters c) and e), must be established by:
a) Union law, or
b) the law of the Member States that applies to the controller.
The purpose of the treatment must be determined in said legal basis or, in relation to the treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for treatment. Said legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the person in charge; the types of data being processed; the interested parties affected; the entities to which personal data may be communicated and the purposes of such communication; the limitation of the purpose; the data conservation periods, as well as the processing operations and procedures, including measures to ensure lawful and equitable processing, such as those relating to other specific treatment situations pursuant to Chapter IX. The law of the Union or of the Member States shall fulfill an objective of public interest and shall be proportional to the legitimate aim pursued.

4.
When the treatment for a purpose other than that for which the personal data was collected is not based on the consent of the interested party or on the law of the Union or of the Member States that constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives indicated in article 23, paragraph 1, the data controller, in order to determine if the treatment for another purpose is compatible with the purpose for which the personal data were initially collected, will take into account, among other things:
a) any relationship between the purposes for which the personal data was collected and the purposes of the planned further treatment;
b) the context in which the personal data was collected, in particular with regard to the relationship between the interested parties and the data controller;
c) the nature of the personal data, specifically when special categories of personal data are processed, in accordance with article 9, or personal data regarding criminal convictions and offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or pseudonymization”.

Article 7 of the RGPD.

"1. When the treatment is based on the consent of the interested party, the person in charge must be capable of demonstrating that he consented to the processing of his personal data.

2. If the consent of the interested party is given in the context of a written statement that also refers to other matters, the consent request will be presented in such a way that it is clearly distinguished from the other matters, in an intelligible and easily accessible way and using clear and simple language. Any part of the declaration that constitutes an infringement of this Regulation will not be binding.

3. The interested party will have the right to withdraw their consent at any time.
The withdrawal of consent will not affect the legality of the treatment based on the consent prior to its withdrawal. Before giving consent, the interested party will be informed of this. It will be as easy to withdraw consent as to give it.

4. When assessing whether consent has been freely given, the fullest possible account will be taken of whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the execution of said contract”.

The statement in recitals 32, 40 to 44 and 47 (already cited in Basis of Law VI) of the RGPD is taken into account in relation to the provisions of articles 6 and 7 previously reviewed. From what is expressed in these recitals, the following should be highlighted:

(32) Consent must be given by a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party to accept the processing of personal data that concerns them ... Therefore, silence, boxes already marked or inaction must not constitute consent. Consent must be given for all treatment activities carried out for the same purpose or purposes. When the treatment has several purposes, consent must be given for all of them ...

(42) When the treatment is carried out with the consent of the interested party, the person responsible for the treatment must be able to demonstrate that the interested party has given consent to the treatment operation. In particular, in the context of a written statement made on another matter, there must be guarantees that the interested party is aware of the fact that he gives his consent and of the extent to which he does so.
In accordance with Council Directive 93/13/EEC (LCEur 1993, 1071), a model declaration of consent previously prepared by the data controller must be provided, with an intelligible and easily accessible formulation that uses clear and simple language and that does not contain abusive clauses. For the consent to be informed, the interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data is intended. Consent must not be considered freely given when the interested party does not have a true or free choice or cannot deny or withdraw consent without suffering any harm.

(43) (…) It is presumed that consent has not been freely given when it does not allow the different personal data processing operations to be authorized separately despite this being appropriate in the specific case, or when the performance of a contract, including the provision of a service, is dependent on consent, even when it is not necessary for such compliance.

It is also necessary to take into account the provisions of article 6 of the LOPDGDD:

"Article 6. Treatment based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected party is understood as any manifestation of free, specific, informed and unequivocal will by which he accepts, either through a declaration or a clear affirmative action, the treatment of personal data concerning him.
2. When it is intended to base the processing of the data on the consent of the affected party for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is given for all of them.
3. The execution of the contract may not be subject to the affected party consenting to the treatment of the personal data for purposes that are not related to the maintenance, development or control of the contractual relationship”.
- Processing of personal data based on the consent of the interested parties

In accordance with the above, data processing requires the existence of a legal basis that legitimizes it, such as the consent of the interested party validly given, necessary when there is no other legal basis among those mentioned in article 6.1 of the RGPD or the treatment pursues a purpose compatible with that for which the data were collected.

Article 4 of the RGPD defines “consent” as follows:

"11) "consent of the interested party": any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns him”.

Consent is understood as a clear affirmative act that reflects a manifestation of free, specific, informed and unequivocal will of the interested party to accept the processing of personal data that concerns them, provided with sufficient guarantees so that the person in charge can prove that the interested party is aware of the fact that they consent and of the extent to which they do so. And it must be given for all the treatment activities carried out for the same purpose or purposes, so that, when the treatment has several purposes, consent must be given for all of them in a specific and unequivocal manner, without the execution of the contract being subject to the affected party consenting to the processing of their personal data for purposes that are not related to the maintenance, development or control of the business relationship. In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which the data are intended (informed consent).

Consent must be given freely.
It is understood that consent is not free when the interested party does not have a true or free choice or cannot deny or withdraw consent without suffering any harm; or when the interested party is not allowed to authorize separately the different personal data processing operations despite this being adequate in the specific case, or when the fulfillment of a contract or service provision is dependent on consent, even when it is not necessary for such compliance. This occurs when consent is included as a non-negotiable part of the general conditions or when the obligation to agree to the use of personal data additional to those strictly necessary is imposed.

Without these conditions, the provision of consent would not offer the interested party true control over their personal data and their destination, and this would make the treatment activity illegal.

The Article 29 Working Group analyzed these issues in its document "Guidelines on consent under Regulation 2016/679", adopted on 11/28/2017, reviewed and approved on 04/10/2018. These Guidelines have been updated by the European Data Protection Committee on 05/04/2020 through the document “Guidelines 05/2020 on consent according to Regulation 2016/679” (which keeps the parts that are transcribed below). In this document 5/2020 it is expressly stated that the opinions of the Article 29 Working Group (WP29) on consent remain relevant, provided they are consistent with the new legal framework, stating that these guidelines do not replace the previous opinions, but rather expand and complete them.

From what is indicated in the GT29 document cited above, it is now of interest to highlight some of the criteria related to the validity of consent, specifically on the elements "specific", "informed" and "unequivocal":

“3.2.
Specific manifestation of will

Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the treatment of their data must be given "for one or more specific purposes" and that an interested party can choose with respect to each of these purposes. The requirement that consent must be "specific" is intended to guarantee a level of control and transparency for the interested party. This requirement has not been amended by the GDPR and remains closely linked to the "informed" consent requirement. At the same time, it must be interpreted in line with the 'disassociation' requirement for obtaining "free" consent. In short, to fulfill the character of "specific" the person responsible for the treatment must apply:
i) the specification of the purpose as a guarantee against deviation of use,
ii) disassociation in consent requests, and
iii) a clear separation between the information related to obtaining consent for the data processing activities and information on other issues.

Ad. i): In accordance with article 5, section 1, letter b), of the GDPR, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the planned treatment activity. The need for specific consent in combination with the notion of limitation of purpose contained in article 5, paragraph 1, letter b), functions as a guarantee against the gradual extension or blurring of the purposes for which the treatment of the data is carried out once an interested party has given their authorization to the initial collection of the data. This phenomenon, also known as diversion of use, poses a risk to interested parties since it may lead to an unforeseen use of personal data by the person responsible for the treatment or third parties and the loss of control by the interested party.
If the controller relies on article 6, paragraph 1, letter a), the interested parties must always give their consent for a specific purpose for the processing of data. In line with the concept of purpose limitation, with article 5, paragraph 1, letter b), and with Recital 32, consent may cover different operations, provided that said operations have the same purpose. Needless to say, specific consent can only be obtained when the interested parties are expressly informed about the purposes envisaged for the use of the data that concern them.

Without prejudice to the provisions on compatibility of purposes, consent must be specific for each purpose. The interested parties will give their consent understanding that they have control over their data and that these will only be processed for said specific purposes. If a controller processes data based on consent and, in addition, wants to process said data for another purpose, it must obtain consent for that other purpose, unless there is another legal basis that better reflects the situation…

Ad. ii) The consent mechanisms should not only be separated in order to comply with the "free" consent requirement, but must also comply with the "specific" consent requirement. This means that a data controller seeking consent for several different purposes must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes.

Ad. iii) Finally, the data controllers must provide, with each separate request for consent, specific information on the data that will be processed for each purpose, in order for the interested parties to know the impact of the different options they have. In this way, data subjects are allowed to give specific consent. This question overlaps with the requirement that those responsible provide clear information, as stated above in section 3.3".

"3.3.
Informed expression of will…” (this section 3.3 was already outlined in the previous Basis of Law).

"3.4. Unequivocal manifestation of will

The RGPD clearly establishes that consent requires a declaration by the interested party or a clear affirmative action, meaning that consent must always be given through an action or statement. It must be evident that the interested party has consented to a specific data processing operation ...

A "clear affirmative action" means that the data subject must have acted deliberately to give consent to that particular treatment. Recital 32 offers additional guidance on this point ...

The use of already checked acceptance boxes is not valid under the GDPR. The silence or the inactivity of the interested party, or simply continuing with a service, cannot be considered as an active indication of having made a choice ...

A data controller must also take into account that consent cannot be obtained through the same action by which the user agrees to a contract or accepts the general terms and conditions of a service. Global acceptance of the general terms and conditions cannot be considered a clear affirmative action aimed at giving consent to the use of personal data. The RGPD does not allow those responsible for the treatment to offer previously marked boxes or opt-out mechanisms that require the intervention of the interested party to avoid the agreement (eg "opt-out boxes") ...”.

“Those responsible for the treatment must design the consent mechanisms so that they are clear to interested parties. They must avoid ambiguity and ensure that the action by means of which consent is given is distinguished from other actions…”.

