AEPD (Spain) - EXP202402432
AEPD - EXP202402432 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(d) GDPR Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas |
Type: | Complaint |
Outcome: | Upheld |
Started: | 13.11.2022 |
Decided: | 12.06.2024 |
Published: | |
Fine: | 120,000 EUR |
Parties: | Banco Bilbao Vizcaya Argentaria, S.A. |
National Case Number/Name: | EXP202402432 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA found that a bank violated the principle of accuracy when it transferred incorrect information about the data subject’s address to a solvency data collector, preventing the data subject’s receipt of a notification. The controller paid a reduced fine of €120,000 in accordance with national law.
English Summary
Facts
On 13 November 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Bilbao Vizcaya Argentaria, S.A. (the controller). The controller solicited ASNEF-Equifax, a solvency data collector, to include the data subject’s information concerning a credit card debt in its solvency file. The data subject claimed that this was done without prior notice because the postal address to which ASNEF-Equifax was meant to send notice was incomplete and not the exact address of the data subject. The data subject became aware of the processing when they were denied credit from other financial institutions.
On 13 August 2021, ASNEF-Equifax mailed the data subject a notification of their inclusion in its solvency file. It sent the notification to the address cosigned by controller. This was the address that the controller had registered as the data subject’s, and that it had sent payment demands to for the credit card in question. On 29 October 2021, ASNEF-Equifax received the mailed notification back due to incorrect delivery. ASNEF-Equifax then requested a confirmation of the mailing information from the controller, which indicated that the address was correct.
Holding
By not providing the exact address of the data subject, the controller caused a serious damage was caused to the data subject because it was not made aware of its inclusion in solvency files. The AEPD thus found that the controller violated the principle of accuracy pursuant to Article 5(1)(d) GDPR.
The AEPD recommended a sanction of €200,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/15 File No.: EXP202402432 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On April 15, 2024, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement which is transcribed: << File No.: EXP202402432 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: On November 13, 2022, A.A.A. (hereinafter, the part claimant) filed a claim with the Spanish Data Protection Agency. The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169 (hereinafter, the claimed party or BBVA). The reasons on which the claim is based are the following: The complaining party states that the complained party requested ASNEF-EQUIFAX, SOLVENCY AND CREDIT INFORMATION SERVICES, S.L. the inclution of your personal data in your solvency file, on August 12, 2021, without the prior notice must be properly carried out, since the postal address to which was sent by ASNEF-EQUIFAX, INFORMATION SERVICES ON SOLVENCY AND CREDIT, S.L. was not the exact address of the claimed party, but which was incomplete. The complaining party states that it has been aware of the inclusion of its personal data in the solvency file of ASNEF-EQUIFAX, SERVICIOS DE C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/15 INFORMATION ABOUT SOLVENCY AND CREDIT, S.L. because he has been prevented access the contracting of loans in financial institutions, as well as formalize contracting certain services such as changing telephone company and light, for recording their data in the aforementioned file. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on January 9, 2023, said claim was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency in the within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. On January 12, 2023, ASNEF-EQUIFAX presented a document providing the following documentation: - Copy of the response of January 12, 2023 sent to the complaining party informing of the procedures carried out and once again facilitating their situation in the ASNEF-EQUIFAX file (there is no data in the files Asnef and Asnef Empresas). - Copy of the Certification dated January 10, 2023 issued by the provider of the Generation, Printing, and Making Available Service of the Postal Shipments - Correos and/or Unipost-SERVINFORM, S.A. certifying the date inclusion of the reference notification, along with the rest of the communications issued in the process, and date on which it was made available to the service of postal shipments (August 17, 2021). - Copy of the inclusion notification. - Delivery note and delivery note at the Post Office ***ALBARÁN.1 and Hispapost, dated August 17, 2021, with its admission value date. - Copy of the return of said notification, with the reasons indicated by the postal delivery service, “Incorrect Addresses”. Furthermore, ASNEF-EQUIFAX states, among other things, the following: - That the file ***FILE.1, dated December 11, 2022, where a right of cancellation was managed by proceeding to the cancellation of the data provided by the BBVA entity on December 21, 2022 and appearing As the email address for sending said response, email address provided by the complaining party. - That the data of the complaining party was included in said file on December 12 August 2021 at the request of BBVA, for a debt derived from a credit card credit contracted with that entity. Appearing as display date the data on September 11, 2021. And stating in each of the files the Consultation History, with the entities that have accessed the data of the complaining party in the previous six months. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/15 - Regarding the lack of notification of the inclusion of your data in the file to BBVA instances in the ASNEF-EQUIFAX file, indicates that, after the query to the Auxiliary Notifications file in the ASNEF-EQUIFAX file, it is stated that the same was notified to you through the reference notification ***REFERENCE.1, issued on August 13, 2021 via postal mail ordinary to the address given by the creditor, that is, ***ADDRESS.1. However, it informs that its return is recorded, registered in its systems. from October 29, 2021. THIRD: On February 13, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: On June 16, 2023, information requests were sent to BBVA, and to ASNEF-EQUIFAX. BBVA was required to provide the following information: 1.