AEPD (Spain) - PS/00375/2022
Revision as of 14:32, 3 January 2024
| AEPD - PS/00375/2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(b) GDPR, Article 5(1)(f) GDPR, Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 75000 EUR |
| Parties: | BBVA |
| National Case Number/Name: | PS/00375/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (Spain) - PS/00375/2022 (in ES) |
| Initial Contributor: | jonasm |
The Spanish DPA fined a bank €75,000 for violating Articles 5(1)(b), 32 and 5(1)(f) GDPR because it disclosed the private address of a lawyer (who was at the same time a private customer of the bank) when replying to another customer who was represented by that lawyer.
English Summary
Facts
The data subject is a lawyer who has an account at a bank (the controller). On 25 November 2020, the lawyer sent a written complaint to the bank on behalf of a client who is a customer of the same bank. On 1 December 2020, the bank handed the customer a reply which stated the data subject's private address, an address the bank held in the lawyer's own private customer file. The bank thereby disclosed the lawyer's home address to a third party (the represented customer).
Holding
The Spanish DPA first held that the processing of the data subject's personal data (more precisely, their home address) in the context of handling a customer complaint, which the data subject had filed in their capacity as the customer's lawyer, constituted a breach of the principle of "purpose limitation" outlined in Article 5(1)(b) GDPR, because the personal data was processed in a way that was incompatible with the purposes for which it had originally been collected. The controller had collected the address for the purpose of opening a personal bank account for the data subject.
Furthermore, the DPA found a violation of Article 32: the fact that a third party (the customer) was given unauthorised access to information relating to the data subject leads to the conclusion that the controller had not effectively adopted appropriate technical and organisational measures to prevent such an incident.
The DPA found that the controller also infringed Article 5(1)(f), which enshrines the "principle of integrity and confidentiality". As stated above, the controller disclosed the home address of the data subject to a third party without a legal basis, and such a leak is contrary to the duty of confidentiality. Even though the controller declared that the incident was a one-off error, the DPA held it liable, because such an error runs counter to the diligence it must observe, and a lack of diligence is also considered culpable behaviour.
The Spanish DPA fined the controller €50,000 for breaching Articles 5(1)(b) and 5(1)(f) and another €20,000 for breaching Article 32. However, the DPA did not order the controller, under Article 58(2)(d), to bring its processing into compliance with the GDPR, because the case concerned the misused data of a single person only and the mistake had already been corrected.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/17 File No.: PS/00375/2022 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated May 31, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169 (hereinafter, the claimed party or BBVA). The reasons on which the claim are the following: On November 25, 2020, in his capacity as attorney for Ms. B.B.B., on its behalf, it submitted a statement of claim to the BBVA entity. Subsequently, on December 1, 2020, the claimed entity delivered in hand to his client, Ms. B.B.B., a letter regarding the claim addressed by BBVA to the complaining party in which the latter's private address appears, instead of the corresponding to his professional office, violating the duty of confidentiality of data (the complaining party is also a client of the entity). The complaining party warns that BBVA has revealed her private address, which was not known to Ms. B.B.B., which was provided to the entity due to its status as its client, with occasion of opening a bank account. Likewise, he adds that he presented claim before BBVA requesting compensation for these events and received response on December 31, 2020. Provides the initial claim presented as a lawyer, which does not indicate no contact postal address, and a copy of the email through which the send the same to the claimed entity, dated 11/25/2020; BBVA response indicating to the complaining party the reference number assigned to the claim, addressed to the complaining party at his or her private address; WhatsApp screenshot by that Mrs. B.B.B. sends said response to the complaining party; and writing from BBVA responding to the second claim made due to the incident that occurred with their data, in which the entity apologizes and indicates that they have brought the facts to light. 
knowledge of the responsible parties involved in order to be able to adopt, in their case, the measures that are appropriate. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/17 The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on 06/22/2021 as stated in the acknowledgment of receipt that appears in the file. On 09/01/2021, this Agency received a written response from BBVA indicating that the response issued by the entity to acknowledge receipt of the claim submitted by the complaining party on behalf of its client, which did not indicate no address for communication purposes, it was sent to the only address known by BBVA, which appeared in the customer database. Furthermore, BBVA states that on December 1, 2020, Ms. B.B.B. appeared in the entity's office requesting to know the status of your claim and a copy of the proceedings. At that moment, the Director of the office gave said person a copy of the only document that existed to date, corresponding to the acknowledgment of receipt of the claim. Subsequently, on December 3, 2020, the complaining party presented in another BBVA office a new statement of claim on behalf of its client in which indicated his professional address as his address for notification purposes. 