This document cites Opinion 15/2011 of the WG29, on the definition of consent.
Regarding consent as a manifestation of unequivocal will, this last Opinion indicates:

"For consent to be unequivocally granted, the procedure for obtaining and granting it must not leave any doubt about the intention of the interested party when giving consent. In other words, the manifestation by which the interested party consents must not leave room for any misunderstanding about their intention. If there is a reasonable doubt about the intention of the person, an equivocal situation will arise. As described below, this requirement obliges data controllers to create rigorous procedures for people to give their consent…”.

“This example illustrates the case of the person who remains passive (eg, inaction or 'silence'). Unequivocal consent does not fit well with procedures for obtaining consent based on the inaction or silence of people: the silence or inaction of one party is inherently equivocal (the interested party's intention could be assent or simply not performing the action)”.

“… Individual behavior (or rather, lack of action) raises serious doubts about the person's will to agree. The fact that the person does not take a positive action does not allow the conclusion that they have given their consent. Therefore, it does not meet the unequivocal consent requirement. Furthermore, as illustrated below, it will also be very difficult for the person responsible for the data processing to provide proof that shows that the person has consented”.

In this case, BBVA contemplates in its privacy policy the use of the personal data of its customers for purposes other than mere compliance with the business relationship. Specifically, the aforementioned entity mentions the following purposes, excluding that relating to the management of the products and services contracted:

“2) To get to know you better and personalize your experience.
3) To offer you products and services from BBVA, the BBVA Group and others, customized for you.
We are not going to flood you with information.
4) To communicate your data to BBVA Group companies so that they can offer you their own products and services personalized for you.
5) To improve the quality of products and services”.

In relation to these purposes, BBVA refers to legitimate interest as the legitimizing basis for the use of the data for the purpose indicated in section 2) above and to consent in relation to the other purposes indicated.

The responsible entity did not design a specific mechanism to collect the consent of its clients in order to use personal data for purposes 3), 4) and 5), BBVA having considered that the acceptance without further ado of the privacy policy, by means of the client signing the repeated form, entails the provision of that consent. BBVA limits the options of the interested party to marking a box through which the interested party records opposition to the indicated data processing. The form for data collection and provision of consent reads as follows:

"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.

Products and prices more adjusted to you
[] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others customized for me.
[] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me.

Quality improvement
[] I DO NOT want BBVA to process my data to improve the quality of new and existing products and services.

We want to remind you that you can always easily change or delete the use that we make of your data.

We remind you that when you enter the key that is requested in the signing process, you will be giving your agreement to this Declaration of Economic Activity and Personal Data Protection Policy.
SIGNING OF THE DOCUMENT "DECLARATION OF ECONOMIC ACTIVITY AND POLICY OF PROTECTION OF PERSONAL DATA", including its Extended Information (model LOPD NORMAL PERSONAL DATA / DAE, version 13 09-23-2018)”.

Contrary to what is established in the RGPD, with this mechanism there is no option for the client to give consent to the treatments in question; rather, the consent is intended to be obtained through the inaction of the interested party (not marking the boxes indicating “I DO NOT want to…”). It is not an affirmative action, but a pure inaction that does not ensure that the interested party unequivocally grants consent (usually one marks something because one wants it, not because one does not want it; the interested party may not have understood the double negation; may not have paid due attention when quickly reading the indications in question).

It is, in short, a consent that is intended to be deduced from inaction and, therefore, contrary to the RGPD. The requirement according to which “consent must be given through a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party to accept the processing of personal data that concerns him”, understanding that “inaction should not constitute consent” (Recital 32).

With the designed mechanism, BBVA understands all the detailed treatments to be consented to with the signature of the Privacy Policy.
This acceptance of all the treatments by a single action, which results from the acceptance of the privacy policy (the repeated document says expressly: "We remind you that when you enter the password that is requested in the signing process, you will be agreeing to this Declaration of Economic Activity and Personal Data Protection Policy"), also renders invalid the consent given by the interested party regarding the use of the data for purposes other than the execution of the contract or business relationship maintained by the interested party and the responsible entity or, what is the same, with respect to all those treatments that require a differentiated and granular consent.

Consent must be given for all processing activities carried out for the same purpose or purposes and, when the treatment has several purposes, consent must be given for all of them, although through a manifestation of will expressed for each of the purposes separately or differently, allowing the interested party to opt for all, some or none of them.

As expressed in Recital 43, consent cannot be understood to have been freely given when it is not allowed to "authorize separately the different personal data processing operations despite being appropriate in the specific case". Recital 32 states that "consent must cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent must be given for all of them".

"When data processing is carried out for various purposes, the solution to comply with the conditions of valid consent lies in granularity, that is, the separation of these purposes and obtaining consent for each purpose" (Guidelines of the GT29).
Understanding that the signature of the form enabled by BBVA for personal data collection and for the provision of consent implies acceptance of all of them does not meet this requirement to authorize the various options separately. Accepting the signing of the document as the only action as valid would be the same as accepting the provision of a global consent for all processing operations without considering whether their purposes are diverse or not, which is contrary to all the bases expressed about this issue.

In addition, as noted, the formula used is not articulated as an authorization or consent, but in the opposite direction. With this formula, which only allows the interested party to “not authorize”, BBVA understands that consent has been given when the option offered is not checked. In these cases, that is, when the interested party does not mark the options "I do not want ...", it will not be possible to conclude with absolute certainty whether the interested party acted deliberately in leaving those boxes unchecked. For the same reason, the person responsible will never be in a position to demonstrate that it acted with the consent of the owners of the personal information.

This formula responds to what the Article 29 Working Group calls “opt-out mechanisms”: <<The RGPD does not allow those responsible for the treatment to offer previously checked boxes or opt-out mechanisms that require the intervention of the interested party to avoid the agreement (for example, “voluntary exclusion check boxes”)>>.

(…)

Furthermore, the consent given is not considered informed. The importance of providing information to data subjects before obtaining their consent has already been mentioned here; it is essential so that they can make decisions having understood what they are authorizing. If the person in charge does not provide clear and accessible information, the user's control will be illusory and consent will not constitute a valid basis for the processing of the data.
What is stated in Law Foundation VI, on the objections observed in the information that BBVA provides regarding the protection of personal data, equally affects the consent that could have been given, making it invalid as it is not an informed consent, in relation to data collection operations or data processing with respect to which defects in the information have been found, including the processing of data that has not been provided directly by the interested party or that is not necessary for the fulfillment of the contractual relationship that binds them to the entity.

It is not necessary to reiterate here the circumstances already expressed in relation to the language used in the privacy policy or the lack of a clear and intelligible formulation of the purposes and processing operations. All these deficiencies prevent those interested from knowing the real sense and meaning of the indications provided and the real scope of the consents that they could give.

Therefore, all the detailed treatments whose legal basis is determined, as expressed by the BBVA entity itself, by the consent of the interested parties, which include the following processing of personal data, with the detail that in each case is included in the information provided by BBVA, already detailed:

. The use of personal data of clients to offer them products and services of BBVA, the BBVA Group and third parties.
. The communication of personal data to BBVA Group companies.
. The use of personal data to improve the quality of products and services.

BBVA, in its brief of allegations, has made a considerable effort to justify the mechanism designed, that is, to justify that the signature of the privacy policy document is an affirmative action.
However, no argument provided by the entity is valid to avoid the need to give consent separately through an affirmative action (the consent that BBVA understands to be given from a box that the interested party leaves unchecked). This conclusion is so clear-cut that what has been set out above to substantiate it is considered sufficient to reject said allegations.

Contrary to what is indicated in the brief of allegations prepared by BBVA, the interested party is not offered the possibility of opting and choosing their preferences, but the possibility of rejecting or opposing; it is not true that control over the data by the client is guaranteed; nor is it true that BBVA has opted for a clear affirmative action, referring to the signing of the "Declaration".

Regarding the formulas for obtaining consent, BBVA warns that Recital 32 admits many different ones. This is true, but the same Recital 32 requires for all these formulas that consent be given by an affirmative act that reflects a free, specific, informed and unequivocal manifestation of the will of the interested party to accept the processing of personal data that concerns him. The scope of these demands has already been explained previously.

BBVA cites examples of consents that it says are valid, although none of them can be considered similar to the mechanism designed by this entity in the repeated data collection form.

