AEPD (Spain) - EXP202200471
From GDPRhub
| AEPD - PS-00419-2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR §76(2)(b) LOPDGDD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 80.000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS-00419-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Michelle Ayora |
The Spanish DPA fined a bank €64,000 for lack of adequate technical and organisational measures under Article 32 GDPR, in relation to a confidentiality data breach. A contract was accidentally disclosed to and retained by a third party for almost four months in violation of Article 5(1)(f) GDPR.
English Summary
Facts
On 26 October 2021, the data subject asked BBVA Bank (the controller) for an account holder attestation through the bank app. Instead, they received another customer's contract with their name, surname, ID number, home address, and IBAN number.
The data subject communicated the incident to the controller and manifested their concern for the protection of their own personal data. The bank representative apologised and stated that it was due to an “operational error” and that the data subject’s rights were protected. However, the data subject manifested that they still had access to the third-party's document through the chat. The controller's employee answered that technically it was not possible to delete or retrieve the submission of that document. Consequently, the data subject submitted a complaint before the Spanish DPA against the controller for having access to a third-party contract instead of the requested document.
The DPA started an investigation and notified the controller, who claimed that the chat tool was a secure channel for communications (a log-in mechanism), which allowed access to the chat history, ensuring transparency and traceability of operations. It also manifested that the bank clerk had made an isolated human error and that the controller requested the data subject to delete the document. The controller informed the data subject about the prohibition of its disclosure, reproduction, or distribution. Additionally, the controller eliminated access to the content via the link provided, therefore, additional downloads of the document were not possible.
Holding
Firstly, the Spanish DPA analysed the reaction of the controller to the confidentiality data breach. It observed that the occurence of a data breach does not automatically suppose the imposition of a fine, but requires an analysis of the due diligence and security measures applied by the controller.
Secondly, the DPA highlighted the importance of complying with GDPR provisions regarding personal data integrity and confidentiality, Article 5(1)(f) GDPR, and the security of processing, foreseen in Article 32 GDPR. The DPA found a violation of Article 5(1)(f) GDPR and considered as an aggravating circumstance the level of responsibility of the controller regarding its technical and organisational measures applied, as required by Articles 25 and 32 GDPR. In this case, the controller had to implement adequate measures to avoid the exposition of personal data to non-authorised third parties. In addition, the security breach was not corrected until February 2022 (lasting for 4 months), which showed that appropriate measures were lacking. The DPA also found a violation of Article 32 GDPR. At the time of the data breach, the controller did not have appropriate technical and organisational measures to avoid the incident of disclosing personal data through the link, which was supposed to contain the data subject documentation.
Finally, the DPA fined the controller €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR. According to the national legislation (Article 76(2)(b) LOPDGDDon sanctions and corrective measures), the DPA considered as an aggravating circumstance the controller's high number of data processing activities. According to the DPA, a bank should have enough experience in personal data handling and should have adequate knowledge regarding personal data processing. However, the controller benefited from two reductions of this amount, voluntary payment and the admission of guilt, and ended up paying €64,000 for both violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13
File No.: EXP202200471
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On September 15, 2022, the Director of the Spanish Agency
of Data Protection agreed to initiate sanction proceedings against BANCO BILBAO
VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement
which is transcribed:
<<
File No.: EXP202200471
AGREEMENT TO START THE SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following
FACTS
FIRST: A.A.A. (hereinafter, the claiming party) dated November 15,
2021 filed a complaint with the Spanish Data Protection Agency. The
The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF
A48265169 (hereinafter BBVA). The reasons on which the claim is based are the following:
following:
It states that it requested a certificate of ownership of its
account, through the APP of said entity, receiving, by the same route, on date 26
October 2021, copy of a third party contract. After notifying the
entity the incidence and its concern for the protection of its data, receives
response, dated October 26, 2021, indicating the following:
"I apologize on behalf of my partner, it was an operational error. Your data
They are protected."