- Copy of contract number ***XXXX of the SHOP CAR MASTERCARD given registered by BBVA in the name of the complaining party. 2.- Copy of contract number ***XXXX registered by BBVA in the name of the party claimant. 3.- Documentation supporting the debt payment requirements made to the complaining party. 4.- Copy of the contract signed between BBVA and ASNEF-EQUIFAX for the inclusion of the claiming party in the debtor registry managed by ASNEF-EQUIFAX. 5. Documentation supporting the communications of the party's data claimant for inclusion/exclusion in the ASNEF-EQUIFAX debtor file. 6.- Any other information that you consider appropriate. In its written response to said information request, BBVA makes, among other the following manifestations: - Provide a copy of the request of the complaining party for the Mercadona card dated December 5, 2011. Along with a document called “MERCADONA CARD REGULATION” in which section one states that the card will be issued by the entity UNOE BANK S.A. Indicating that the contract C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/15 of the aforementioned card was registered in the BBVA systems with the number ***XXXX, January 16, 2012. - And stating that, due to the termination of the collaboration agreement between Mercadona and BBVA, the aforementioned card was replaced by the Credit Card BBVA Mastercard Shop Card number ***XXXX, indicating that said card was sent to the address of the complaining party on December 16, 2019. Provides information document on the termination of the collaboration agreement between both entities together with the document “GENERAL CONDITIONS OF THE MASTERCARD SHOP CARD”. Although the documents provided are generic communication documents of the termination of the agreement between Mercadona and BBVA and conditions general terms of the new card, which do not include the identification of the person to whom they are addressed, nor the date on which they are issued and without these documents are signed. - Likewise, send movements of the aforementioned BBVA Mastercard Shop card Card from January 16, 2020. - To try to justify the existence of a debt payment requirement to the complaining party before its inclusion in the ASNEF-EQUIFAX file on December 12 August 2021 provides certificates issued by ASNEF- EQUIFAX and SERVIFORM,S.A. that payment of the debt was required on June 15 of 2021 and July 15, 2022, in which it is stated that these requirements of payment were sent by ordinary mail on June 16 and 17 and July 2021, to the postal address of the complaining party, without stating that the aforementioned requirements have been returned. - Also provide a copy of the contract signed between BBVA and ASNEF-EQUIFAX for the inclusion of the debtors in the debtor registry managed by ASNEF-EQUIFAX. ASNEF-EQUIFAX was required to provide the following information: 1.- Copy of the contract signed between BBVA and ASNEF-EQUIFAX for inclusion of the claiming party as debtor in the debtor registry managed by ASNEF- EQUIFAX 2. Documentation supporting communications between ASNEF-EQUIFAX and BBVA for the inclusion/exclusion in the ASNEF debtor file, of the data of the party claimant. 3.-Documentation of the procedures carried out by ASNEF-EQUIFAX with BBVA, before the impossibility of notifying the inclusion of the complaining party in the ASNEF-EQUIFAX debtor file, due to “Incorrect details” according to reason indicated by the postal delivery service. 4.- Any other information that you consider appropriate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/15 In its written response to the ASNEF-EQUIFAX request, among others, the following manifestations: - That provides a copy of the contract signed between BBVA and ASNEF-EQUIFAX for the inclusion of debtors in the debtor registry managed by ASNEF- EQUIFAX. - In relation to the inclusion of the complaining party's data in the file states that the data transferred to the ASNEF-EQUIFAX file by BBVA, S.A. were discharged on 08/12/2021 due to non-payment of credit card as owner, and in which there was an unpaid balance. And this operation is assigned the corresponding code. - That the cancellation of the data takes place on December 21, 2022 and that on December 11, 2022, the complaining party wrote to ASNEF-EQUIFAX exercising its right of cancellation. - Below, after describing the operation that follows for all the processes of sending of Inclusion Notification letters, indicates that in the specific case of the complaining party according to the consultation of the Auxiliary Notifications file in the ASNEF-EQUIFAX file, it is clear that the inclusion of your data in the file by part of BBVA was notified under the reference communication ***REFERENCE.1, issued on August 13, 2021 via postal mail ordinary to the address provided by BBVA: ***ADDRESS.2. - Since October 29, 2021, it has been returned, being the reason selected by the postal delivery service on 01, which corresponds to “Incorrect Signs”. - Upon receiving the return of the notification, as indicated Previously, a confirmation request is generated to the entity, with date October 29, 2021, to review the notification sending address and proceed to delete the data if it is erroneous or confirm it as correct. And that the entity, with the user ***USER.1, tells them that the address is correct and Therefore, the data remains registered in the file. It must be highlighted for its relevance in the facts that are the subject of the complaint that BBVA has provided a screen print of their systems which shows that BBVA The address of the complaining party was registered on ***ADDRESS.2 street. Likewise, from the documentation provided it is clear that BBVA sent the payment requirements to the aforementioned address of the claimant. FIFTH: As stated in the “2022 Annual Report”, published in ***URL.1, in the year 2022 BBVA's profit has amounted to (…), and it had more than (…) clients, as stated in the diligence that is incorporated into the file dated February 14, 2024. FOUNDATIONS OF LAW C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/15 Yo Competence In accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues In the present case it is evident that the claimed party requested ASNEF-EQUIFAX, INFORMATION