On December 25, 2020, the SAC responded to the claim presented, sending said response to the address indicated by the complaining party in its letter of 3 December 2020, that is, your professional address. THIRD: On October 6, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: 1. The claimed entity is a public limited company of Spanish nationality. According to The data recorded in “Axesor” is a large group parent company (…). No files prior to the present have been found in Sigrid in relation to security breaches of this entity. 2. Information and documentation was requested from the claimed entity and, from the response received, the following emerges: a) Regarding the chronology of the events. Actions taken in order to minimize adverse effects and measures adopted for their final resolution. On December 1, 2020, a client of the complaining party requests copy of the claim that the latter filed on its behalf with BBVA. The The claimed entity hand-delivered to this person the document relating to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/17 claim, in the name of the claiming party and which includes the private address this. BBVA, on December 23, 2020, responded to the claim of the complaining party apologizing for what happened, stating that said incident has been reported knowledge of the responsible parties involved who have adopted measures to avoid similar incidents. 
Once BBVA was aware of the incident, the facts were analyzed and it was confirmed that said The incident occurred due to a specific error, which was repaired immediately by Inform the complaining party of the address of your professional office. BBVA clarifies that providing the person represented by the complaining party with the acknowledgment of receipt of the claim, without hiding its private address (address used by the SAC since the address of the professional office does not appear in the document), It was a specific and isolated error. b) Regarding the causes that made the gap possible The person represented by the complaining party requested to the BBVA office, on December 2020, copy of the claim file that your representative, since at that time the issue had not yet been resolved. claim and only the acknowledgment of receipt of the claim appeared, this document was delivered by the Director of the office in which the address of the domicile of the complaining party. c) Regarding the affected data The affected data was the claimant's home address. d) Regarding the security measures implemented BBVA defends that: (i) it is a specific and involuntary error, since the Director of the office was unaware that it was a private address and therefore a personal information of the representative; (ii) that was corrected, thus proving that it was They immediately adopted measures to prevent it from happening again, using mechanisms to reverse the situation and eliminate any risk of recurrence without specify or certify them. FIFTH: On 08/10/2022, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against the BBVA entity, in accordance with the provided in articles 63 and 64 of the LPACAP, for the alleged infractions following: . 
Violation of article 5.1.b) of the RGPD, typified in article 83.5.a) of the same Regulation, and classified as very serious for the purposes of prescription in the article 72.1.a) of the LOPDGDD. . Violation of article 32 of the RGPD, typified in article 83.4.a) of the same Regulation, and classified as serious for the purposes of prescription in article 73.f) and g) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/17 of the LOPDGDD. . Violation of article 5.1.f) of the RGPD, typified in article 83.5.a) of the same Regulation, and classified as very serious for the purposes of prescription in the article 72.1.a) of the LOPDGDD. In the opening agreement it was determined that the sanction that could correspond, taking into account the evidence existing at the time of opening and without prejudice to the resulting from the instruction, would amount to a total of 70,000 euros (seventy thousand euros): 25,000 euros (twenty-five thousand euros) for the alleged violation of the article 5.1.b) of the RGPD, of 20,000 euros (twenty thousand euros) for the alleged violation of the article 32 of the RGPD and 25,000 euros (twenty-five thousand euros) for the alleged violation of article 5.1.f) of the RGPD. Likewise, it was warned that the alleged infractions, if confirmed, may entail the imposition of measures in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR. SIXTH: The notification to the claimed party of the opening agreement outlined in the previous precedent, in which a period was granted to formulate allegations and propose proof, was sent through the Electronic Notification Service, and was delivered to BBVA on 08/11/2022. SEVENTH: The aforementioned initiation agreement has been notified in accordance with the established rules in the LPACAP and once the period granted for the formulation of allegations has elapsed, has confirmed that no allegation has been received from the claimed party. 
Article 64.2.f) of the LPACAP - provision of which the claimed party was informed in the agreement to open the procedure - establishes that if no allegations within the stipulated period regarding the content of the initiation agreement, when This contains a precise statement about the imputed responsibility, may be considered a proposal for a resolution. In the present case, the agreement beginning of the sanctioning file determined the facts in which the imputation, the violations of the RGPD attributed to the person complained of and the sanctions that they could impose themselves. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file and in response to what established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is considered in the present case proposed resolution. In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS 1. The complaining party is a private BBVA customer, as the holder of an account banking. For this reason, he provided the aforementioned entity with his personal data, including the relative to the postal address corresponding to your home address. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/17 2. On 11/25/2020, in his capacity as lawyer, the complaining party presented file a claim with BBVA in the name and representation of one of its clients. 3. On the same date of 11/25/2020, BBVA acknowledged receipt of the aforementioned claim in the Second Proven Fact by means of a writing addressed to the complaining party and his personal address, the one associated with your private client file as holder of a bank account opened in this Bank. Through this letter, BBVA informed the complaining party the reference number assigned to the claim. 4. 
