AEPD (Spain) - EXP202303478: Difference between revisions
Revision as of 07:33, 19 November 2024
| AEPD - EXP202303478 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 13.02.2023 |
| Decided: | 12.11.2024 |
| Published: | 13.11.2024 |
| Fine: | 120,000 EUR |
| Parties: | BANCO BILBAO VIZCAYA ARGENTARIA |
| National Case Number/Name: | EXP202303478 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Ao |
The DPA held that the remote erasure of all personal data, not limited to corporate data, from a former work phone had no legal basis.
English Summary
Facts
On 13 February 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, Banco Bilbao Vizcaya Argentaria.
The data subject was an employee of the controller, and the employment relationship ended in September 2021. Upon termination of the employment relationship, the data subject was given the option to retain the work phone for personal use according to the contractual terms. After a few months of use, in June 2022, the data subject was suddenly unable to use the device, which showed a notice stating that the phone was being administered remotely by the controller and that corporate credentials had to be entered for further use.
The data subject contacted the controller, who responded with instructions to reset the phone entirely. The data subject, however, wanted to retrieve their personal data and did not restore the phone to factory settings.
On 7 October 2024, the AEPD initiated disciplinary proceedings against the controller, who argued that the contract governing the transfer of the work phone to private use gave it the right to delete data from the phone.
Holding
While the contract granted the controller the right to delete all data contained in corporate applications at any time during or after the employment relationship, it did not give the controller the right to delete other personal data not contained in corporate applications.
Therefore, the AEPD held that the controller could not rely on a lawful basis under Article 6(1) GDPR for the processing of the data in the form of erasure. The AEPD initially set the fine at €200,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it could acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.
Comment
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202303478

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On October 7, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the respondent party), through the Agreement which is transcribed:

<< File No.: EXP202303478

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on 13/02/2023. The complaint is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (hereinafter, the respondent). The grounds on which the claim is based are the following:

The appellant states that in September 2021, upon ending his employment relationship with the respondent and, in accordance with the internal policies of the latter, he was offered the possibility of acquiring, on a personal basis, the corporate terminal, which became his property and therefore for exclusively personal use, since 20/09/2021. However, on 06/23/2022, the terminal was no longer active, and when trying to reconfigure it, a message was displayed indicating that it was remotely managed by the respondent party, requesting the entry of corporate credentials to continue, thus preventing access to it. After contacting the respondent party, they responded by attaching a document with the steps to follow to restore the terminal to factory settings, as a solution to be able to reactivate it, with the loss of information that such action entails.

He requested help by email to reactivate the terminal and recover the information contained therein; the response indicated that although the device is usually completely erased before the employee acquires it, this was not done in due time (in September 2021, without prior notice, and without the possibility of making a backup copy on his part). At that time (June 2022) all his personal information had been erased, after his personal terminal had been found enrolled for more than 9 months in the corporate device management platform, without legal legitimacy to do so and in a continued breach of the principles regarding the protection of personal data. He adds that, on 10/11/2022, he reported what had happened to the Data Protection Officer of the respondent party, receiving a response on 11/10/2022, confirming the impossibility of restoring the data. He states that the respondent party's actions have led to the absolute loss of control over his data, since from the date of the terminal's deletion (June 2022) it has been inactive, with the respondent party offering as its only alternative the restoration of factory settings - which involves formatting it -, which he has not done in the sole hope of recovering his personal information.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on 03/15/2023, said claim was transferred to the respondent party, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), was collected on 03/16/2023 as stated in the acknowledgment of receipt in the file.
On May 22, 2023, the respondent submitted a written response to the transfer action and request for information.

THIRD: On May 13, 2023, in accordance with article 65.5 of the LOPDGDD, the claim submitted was admitted for processing.

FOURTH: On May 26, 2023, after analyzing the documentation in the file, a resolution was issued by the Director of the Spanish Data Protection Agency, agreeing to file the claim. The resolution was notified to the appellant on May 26, 2023, as evidenced in the file.

FIFTH: On 06/26/2023, the respondent party filed an optional appeal against the Resolution issued, expressing its disagreement with the contested resolution and requesting that the processing of the initial claim presented continue. On 03/05/2024, the appeal filed by the respondent party was forwarded, within the framework of the provisions of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the purpose of formulating the allegations and presenting the documents and supporting documents that it deemed appropriate, which was carried out by means of a letter dated 03/15/2024.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

The respondent party stated that the claimant's intention to challenge the decision to file the claim is nothing more than to initiate a sanctioning file, without the claimant having any standing to do so; the absence of an infringement; and that while the claimant's employment relationship took place, he acquired a corporate terminal for work purposes, but later said terminal was acquired in a personal capacity by the claimant, and the respondent proceeded, as the Corporate Smartphone Project confers on it, to erase said terminal; that in no case has the respondent acknowledged any responsibility regarding the erasure of the respondent's corporate data, and what he intends is to make it appear that the commission of an infringement in the field of data protection has been acknowledged simply by showing empathy with a person who for many years was part of the Entity.