One of the examples it cites is the case numbered "example 17" in the WG29 Guidelines on consent.
BBVA understands that it can be assimilated to what is the object of this file, as it admits a scenario that contains the options for marking a "yes" and a "no":
"A data controller can also obtain explicit consent from a person who visits its website by offering an explicit consent screen that contains Yes and No boxes, provided that the text clearly indicates consent, for example, 'I give my consent to the treatment of my data' and not, for example, 'I am clear that my data will be processed'. Needless to say, the conditions of informed consent must be met, as well as the rest of the conditions necessary to obtain valid consent".
In the opinion of this Agency, this example is not comparable to the present case. In that example, the marking of the box is given validity, giving or denying consent, while in the mechanism of BBVA's Privacy Policy the consent is taken for granted without any action being taken. It would be different if, in the example shown, consent were understood to be given when neither of the two available boxes is checked, in which case that presumed "manifestation of will" would not be acceptable.
Likewise, in its brief of allegations to the proposed resolution, BBVA insists on the same reasoning already contained in its brief of allegations at the opening and indicates that the Agency has not argued anything in this regard.
This Agency, however, believes otherwise. The standards outlined and arguments presented in this Legal Basis are considered sufficient to answer and disprove the allegations presented by BBVA, and it is these allegations that have not taken into consideration what is established in the norms and the arguments of the Agency.
(…)
It adds that it is lawful and legitimate to process a large amount of personal data and that this fact cannot be penalized. And this is so, provided that the principles and guarantees provided for and any applicable regulations are respected.
- Other processing of personal data without legal basis
On the other hand, this Agency considers that there are other data processing operations stated in the privacy policy that are carried out without any basis of legitimacy:
. Purpose 4 refers to the communication of customer data to BBVA Group companies so that they can offer the customer personalized products and services. However, the privacy policy adds that the information communicated "will be treated to try to improve the characteristics and prices of the offer of products and services". The use of data by the BBVA Group companies for this purpose is not covered by the consent given by the client in relation to this purpose.
. Nor is there a legal basis that legitimizes the use of personal data "related to all the products and services… of which BBVA is a marketer" for the purposes that are indicated in the privacy policy. BBVA is not the entity responsible for this data obtained from third-party products marketed by it, which limits the possibility of using the information in question for its own purposes, as stated above.
The allegations to the proposed resolution made by the BBVA entity contain no comments on these questions.
- Processing of personal data based on the legitimate interest of the person responsible or third party
It is considered, on the other hand, that there is not sufficient legal basis for the treatment of personal data that BBVA bases on its legitimate interest, carried out for the purpose of getting to know the customer better and improving their experience, including profiling, according to the terms used in the form under analysis. In this regard, the legitimate interest in the treatment of customer data in order to develop the business model of the entity, assess new features or send congratulations to customers.
It should also be noted that the description of the data processing that BBVA plans to perform on the basis of legitimate interest includes the making of personalized offers or the development and improvement of the quality of products and services; these processing operations are similar to those outlined under other purposes based on consent (offer personalized products and services and improve the quality of products and services), with the result that the description of the purposes and the enumeration of processing of data contained in the information offered cause confusion to interested parties. Thus, data processing based on legitimate interest that is similar to other processing carried out on the basis of the client's consent, which, furthermore, is not given in a valid way, cannot be admitted.
The information included in the "Declaration of economic activity and personal data protection policy" on these treatments of data based on the legitimate interest of BBVA:
What do we use your personal data for?
2. Get to know you better and personalize your experience
At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs. To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations -payments, income, transfers, debts, receipts- as well as the uses of BBVA products, services and channels. Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we manage to develop our business models.
Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider suited to your profile (own or marketed by BBVA), as well as personalized offers with prices more adjusted to you. As we will know you better, we can congratulate you on your anniversary, wish you a good day or happy holidays.
If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or at any of our offices.
This section is only applicable to BBVA customers.
Why do we use your personal data?
2. Get to know you better and personalize your experience: for the legitimate interest of BBVA.
For the legitimate interest of BBVA, so that BBVA can better meet your expectations and we can increase your level of customer satisfaction by developing and improving the quality of own or third-party products and services, as well as carry out statistics, surveys or market studies that may be of interest.
Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays.
These legitimate interests respect your right to the protection of personal data, to honor and to personal and family privacy. At BBVA we consider that, as a customer, you have a reasonable expectation that your data will be used so that we can improve products and services and you can enjoy a better customer experience. In addition, we consider that you also have a reasonable expectation of receiving congratulations on your anniversary, or wishes for a good day or happy holidays.
But remember that in both cases based on legitimate interest, you can always exercise your right to object if you consider it appropriate at the following address: derechosprotecciondatos@bbva.com or at any of our offices.
With this information, it is difficult for the interested party to have a clear idea about the data processing that will be carried out.
(…)
The information inferred by BBVA based on legitimate interest, including the profiles prepared, is also used, based on the consent of the interested party, to offer personalized products and services of BBVA, the BBVA Group and third parties; and with the same legal basis it is communicated to the BBVA Group companies so that they can also offer personalized products and services and "try to improve the characteristics and prices of the offer of products and services".
The analysis of the question raised must initially take into account the provisions of Article 1.2 of the RGPD, according to which "This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to protection of personal data". For this, all the circumstances that surround the collection and processing of data must be considered, as well as the way in which the principles, rights and obligations required by the personal data protection regulations are fulfilled or reinforced.
Article 6 of the RGPD requires that the processing of personal data, to be lawful, can be protected by any of the bases of legitimacy that it establishes and that the controller is able to demonstrate that the legal basis it invokes did indeed apply to the processing operation (article 5.2, principle of proactive responsibility).
The legal bases of the treatment that are detailed in article 6.1 RGPD are related to the broader principle of legality of article 5.1.a) of the RGPD, a precept which provides that personal data will be treated "lawfully, loyally and transparently in relation to the interested party".
In relation to the legal basis of the legitimate interest, invoked by BBVA for the treatments described in the previous sections, the aforementioned article 6 establishes:
"1. The treatment will only be lawful if at least one of the following conditions is met:
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that said interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, particularly when the interested party is a child ...".
Recital 47 of the RGPD specifies the content and scope of this legitimizing basis for the treatment.
The interpretive criteria that are extracted from this Recital are, among others, (i) that the legitimate interest of the controller prevails over the interests or fundamental rights and freedoms of the data owner, in view of the reasonable expectations that the latter has, based on the relationship it maintains with the person responsible for the treatment; (ii) it will be essential that a "meticulous evaluation" of the rights and interests at stake be carried out, also in those cases in which the interested party can reasonably foresee, at the time and in the context of the data collection, that treatment for such a purpose may take place; (iii) the interests and fundamental rights of the owner of the personal data could prevail over the legitimate interests of the controller when the data processing is carried out in circumstances in which the interested party "does not reasonably expect" that further processing of their personal data will be carried out.
It should be added that the interested party, in all cases, can exercise the right of opposition, which also involves a new evaluation of the interests of the controller and the owner of the data, except in cases of commercial prospecting, in which the exercise of the right forces the treatments to be interrupted without any evaluation (article 21.3 of the RGPD).
It is interesting to highlight some aspects collected in Opinion 6/2014 prepared by the Article 29 Working Group on the "Concept of legitimate interest of the person responsible for the processing of data under article 7 of Directive 95/46/CE", dated 04/09/2014, especially the factors that can be assessed when carrying out the mandatory weighing of the rights and interests at stake.
Although Opinion 6/2014 was issued to favor a uniform interpretation of Directive 95/46, then in force and since repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and given that the reflections offered are an example and application of principles that also inspire the RGPD, such as the principle of proportionality, or general principles of Community law, such as the principles of equity and respect for the law, many of its reflections can be extrapolated to the application of current regulations.
As indicated, for section f) of article 6.1 RGPD to constitute the legitimizing basis for the processing of personal data that is carried out, a weighting, a "meticulous evaluation", of the rights and interests at stake is mandatory, and prior to the treatment: the legitimate interest of the person responsible for the treatment, on the one hand, and on the other, both the interests and the fundamental rights and freedoms of those affected. This weighting is essential, because only when, as a result of it, the legitimate interest of the data controller prevails over the rights or interests of the owners of the data may the aforementioned interest operate as the legal basis of the treatment.
Regarding the weighting test, the repeated Opinion indicates the following:
"The legitimate interest of the controller, when it is minor and not very pressing, in general, only nullifies the interests and rights of data subjects in cases where the impact on these rights and interests is even more trivial. On the other hand, an important and compelling legitimate interest may, in some cases and subject to guarantees and measures, justify even a significant intrusion into privacy or any other significant impact on the interests or rights of the interested parties.
Here it is important to highlight the special role that guarantees can play in reducing an undue impact on data subjects and therefore in changing the balance of rights and interests to the extent that the legitimate interest of the data controller prevails. Of course, the use of guarantees alone is not sufficient to justify any type of treatment in any context. Furthermore, the guarantees in question must be adequate and sufficient, and must, without question and significantly, reduce the repercussion for the interested parties".
The aforementioned Opinion refers to the multiple factors that can operate in the weighting of the interests at stake and groups them into these categories:
(a) the evaluation of the legitimate interest of the controller, the nature and source of the legitimate interest and whether the data processing is necessary for the exercise of a fundamental right, is otherwise in the public interest or benefits from recognition of the affected community;