On 12/01/2020, BBVA provided the person represented by the party claimant the document acknowledgment of receipt of the claim outlined in the Fact Proved Third, revealing the information relating to the personal address of the complaining party. FOUNDATIONS OF LAW Yo By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), recognizes each Control Authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II In the present case the following facts are revealed, without any of them They are controversial: The complaining party is a private customer of BBVA, as the owner of an account banking. For this reason, he provided the aforementioned entity with his personal data, including the relative to the postal address corresponding to your home address. In his capacity as an attorney and acting on behalf and on behalf of one of his clients, the complaining party filed a claim with BBVA, of which entity acknowledged receipt by writing to the complaining party and his address personal, the one associated with your private client file as the owner of an account banking open in this Bank. Furthermore, BBVA provided the person represented by the complaining party with this document acknowledgment of receipt of the claim made, highlighting the information relating to the personal address of the complaining party, which was not known to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/17 this third person. 
III The facts presented, in relation to the use of the personal data of the party claimant relative to his or her private address for the processing of a claim formulated by him in the name and representation of a third party, acting under his status of lawyer, without there being legitimate cause for it, represent a non-compliance with the principle of “limitation of purpose” regulated in article 5.1.b) of the GDPR, which establishes the following: “1.Personal data will be: (…) b) collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with said purposes; In accordance with Article 89, paragraph 1, the further processing of personal data for archiving purposes in the public interest, purposes of scientific and historical research or statistical purposes will not be considered incompatible with the initial purposes (“purpose limitation”). In relation to the principles regulated in the aforementioned article 5 of the RGPD, it is taken into account Consider what is stated in Recital 39 of the aforementioned GDPR: “39. All processing of personal data must be lawful and fair. For natural persons, it must be completely clear that they are being collected, used, consulted or otherwise processed manner personal data that concerns them, as well as the extent to which such data is or will be treated. The principle of transparency requires that all information and communication regarding the processing of said data is easily accessible and easy to understand, and that Use simple and clear language. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes of the same and to the added information to ensure fair and transparent treatment with respect to the affected natural persons and their right to obtain confirmation and communication of the data personal data that concern them that are subject to processing. 
Natural persons must be aware of the risks, standards, safeguards and rights relating to the processing of personal data, as well as the way to enforce your rights in relation to with the treatment. In particular, the specific purposes of the processing of personal data They must be explicit and legitimate, and must be determined at the time of collection. The Personal data must be adequate, relevant and limited to what is necessary for the purposes for those who are treated. This requires, in particular, ensuring that it is limited to a minimum strict conservation period. Personal data should only be processed if the purpose of the treatment could not reasonably be achieved by other means. To ensure that the personal data is not kept longer than necessary, the data controller has to establish deadlines for its deletion or periodic review. All measures must be taken reasonable measures to ensure that personal data that is inaccurate. Personal data must be processed in a way that guarantees security and appropriate confidentiality of personal data, including to prevent unauthorized access or use “authorized users of said data and the equipment used in the processing.” In the present case, BBVA processed the personal data of the party claimant incompatible with the purposes that determined the collection of such data. Consequently, the aforementioned facts violate the provisions of article 5.1.b) of the RGPD, giving rise to the application of the corrective powers that article 58 of the cited Regulation grants to the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/17 IV Article 32 of the GDPR, “Security of processing”, establishes the following: "1. 