SERVICES ON SOLVENCY AND CREDIT, S.L. the inclusion of the personal data of the complaining party in its file solvency, on August 12, 2021, without prior notice being adequately given, since that the postal address to which said notice was sent by ASNEF-EQUIFAX, SOLVENCY AND CREDIT INFORMATION SERVICES, S.L. was not the correct address, as it has not been adequately provided by the claimed party. The address provided by the claimed party to ASNEF-EQUIFAX has been: ***ADDRESS 1 The correct address, which appears in the database of the claimed entity, is: ***ADDRESS.2. III Typification of Article 5 of the GDPR Article 5 GDPR establishes that personal data will be: “a) treated in a lawful, loyal and transparent manner in relation to the interested party (“legality, loyalty and transparency»); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; according to article 89, section 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not considered incompatible with the initial purposes ("purpose limitation"); c) adequate, relevant and limited to what is necessary in relation to the purposes for which that are processed ("data minimization"); C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/15 d) accurate and, if necessary, updated; all measures will be taken reasonable grounds for the immediate deletion or rectification of personal data are inaccurate with respect to the purposes for which they are processed (“accuracy”); e) maintained in a way that allows the identification of the interested parties during no longer than necessary for the purposes of processing personal data; the Personal data may be retained for longer periods provided that treated exclusively for archival purposes in the public interest, research purposes scientific or historical or statistical purposes, in accordance with Article 89(1), without prejudice to the application of the appropriate technical and organizational measures that This Regulation is imposed in order to protect the rights and freedoms of the interested party ("retention period limitation"); f) processed in such a way as to ensure adequate data security personal data, including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical measures or organizational arrangements (“integrity and confidentiality”). 2. The person responsible for the treatment will be responsible for compliance with the provisions in section 1 and able to demonstrate it (“proactive responsibility”).” In this case, the claimed party requested ASNEF-EQUIFAX, SERVICIOS OF INFORMATION ON SOLVENCY AND CREDIT, S.L. the inclusion of data personal details of the complaining party, providing the email address to make the prior notice the following address: ***ADDRESS.1, although the postal address that appears in the database of the claimed entity is: ***ADDRESS.2. Therefore, such events could involve the commission of an infraction, attributable to the claimed party, for violation of article 5.1.d) RGPD, which requires that the data personal data collected are accurate and, if necessary, updated; so that They must take all reasonable measures to ensure that they are deleted or rectified without delay personal data that is inaccurate with respect to the purposes for which are treated ("accuracy"); Therefore, since the exact address of the party is not provided claimant by the claimed party, serious prejudice has been caused to the party claimant, since he could not have been aware of its inclusion in files of solvency, upon being sent the notice of inclusion in the solvency file, to a inaccurate email address, as it has not been updated by the claimed party, which represents a violation of the principle of accuracy regulated in article 5.1 d) of the GDPR. IV Classification and classification of the offense If confirmed, the aforementioned violation of article 5.1.d) of the RGPD could mean the commission of the infraction classified in article 83.5 of the RGPD that under the rubric “General conditions for the imposition of administrative fines” provides: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/15 global total annual business volume of the previous financial year, opting for the largest amount: a) The basic principles for treatment, including the conditions for treatment consent in accordance with articles 5,6,7 and 9.” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of prescription, article 72.1 entitled “infringements considered very “serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679”. V Sanction proposal In order to determine the administrative fine to impose, the following must be observed: provisions of articles 83.1 and 83.2 of the RGPD, provisions that indicate: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/15 of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD has: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/15 h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between those and any interested party." In this case, considering the seriousness of the violations found, taking into account especially to the consequences that its commission causes in the complaining party, The imposition of a fine is appropriate, in addition to the adoption of measures, where appropriate. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. Thus considers, in advance, the status of a large company and the volume of business of the claimed party. In accordance with the evidence available at the present time agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD and 76 of the LOPDGDD: As an aggravating factor: Article 83.2.a) of the GDPR: “a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages and damages they have suffered.” The nature and seriousness of the infraction, insofar as the communication by BBVA to the entity responsible for the Asnef file of an inaccurate address prevented the complaining party knew that their data was recorded in said file, which affects the ability of the data owner to exercise true control over the data. themselves. .Article 83.2.b) RGPD: “b) negligence in data processing”. The notorious negligence seen in the commission of the infraction, to the extent that the claimed party did not update the data of the complaining party, since upon receiving the return of the notification, ASNEF-EQUIFAX, INFORMATION SERVICES SOBRE SOLVENENCIA Y CréDITO, S.L formalized a request for confirmation to the claimed party, dated October 29, 2021, to review the address of