AEPD (Spain) - PS/00070/2019
| AEPD - PS/00070/2019 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(11) GDPR; Article 5 GDPR; Article 5(1)(a) GDPR; Article 5(1)(b) GDPR; Article 5(2) GDPR; Article 7 GDPR; Article 12 GDPR; Article 13 GDPR; Article 13(1)(c) GDPR; Article 13(1)(d) GDPR; Article 14 GDPR; Article 14(1)(d) GDPR; Article 21(2) GDPR; Article 21(3) GDPR; Article 6 LOPDGDD; Article 11(1) LOPDGDD; Article 11(2) LOPDGDD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 11.12.2020 |
| Fine: | 5,000,000 EUR |
| Parties: | Banco Bilbao Vizcaya Argentaria, SA |
| National Case Number/Name: | PS/00070/2019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed two fines, of €2 million and €3 million, on Banco Bilbao Vizcaya Argentaria, SA (BBVA) in relation to its privacy policy. The first was imposed for breaching the principle of transparency under Articles 12, 13 and 14 GDPR. The second was imposed because BBVA breached Article 6 GDPR (lawfulness of processing).
English Summary
Facts
The decision concerns five complaints, decided jointly, against Banco Bilbao Vizcaya Argentaria, SA (BBVA).
The first complainant complained that BBVA sent promotional SMS messages to his mobile phone without having obtained his consent. BBVA argued that the complainant had consented to receiving advertising by signing the document entitled "Customer identification, processing of personal data and digitized signature".
The second complainant complained that BBVA did not meet the legal requirements for free and informed consent. The complainant had emailed BBVA's data protection officer to point out that BBVA's application offered no possibility to refuse data processing, in breach of Article 12 GDPR. BBVA replied that this method of gathering consent was valid in its own view and in that of other forums where the question had been raised. The complainant provided a copy of the privacy policy document generated by the application. Section 1 of that copy contained identification data; all the processing options were active by default, and the only boxes offered were phrased as opt-outs ("I do not want…").
The third complainant complained that BBVA required them to sign the privacy policy document in order to unblock their account. This document, through which the data subject is meant to consent to the processing of personal data, included a ticked box stating "I don't want BBVA to process my data to offer me other products and services by email". The data subject signed the document.
The fourth complainant complained that they received advertising communications that they had neither authorised nor requested. BBVA argued that the complainant had not objected to this processing in the privacy policy document they signed. The Spanish DPA highlighted that this specific document offered no possibility to refuse.
The fifth complainant complained that they received advertising calls and SMS messages. BBVA stated that the complainant had signed the privacy policy document and thereby consented to the processing of their personal data for commercial purposes, and that the complainant had later signed the document a second time expressing their refusal of processing for commercial purposes. In the first document there was no option to indicate consent; in the second, the complainant selected the "I don't want…" option.
The privacy policy document in question covered personal data including name, tax ID, date of birth, nationality, address, marital status, fixed and variable income, and annual revenue. It also set out the purposes and legal bases for processing. BBVA relied on legitimate interest for the purpose of "Get to know [the client] better and personalize [the client's] experience". It relied on the client's consent for three purposes: i) offering products and services from BBVA, the BBVA Group and others, customised for the client; ii) communicating the client's personal data to BBVA Group companies so that they can offer personalised products and services; and iii) improving the quality of products and services.
Under BBVA's policy, the client's signature indicates acceptance of the privacy policy; however, a data subject cannot become a client without signing it. After the signature point there is a section on "additional information" containing a glossary of the terminology. As regards obtaining consent, the section immediately above the signature point offers the data subject the following options:
"We inform you that if you do not agree with the acceptance of any of the following purposes, you can select them below.
Products and prices more adjusted to you
[ ] I DO NOT want BBVA to process my data to offer me products and services from BBVA, the BBVA Group and others customized for me.
[ ] I DO NOT want BBVA to communicate my data to BBVA Group companies so that they can offer their own products and services customized for me.
Quality improvement
[ ] I DO NOT want BBVA to process my data to improve the quality of new and existing products and services.
We want to remind you that you can always easily change or delete the use that we make of your data."
At the request of the Spanish DPA, BBVA provided the data protection impact assessment (DPIA) for profiling for advertising purposes and the DPIA for risk profiling. The DPA also requested the report in which BBVA carried out the legitimate interest balancing test for the processing relying on that legal basis, as well as its register of processing activities.
Dispute
Did the defendant’s privacy policy lack clarity and specificity in breach of Articles 12, 13 and 14 GDPR?
Did the defendant rely on valid legal bases for processing personal data within the scope of Article 6 GDPR?
Holding
The Spanish DPA (AEPD) jointly decided the five complaints filed against BBVA in relation to its privacy policy and commercial communications (SMS and emails).