(b) the impact or repercussions on data subjects and their reasonable expectations about what will happen to their data ("what a person considers reasonably acceptable under the circumstances"), as well as the nature of the data and the way in which they are processed; underlining that the claim is not that the data processing carried out by the controller should have no negative impact on the interested parties, but to prevent the impact from being "disproportionate";
(c) the provisional equilibrium; and
(d) additional guarantees that could limit an undue impact on the interested party, such as data minimization, privacy protection technologies, increased transparency, the general and unconditional right to opt out and data portability.
First of all, the Opinion underlines that the implication that the person responsible for the treatment may have in the data processing carried out is that of "interest", which is already referenced in the previous Legal Basis to indicate that it is related to purpose, but is a broader concept ("purpose is the specific reason why the data is processed: the purpose or intention of the data processing. An interest, on the other hand, refers to the greater involvement that the controller may have in the treatment, or the benefit that the controller obtains from the treatment"). It is also broader than that of fundamental rights and freedoms; hence, regarding those affected, not only their fundamental rights and freedoms are weighed, but also their "interests".
According to the WG29, "an interest must be articulated with sufficient clarity to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be pursued by the controller. This requires a real and current interest, which corresponds to present activities or benefits that are expected in the very near future. In other words, interests that are too vague or speculative will not be enough".
In addition, the "interest" of the data controller, as established in article 6.1.f) of the RGPD and previously in article 7.f) of the Directive, must be "legitimate", which means, says the Opinion, that it must be "lawful" (respectful of applicable national and EU legislation).
However, the WG29 adds that "The legitimacy of the interest of the data controller is only a starting point, one of the elements that must be analyzed under article 7, letter f).
Whether Article 7, letter f) can be used as a legal basis or not will depend on the result of the following balancing test"; "If the interest pursued by the controller is not compelling, it is more likely that the interest and rights of the interested party prevail over the legitimate, but less important, interest of the responsible for the treatment. Similarly, this does not mean that a less compelling interest of the data controller cannot sometimes prevail over the interests and rights of the data subjects: this normally happens when the impact of the treatment on the interested parties is also less important".
And it sets out the following example:
"By way of example: those responsible for the treatment may have a legitimate interest in knowing the preferences of their customers so that this allows them to better personalize their offers and, ultimately, offer products and services that better respond to the needs and desires of their customers. In light of this, Article 7 (f) may constitute an appropriate legal basis in some types of market activities, online and offline, provided that adequate guarantees exist (including, but not limited to, a viable mechanism that allows the treatment to be opposed by virtue of article 14, letter b), as will be explained in section III.3.6 The right to object and beyond).
However, this does not mean that data controllers can refer to article 7, letter f), as a legal basis for improperly monitoring the online and offline activities of their customers, combining huge amounts of data about them, from different sources, which were initially collected in other contexts and for different purposes, and creating (and, for example, with the intermediation of data brokers, also trading in) complex profiles of the personalities and preferences of customers without their knowledge, without a viable mechanism of opposition, not to mention the absence of informed consent.
It is likely that said profiling activity represents a significant intrusion on customer privacy and, when this happens, the interests and rights of the interested party will prevail over the interest of the responsible for the treatment".
Ultimately, the concurrence of said interest in the data controller does not necessarily mean that article 6.1 f) RGPD can be used as a legal basis for the treatment. Whether or not it can be used as a legal basis will depend on the result of the balancing test.
In addition, the treatment must be that necessary to satisfy the legitimate interest pursued by the person in charge, so that less invasive means are always preferred to serve the same purpose. Need here means that the treatment is essential for the satisfaction of the aforementioned interest, so that, if said objective can reasonably be achieved in another less impactful or intrusive way, the legitimate interest cannot be invoked.
The term "need" used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, its own and independent meaning in Community legislation. It is an "autonomous concept of Community law" (CJEU of 12/16/2008, case C-524/2006, section 52). On the other hand, the European Court of Human Rights (ECHR) has also offered guidelines for interpreting the concept of need. In section 97 of its Judgment of 03/25/1983 it affirms that the adjective "necessary" is not synonymous with "indispensable" nor does it have the flexibility of the expressions "admissible", "ordinary", "useful", "reasonable" or "desirable".
On the impact or repercussion that the data processing has on the interests or fundamental rights and freedoms of the interested parties, it indicates that the more "negative" or "uncertain" the impact of the treatment may be, the more unlikely it is that the treatment as a whole may be considered legitimate.
"The Working Group makes it clear that it is crucial to understand that relevant 'impact' is a concept much broader than damage or harm to one or more interested parties in particular. The term 'impact' as used in this Opinion covers any possible consequences (potential or actual) of data processing. For the sake of clarity, we also emphasize that the concept is not related to the notion of violation of personal data and is much broader than the repercussions that may arise from said violation. On the contrary, the notion of impact, as used here, encompasses the various ways in which an individual may be affected, positively or negatively, due to the processing of their personal data".
"In general, the more negative and uncertain the impact of treatment may be, the more unlikely it is that the treatment is considered, as a whole, legitimate. The availability of alternative methods to achieve the objectives pursued by the data controller, with less negative impact on the data subject, should certainly be a relevant consideration in this context".
As sources of potential repercussions for the interested parties it cites the probability that the risk may materialize and the seriousness of the consequences, noting that this concept of "severity may take into account the number of individuals potentially affected".
The assessment of the nature of the personal data that has been the object of treatment; whether the data has been made available to the public by the interested party or by a third party, a fact, says the Opinion, that can be an evaluation factor, especially if the publication was made with a reasonable expectation of data reuse for certain purposes: "… does not mean that data that appears in and of itself innocuous can be processed freely ... even such data, depending on how it is processed, can have a significant impact on people".
The way in which the person in charge treats the data; whether they have been disclosed to the public or have been made available to large numbers of people, or whether large amounts of data are processed or combined with other data ("for example, in the case of profiling, for commercial purposes, for purposes of compliance with the law or others"). On this question it is said:
"Apparently innocuous data, when treated on a large scale and combined with other data, can lead to inferences about more sensitive data, as demonstrated in Scenario 3 above, which gives as an example the relationship between pizza consumption patterns and insurance premiums for healthcare.
In addition to potentially leading to the processing of more sensitive data, such analysis may also lead to strange, unexpected and sometimes inaccurate predictions, for example, concerning the behavior or personality of the affected persons. Depending on the nature and impact of these predictions, this can be highly intrusive in the privacy of the person".
All this, without forgetting the reasonable expectations of the interested parties:
"… It is important to consider whether the position of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of data collection) could give rise to reasonable expectations of a stricter confidentiality and stricter limitations on further use. Usually, the more specific and restrictive the context of data collection, the more limitations there are likely to be on its use. In this case, again, it is necessary to take into account the factual context and not simply be based on the fine print of the text".
The Opinion also considers it pertinent, when evaluating the impact of the treatment, to analyze the position of the data controller and the interested party; the controller's position may be more or less dominant with respect to the interested party depending on whether the person responsible for the treatment is a person, a small organization or a large company, even a multinational company: "A multinational company may, for example, have more resources and bargaining power than the individual data subject and may therefore be in a better position to impose on the data subject what it thinks is its 'legitimate interest'. This may be all the more so if the company has a dominant position in the market".
When it comes to weighing the interests and rights at stake, the WG29 understands that compliance with the general obligations imposed by the regulations, including the principles of proportionality and transparency, helps to ensure that the requirements of legitimate interest are met. It clarifies, however, that this does not mean that the fulfillment of those horizontal requirements, by itself, is always sufficient.
If, finally, after the evaluation, it is not clear how to achieve equilibrium, the adoption of additional guarantees can help reduce undue impact and ensure that the treatment may be based on legitimate interest. As additional measures it includes, for example, the facilitation of voluntary and unconditional exclusion mechanisms, or increased transparency:
"The concept of responsibility is closely linked to the concept of transparency.
With the purpose of allowing data subjects to exercise their rights and allowing for wider public scrutiny by the interested parties, the Working Group recommends that those responsible for the treatment explain to the interested parties, clearly and easily, the reasons why they believe their interests prevail over the interests or fundamental rights and freedoms of the interested parties, and also explain the guarantees they have adopted to protect their personal data, including, where appropriate, the right to opt out of treatment".
"As explained on page 46 of Opinion 3/2013 of the Working Group on the limitation of the purpose (cited in footnote 9 above), in the case of profiling and automated decision-making, interested parties or consumers must be given access to their profiles to guarantee transparency, as well as to the logic of the decision-making process (algorithm) that gave rise to the development of said profiles. In other words: organizations should disclose their criteria for decision making. This is a fundamental guarantee and is especially important in the world of big data. Whether or not an organization offers this transparency is a very pertinent factor that should also be considered in the balancing test".
When referring to the right to object and the opt-out mechanism or right of unconditional opposition, the WG29 reflects on advertising based on profiles of the client, which requires a follow-up of the activities and personal data of the interested parties, which are analyzed with sophisticated automated methods.
It concludes the following:
"In this sense, it is useful to recall the Opinion of the Working Group on the limitation of the purpose, where it was specifically stated that when an organization wishes to analyze or predict specifically the personal preferences, behavior and attitudes of individual customers that will subsequently motivate the 'decisions or measures' adopted in relation to such clients ... free, specific, informed and unequivocal consent of 'voluntary inclusion' should almost always be required, since otherwise the reuse of the data cannot be considered compatible. Most importantly, such consent must be required, for example, for tracking and profiling for purposes of prospecting, behavioral advertising, data marketing, location-based advertising, or digital market research based on monitoring".
In this case, the existence of a prevailing legitimate interest of the controller legitimizing the data processing that BBVA intends to base on this legal basis.