The claimant transfers to the respondent entity that continues to have access to the
document with data from third parties, which is still available through the chat of
contact with the claimed entity and states that said entity indicates that,
computerized, it is not possible to delete said document.
Along with the notification is provided:
-Contract relating to two holders other than the claimant, dated October 26,
2021.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13
-Conversations held with employees of the entity's management team
claimed (on October 25 and 26 and November 11, 2021) about the
request for the certificate of ownership, of the contract received relating to third parties,
of the operational error. communication from the claimant informing that he continues to have
access to the third-party contract through said channel and response from a management company
the claimed entity, dated November 11, 2021, indicating that it attaches
letter from the bank in this regard, as well as a response from the claimant showing his
disagreement with the response received and the lack of respect for the protection of
data, adding that he continues to have access to the controversial document.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereafter LOPDGDD), said claim was forwarded to BBVA so that
proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on 01/18/2022, as stated in the
acknowledgment of receipt in the file.
On 02/21/2022, this Agency received a written response indicating:
"The incident that has given rise to the request for information is due to the fact that the
claimant declares that it requested a certificate of ownership from the entity claimed
of your account, through the APP of said entity, receiving, by the same means, in
dated October 26, 2021, copy of a third-party contract.
The "My Conversations" tool facilitates customer contact with their manager
commercial, allowing to attach and send documentation. It is a secure channel (environment
logged) and efficient that provides access to the history of conversations, with
in order to guarantee the transparency and traceability of all operations.
It is true that the manager of the team with you BBVA made a specific and human error when
attach to your electronic communication a different contract than the one signed by Mr.
A.A.A. and that it is an isolated event, with no evidence of other
complaints from affected people. BBVA regrets the error and informs
this Agency that, at the time the claimant contacted
with the manager to warn of the error, he apologized for it, being unable to do more than
reiterate his apologies in writing, on 11/11/2021, where he also requested
to remove or delete the attached document.
BBVA has eliminated customer access to the contract file. although I know
maintains the conversation between the manager and the client, the link to the file has been
removed in such a way that it cannot access the download/viewing of the
document".
THIRD: On February 11, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/13
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:
Relevant documentation provided by the claimant:
- Document with header that refers to the claimant and title "Certificate
of ownership”. Contains a conversation supposedly held between the
claimant and a person belonging to the "team of your manager" of the claimant.
In it, the person from the management team quotes, in a message dated October 26
of 2021, which attaches the account contract. To this message, the claiming
responds by pointing out that the document refers to data from third parties. is indicated
that it was an "operational error". In the last message contained in the
document, dated November 11, 2021, the defendant warns that
You continue to have access to the certificate with personal data from third parties.
- Agreement to open an account (“Election Account Agreement”) in the
claimed dated October 26, 2021 in which they appear as owners
two third parties other than the claimant. In addition to the contract conditions,
it includes the following categories of third party personal data:
name, surname, NIF, address, IBAN code of the bank account.
INVESTIGATED ENTITIES
During these proceedings, the following entities have been investigated:
- BILBAO VIZCAYA ARGENTARIA BANK, S.A. with NIF A48265169 with
address at CIUDAD BBVA C/ AZUL 4, EDIF. LA VELA, 7TH FLOOR - 28050
MADRID (MADRID)
RESULT OF INVESTIGATION ACTIONS
In addition to the documentation mentioned in the background section, it includes
information from the following sources:
- Written from the claimed and registered entry in the AEPD
(numbers O00007128e2200008077 and O00007128e2200008078) dated
February 21, 2022 (Written1).
Context of the facts
The defendant states in the Writ1 that the application of the entity has a
section, "My Conversations", which allows the client to interact with their manager
commercial. Indicates that access to this part is secure (“logged environment”) and
provides access to the history of conversations "in order to guarantee the
transparency and traceability of all operations”.
