AEPD (Spain) - PS/00362/2021

| AEPD (Spain) - PS/00362/2021 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR, Article 32 GDPR, Article 83 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 27.07.2021 |
| Published: | 20.10.2021 |
| Fine: | 120,000 EUR |
| Parties: | BANCO BILBAO VIZCAYA ARGENTARIA, S.A. |
| National Case Number/Name: | PS/00362/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined Banco Bilbao Vizcaya Argentaria €120,000 for allowing anyone who could supply a card holder's ID number to obtain detailed information on that holder's latest credit card transactions. It concluded that such a procedure violates the confidentiality of personal data because the technical and organizational safeguards were insufficient.
English Summary
Facts
The bank provided clients with "Affinity Cards", credit cards that could be used only within an affiliated group of several stores and companies. Any person calling the automated information hotline provided by the bank was able to obtain details of the last transactions of a card in exchange for the card holder's ID number.
In the absence of any other security measure to confirm the identity of the client, any person could call the automated system and obtain financial information simply by giving the ID number, without any verification that the caller was the real holder of that document.
Holding
The AEPD decided that the bank thereby failed to adopt adequate security measures, violating the principle of integrity and confidentiality under Article 5(1)(f) GDPR and the obligation to implement technical and organizational safeguards under Article 32 GDPR. Asking only for the ID number is insufficient to appropriately authenticate the client in question.
Considering the number of clients affected, the solvency of the entity and its high degree of responsibility, the DPA imposed a fine of €200,000 on the bank. The fine was finally reduced to €120,000 because of voluntary payment and the bank's acknowledgment of responsibility.
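The authentication weakness the decision turns on is a general one: an identifier that many third parties legitimately know (an ID number on invoices, contracts, forms) is being used as if it were a secret. The following is an added example, not code from the bank or from the decision, that models the two designs side by side for an automated hotline: the DNI-only lookup the decision describes, and a hardened lookup that additionally requires a caller-held secret, locks the account after repeated failures, and records every decision for monitoring. All account data, PINs and DNIs are constructed sample values, and the PIN as a second factor is an assumption for illustration; a bank would choose its own factor.

```python
"""Caller authentication for an automated card-information hotline.

Added illustration (not the bank's code). `lookup_dni_only` models the flow
the AEPD decision describes; `lookup_two_factor` shows the kind of control
Article 32 GDPR expects: a caller-held secret, a lockout, and an audit trail.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000   # assumption: any slow, salted hash is the point
MAX_ATTEMPTS = 3         # assumption: lockout threshold for the demo


@dataclass
class CardAccount:
    dni: str
    pin_salt: bytes
    pin_hash: bytes
    transactions: list
    failed_attempts: int = 0
    locked: bool = False


def make_account(dni: str, pin: str, transactions: list) -> CardAccount:
    """Store only a salted PBKDF2 hash of the caller secret, never the PIN."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return CardAccount(dni, salt, digest, transactions)


# Constructed sample accounts (DNIs and PINs are made up for the example).
ACCOUNTS = {
    "12345678Z": make_account("12345678Z", "4821",
                              ["2021-03-20 SHOP-A 45.90", "2021-03-21 SHOP-B 12.00"]),
    "87654321X": make_account("87654321X", "2468",
                              ["2021-03-19 SHOP-C 99.00"]),
}
AUDIT_LOG: list = []  # (decision, dni) tuples; feed this to monitoring


def lookup_dni_only(dni: str):
    """Flow described in the decision: the DNI is the only check.

    The DNI is an identifier, not a secret, so anyone who knows it gets the data.
    """
    acct = ACCOUNTS.get(dni)
    return None if acct is None else list(acct.transactions)


def lookup_two_factor(dni: str, pin: str):
    """Hardened flow: DNI selects the account, a caller-held secret proves control.

    Unknown DNI, locked account and wrong PIN all produce the same None result,
    so the hotline does not reveal which DNIs exist. Failures count toward a
    lockout, and every decision is appended to AUDIT_LOG.
    """
    acct = ACCOUNTS.get(dni)
    if acct is None or acct.locked:
        AUDIT_LOG.append(("denied", dni))
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, acct.pin_hash):  # constant-time compare
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            AUDIT_LOG.append(("locked", dni))
        AUDIT_LOG.append(("denied", dni))
        return None
    acct.failed_attempts = 0
    AUDIT_LOG.append(("granted", dni))
    return list(acct.transactions)


def denied_count(dni: str) -> int:
    """Detection helper: how many denials has this DNI accumulated?"""
    return sum(1 for decision, d in AUDIT_LOG if d == dni and decision == "denied")


if __name__ == "__main__":
    print("DNI only  :", lookup_dni_only("12345678Z"))
    print("wrong PIN :", lookup_two_factor("12345678Z", "0000"))
    print("right PIN :", lookup_two_factor("12345678Z", "4821"))
    print("audit     :", AUDIT_LOG)
```

The audit log is the piece a security operations team would actually consume: a burst of "denied" entries across many different DNIs from one caller, or repeated "locked" events, is the signal that the hotline is being probed and should be alerted on.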
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00362/2021

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On July 27, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement transcribed below:

<< Procedure No.: PS/00362/2021

AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on March 25, 2020. The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (hereinafter, the claimed party).

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/16

The reasons on which the claim is based are that the claimed party provides the details of the last movements of the Affinity Card through an automated telephone service, number ***TELEPHONE.1, which asks only for the client's DNI as identification data. The claimant states that the claimed entity does not adopt any other security measure to confirm the identity of the client, so that any person can call, give a DNI number and obtain the information associated with that DNI, without verifying that the caller is the holder of said identity document.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), with reference number E/03724/2020, said claim was transferred to the claimed party on June 8, 2020, so that it could analyse it and inform this Agency, within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

Despite the nature of this request, which, as indicated in article 65.4 of the LOPDGDD, is optional and prior to the start of any procedure, on September 25, 2020 the claimed entity, in response to this Agency's request, stated that the Agency's letter, as regards the deadline to respond, involves an error in the processing of the procedure, for which reason, based on article 76.2 of Law 39/2015 on the Common Administrative Procedure of Public Administrations, it requests that the procedure be halted until this error is corrected and it is notified again of said request for information.

THIRD: On December 4, 2020, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim presented by the claimant.

FOURTH: In view of the facts reported in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection carried out preliminary investigation actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it is verified that the data controller is the claimed party. Likewise, the following points are found:

On December 10, 2020, a request for information was sent to BANCO BILBAO VIZCAYA ARGENTARIA, S.A. by several means:

- Electronically through notific@, a system that allows proving that the notification was delivered on December 16, 2020, but no reply is received.
- By post, but no reply is received.
FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

Article 58 of the RGPD states:

"2. Each supervisory authority shall have all of the following corrective powers: (…) i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case; (…)"

The RGPD establishes in article 5 the principles that must govern the processing of personal data and mentions among them that of "integrity and confidentiality". The article states that:

"1. Personal data shall be: (…) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

In turn, the security of personal data is regulated in article 32 of the RGPD, which establishes that:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in article 40 or an approved certification mechanism as referred to in article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

The violation of article 32.1 of the RGPD is typified in article 83.4.a) of the RGPD in the following terms:

"4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43. (…)"

For its part, the LOPDGDD, in its article 71, Infringements, states that: "The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 constitute infringements, as well as those that are contrary to this organic law."

And in its article 73, for the purposes of limitation, it qualifies as "Infringements considered serious": "Based on what is established in article 83.4 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered serious and will be time-barred after two years, and in particular the following: (…) f) The failure to adopt those technical and organisational measures that are appropriate to ensure a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

III

The RGPD, in the aforementioned article 32, does not establish a list of security measures applicable according to the data being processed, but establishes that the controller and the processor will apply technical and organisational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects.

Likewise, the security measures must be adequate and proportionate to the risk detected, noting that the determination of the technical and organisational measures must be carried out taking into account: pseudonymisation and encryption; the ability to guarantee confidentiality, integrity, availability and resilience; the ability to restore availability and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when evaluating the adequacy of the security level, particular account must be taken of the risks presented by data processing as a consequence of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to said data, which could cause physical, material or immaterial damage.

In this same sense, recital 83 of the RGPD states that:

"(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

IV

In this case, it is stated that the claimed entity provides the details of the last movements of the Affinity Card through an automated telephone service, number ***TELEPHONE.1, which asks only for the client's DNI as identification data.

Unless proven otherwise, these facts imply that the claimed party is not adopting adequate security measures, since anyone using the automated telephone service could give a DNI number, whether or not they are its holder, and obtain the information associated with that DNI, because the claimed entity does not adopt security measures to verify that the person requesting said information is the holder of said identity document.

This Agency informed the entity of the claim presented and requested information in relation to this claim, in accordance with article 65.4 of the RGPD. On September 25, 2020, the claimed entity, in response to said request, requested the suspension of the procedure, in accordance with article 76.2 of Law 39/2015 on the Common Administrative Procedure of Public Administrations, alleging defects in the processing.
The Spanish Data Protection Agency addressed the claimed party requesting information in accordance with article 65.4 of the RGPD, which establishes the following:

"Before deciding on the admission of the claim for processing, the Spanish Data Protection Agency may send it to the data protection officer who, where appropriate, has been designated by the controller or processor, or to the supervisory body established for the application of codes of conduct, for the purposes provided for in articles 37 and 38.2 of this organic law. The Spanish Data Protection Agency may also send the claim to the controller or processor when no data protection officer has been designated or it has not adhered to extrajudicial dispute resolution mechanisms, in which case the controller or processor must respond to the claim within one month."

Said request is of an ex gratia nature, intended to discern whether or not it is appropriate to admit the procedure for processing, by virtue of the answer given by the claimed party to this Agency, so as to avoid as far as possible initiating sanctioning procedures when the situation that is the subject of the claim has already been resolved or there is a serious and verifiable intention to resolve it, without prejudice to the investigation actions that the Spanish Data Protection Agency, as a supervisory authority, may always carry out if it considers it appropriate and necessary, in accordance with article 57.1 of the RGPD. Neither of the two indicated possibilities can be inferred from the answer given by the claimed entity.

Therefore, due to the facts claimed, that is, the failure by the claimed entity to adopt adequate security measures, without respecting the principle of integrity and confidentiality of article 5.1 f) of the RGPD, whose purpose, among others, is to avoid unauthorised or unlawful processing of personal data, this Agency proceeds to open the corresponding sanctioning procedure against the claimed entity, for the possible violation of article 32 of the RGPD, transcribed in Ground II, which states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

In addition, in accordance with article 32 of the RGPD, the claimed party will be required to take appropriate technical and organisational measures to ensure an adequate level of security, using mechanisms that allow:

- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to guarantee the security of the processing.
V

Article 83.4 a) of the RGPD establishes that:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43."

In turn, article 73.f) of the LOPDGDD, under the heading "Infringements considered serious", states:

"Based on article 83.4 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein will be considered serious and will be time-barred after two years, and in particular the following: f) The failure to adopt those technical and organisational measures that are appropriate to ensure a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679."

VI

In accordance with the indicated precepts, for the infringement of article 32, it is considered that the sanction to be imposed should be graded in accordance with the following criteria established in article 83.2 of the RGPD:

As aggravating factors, the following:

- The number of clients of the claimed entity is high and therefore so is the number of affected persons (art. 83.2 a).
- The claimed party is a solvent entity that has the technical means to adopt adequate security measures; their absence implies negligence in its actions (art. 83.2 b).
- The high degree of responsibility of the claimed party, since, processing the personal data of its customers daily as part of its business and adopting adequate security measures, including those required by the regulations for the prevention of fraud in banking entities, it is fully aware of the need to implement security measures appropriate to the risk in all the processing it carries out, which aggravates its responsibility for the lack of security measures (art. 83.2 d).
- Despite previous requests and attempts by this Agency to communicate with the claimed entity in order to learn about the situation from the point of view of all the affected parties, the claimed entity has not submitted allegations to the prior request, other than to request its halting alleging errors in the processing of a procedure not yet started, and without cooperating with this Agency in its actions, despite having knowledge of the claim filed against it (art. 83.2 f).

VII

Therefore, based on the foregoing, the Director of the Spanish Data Protection Agency AGREES:

FIRST: TO INITIATE A SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged violation of article 32 of the RGPD, typified in article 83.4.a) of the RGPD.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as Secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase, as well as the report of the preliminary inspection actions.
FOURTH: THAT for the purposes provided for in art. 64.2.b) of Law 39/2015, of October 1, and article 58.2.b) of the RGPD, it would be appropriate to impose a penalty of 200,000 euros (two hundred thousand euros) for the violation of article 32 of the RGPD, without prejudice to what results from the instruction.

FIFTH: TO NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, granting a hearing period of ten business days to make the allegations and present the evidence it considers appropriate. In its statement of allegations it must provide its NIF and the procedure number that appears at the top of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, it may acknowledge its responsibility within the term granted for the formulation of allegations to this initiation agreement, which will entail a reduction of 20% of the penalty to be imposed in this procedure. With the application of this reduction, the sanction would be set at €160,000 (one hundred and sixty thousand euros), resolving the procedure with the imposition of this sanction.

In the same way, it may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at €160,000 (one hundred and sixty thousand euros), and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one corresponding to the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be set at €120,000 (one hundred and twenty thousand euros).

In any case, the effectiveness of either of the two mentioned reductions will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction.

Should it choose to make the voluntary payment of either of the amounts indicated above, €160,000 (one hundred and sixty thousand euros) or €120,000 (one hundred and twenty thousand euros), it must do so by paying into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the cause of the reduction of the amount it avails itself of.

Likewise, it must send the proof of payment to the Subdirectorate General for Inspection in order to continue the procedure according to the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On August 18, 2021, the claimed party made the payment of the sanction in the amount of 120,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal through administrative channels against the sanction and the acknowledgment of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction the infringements committed against said Regulation; the infringements of article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and another non-pecuniary sanction but the inadmissibility of the second has been justified, the voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction. The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00362/2021, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

936-160721

Mar España Martí
Director of the Spanish Data Protection Agency