It is worth highlighting, in the first place, the defects expressed in the previous Law Foundation in relation to compliance with the principle of transparency, because of the limitations and difficulties, if not the impediment, that they pose for carrying out a true assessment of the concurrence of a prevailing legitimate interest, real and not speculative. What has already been indicated is reiterated here about the language used; the indefiniteness of the purposes for which the personal data will be used ("to better understand the customer" and "to improve products and services" or "develop the business model", etc.)
and the exhaustive analysis of the information related to clients that such purposes entail; or about the types of profiles that will be made and the specific uses and applications that will be given to these profiles; and, especially, the lack of information on the specific interest of the person in charge, which is not expressed with the clarity and precision required by regulations.
Considering that it is not even possible to clearly know the purposes of the treatment, they can hardly be associated with legitimate interests of BBVA that may, in addition, prevail over the rights of the interested parties, who are not informed clearly about the points required by data protection regulations.
The legitimate interest expressed, which is described in the same terms as the purposes, is vague and speculative (the details on the description of the legitimate interest are outlined in the previous Law Foundation, (…)). As a consequence, the treatments carried out are not predictable for an average citizen.
This being the case, it is impossible for the interested party, or this supervisory authority, to be able to assess whether the processing operations carried out are necessary, or if, on the contrary, the same result could be obtained by less invasive means; nor, even less, can it be concluded that the interest invoked is prevalent.
Rather, it seems that the "interests" expressed by BBVA, whether in the Privacy Policy or (…), respond to economic interests of the entity, which are not expressed. Obtaining an economic benefit through the business activity that BBVA develops is still a legitimate interest, but in no case may it prevail over the fundamental right to data protection of affected persons. The Supreme Court Judgment (STS) of 06/20/2020 has recently ruled on this matter with total clarity (R. cassation 1074/2019).
In the sixth Legal Foundation it says, regarding one of the questions of appeal interest raised in the writ of admission of the appeal, "Commercial interests of a company responsible for a data file must yield to the legitimate interest of the owner of the data to the protection of the same". These economic interests cannot be rated as pressing.
It is not said, as BBVA seems to indicate in its allegations to the proposal, that the pursued interest responds to economic interests and that, based on this, the processing of personal data based on legitimate interest. What stands out here is that if that is the legitimate interest, considered in itself and without taking into account the rest of the factors that may operate in the weighting of the interests at stake, it is not considered sufficient to accept the existence of a legitimate interest that protects the treatment of data in accordance with the provisions of article 6.1 f) of the RGPD.
Now, even admitting BBVA's thesis, which qualifies as the legal interest of the responsible or third parties what we believe is nothing but the purpose of the treatment, that purported interest could in no case be qualified as necessary. (…) Without prejudice to the fact that the treatment of the claimants' data is "useful", "desirable" or "reasonable", as stated by the ECHR in its Judgment of 3/25/1983, the term "necessary" does not have the flexibility that is implicit in those expressions.
As can be seen, what has been said above is in accordance with the doctrine of the Constitutional Court on the proportionality judgment that must be carried out on a measure restrictive of a fundamental right, to which BBVA refers in its allegations to the motion for a resolution.
According to this doctrine, three requirements must be verified: suitability (whether the measure makes it possible to achieve the proposed objective); necessity (that no other more moderate measure exists); and proportionality in the strict sense (more benefits or advantages than harms). On these issues, it is not understood what BBVA indicated in those allegations when it states that it has adopted the necessary measures to minimize the information treated, and clarifies that the identifying data of the client is excluded. It has been said before that the client-related information used is all the information related to the client, including the identifying data. (…) In addition to the above, the following circumstances are taken into account:
. The manner in which the data used on the basis of legitimate interest is collected and the scale of the data collection, which is excessive; as well as the use of personal data collected from third parties without the knowledge of the interested party (external asset and credit solvency files) or from third-party products marketed by BBVA.
. The techniques used (data processing in order to obtain algorithms) and the lack of transparency on the logic of the treatment consisting of profiling, which can lead to price discrimination and a potential financial impact that may be excessive.
. The high number of people affected, as well as the large amount of data that is processed and combined with other data. The unlimited combination of personal data from all products and services contracted by the client, including third-party products marketed by BBVA and others obtained from external sources, and the lack of means that allow the user real control of their data are enough to consider that the interest of BBVA cannot prevail over the rights of those affected.
Said combination of data, due to its massive nature and due to the lack of definition of the data that will be used and of the purposes, neither respects the aforementioned proportionality nor allows the necessary weighing judgment to assess the concurrence of a legitimate interest that justifies the processing of the data. It is significant that (…); and that the information obtained in accordance with the regulations for the prevention of money laundering and terrorist financing (...)
. The dominant position of the person in charge over the interested party, due to its status as a large company and one of the market leaders in its sector.
BBVA makes no comment on the above circumstances in its written allegations to the proposal, despite their importance, except in relation to the retention period. BBVA understands that the AEPD erroneously interprets what has been stated about the period of retention of the data to carry out the treatment. (…). It clarifies that data collected in compliance with the legislation on the prevention of money laundering is kept for the period established in this legislation, for the purposes provided in it, but not for the disputed treatment. As can be seen, this Agency does not misinterpret the question regarding the age of the data subjected to treatment based on legitimate interest and does not question the retention of the corresponding data in compliance with the money laundering legislation. (…) And the use of data collected in accordance with said regulations for the treatment operations at issue here is significantly questioned. Special importance must also be given to the absence of additional measures or guarantees, among them increased transparency and the enabling of opt-out mechanisms.
Regarding transparency, BBVA refers to the information provided in the “Declaration of Economic Activity and Data Protection Policy”, without making available to the interested parties the report on the weighting of legitimate interest or the impact assessments; and it mentions as a guarantee the exercise of the right of opposition, which is nothing more than a regulatory requirement. This right requires a new weighting, in accordance with the provisions of Article 21 of the RGPD (“the data controller will stop processing personal data, unless it proves compelling legitimate reasons for the treatment that prevail over the interests, rights and freedoms of the interested party”) and has nothing to do with the recommended opt-out or unconditional opt-out mechanisms. (…) Finally, it should be noted that BBVA repeatedly, throughout its brief of allegations, states that the processing of personal data carried out with this legal basis benefits the client. It considers that achieving excellence in service through adequate knowledge of its customers, which allows it to anticipate their needs and improve BBVA's portfolio of products and services so that they meet their preferences, as well as enabling the use of the optimal channels for each client, is done not only for the benefit of the Bank but, in particular, of its clients. This entity affirms that the treatment is necessary for the fulfillment of that legitimate interest of BBVA and the client. The legitimate interest of the client is considered, in the terms of article 6.1 f) of the RGPD, as the legitimate interest of third parties. In this case, there is no such approach, according to which personal data processing operations are carried out on the basis of the legitimate interest of the client.
Accepting it would be tantamount to admitting a legitimate interest that has arisen, or later, in respect of which the requirements set forth in the personal data protection regulations have not been respected and about which no information is given in the Privacy Policy. In summary, for the reasons expressed, it is not proven that the alleged legitimate interest for the treatment of data that BBVA claims prevails over the interests and fundamental rights and freedoms of clients. Furthermore, the guarantees offered are not enough to overcome the imbalance that occurs with these personal data treatment operations. Consequently, it must be concluded that the legitimate interest of BBVA does not prevail as a legitimate basis for the treatment. The conclusion obtained from this examination does not contradict what was expressed in the Report of the Legal Office of the AEPD 195/2017, to which BBVA repeatedly refers, both (...) and in its brief of allegations. According to BBVA, this Report 195/2017 concludes that the legitimate interest of financial entities prevails for the analysis of transactional movements and/or customer savings capacity, in order to make observations and offer recommendations on products and services, as well as for more detailed profiling that makes it possible to specify precisely the products to be offered. However, the premises assessed in said report do not match the present case, in which the processing of personal data has a much broader scope than those analyzed in said report, both with regard to the purposes of the treatment and to the information or personal data used. Moreover, it should be noted that that report simply analyzes the performance of treatments for marketing purposes, provided that the offer refers to products similar to those contracted by the interested party and that only the information available as a consequence of the management of the products is used.
On the other hand, the aforementioned Legal Cabinet Report also responds to the queries raised regarding the anonymization of transactional data to develop new products, to analyze patterns of use of services to develop new ones. These uses coincide with the data processing that BBVA carries out based on legitimate interest, but with non-anonymous information. Regarding the anonymization of data mentioned, it is concluded that two treatments must be distinguished. Namely, the one that gives rise to anonymous information (the anonymization itself), subject to data protection regulations, and the treatment that is carried out with the data already anonymized, excluded from said regulations. The report states that when the anonymization is complete, so that it is impossible to link the information directly or indirectly with a specific affected person, and all the more so if the resulting data are aggregated, the treatment may be covered by legitimate interest. Based on everything stated in this report, BBVA alleges that the data processing carried out for purposes 3 and 5 of the “Declaration of Economic Activity and Data Protection Policy” (3. Offer personalized products and services of BBVA, the BBVA Group and others; 5. Improve the quality of products and services) could have been based on the concurrence of legitimate interest, so that by obtaining the consent of the interested parties it has adopted reinforced measures of active responsibility. This Agency does not share the idea that consent constitutes a reinforced legal basis. As stated here, consent is subject to specific requirements in its provision, so that its provision by itself does not guarantee the legality of the treatments. The same can be said about the performance of those treatments based on legitimate interest.
As has been seen here, an exhaustive analysis of all the concurrent circumstances in relation to the intended treatments would be necessary to assess the appropriateness of this legal basis. In any case, it was the BBVA entity itself that decided, in the design of its treatment operations, to base on consent those described in purposes 3 and 5. Consequently, in accordance with the above findings, the aforementioned facts represent a violation of article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, which gives rise to the application of the corrective powers that article 58 of the RGPD grants to the Spanish Data Protection Agency.