Taking into account the state of the art, the costs of application, and the nature, the scope, context and purposes of the processing, as well as risks of probability and severity variables for the rights and freedoms of natural persons, the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data in a manner fast in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the measures technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of transmitted personal data, preserved or otherwise processed, or unauthorized communication or access to such data. 3. Adherence to a code of conduct approved pursuant to Article 40 or to a mechanism of certification approved in accordance with article 42 may serve as an element to demonstrate the compliance with the requirements established in section 1 of this article. 4. 
The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access personal data can only process said data following instructions from the person responsible, unless it is obliged to do so by virtue of Union or Member State law.” The GDPR defines personal data security breaches as “any those security violations that cause the destruction, loss or accidental or illicit alteration of personal data transmitted, preserved or processed otherwise, or unauthorized communication or access to said data.” It should be noted that the GDPR does not establish a list of security measures that are applicable in accordance with the data that is the object of processing, but which establishes that the person responsible and the person in charge of the treatment will apply measures technical and organizational measures that are appropriate to the risk involved in the treatment, taking into account the state of the art, the application costs, the nature, scope, context and purposes of the treatment, the probability and severity risks for the rights and freedoms of the persons concerned. Likewise, security measures must be appropriate and proportionate to the detected risk, pointing out that the determination of the technical measures and organizational measures must be carried out taking into account: pseudonymization and encryption, ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, process C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/17 verification (not audit), evaluation and assessment of the effectiveness of the measures. 
In any case, when evaluating the adequacy of the security level, the particularly taking into account the risks presented by data processing, such as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data and that could cause damages and losses physical, material or immaterial. In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent the treatment from violating the provisions of the This Regulation, the controller or processor must evaluate the risks inherent to the treatment and apply mitigation measures, such as encryption. These measures must guarantee an appropriate level of security, including confidentiality, taking into account the status of the technique and cost of its application with respect to the risks and nature of the data personnel that must be protected. When assessing risk in relation to the safety of data, the risks arising from the processing of the data must be taken into account personal data, such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to said data, which may in particular cause physical, material or immaterial. In accordance with what is expressed in Considering 74 of the RGPD, the person responsible for the treatment it is necessary to be able to demonstrate that the measures adopted are effective: “The responsibility of the person responsible for the treatment must be established for any processing of personal data carried out by himself or on his own account. In particular, the responsible must be obliged to apply timely and effective measures and must be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. 
These measures must take into account the nature, scope, context and purposes of the processing as well as the risk to rights and freedoms of natural persons.” These technical and organizational measures are included as part of the principle of active responsibility, which requires a prior assessment by the person responsible treatment of the risk that could be generated by the processing of personal data, to from which the appropriate measures will be adopted. The RGPD seeks to anticipate the infringement or injury of rights to avoid it. This proactive approach to “permanent implementation” of safety measures security implies that they are not static, but dynamic, corresponding It is up to the person responsible for the treatment to determine at all times what the protection measures are. security measures necessary to ensure the confidentiality, integrity and availability of personal data and mitigate or eliminate risks to users. people rights. The first step is to carry out a “risk analysis” to evaluate threats. It is the person responsible or in charge of treatment who must prove said diligence. with a solid and effective internal control system. Therefore, the mere formal demonstration of compliance, but this principle requires a prior attitude, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/17 conscious, diligent and proactive on the part of organizations towards all personal data processing they carry out. Whether these measures are mandatory, or how they are applied, will depend on factors that must be taken into account in each case, such as the type of treatment and the risk that such processing implies for the rights and freedoms of the interested parties. Consequently, due diligence must be adapted to the level of risks in the data protection and the characteristics of the organization. 
The concept of due diligence can be defined as “the measure of prudence, activity or assiduity that can reasonably be expected, and with which a prudent and reasonable organisation normally acts, in given circumstances; it is not measured by an absolute standard, but according to the facts of the case in question”. Due diligence is therefore an ongoing process of observation and prevention of the negative effects of the entities' activities on data protection.