The defendant states in the Brief1 that the facts described in the claim were
consequence of a "specific and human" error of the manager when attaching in the communication
with the claimant the third party contract. He adds that "this is an isolated incident, not
having evidence of other claims by the affected people.
reaction to incident
The defendant in Brief 1 states that he has eliminated the possibility of accessing the
third party contract by the claimant. In this regard, he points out that "although
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/13
maintains the conversation between the manager and the client, the link to the file has been
removed in such a way that it cannot access the download/viewing of the
document." To prove it, attach the following:
- Document number 3, screen print of the conversation in which
leaked the disputed document (taken on February 16, 2022
according to the date of the equipment in the printing itself), which includes the
link to contract According to the claimant, this screenshot reflects the
situation prior to withdrawal.
- Document number 4, screen print of the conversation in which
leaked the disputed document (taken on February 21, 2022
according to the date of the equipment in the printing itself), which does not include the
link to contract According to the claimant, this screenshot reflects the
post-withdrawal situation.
The defendant also provides information on the communications addressed to the
claimant in relation to these facts:
- Document number 2 attached to the Writ1 is a communication addressed by the
claimed from the claimant (undated, although the Brief1 states that it was
sent on November 11, 2021) which includes the following:
"We are writing to you regarding the incident that occurred on the 26th of
October, in which we mistakenly sent you documentation that was not
corresponded to that of his ownership.
First of all, we would like to convey our apologies warning you that it was
a specific situation caused by a human factor.
Although, we have to warn that when dealing with confidential information submitted
especially to professional secrecy, its disclosure, reproduction or distribution is
prohibited, so having received the information by mistake, you should know that your
reading, copying and use are prohibited thanking you to proceed with its destruction.
- Document number 1 attached to the Writ1 is a communication addressed by the
claimed to the claimant on February 14, 2022 that includes the following:
"The purpose of your claim, set forth in your communication, is to state your
annoyance for having received through the BBVA APP the copy of the contract of
account of a third party, rather than your own.
We inform you that this was due to the employee with whom you previously chatted and
to whom you requested said shipment, got the file confused and uploaded that of another client.
We are very sorry for what happened and the office has already taken action with the staff
to avoid confusion of these characteristics.”
FUNDAMENTALS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/13
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
II
Article 4 paragraph 12 of the GDPR defines, in a broad way, "violations of
security of personal data" (hereinafter security breach) as "all
those security violations that cause the destruction, loss or alteration
accidental or unlawful personal data transmitted, stored or otherwise processed
form, or unauthorized communication or access to said data.”
In the present case, there is a personal data security breach in the
circumstances indicated above, categorized as a breach of confidentiality, by
the complaining party has been provided with a contract containing data
third party personal
It should be noted that the identification of a security breach does not imply the
imposition of a sanction directly by this Agency, since it is necessary
analyze the diligence of managers and managers and security measures
applied.
Within the principles of treatment provided for in article 5 of the GDPR, the
integrity and confidentiality of personal data is guaranteed in section 1.f)
of article 5 of the GDPR. For its part, the security of personal data comes
regulated in articles 32, 33 and 34 of the GDPR, which regulate the security of the
treatment, the notification of a breach of the security of personal data to
the control authority, as well as the communication to the interested party, respectively.
II
Article 5.1.f) "Principles relating to processing" of the GDPR establishes:
"1. Personal data will be:
(…)
f) processed in such a way as to guarantee adequate security of the
personal data, including protection against unauthorized processing or
illicit and against its loss, destruction or accidental damage, through the application
of appropriate technical or organizational measures ("integrity and
confidentiality»).”
In this case, it is clear that the personal data of a BBVA customer,
in its database, were improperly exposed to the complaining party
when you requested access to your own contract, as a link was provided to you through
of which, instead of agreeing to his own contract, he agreed to someone else's.