VIII

In the event of an infringement of the RGPD precepts, among the corrective powers available to the Spanish Data Protection Agency, as supervisory authority, article 58.2 of said Regulation contemplates the following: “2 Each supervisory authority shall have all the following corrective powers indicated below: (…) b) sanction any controller or processor with a warning when the treatment operations have infringed the provisions of this Regulation; (...) d) order the controller or processor to bring the treatment operations into conformity with the provisions of this Regulation, where appropriate, in a certain way and within a specified term; (…) i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;”. According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.
IX

In the present case, the breach of the principle of transparency established in articles 12, 13 and 14 of the RGPD, as well as of the principle of legality of the treatment regulated in article 6 of the same Regulation, with the scope expressed in the previous Legal Foundations, implies the commission of the respective infractions typified in article 83.5 of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides the following: “Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume for the previous financial year, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for consent in accordance with Articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22; (…)”. In this regard, the LOPDGDD, in its article 71, establishes that “The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute offenses”. For the purposes of the limitation period, articles 72 and 74 of the LOPDGDD indicate: “Article 72. Violations considered very serious. 1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following: (…) b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679”. “Article 74. Infractions considered minor. The remaining infringements of a merely formal nature of the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will prescribe after one year and, in particular, the following: a) Failure to comply with the principle of transparency of information or the right to information of the affected party by not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679”. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that state: “1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in article 58, paragraph 2, letters a) to h) and j).
When deciding the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the offense, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the violation;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the controller or processor in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement”.
For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD provides: “1.
The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender's activity with the processing of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the commission of the offense.
e) The existence of a merger by absorption process subsequent to the commission of the offense, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party”.
In this case, considering the seriousness of the violations found, the imposition of a fine is appropriate, in addition to the adoption of measures. The request made by BBVA to impose other corrective powers that would have allowed the correction of the irregular situation, such as the warning, cannot be accepted; the warning is provided for natural persons and when the sanction constitutes a disproportionate burden (recital 148 of the RGPD). BBVA states that it does not understand why in the past the Agency resorted to sectoral plans while in this case sanctioning proceedings are initiated.
This entity does not consider that these plans are carried out ex officio with the purpose of examining a sector in general and reaching recommendations that help entities adjust their processes in terms of protection of personal data. Likewise, in its brief of allegations to the resolution proposal, BBVA has requested that the principles of culpability and proportionality be applied in determining the sanction that may be imposed. It alleges the absence of culpability in its actions, considering that it has acted at all times with total diligence. It emphasizes that it has followed the guidelines of the AEPD included in the “Guide for compliance with the duty to inform” and that it has reported on all the points established in article 13 of the RGPD, as well as on other points that this rule does not impose and that the interpretation of the AEPD did not impose either; and it adds that it acted in the conviction, after having reported on the claims made, that the Agency had not noticed any element that contravened the provisions of the RGPD and LOPDGDD. Based on this, it invokes the principle of legitimate expectations, having acted in the belief that its conduct was in accordance with the law, and the Judgment of the National Court of 10/15/2012 (appeal 608/2011), in which “the active participation of the Administration”, which could lead the interested party to the conclusion that his action was in accordance with law; that his conduct is not covered by a reasonable legal interpretation of the applicable rules; and the difficulties in interpretation described by the Administration”.
BBVA refers to the different assessment of some specific expressions contained in the Privacy Policy with respect to the indications contained in this regard in the aforementioned Guide, and to what BBVA has described as “inactivity of the Administration”, because of the time elapsed between the admission for processing of the claims made by Claimants 1 and 2, which took place on 02/01/2019, and the adoption of the agreement to open the present sanctioning procedure, dated 12/02/2019. On this basis, it invokes the principle of legitimate expectations and understands that the actions of this Agency have influenced the commission of the infractions. This claim should be rejected for the reasons that have already been set out in this resolution when dealing with these allegations. On the one hand, it must be reiterated that BBVA has partially interpreted the “Guide for compliance with the duty to inform”, basing its conclusions on three specific expressions that are cited as examples in it, but without considering the general criteria and warnings it contains, which also cover important concerns that have determined the classification of the facts as constituting an infringement, referring not only to the language but also to the content of the Privacy Policy, in what it says and in what it omits, as well as to all the processing operations carried out by BBVA. It is also indicated in the cited Guide itself that it must be completed with others that are related to the RGPD, as in this case in relation to the aspect to which we refer.
Specifically, the Article 29 Working Party document “Guidelines on transparency under Regulation 2016/679”, adopted on 11/29/2017 and revised on 04/11/2018, which must be known by an entity such as BBVA, when referring to the language that should be used in the information on the protection of personal data, cites the expressions in question as “examples of poor practice”. On the other hand, the actions of this Agency have not influenced in any way the conduct of BBVA that determined the infractions analyzed. The alleged “inactivity of the Administration”, for the time elapsed between the admission for processing of the first claims made and the adoption of the agreement to open the procedure, does not influence the commission of the infractions at all or aggravate them, and this Agency has not carried out any action that would have allowed BBVA to conclude that this Control Authority had not noted in the claims made any element that contravened the provisions of the RGPD and LOPDGDD. BBVA cannot point to any statement or action from this Agency that led it to this alleged confusion, simply because there is no action of that kind. On the other hand, actions were carried out in respect of BBVA from which it was able to deduce that the matter was ongoing. We refer to the procedures carried out by this Agency during the process of admission for processing of the claims received after 02/01/2019, prior to the agreement admitting the respective claim, consisting of transferring these claims to the BBVA entity itself so that it could proceed to analyze them and respond to this Agency and the claimant. As mentioned in the previous Legal Foundations, BBVA knew the claims made and also knew that there was no pronouncement of this Agency about it. Thus, one cannot speak of “inactivity of the Administration”, since during that time the admission procedures were carried out for the rest of the claims.
As has been detailed, the claims submitted by claimants 3 to 5 were entered in this Agency on the dates 02/13/2019 (a few days after that admission for processing of 02/01/2019), 05/23/2019 and 08/27/2019; and they were admitted for processing on 08/06/2019, 09/13/2019 and 10/30/2019, respectively. Prior to admission, the claims made by claimants 3 to 5 were transferred to BBVA for the indicated purpose. The transfer of these claims was notified to BBVA on 05/21/2019, 06/28/2019 and 09/19/2019. In the case of Complainant 4, BBVA requested an extension of the time allowed to respond and was granted said extension in writing, notified to that entity on 08/19/2019. Ultimately, no legal consequence can be attributed to the time elapsed between the admission for processing of the claims and the opening of the procedure, even less the one claimed by BBVA.

In accordance with the transcribed precepts, in order to set the amount of the fines to be imposed in the present case on the defendant, as responsible for infractions typified in article 83.5.a) and b) of the RGPD, it is necessary to graduate the fine to be imposed for each of the offenses charged as follows:

1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as minor for prescription purposes in article 74.a) of the LOPDGDD.
It is estimated that the following factors concur as aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the BBVA entity:
a) The nature, seriousness and duration of the offense: the facts found very seriously affect one of the basic principles relating to data processing, namely transparency, calling into question all the actions carried out by BBVA, as a whole, since the infractions result from the personal data management procedures designed by BBVA to adapt these processes to the RGPD, which are considered irregular from the moment of collection of personal data. However, the present case does not concern a total absence of information; rather, the disputed facts result from not providing the interested parties with sufficient information in relation to the various treatments performed. BBVA considers that it is not acceptable in law to assess as an aggravating circumstance an element of the offending type, such as the principle of transparency. However, what is taken into account here is not the offending type, even if it is mentioned in the presentation of the argument. As indicated, it is the fact that the deficiencies found call into question all the actions carried out by BBVA from the very moment of the collection of the personal data of its clients. No reference is made by BBVA to these specific circumstances.
b) The intentionality or negligence appreciated in the commission of the offense: the actions have proven intentional conduct in relation to the violation of the personal data protection regulations. (…) We do not see, on the other hand, to which “guidelines emanating from the AEPD” the design of this mechanism has been adjusted.
c) The continuing nature of the offense, in the sense interpreted by the National High Court, as a permanent offense.
BBVA warns in its allegations that this reproach is attributable to this Agency, which was aware of the Privacy Policy almost a year before the opening of the procedure and, through its inaction, “made it possible for BBVA not to adopt any measure to correct or modify the Privacy Policy”. This claim must also be rejected. We refer to what has already been stated in this same Legal Basis on the alleged “inactivity of the Administration”.
d) The close link between the activity of the offender and the performance of personal data processing: all operations that constitute the business activity carried out by BBVA involve personal data processing operations.
e) The status of the responsible entity as a large company and its volume of business: it is a leading company in the financial sector with a strong international presence. According to information that appears on the website “bbva.com”, the Income Statement for the 2019 financial year, as of 09/30/2019, reflects a “Net Margin” of 9,304 million euros. In the section “Geographical diversification” the breakdown by country is indicated, with Spain corresponding to 23.4%.
f) High volume of data and processing that constitutes the object of the file: the infractions affect all data processing carried out by BBVA that is not necessary for the execution of the contract, for which all the information relating to customers is used.
g) High number of interested parties: the defects found affect all of the entity's clients who are natural persons (eight million thirty-one thousand, as stated by BBVA in its brief of allegations).
h) The imputed entity does not have adequate procedures in place for action in the collection and processing of personal data, so that the infringement is not the consequence of an anomaly in the functioning of these procedures, but a defect in the personal data management system designed by the person in charge.
In relation to this aggravating circumstance, BBVA again claims that the offending type cannot be considered as such, understanding that the breach of the information obligations and of the requirements for obtaining consent already implies that the person responsible does not have proper procedures. This claim must be rejected. The circumstance expressed is taken in the literal sense established in the rule. Furthermore, in this case, the information obligation is not taken into consideration to justify this aggravating circumstance. It is taken into account that the offense consisting of carrying out data processing operations without a legal basis is structural and is not the result of a specific breach. And this results not only from non-compliance with the requirements for obtaining consent and does not only affect operations carried out with this legal basis. For this reason, there is talk of the absence of adequate procedures in the collection and processing of personal data. Considering the exposed factors, the assessment of the fine for this offense is 2,000,000 euros.

2. Infringement for breach of the provisions of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD:

It is estimated that, in addition to all the factors exposed in relation to the previous infraction indicated with letters c), d), e), f), g) and h), the following factors concur as aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the BBVA entity:
a) The nature, severity and duration of the offense: the offenses result from the personal data management procedures designed by BBVA for the adaptation of those processes to the RGPD, which are considered irregular from the moment of the collection of personal data and the provision of the consents requested from the customers at the same time.
The severity of the infractions increases according to the scope or purpose of the processing operations in question, which include profiling using excessive information.
b) The intentionality or negligence appreciated in the commission of the offense: the actions have proven intentional conduct in relation to the violation of the personal data protection regulations. It has already been said in this document that BBVA was aware that the mechanism enabled to obtain consent to the treatment of personal data would result in the majority accepting all purposes by default. The absence of specific guarantees in relation to data processing based on legitimate interest is one more circumstance to consider in this case, considering the scope of such treatments. (…)
b) The benefits obtained as a result of the commission of the offense: the information relating to customers is used to improve the entity's business and to disseminate its products.
c) The nature of the damages caused to the interested persons or third parties: the high degree of intrusion into the privacy of BBVA customers is taken into account, and that the information is communicated to third parties (BBVA Group companies) for non-legitimate purposes.
Considering the exposed factors, the assessment of the fine for this offense is 3,000,000 euros. The allegations to the proposed resolution made by the BBVA entity contain no observations on the circumstances indicated by letters d), e), f) and g) of point 1 (non-compliance with articles 13 and 14 of the RGPD), and those indicated with the letters a) and b) of point 2 above (breach of article 6 of the RGPD). Instead, it requests that the measures taken to regularize the situation of the claimants and the preparation of a new version of the BBVA Privacy Policy, in July 2020, be taken into account as mitigating circumstances.
Regarding the actions carried out in relation to the claims made, they are basically limited to marking claimants as excluded from commercial actions, in some cases as a consequence of the exercise of the right of opposition by the interested party and, in others, in view of the claim made. In two of the cases, the action carried out consisted of the formalization of the “Declaration of economic activity and personal data protection policy” in the same terms analyzed in this resolution.

These actions are not relevant enough to be considered in this procedure for the purposes intended by BBVA. It can be said that in some cases, those in which the client's signing of the "Declaration" is formalized, there is no regularization; and in the others, the action complies with the regulations regarding the exercise of rights by the interested parties. It is not a true regularization of the irregular situation that is determined in the present sanctioning procedure. Therefore, the request to consider such actions as a mitigating circumstance is rejected.