In the present case, as the facts show, the respondent used the personal data of the complainant recorded in their private client file for the processing of a claim made by the complainant in the name of a third party. In addition, it handed the acknowledgment of receipt of that claim to a third party, thereby disclosing the complainant's personal information relating to their private home. This fact shows that the respondent entity has not effectively adopted appropriate technical and organisational measures to ensure the security and confidentiality of its clients' data, especially measures aimed at preventing access to information by unauthorised third parties, as in fact occurred when the respondent entity itself gave the complainant's client the acknowledgment of receipt of the claim, addressed to the complainant at their personal address. Consequently, the aforementioned facts violate the provisions of article 32 of the RGPD, giving rise to the application of the corrective powers that article 58 of that Regulation grants to the Spanish Data Protection Agency.

V

The aforementioned article 5 of the RGPD establishes the principles that must govern the processing of personal data and mentions among them “integrity and confidentiality”: “1. Personal data shall be: (…) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). (…)”.

The documentation on record offers sufficient indications to conclude that the respondent entity violated article 5 of the RGPD, which regulates the duty of confidentiality, materialised in the disclosure to third parties of the complainant's personal data, specifically that relating to their private address. It is a dissemination of personal data for which the respondent has no legal basis to legitimise it. This duty of confidentiality is intended to prevent leaks of data not consented to by their owners. Consequently, the aforementioned facts constitute a violation of the provisions of article 5.1 f) of the GDPR, which gives rise to the application of the corrective powers that article 58 of that Regulation grants to the Spanish Data Protection Agency.

VI

BBVA, in its response to the transfer of the claim, has stated that the verified events took place due to a specific and isolated error, although it has not even explained what the alleged error consisted of. In this regard, it must be considered that the incidents giving rise to these proceedings occurred within BBVA's area of responsibility and that this entity must answer for them. In no way can the error it claims to have committed be considered to exclude its liability, since, according to settled case law, the existence of such an error cannot be accepted when it is attributable to the person who suffers it or could have been avoided by the exercise of greater diligence.
In this case, the alleged error is incompatible with the diligence that the respondent is obliged to observe. This diligence must be shown in the specific case under analysis, in respect of which the error is alleged, and not in general circumstances. In the specific case of the complainant, it cannot be accepted that the respondent entity's actions derive from an error. To admit that it is not appropriate to hold BBVA responsible for the facts analysed, on the basis of an alleged error, would amount to admitting that the application of the RGPD and the LOPDGDD can be ignored. In this regard, it must be remembered that when the error is a sign of a lack of diligence, the offence is applicable. The National Court, in its Judgment of 21 September 2004 (RCA 937/2003), ruled in the following terms: “Furthermore, regarding the application of the principle of culpability, it must be noted (following the criterion of this Chamber in other Judgments such as the one dated 21 January 2004 issued in appeal 1139/2001) that the commission of the infringement provided for in article 44.3.d) can be either intentional or culpable. And in this sense, if the error is a sign of a lack of diligence, the offence is applicable…”. Along these lines, it is worth mentioning the SAN of 21 January 2010, in which the Court states:

“The appellant also maintains that there is no culpability in her actions. While it is true that the principle of culpability prevents the admission of objective liability in administrative sanctioning law, it is also true that the absence of intentionality is secondary, since this type of infringement is normally committed through a culpable or negligent act, which is sufficient to constitute the subjective element of culpability. XXX's actions are clearly negligent because... it must know... the obligations imposed by the LOPD on all those who handle the personal data of third parties.
XXX is obliged to guarantee the fundamental right to the protection of the personal data of its clients and prospective clients with the intensity required by the content of that right”.

The principle of culpability is required in sanctioning proceedings, and thus STC 246/1991 considers liability without fault inadmissible in the field of administrative sanctioning law. But the principle of culpability does not imply that only intentional or voluntary conduct may be sanctioned, and in this regard article 28 of Law 40/2015 on the Legal Regime of the Public Sector, under the heading “Responsibility”, provides the following: “1. Only natural and legal persons, as well as, when a Law recognises their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous assets, who are responsible for acts constituting an administrative offence by reason of intent or fault, may be sanctioned for them”.

The facts presented show that BBVA did not act with the due diligence to which it was bound, that is, that it acted with a lack of diligence. The Supreme Court (Judgments of 16 April and 22 April 1991) considers that from the element of culpability it follows “...that the action or omission, qualified as an administratively sanctionable infringement, must in any case be attributable to its author, by reason of intent or imprudence, negligence or inexcusable ignorance”. The same Court reasons that “it is not enough... for exculpation against typically unlawful conduct to invoke the absence of fault”, but that it is necessary to prove “that the diligence that was required has been used by whoever claims its non-existence” (STS of 23 January 1998).

Also connected with the degree of diligence that the controller is obliged to deploy in complying with the obligations imposed by data protection regulations, the SAN of 17 October 2007 (Rec. 63/2006) can be cited, which specified: “(...) the Supreme Court has been holding that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence”. Furthermore, the National Court, in matters of personal data protection, has declared that “simple negligence or non-compliance with the duties that the Law imposes on the persons responsible for files or data processing to exercise extreme diligence…” (SAN of 29 June 2001).

VII

In the event of a violation of the provisions of the RGPD, among the corrective powers available to the Spanish Data Protection Agency as a supervisory authority, article 58.2 of that Regulation provides the following:

“2. Each supervisory authority shall have all of the following corrective powers: (…) b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (...) d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (…) i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;”.

According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.

VIII

Failure to comply with the provisions of article 5.1.b) and f) of the RGPD constitutes the commission of separate infringements classified in section 5.a) of article 83 of the RGPD, which under the heading “General conditions for imposing administrative fines” provides the following: “5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9”.

On the other hand, the violation of article 32 of the RGPD is classified in article 83.4.a) of the RGPD in the following terms: “4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43. (…)”.

In this regard, the LOPDGDD, in its article 71, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.” For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

“Article 72. Infringements considered very serious. 1. On the basis of article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will become time-barred after three years, and in particular the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679”.
And in its article 73, for the purposes of limitation, it classifies as “Infringements considered serious”: “On the basis of article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered serious and will become time-barred after two years, and in particular the following: (…) f) The failure to adopt those technical and organisational measures that are appropriate to guarantee a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679; g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679. (…)”

In this case, in light of the facts presented, it is considered that the appropriate sanction to impose is an administrative fine. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In order to determine the administrative fine to be imposed, the provisions of article 83, section 2, of the GDPR must be observed, which states the following:

“2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in article 58, section 2, letters a) to h) and j).
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; b) the intentional or negligent character of the infringement; c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; d) the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; e) any relevant previous infringements by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, establishes:

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of that article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuous nature of the infringement. b) The link between the offender's activity and the performance of personal data processing. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject.”