The DPA clarified that, since the five data subjects complained about the effects of BBVA's privacy policy, the issue was not an allegedly unlawful processing operation resulting from the policy but the privacy policy itself: it is the privacy policy that infringes the GDPR. The DPA therefore examined how BBVA gathers consent, and whether that consent is valid, by inspecting the privacy policy document. Because the same privacy policy is used for all clients, the alleged GDPR breaches did not affect only the five complainants.
The DPA imposed two distinct fines. The first, of €2 million, was for the absence of clear information in the privacy policy, in breach of the principle of transparency under Articles 12, 13 and 14 GDPR. The second, of €3 million, was imposed because BBVA breached Article 6 GDPR (lawfulness of processing). The DPA also ordered BBVA to amend its privacy policy so that it relies on a valid legal basis for processing and provides clients with sufficient information.
INFORMATION PROVIDED
The DPA first addressed the information provided in the privacy policy.
Imprecise terminology and vague formulations
The Spanish DPA referred to Article 5(1)(a) (principle of lawfulness, fairness and transparency), Article 12(1), Article 7, Article 13 and Article 14 GDPR, the corresponding GDPR recitals (32, 39, 42, 47, 58, 60, 61 and 72), as well as Articles 11(1) and (2) of the Spanish Data Protection Law (LOPDGDD), to highlight the importance of the principle of transparency in data protection law. The DPA then held that BBVA, as a controller processing personal data, must in particular comply with the obligations in Articles 13 and 14 read in conjunction with Article 5(1)(a).
According to the DPA, BBVA's privacy policy used terminology that was too imprecise and formulations that were too vague when informing the data subject. For example, the expressions "get to know [the client] better and personalize [the client's] experience" and "offer products and services from BBVA, the BBVA Group and others, customized for the client" were considered too vague (the DPA lists the vague formulations at pages 61-62 of the decision). The policy lacked precision because such expressions were repeated throughout without clarification, making it unclear and ambiguous, and clients could not readily derive any concrete meaning from them. The DPA therefore held that the privacy policy could not be easily understood by the data subject.
The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA’s privacy policy fell within the examples of poor transparency practices. It used the guidelines as support for its decision that the privacy policy was too vague and unclear.
Information on categories of data processed and specific categories for each purpose
The Spanish DPA held that the information in the privacy policy on the categories of personal data processed was incomplete. The DPA referred to the Article 29 Working Party Guidelines on consent to set out the requirements for valid consent as defined in Article 4(11) GDPR: consent must be freely given, specific, informed and an unambiguous indication of the data subject's wishes.
The DPA held that there was insufficient information about the types of data that BBVA processed on the basis of consent, so it could not be said that informed consent had been obtained. The DPA noted that BBVA stated only generically that it may process, for example, "Economic and solvency data (including those related to all the products and services that you have contracted with BBVA or of which BBVA is a marketer)" or "Sociodemographic data (such as age, family situation, residences, studies and occupation)". It was therefore unclear whether BBVA processes economic data unrelated to the products contracted with or marketed by the entity, or which sociodemographic data would be processed. Nor, for the same reasons, was the consent free, specific or an unambiguous indication of the data subject's wishes.
Where the legal basis was legitimate interest, the Spanish DPA held that the absence of this information entailed a breach of Article 14(1)(d) GDPR: BBVA failed to state the categories of data that would be processed. For example, the policy made no mention of BBVA obtaining data about the data subject from third parties.
Referring to the Guidelines on transparency and the GDPR recitals, the DPA stressed that transparency is a fundamental aspect of lawful and fair processing (Article 5(1)(a) GDPR). A lack of clear information is, in turn, likely to lead to infringements of other Article 5 principles such as purpose limitation and data minimisation.
Information on the purposes for which personal data are used and the legal basis
The Spanish DPA identified several sections of the privacy policy in which similar processing operations, described for different purposes, relied sometimes on consent and sometimes on legitimate interest. For example, processing for the purpose of personalised offers relied on consent, while a similar processing activity, for improving the customer experience, relied on legitimate interest.
The DPA held that, even if the legal bases themselves might be accurate, assigning different legal bases to similar processing activities left the privacy policy unclear for the average citizen. The Spanish DPA also noted that overly general formulations of the purposes in a privacy policy fall short of the purpose limitation principle (Article 5(1)(b) GDPR).
Information on the legitimate interests of the controller and third parties
The DPA held that the information BBVA provided on this legal basis was vague, and that BBVA did not substantiate the lawfulness of the processing, in breach of the principle of transparency. For example, the privacy policy's description of legitimate interest did not provide sufficient information to justify reliance on that legal basis, and BBVA did not set out the interests at stake (including those of third parties) or the data subjects' "reasonable expectations" (quoting Recital 47). There was therefore a breach of Article 13 GDPR.
According to the DPA, sufficient information, which was lacking here, would have enabled the client or data subject to object to processing on this legal basis.
Information on profiling
The Spanish DPA noted that BBVA used personal data to build profiles for various purposes set out in the privacy policy, including commercial purposes, relying on consent and on legitimate interest, neither of which, as explained above, was sufficiently defined in the policy.