In accordance with the evidence available in this agreement of
initiation of the disciplinary procedure, and without prejudice to what results from the
investigation, it is considered that the known facts could constitute a
infringement, attributable to BBVA, due to violation of article 5.1.f) of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/13
IV.
If confirmed, the aforementioned violation of article 5.1.f) of the GDPR could lead to the
commission of the offenses typified in article 83.5 of the GDPR that under the
The heading "General conditions for the imposition of administrative fines" provides:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.
For the purposes of the limitation period, article 72 "Infractions considered very
serious” of the LOPDGDD indicates:
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the
following:
a) The processing of personal data in violation of the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. (…)”
V
For the purposes of deciding on the imposition of an administrative fine and its amount,
In accordance with the evidence available at the present time of
agreement to start disciplinary proceedings, and without prejudice to what results from the
investigation, it is considered that the offense in question is serious for the purposes of the
GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the following
criteria established in article 83.2 of the GDPR:
As aggravating factors:
-The degree of responsibility of the controller or the person in charge of the treatment,
taking into account the technical or organizational measures that they have applied in
virtue of articles 25 and 32. Art. 83.2.d).
BBVA, as data controller, has to implement measures
adequate to avoid the exposure of personal data to third parties
authorized. Given that in the present case there has been a breach of
confidentiality, which was not corrected until at least February 16, 2022,
it can be assumed that appropriate measures had not been taken.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/13
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 "Sanctions and measures
corrective measures" of the LOPDGDD:
As aggravating factors:
-The linking of the offender's activity with the performance of
processing of personal data. (Art. 76.2.b).
The activity of BBVA, a financial institution, and the high number of customers
that it has, involves handling a large number of data
personal. This implies that they have sufficient experience and should have
with adequate knowledge for the treatment of said data.
The balance of the circumstances contemplated in article 83.2 of the GDPR and the
Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the
established in article 5.1.f) of the GDPR, allows initially setting a penalty of
€50,000 (fifty thousand euros).
SAW
Article 32 "Security of treatment" of the GDPR establishes:
"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of processing, as well as risks of
variable probability and severity for the rights and freedoms of individuals
physical, the person in charge and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which may include, among others:
a) the pseudonymization and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
c) the ability to restore the availability and access to personal data
quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
technical and organizational measures to guarantee the safety of the
treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to
take into account the risks presented by data processing, in particular as
consequence of the destruction, loss or accidental or illegal alteration of data
personal information transmitted, preserved or processed in another way, or the communication or
unauthorized access to such data.
3. Adherence to an approved code of conduct pursuant to article 40 or to a
certification mechanism approved under article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
present article.
4. The controller and the processor shall take measures to ensure that
any person acting under the authority of the controller or processor and
have access to personal data can only process such data by following
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/13
instructions of the person in charge, unless it is obliged to do so by virtue of the Law of
the Union or of the Member States.
In the present case, at the time the breach occurred, BBVA did not have
appropriate technical and organizational measures to prevent the occurrence of the
circumstance of making available to a person a link that gave access to the
contract of a third party, thus exposing the client's personal data from the
October 21, 2021 through at least February 16, 2022.
.
In accordance with the evidence available in this agreement of
initiation of the disciplinary procedure, and without prejudice to what results from the
investigation, it is considered that the known facts could constitute a
infringement, attributable to BBVA, for violation of article 32 of the GDPR.
VII
If confirmed, the aforementioned infringement of article 32 of the GDPR could lead to the
commission of the offenses typified in article 83.4 of the GDPR that under the
The heading "General conditions for the imposition of administrative fines" provides:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 10,000,000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the obligations of the person in charge and the person in charge according to articles 8,
11, 25 to 39, 42 and 43; (…)”
In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.
For the purposes of the limitation period, article 73 "Infractions considered serious"
of the LOPDGDD indicates:
"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
f) The lack of adoption of those technical and organizational measures that
are appropriate to ensure a level of security appropriate to the
risk of treatment, in the terms required by article 32.1 of the
Regulation (EU) 2016/679.