In accordance with the precepts indicated, for the purposes of setting the amount of the sanctions to be imposed in the present case, it is considered appropriate to graduate them in accordance with the following criteria established by the precepts transcribed above.

In this case, the following graduation criteria are considered to concur as aggravating factors:

* Article 83.2.b) of the RGPD: “b) the intentional or negligent character of the infringement.” The negligence observed in the commission of the infringement, considering that the respondent used the complainant's personal data registered with the entity in their capacity as a client, without taking into account that they intervened in the matter in the name and on behalf of a third party. In this regard, account is taken of what was stated in the National Court's Judgment of 17 October 2007 (rec. 63/2006), which, on the premise that these are entities whose activity involves continuous data processing, indicates that “…the Supreme Court has been holding that imprudence exists whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professional or non-professional character of the subject must be especially considered, and there is no doubt that, in the case now examined, when the appellant's activity consists of the constant and abundant handling of personal data, one must insist on rigour and exquisite care in complying with the legal provisions in this regard.” It is an entity that processes personal data in a systematic and continuous manner and that must take extreme care in fulfilling its data protection obligations. This Agency understands that diligence has to be deduced from conclusive facts, duly accredited and directly related to the elements that make up the infringement, in such a way that it can be deduced that the infringement occurred despite all the means arranged by the controller to avoid it. In this case, the respondent's actions do not have this character.

* Article 76.2.b) of the LOPDGDD: “b) The link between the offender's activity and the processing of personal data.” The high degree of linkage between the offender's activity and the performance of personal data processing. The level of establishment of the entity and the activity it carries out, in which the personal data of millions of data subjects is involved. This circumstance determines a higher degree of demand and professionalism and, consequently, of responsibility of the respondent entity in relation to the processing of the data.

* Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.” BBVA's status as a large company and its business volume. It is on record in the proceedings that said entity has (...).

It is also considered that the following circumstance concurs as a mitigating factor:

* Article 83.2.a) of the GDPR: “a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.” The infringement is an anomaly that affects only the complainant.

Considering the factors set out, the amount reached by the fines for the infringements charged is 25,000 euros (twenty-five thousand euros) for the very serious infringements (violation of articles 5.1.b) and 5.1.f) of the RGPD) and 20,000 euros (twenty thousand euros) for the serious infringement (violation of the provisions of article 32 of the GDPR).

IX

Once the infringements are confirmed, it could be agreed to require the controller to adopt appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…”. In such a case, this Agency could require the controller to adapt the processing of personal data it carries out to data protection regulations, in accordance with what is indicated in the preceding Legal Grounds.
This case affects only the complainant and concerns the improper use and communication of the complainant's personal data relating to their personal address, on the occasion of a claim in which they intervened as representative of the data subject; and the BBVA entity has stated that this circumstance was subsequently corrected. That being so, it is not appropriate in this case to require the adoption of measures by the controller.

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for a violation of article 5.1.b) of the RGPD, typified in article 83.5.a) of the same Regulation and classified as very serious for the purposes of limitation in article 72.1.a) of the LOPDGDD, a fine of 25,000 euros (twenty-five thousand euros).

SECOND: TO IMPOSE ON BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for a violation of article 32 of the RGPD, typified in article 83.4.a) of the same Regulation and classified as serious for the purposes of limitation in article 73.f) and g) of the LOPDGDD, a fine of 20,000 euros (twenty thousand euros).

THIRD: TO IMPOSE ON BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for a violation of article 5.1.f) of the RGPD, typified in article 83.5.a) of the same Regulation and classified as very serious for the purposes of limitation in article 72.1.a) of the LOPDGDD, a fine of 25,000 euros (twenty-five thousand euros).

FOURTH: TO NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

FIFTH: To warn the sanctioned party that it must pay the sanction imposed once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the immediately following business day, and if it falls between the 16th and the last day of each month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of that Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of 1 October. It must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the precautionary suspension will end.

938-120722

Mar España Martí

Director of the Spanish Data Protection Agency