On the other hand, BBVA considers that the diligence, proactivity and speed shown once the procedure was opened should be taken into account as mitigating circumstances, with the improvement of the information provided to the interested parties and the establishment of a new mechanism for obtaining the consent of the interested party, including in the first informative layer differentiated and granular boxes that the interested party must check if they wish to authorize BBVA to process their data for each of the stated purposes. It indicates that it has carried out a series of internal actions and has intensified its activity with the purpose of reinforcing the information provided to customers, having prepared, in July 2020, a new version of the Privacy Policy.
However, it does not provide any details or justification about the actions it says it has carried out. Regarding the new version of the Privacy Policy, with which it intends to correct or leave without "content all of the reproaches made by the AEPD", and which modifies the mechanism enabled to obtain consent, it does not even provide the text, but only some fragments. Nor does BBVA provide any report or evaluation, nor does it explain how it has adapted the rest of the documents that determine the configuration of this new Privacy Policy and their subsequent analysis (e.g., record of treatment activities, impact evaluation reports or weighting of legitimate interest). This documentation is especially necessary considering that the fragments of this new Privacy Policy included in the allegations make reference to treatment operations and other specific aspects that do not appear in the documentation that makes up the file.

Furthermore, BBVA has not justified having transferred this new information on data protection, nor even having planned this transfer.

The same can be said in relation to the consents given and the data processing carried out. BBVA, in its allegations, makes no mention of the regularization in its records of the annotations corresponding to the consents collected to date, or of the suspension of the personal data processing classified as illegal in these proceedings, or of the deletion of personal data collected from third parties or inferred by the entity itself.

BBVA has enjoyed numerous opportunities to provide this documentation during the processing of the procedure.
In each and every communication sent to it, it has been informed of the principle of permanent access regulated in Article 53, "Rights of the interested party in the administrative procedure", of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, which grants those interested in the procedure the right to know, at any time, the status of the processing and to formulate allegations, use the means of defense admitted by the Legal System, and provide documents at any stage of the procedure prior to the hearing process.

Consequently, it is not possible to consider the irregular situation regularized.

X

In accordance with the provisions of article 58.2.d) of the RGPD, each control authority may “order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period…”.

In this case, considering the circumstances expressed in relation to the breaches found, from the point of view of the personal data protection regulations, it is appropriate to require the BBVA entity, within the period indicated in the operative part, to adapt to the personal data protection regulations the personal data processing operations carried out, the information offered to its customers and the procedure by which they give their consent for the collection and processing of their personal data. All this with the scope and in the sense expressed in the Bases of Law of this act.

In those cases in which the client has not been duly informed about the circumstances regulated in articles 13 and 14 of the RGPD or has not provided valid consent, BBVA will not be able to carry out the collection and processing of personal data. The same applies in relation to data processing based on the legitimate interest of BBVA or third parties.
In accordance with the above, in relation to the personal data of clients who have given their consent using the form called "Declaration of economic activity and personal data protection policy", it is appropriate that BBVA, within the period indicated in the operative part, cease the following personal data processing: processing of personal data consisting of offering customers products and services of the BBVA entity itself, of the BBVA Group and of others, customized for the client; processing of the personal data of its clients consisting of communicating such data to the BBVA Group companies so that they can offer them their own products and services personalized for the client; and processing of its customers' personal data to improve the quality of new and existing products and services.

Likewise, it is appropriate to require BBVA, within the period indicated in the operative part, to notify the BBVA Group entities to which it has communicated personal data of the clients who have given their consent using the form called "Declaration of economic activity and personal data protection policy" that they must delete such data and cease using them to offer their owners products and services of the Group's entities customized for the client and to improve the characteristics and prices of the offer of products and services.

In the same way, it is necessary to require BBVA, within the period indicated in the operative part, to cease the processing of personal data that said entity carries out based on the legitimate interest of BBVA or third parties.

It is noted that not meeting the requirements of the AEPD may be considered a serious administrative offense for "not cooperating with the Control Authority" in response to the requirements made, and such conduct may be sanctioned with a pecuniary fine.
The allegations to the proposed resolution made by the BBVA entity contain no comments on these questions.

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, with NIF A48265169, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD, a fine of 2,000,000 euros (two million euros).

SECOND: IMPOSE on the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, a fine in the amount of 3,000,000 euros (three million euros).

THIRD: REQUIRE the entity BANCO BILBAO VIZCAYA ARGENTARIA, SA, within six months, to adapt to the personal data protection regulations the processing operations carried out, the information offered to its customers and the procedure by which they must give their consent for the collection and processing of their personal data, with the scope expressed in Basis of Law X. Within the indicated period, BBVA must justify before this Spanish Agency for Data Protection its compliance with this requirement.

FOURTH: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, SA

FIFTH: Warn the sanctioned party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art.
62 of Law 58/2003, of December 17, through its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA. Otherwise, it will be collected in the executive period.

Once the notification has been received and once it is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th of the following month or the immediately subsequent business day, and if it is between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following month or the immediately subsequent business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day after the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months counting from the day after notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art.
90.3 a) of the LPACAP, the final resolution through administrative channels may be provisionally suspended if the interested party states his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it would terminate the precautionary suspension.

938-300320

Mar España Martí
Director of the Spanish Agency for Data Protection

APPENDIX 1

"DECLARATION OF ECONOMIC ACTIVITY AND PERSONAL DATA PROTECTION POLICY"

<< 2. Personal Data Protection Policy

Below we explain BBVA's Personal Data Protection Policy according to which we will process your personal data.

Who is responsible for the processing of your personal data?
Banco Bilbao Vizcaya Argentaria, SA ("BBVA"), with registered office at Plaza de San Nicolás 4, 48005 Bilbao, Spain. E-mail address: servicioatencioncliente@grupobbva.com

For what purposes will we use them?
• If you are a BBVA customer:
1. To manage the products and services you have, request or contract with BBVA.
2. To get to know you better and personalize your experience.
3. To offer you products and services from BBVA, the BBVA Group and others, customized for you. We are not going to flood you with information.
4. To communicate your data to BBVA Group companies so that they can offer you their own products and services personalized for you.
5.
To improve the quality of products and services.
• If you are a representative, guarantor, authorized or beneficiary, we will treat your personal data in BBVA for the management of the contract in which you intervene for your legal relationship with a BBVA client.

Who will your data be communicated to?
Never to third parties, unless the law requires us. Only if you want, to the following BBVA Group companies https://www.bbva.es/estaticos/mult/Sociedades-grupo.pdf as we explain in the document "Extended information" that you will find later.

What are your rights?
Your data is yours and you control it. Therefore, you can at any time access, rectify and delete the data, as well as request other rights, as explained in the section "Extended information".

For what reason do we use your personal data (legal basis)?
We use your data to:
• If you are a BBVA customer:
• Manage the products and services that you request or contract from us.
• Comply with the law.
• Get to know you better and make your experience more personalized. The legitimate interest of BBVA is explained in the "Extended information" section. If you do not agree, you can object by sending an email to derechosprotecciondatos@bbva.com or at any of our offices.
• The purposes for which you give us your consent and which we describe in the section "Extended information".
• If you are a representative, guarantor, authorized or beneficiary:
• Manage the contracting of the products and services in which you participate.
• Comply with the law.

Do you want to expand this information?
You can find more information by accessing and downloading the document [Extended information].

We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.
•
Products and prices more adjusted to you
[x] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others customized for me.
[x] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer personalized products and services for me.

Quality improvement
[x] I DO NOT want BBVA to process my data to improve the quality of new and existing products and services.

We want to remind you that you can always easily change or delete the use that we make of your data.

We remind you that when you enter the key that is requested in the signing process, you will be giving your agreement to this Declaration of Economic Activity and Personal Data Protection Policy.

SIGNING OF THE DOCUMENT "DECLARATION OF ECONOMIC ACTIVITY AND POLICY OF PROTECTION OF PERSONAL DATA", including its Extended Information (model LOPD NORMAL PERSONAL DATA / DAE, version 13 09-23-2018) … (Date) >>

The "Extended information" section cited above offers the interested party the following detail:

<< Extended information

Do you want to know more about our new personal data protection policy? Below we show you all the details about how we treat your personal data at BBVA.

Who is responsible for the processing of your personal data?
Banco Bilbao Vizcaya Argentaria, SA (BBVA), with registered office at Plaza de San Nicolás 4, 48005, Bilbao, Spain. E-mail address: servicioatencioncliente@grupobbva.com

How can you get in touch with the BBVA Data Protection Officer?
You can contact the BBVA Data Protection Officer at the following email address: dpogrupobbva@bbva.com

What personal data of yours does BBVA process?
On the occasion of your relationship with us, BBVA may process the following categories of personal data:
• If you are a BBVA customer
• Identification and contact data (including postal and / or electronic addresses).
•
Signature data (including the digitized and electronic signature that we will comment on later).
• Codes or identification keys for access and operation in the remote channels that you use in your relationship with BBVA.
• Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer).
• Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer).
• Sociodemographic data (such as age, family situation, residences, studies and occupation).
• If you are a representative, guarantor, authorized or beneficiary:
• Identification and contact data (including postal and / or electronic addresses).
• Signature data (including the digitized and electronic signature that we will comment on later).
• Codes or identification keys for access and operation in the remote channels that you use in your relationship with BBVA.
• Economic and financial solvency data (including those related to all products and services that you have contracted with BBVA or of which BBVA is a marketer).
• Transactional data (income, payments, transfers, debits, receipts, as well as any other operation and movement associated with any products and services that you have contracted with BBVA or of which BBVA is a marketer).
• Sociodemographic data (such as age, family situation, residences, studies and occupation).

At BBVA we ask you to keep your data duly updated to guarantee that at all times the data we process is true. If you modify them, let us know so that we are aware of your current situation.

What do we use your personal data for?

1. Manage the products and services that you have, request or contract with BBVA
• If you are a BBVA customer
At BBVA we process your personal data to:
•
Properly manage the products and services that you request and contract from us.
• Follow the relationship we maintain with you and your financial evolution (which includes the analysis of your status as a customer and the products and services you have with BBVA or of which BBVA is marketer).
• Send you non-commercial notifications to manage your relationship with BBVA.
• Show you your financial data in a simple and intuitive way.
• Control, analyze and manage risk situations, defaults, incidents or claims.
• If you are a representative, guarantor, authorized or beneficiary, we will process your personal data at BBVA for the management of the contract in which you intervene for your legal relationship with a BBVA client.