SIXTH: On 05/31/2024, the Director of the Spanish Data Protection Agency decided to ACCEPT the appeal for reconsideration filed by the claimant against the Resolution issued on 05/26/2023, by which the filing of the complaint against the respondent was agreed.

BASIS OF LAW

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Unfulfilled obligation: article 6.1 of the GDPR

The facts claimed arise from the opportunity given to the complainant to acquire, on a personal basis and after his employment relationship with the respondent party had ended, a corporate terminal, which became his property and therefore for his exclusive personal use. However, as of 06/23/2022 (date of deletion of information), the terminal was no longer active, with the respondent party offering as the only alternative the restoration to factory settings, which meant the loss of all personal information contained in the aforementioned device, so the complainant considers that the regulations on the protection of personal data have been violated.

Article 6, Lawfulness of processing, of the GDPR in its section 1, establishes that: "1. The processing will only be lawful if at least one of the following conditions is met: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of this one of pre-contractual measures; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their tasks."

Furthermore, Article 4 of the GDPR, Definitions, in its paragraphs 1, 2, 7 and 11, states that: "1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person shall be any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; 2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 7) 'controller' or 'data controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be determined by Union or Member State law; 11) 'consent of the data subject' means any freely given, specific, informed and unambiguous indication by which the data subject, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her."

It should be noted that data processing requires a legal basis that legitimises it. In accordance with Article 6.1 of the GDPR, in addition to consent, there are other possible bases that legitimize the processing of data without the need for the authorization of the data subject, in particular, when it is necessary for the execution of a contract to which the data subject is a party or for the application, at the request of the data subject, of pre-contractual measures, or when it is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of such data. The processing is also considered lawful when it is necessary for compliance with a legal obligation applicable to the data controller, to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the data controller.

In accordance with the provisions of article 6.1, there is no proven basis for legitimation, of any of those contemplated in the aforementioned provision, for the processing carried out. In the present case, the respondent party has stated that it was authorized to delete the data from the claimant's terminal at any time during the employment relationship between the parties or, as happened in the case at hand, at the end of said employment relationship, since the claimant was dismissed in April 2022 and in June of that year the deletion of data from the terminal occurred, so it understands that the time lapse is not susceptible to being classified as non-compliance and even less as an infringement of the data protection regulations. From the documentation provided it is clear that there was an obligation for deletion by the respondent party once the terminal was purchased, as indicated in the CORPORATE SMARTPHONE Project.
In the Project Conditions, Condition 2, it is indicated that: "By joining the Project, and from the receipt of the terminal [BRAND/MODEL], the employee authorizes the Company to deduct from each monthly payroll the amount of: ##,## euros, during the 24 months of duration, for the concept of: 'Use of a high-end mobile terminal'. At the end of this period, the employee may exercise the option to purchase the terminal, or proceed to return it to the Company, in this case, without any cost to the employee for the return. If, after the 24-month period, the employee chooses to buy the terminal, it will no longer be classified as a work tool. The Company undertakes to remove at that time any corporate application, restriction, or terminal configuration, pre-installed to meet the Company's own needs."

Furthermore, in Condition 3, Conditions of use of the high-end corporate mobile terminal, it is stated that: "d) The Company reserves the right to delete, remotely or physically, all data found in the corporate applications contained in the mobile communication device. The right to delete such information may be exercised by the company at any time during the duration of the employee's contract with the Company, or after it, without prior notice from the Company."

Regarding this last condition, it should be noted that it should only be applicable to information contained in corporate applications, and its use should be exceptional in cases where the employment relationship has been concluded for some time.

Furthermore, the email provided, dated 07/19/2022, states:

From: B.B.B. <***EMAIL.1>
Date: Tue Jul 19 2022 at 3:13
Subject: Re: [External] Re: CONTACT RESPONSIBLE MDM SPAIN - URGENT
To: B.B.B. <***EMAIL.2>

"(…) At the end of the co-payment program (due to the end of the program or withdrawal from the entity) beneficiaries are offered to acquire the device for their personal use, for which it is necessary to completely erase the device to remove the applications and configurations. In your case, the early withdrawal was not notified and this procedure was not carried out at the time of withdrawal, which was executed subsequently since the terminal continued to be registered on the Bank's platforms. (…)"

Although the conditions of use of the corporate mobile terminal gave the Company the right to delete all data contained in the corporate applications contained in the device "at any time during the duration of the employee's contract with the Company, or subsequently thereto", what this condition did not contain or grant was that the respondent party could delete data not included in said corporate applications and which affected the personal data and information of the complainant contained in the device purchased. This subsequent execution caused the personal data and information included in the terminal to be deleted/removed, with the consequent harm to the complainant.

In accordance with the above, it is considered that the respondent would be responsible for the infringement of the GDPR: the violation of article 6.1, an infringement classified in its article 83.5.a).
III

The infringement attributed to the respondent is classified in article 83.5 a) of the GDPR, which considers that the infringement of "the basic principles for the treatment, including the conditions for consent according to articles 5, 6, 7 and 9" is punishable, in accordance with section 5 of the said article 83 of the cited Regulation, "with administrative fines of 20,000,000€ as maximum or, in the case of a company, an amount equivalent to 4% as maximum of the total global annual turnover of the previous financial year, opting for the highest amount".