(…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/13
VIII
For the purposes of deciding on the imposition of an administrative fine and its amount,
In accordance with the evidence available at the present time of
agreement to start disciplinary proceedings, and without prejudice to what results from the
investigation, it is considered that the offense in question is serious for the purposes of the
GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the criteria that
Article 83.2 of the GDPR establishes:
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 "Sanctions and measures
corrective measures" of the LOPDGDD:
As aggravating factors:
-The linking of the offender's activity with the performance of
processing of personal data. (Art. 76.2.b).
The activity of BBVA, a financial institution, and the high number of customers
that it has, involves handling a large number of data
personal. This implies that they have sufficient experience and should have
with adequate knowledge for the treatment of said data.
The balance of the circumstances contemplated in article 83.2 of the GDPR and the
Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the
established in article 32 of the GDPR, allows the initial setting of a penalty of
€30,000 (thirty thousand euros).
IX
Among the corrective powers provided by article 58 "Powers" of the GDPR, in the
section 2.d) establishes that each supervisory authority may “order the
controller or processor that the processing operations are
comply with the provisions of this Regulation, where appropriate, in a
certain manner and within a specified period…”.
The Spanish Agency for Data Protection in the resolution that puts an end to the
this procedure may order the adoption of measures, as established
in article 58.2.d) of the GDPR and in accordance with what is derived from the instruction
of the procedure, if necessary, in addition to sanctioning with a fine.
Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
FIRST: INITIATE SANCTION PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of Article 5.1.f)
of the GDPR typified in Article 83.5 of the GDPR.
START SANCTION PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of Article 32 of the
GDPR typified in Article 83.4 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/13
SECOND: APPOINT as instructor R.R.R. and, as secretary, to S.S.S.,
indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Legal Department of the Public Sector (LRJSP).
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the
documents obtained and generated by the Sub-directorate General of Inspection of
Data in the actions prior to the start of this sanctioning procedure.
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be:
- For the alleged infringement of article 5.1.f) of the GDPR, typified in article 83.5
of said regulation, an administrative fine amounting to 50,000.00 euros
- For the alleged infringement of article 32 of the GDPR, typified in article 83.4 of
said regulation, an administrative fine of 30,000.00 euros
FIFTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, granting it a hearing period of ten
business days for him to formulate the allegations and present the evidence he deems
convenient. In your statement of allegations you must provide your NIF and the number of
procedure that appears in the heading of this document.
If, within the stipulated period, he does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a reduction of 20% of the
sanction that should be imposed in this proceeding. With the application of this
reduction, the sanction would be established at 64,000.00 euros, resolving the
procedure with the imposition of this sanction.
In the same way, it may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 64,000.00 euros and its payment will imply the termination
of the procedure.
The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
allegations at the opening of the procedure. Voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/13
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 48,000.00 euros.
In any case, the effectiveness of any of the two aforementioned reductions will be
conditioned to the withdrawal or resignation of any action or appeal via
administrative against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (64,000.00 euros or 48,000.00 euros), you must make it effective
by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened to
name of the Spanish Data Protection Agency in the bank
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the cause of
reduction of the amount to which it receives.
Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue with the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of nine months from the
date of the initiation agreement or, where appropriate, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
935-110422
Mar Spain Marti
Director of the Spanish Data Protection Agency
>>
SECOND: On September 23, 2022, the claimed party has proceeded to the
payment of the penalty in the amount of 48,000 euros using the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal via
against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Commencement Agreement.
FUNDAMENTALS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/13
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations (hereinafter, LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:
"1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the presumed perpetrator, in
any moment prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.
3. In both cases, when the sanction is solely pecuniary in nature, the
The competent body to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or resource against the sanction.
The percentage reduction provided for in this section may be increased
according to regulations."
According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202200471, in
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/13
Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
936-040822
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