At BBVA we treat your personal data to always serve you with the same level of quality, regardless of the channel you want to use to communicate with us (e.g. office, web, mobile applications, ATM, telephone) and thus be able to offer you a better deal and a service appropriate to your customer status.

Information to CIRBE
At BBVA we are obliged to notify the Bank of Spain's Risk Information Center (CIRBE) of the risks of your banking operations as a client or guarantor, together with your personal data and your status as an individual entrepreneur, if applicable. We can consult the data that may appear about you in the CIRBE to assess your solvency, if you request or maintain products or financing services with us.

Check solvency and credit files
When you give us your consent, you authorize us to consult the data that appears in your name in solvency and credit files, to analyze the economic viability of your requests and operations.

We inform you that we can communicate the data of your debts to companies with financial solvency and credit of monetary obligations, when:
• It is a true, past due and enforceable debt that has been unpaid.
•
5 years have not elapsed since the date on which the debt should have been paid, from maturity of the obligation or of the specific term, if it is of periodic maturity.
• We have previously requested the payment.

Fraud prevention
When you apply for financing, we will need you to prove your working life and your personal income tax return, to prevent fraud. If you want to speed up the application process, we will need to:
• Verify your work life: you can provide us with the online access code that you receive from the General Treasury of Social Security (single-use key); in this way you will authorize us to consult it on your behalf (just check it).
• Verify that your personal income tax return is authentic: we will use the secure verification code that appears in your copies of the declaration, when you authorize us to do so.

Prevention of money laundering and financing of terrorism
To prevent money laundering and the financing of terrorism, we have the obligation to:
• Declare monthly to the Financial Ownership File the opening, cancellation or modification of any checking, savings, securities or time deposit accounts. Therefore, your identification data will be part of that file, whose responsibility lies with the Secretariat of State of Economy and Business Support.
• Collect information about you, identify you, as well as provide information on payment operations to the authorities of other countries, inside and outside the European Union, on the basis of the legislation of some countries and agreements signed between them.

2. Get to know you better and personalize your experience
At BBVA we want your experience as a customer to be as satisfactory as possible, through a personalized relationship that is more adapted to your customer profile and your needs.
To achieve this we have to know you better, analyzing not only the data that allow us to identify you as a client, but also your financial evolution and that of the products and services you have contracted with us or through BBVA as a marketer, your operations (payments, income, transfers, debts, receipts) as well as the uses of BBVA products, services and channels.

Additionally, we will apply statistical and classification methods to correctly adjust your profile. Based on the above, we manage to develop our business models. Thanks to this analysis we will be able to get to know you better, evaluate new functionalities for you, products and services that we consider to match your profile (own or marketed by BBVA), as well as personalized offers with more adjusted prices for you.

As we will know you better, we can congratulate you on your anniversary, wish you a good day or happy holidays.

If you do not agree, you can object by sending an email to: Derechosprotecciondatos@bbva.com or at any of our offices.

This section is only applicable to BBVA customers.

3. Offer you products and services from BBVA, the BBVA Group and others, customized for you

Offer you BBVA products and / or services
We would like to keep you up to date on new BBVA products and services, as well as give you advice and recommendations to better manage your financial situation. We can also send you information about BBVA products and services with prices more adjusted to your profile, informing you of what may interest you as a client.
Offer of products and / or services of the BBVA Group and third parties
We can send you information, according to your customer profile, about financial and non-financial products, services and offers of BBVA Group companies and third parties (including products and services of which BBVA is a marketer) belonging to these sectors of activity: financial, parabanking, insurance, automotive, travel, telecommunications, supplies, security, IT, education, real estate, consumer products, leisure and free time, professional services and social services.

Channels for sending commercial information
We will contact you through different channels: postal mail, email, push notifications, SMS, social networks, banners, web pages or other equivalent electronic means of communication.

This section only applies to BBVA customers.

4. Communicate your data to BBVA Group companies so that they can offer you products and services customized for you.
If you want the BBVA Group companies included at this address https://www.bbva.es/estaticos/mult/Sociedades-grupo.pdf to be able to offer you products and services personalized in characteristics and price, we need your authorization to communicate data related to your customer profile (amount of income and expenses, balances and use of our channels). This information will be processed to try to improve the characteristics and prices of the offer of products and services. The BBVA Group companies will only process your data for that purpose.

5. Improve the quality of products and services
We need to use your information anonymously, without any characteristics that can identify you, because at BBVA we want to:
• Increase your degree of customer satisfaction.
• Meet your expectations.
• Perfect our internal processes.
• Improve the quality of existing products and services.
• Develop new own or third-party products and services.
• Carry out statistics, surveys, actuarial calculations, averages and / or market studies that may be of interest to BBVA or third parties.
• Improve instruments to combat fraud.

This information is obtained from the use of BBVA products, services and channels. At all times, we process the data using secure and up-to-date internal protocols.

This section only applies to BBVA customers.

Why do we use your personal data?
Below we explain the legal basis that allows us to process your data for each of the purposes that we have indicated before:

1. Manage the products and services that you have, request or contract with BBVA: in compliance with a contract.
BBVA must also comply with the legal obligations imposed, among other laws, by Law 10/2010, for the Prevention of Money Laundering and Terrorism Financing; Law 44/2002, on the Reform of the Financial System; Law 10/2014 on the Management, Supervision and Solvency of Credit Institutions, as well as the regulations on the protection of personal data in force.

2. Get to know you better and personalize your experience: for the legitimate interest of BBVA.
For the legitimate interest of BBVA, so that BBVA can better meet your expectations and we can increase your level of customer satisfaction by developing and improving the quality of own or third-party products and services, as well as perform statistics, surveys or market studies that may be of interest.

Likewise, in the legitimate interest of BBVA to be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays.

These legitimate interests respect your right to the protection of personal data, to honor and to personal and family privacy.
At BBVA we consider that, as a customer, you have a reasonable expectation of having your data used so that we can improve products and services and you can enjoy a better customer experience. In addition, we estimate that you also have a reasonable expectation of receiving congratulations on your anniversary, or of us wishing you a good day or Happy Holidays. But remember that in both cases based on legitimate interest, you can always exercise your right to object if you consider it appropriate at the following address: derechosprotecciondatos@bbva.com or at any of our offices.

3. To offer you products and services from BBVA, the BBVA Group and others, customized for you: when you give us your consent.

4. To communicate your data to BBVA Group companies so that they can offer you products and services personalized for you: when you give us your consent.

5. Improve the quality of new and existing products and services: when you give us your consent.

Sections 2, 3, 4 and 5 above only apply to BBVA customers.

How long will we keep your data?
We will keep your personal data for the duration of the contractual relationship. Requests for transactions that are not signed will be kept by BBVA for a maximum period of 6 months, unless in the request we agree on a longer term, to avoid duplication of procedures for your new requests.

Once your contracts have ended, at BBVA we will keep your personal data blocked for the statutory limitation periods, generally 10 years due to regulations on the prevention of money laundering and financing of terrorism, and up to 21 years by application of the Civil Code and mortgage legislation. After the statutory limitation periods have elapsed, we will destroy your data.

Who will we communicate your data to?
We will not transfer your personal data to third parties, unless we are required by law or you have previously agreed with BBVA.

As we have indicated, if you consent previously, we may communicate to the companies of the BBVA Group included at this address https://www.bbva.es/estaticos/mult/Sociedades-grupo.pdf your identification, contact and transactional data so that you can receive personalized offers.

In order to provide you with an adequate service and manage the relationship that we maintain with you as a client, at the following address http://bbva.info/empresasdatos you will find a list by categories of companies that process your data on behalf of BBVA, as part of the provision of services that we have contracted.

We also inform you that, for the same purpose as that indicated in the previous paragraph, certain companies that provide services to BBVA may access your personal data (international data transfers).

These transfers are made to countries with a level of protection comparable to that of the European Union (adequacy decisions of the European Commission, standard contractual clauses as well as certification mechanisms). For more information you can contact the BBVA Data Protection Delegate at the following email address: dpogrupobbva@bbva.com

What are your rights when you provide us with your data?

RIGHT: CONTENT
Access: You can check your personal data included in BBVA files.
Rectification: You can modify your personal data when they are inaccurate.
Deletion: You can request the deletion of your personal data.
Opposition: You can request that your personal data not be processed.
Limitation: You can request the limitation of the processing of your data in the following cases:
• While the challenge to the accuracy of your data is being verified.
• When the treatment is illegal, but you oppose the deletion of your data.
•
When BBVA does not need to process your data but you need it for the exercise or defense of claims.
• When you have opposed the processing of your data for the fulfillment of a mission in the public interest or for the satisfaction of a legitimate interest, while verifying whether the legitimate reasons for the treatment prevail over yours.
Portability: You can receive, in electronic format, the personal data that you have provided us and those that have been obtained from your contractual relationship with BBVA, as well as transmit them to another entity.

CHANNELS OF ATTENTION: Derechosprotecciondatos@bbva.com; BBVA Group Customer Service, APDO: 1598-28080 Madrid; BBVA offices

If you consider that we have not processed your personal data in accordance with the regulations, you can contact the Data Protection Delegate at the address dpogrupobbva@bbva.com

However, you can file a claim with the Spanish Agency for Data Protection (www.agpd.es).

To exercise your rights, accompany your request with a copy of your ID or equivalent document accrediting your identity.

The exercise of these rights is free.

Likewise, if you are a BBVA customer, at any time, you can withdraw the consent given without this affecting the legality of the treatment by sending your request to the email address derechosprotecciondatos@bbva.com, to the BBVA Group Customer Service, APDO: 1598 - 28080 Madrid, or by going to one of our offices. Remember to accompany your request with a copy of your ID or equivalent document proving your identity.

Digitized and Electronic Signature… >>.

<< Glossary
(…)
Legitimate interest
Legitimate interest is one of the legal bases that authorize BBVA to process your data. That means that BBVA can process your data because it has an interest in doing so, provided that this interest does not harm your rights >>.