The LOPDGDD in its article 71, Infringements, states that: "The acts and conduct referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."

And in its article 72, it considers, for the purposes of prescription, that they are: "Infractions considered very serious: 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infractions that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: (…) b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679. (…)"

IV

In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the GDPR must be observed, which state: "1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage and harm they have suffered; b) the intentionality or negligence of the infringement; c) any measures taken by the controller or processor to alleviate the damage and harm suffered by the data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the extent of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

In relation to letter k) of Article 83.2 of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that: "2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The connection between the infringer's activity and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the affected party's conduct could have led to the commission of the infringement. e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or person in charge to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."

In accordance with the provisions transcribed, for the purposes of setting the amount of the penalty to be imposed in the present case for the infringement of article 6.1 of the GDPR, classified in article 83.5.a) of the GDPR, for which the respondent is held responsible, the following circumstances are considered to be concurrent:

The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation: the facts made manifest affect a basic principle relating to the processing of personal data, such as legitimacy, which the law sanctions with the greatest seriousness; it is evident that the personal data of the claimant were deleted or eliminated from the acquired device without the respondent being authorized to carry out the aforementioned processing (article 83.2.a) of the GDPR).

The intentionality or negligence in the infringement.
A serious lack of diligence is observed in the failure to comply with the procedures implemented by the entity itself, in light of what is stated in the corporate Project; it could be understood that once the employment relationship is terminated, the elimination of corporate applications would proceed, but not the deletion of all information contained in the terminal, especially that of a private or personal nature. Also connected with the degree of diligence that the data controller is obliged to display in compliance with the obligations imposed by the data protection regulations, the SAN of 17/10/2007 can be cited. Although it was issued before the validity of the RGPD, its pronouncement is perfectly applicable to the case we are analyzing. The judgment, after alluding to the fact that entities whose activity involves the continuous processing of client and third party data must observe an adequate level of diligence, specified that "(...) the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, when the activity of the appellant is of constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care to comply with the legal provisions in this regard" (article 83.2, b) of the GDPR).

The entity under investigation is one of the largest companies in its sector, with a sales volume of more than €1,000,000,000 according to AXESOR data (article 83.2.k) of the GDPR).

In accordance with the above, the imposition of a fine of €200,000 is considered appropriate.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED:

FIRST: TO START SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for the alleged infringement of article 6.1 of the RGPD, classified in article 83.5.a) of the RGPD.

SECOND: TO APPOINT B.B.B. as Instructor and C.C.C. as Secretary, indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, and the documents obtained and generated by the Inspection Services; all of which are documents that make up the file.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, and Article 58.2.b) of the GDPR, the penalty that may apply for the violation of Article 6.1 of the GDPR would be 200,000 euros, without prejudice to the results of the investigation.

FIFTH: TO NOTIFY this Agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, expressly indicating its right to a hearing in the procedure and granting it a period of TEN BUSINESS DAYS to formulate the allegations and propose the evidence it considers appropriate. In its written allegations, it must provide its NIF and the procedure number that appears in the heading of this document.

If no objections to this initiation agreement are submitted within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, if the sanction to be imposed is a fine, you may acknowledge your liability within the period granted for the formulation of objections to this initiation agreement, which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be established at 160,000 euros, and the procedure would be resolved with the imposition of this sanction.

Likewise, at any time prior to the resolution of the present procedure, the proposed fine may be paid voluntarily, which will mean a 20% reduction in its amount. With the application of this reduction, the fine will be set at 160,000 euros, and its payment will imply the termination of the procedure, without prejudice to any measures that may be imposed.

The reduction for voluntary payment of the fine may be added to the one that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the total fine amount would be set at 120,000 euros.

In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction. For these purposes, if you accept any of them, you must send to the General Subdirectorate of Data Inspection an express communication of the withdrawal or waiver of any action or appeal through administrative channels against the sanction.

If you choose to make voluntary payment of any of the amounts indicated above (160,000 euros or 120,000 euros), you must do so in cash by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are applying. You must also send proof of payment to the Subdirectorate General of Inspection together with the communication of the withdrawal or waiver of any action or appeal through administrative channels against the sanction, in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the start agreement or, where appropriate, the draft start agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from now on, the notifications sent to you will be made exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering the notification to have been carried out and the procedure to be followed. You are informed that you can identify an email address with this Agency to receive the notice of the availability of notifications and that the lack of this notice will not prevent the notification from being considered fully valid.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Data Protection Agency

SECOND: On October 31, 2024, the respondent party paid the penalty in the amount of 120,000 euros, applying the two reductions provided for in the initiation agreement transcribed above, which implies the recognition of responsibility.

THIRD: Payment made within the period granted to submit objections to the opening of the procedure entails the waiver of any action or appeal through administrative channels against the sanction and the recognition of liability in relation to the facts referred to in the initiation agreement and their legal qualification.

LEGAL BASIS

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature, or when it is possible to impose a monetary sanction and a non-monetary sanction but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except with regard to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be accumulated with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202303478, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

936-151024
Mar España Martí
Director of the Spanish Data Protection Agency