The DPA added that BBVA did not provide sufficient information about this profiling, in breach of its duty to inform the data subject (specifically Article 13(1)(c) GDPR). BBVA did not clarify what types of profiles were built or what their intended uses were, nor did it inform data subjects of their right to object to such profiling for direct marketing purposes (Article 21(2) GDPR). At some points in the privacy policy, BBVA did not disclose that profiling occurred at all (e.g. for the "Get to know [the client] better and personalize [the client's] experience" purpose), which also infringed Article 11 LOPDGDD, the provision that sets out the minimum information to be provided to the data subject. Elsewhere, profiling for that same purpose was mentioned only briefly and vaguely.
The DPA observed that the privacy policy nowhere addressed whether the profiling fell within the scope of Article 22 GDPR, which would trigger the information obligations in Article 13(2)(f) GDPR. However, the DPA accepted that the absence of any reference to automated decision-making could be read as indicating that no such decisions were taken, and mentioned Article 22 only as a general warning about how profiling should be described in privacy policies.
In summary, the DPA held that Articles 13 and 14 GDPR, which give effect to the principle of transparency, were breached as a result of the privacy policy's lack of information on all of the above points.
LEGAL BASIS
The DPA then assessed the lawfulness of the legal bases relied upon by BBVA.
Processing of personal data based on consent
The Spanish DPA set out the conditions for consent as a legal basis for processing under Articles 4(11), 6 and 7 GDPR and the corresponding provision of the Spanish data protection law (Article 6 LOPDGDD), and referred to the Article 29 Working Party Guidelines on consent. The DPA stressed that these provisions are what give the data subject genuine control over their personal data and the uses to which they are put.
The DPA then inspected BBVA's privacy policy and held that BBVA had not designed any specific mechanism to collect valid consent for the three purposes for which it relied on consent (see Facts). BBVA restricted the data subject's options through the way it presented the tick boxes: the boxes offered a way to object, not a way to consent. The DPA therefore held that BBVA relied on the data subject's "inaction" to infer consent, which is incompatible with the GDPR's requirements for valid consent (quoting Recital 32).
The DPA further held that a general signature on the privacy policy could not constitute valid consent because it was not specific to each distinct purpose. Since the data subject could only reject or object, and could not opt in and choose their own preferences, they had no control over their personal data.
Finally, the consent given was not informed as the privacy policy lacked crucial information as highlighted in the above sections.
BBVA therefore processed data without a legal basis for the three purposes for which it relied on consent, in breach of Article 6 GDPR in connection with Articles 4(11) and 7 on valid consent.
Other processing without a legal basis
Other processing activities conducted by BBVA also lacked any legal basis.
Processing of personal data on the basis of the legitimate interests of the controller or a third party
The Spanish DPA held that there was no sufficient legal basis for the processing of personal data that BBVA claimed to carry out on the basis of legitimate interest. Moreover, some of the processing supposedly based on legitimate interest was very similar to processing based on consent, which, as explained above, was invalid. The DPA therefore held that the processing based on legitimate interest was also unlawful.
The DPA relied on Article 6 GDPR to emphasise that processing must be lawful and that it is the controller's responsibility to rely on a valid legal basis (in connection with Articles 5(1)(a) and 5(2) GDPR). The DPA also considered that the lack of information meant that data subjects could not assess the controller's balancing exercise and were therefore not in an informed position to object to processing based on legitimate interest, so they could not fully exercise their rights under Article 21(3) GDPR.
Furthermore, the absence of information about the actual interests weighed in the balancing exercise indicated to the Spanish DPA that the legitimate interest basis was not valid: without a weighing exercise, Article 6(1)(f) GDPR cannot be relied upon. The DPA noted that, given the missing information on the balancing exercise, it was difficult to assess whether BBVA's interests were legitimate at all. It nonetheless found that the interests were of an economic nature and held that, while such interests can be legitimate, in this case they could not prevail over the fundamental rights of the data subjects.
The DPA also took into account additional factors: how the data processed on the basis of legitimate interest were collected, the excessive scale of that collection, the use of data obtained from third parties without the data subjects' knowledge, the techniques used, the lack of transparency about the logic applied in profiling, the large number of data subjects affected, the data subjects' loss of control, and the controller's dominant position. Moreover, BBVA had adopted no additional safeguards or measures.
On these grounds, the DPA found that the processing could not be regarded as being in the data subjects' interests. There was therefore no evidence that the legitimate interest relied upon by BBVA was valid or that it prevailed over the interests, fundamental rights and freedoms of the data subjects, and the absence of safeguards meant that nothing offset the imbalance inherent in the processing.
The DPA therefore held that BBVA did not satisfy the conditions of Article 6(1)(f) GDPR, and that there was no legal basis for the processing it claimed to carry out on the basis of legitimate interest.
Comment
Comment from @Francesc Julve: Many are looking at the amount of the fine imposed, but the sanction is also important with regard to the prohibition of processing data and the obligation to delete the unlawfully processed data that the AEPD also imposed.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.