sending the notification and proceed to delete the data if it is erroneous or confirm it as correct, but the claimed party tells you that the address is correct and therefore Consequently, the data remains registered in the asset solvency file. Article 76.2.b) of the LOPDGDD: “b) The linking of the offender's activity with the carrying out personal data processing”. The high link between the offender's activity and the performance of personal data, considering the level of implementation of the entity and the activity that it develops, in which personal data of millions of customers are involved. This circumstance determines a higher degree of demand and professionalism and, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/15 consequently, of liability of the claimed entity in relation to the data processing. The balance of the circumstances contemplated in article 83.2 of the RGPD with regarding the infraction committed by violating the provisions of article 5.1.d) of the GDPR allows you to initially set a penalty of €200,000 (two hundred thousand euros). SAW Adoption of measures If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” The imposition of this measure is compatible with the sanction consisting of a fine administrative, according to the provisions of art. 83.2 of the GDPR. This act establishes what the infraction was committed and the facts that give rise to the violation of data protection regulations, from which it is inferred clearly what the measures to be adopted are, without prejudice to the type of specific procedures, mechanisms or instruments to implement them corresponds to the sanctioned party, since it is the person responsible for the treatment who fully knows your organization and must decide, based on the responsibility proactive and risk-focused, how to comply with the RGPD and the LOPDGDD. However, in this case, regardless of the above, if the infringement, in the resolution adopted this Agency may require the entity responsible so that, within a period of one month, he can prove that he has proceeded with the rectification of personal data relating to the complaining party informed to the entity responsible for the Asnef file and the establishment, where appropriate, of adequate mechanisms to ensure that the incident does not occur again. It is warned that failure to comply with the possible order to adopt measures imposed by This body in the sanctioning resolution may be considered as a administrative offense in accordance with the provisions of the RGPD, classified as infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of article 5.1 d) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/15 of the RGPD, typified in article 83.5 of the RGPD and classified as very serious to prescription effects, in accordance with article 72.1 a) of the LOPDGDD. SECOND: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C., indicating that they may be challenged, if applicable, in accordance with the provisions of the Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Inspection of Data in the actions prior to the start of this sanctioning procedure. FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be for an amount of €200,000 (two hundred thousand euros) without prejudice to what results from the instruction. FIFTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, granting it a hearing period of ten business days for you to formulate the allegations and present the evidence you consider convenient. In your written allegations you must provide your NIF and the number of file that appears at the head of this document. If within the stipulated period you do not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in the article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement; which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 160,000 euros, resolving the procedure with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, The penalty would be established at 160,000 euros and its payment will imply termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for the voluntary payment of the penalty is cumulative with that corresponding apply for recognition of responsibility, provided that this recognition of the responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at 120,000 euros. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/15 In any case, the effectiveness of any of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (160,000 or 120,000 euros), you must make it effective through your deposit into the account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/Code SWIFT: XXXXXXXXXXXX) opened in the name of the Spanish Agency for the Protection of Data in the banking entity CAIXABANK, S.A., indicating in the concept the number reference of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. The sanctioning procedure will have a maximum duration of twelve months from from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as far as Subsequently, the notifications sent to you will be made exclusively electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering the procedure has been carried out and the procedure is followed. You are informed that you can identify to this Agency an email address to receive the notice of making notifications available and that the lack of practice of this notice does not will prevent the notification from being considered fully valid. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 935-30102023 Sea Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On June 6, 2024, the claimed party has proceeded to pay the sanction in the amount of 120,000 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to The opening of the procedure entails the waiver of any action or appeal pending. administrative against sanction and recognition of responsibility in relation to the facts referred to in the Initiation Agreement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/15 FOURTH: In the initiation Agreement transcribed previously it was stated that, If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” Having recognized the responsibility for the infraction, the imposition of the measures included in the Initiation Agreement. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/15 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202402432, of in accordance with the provisions of article 85 of the LPACAP. SECOND: ORDER BANCO BILBAO VIZCAYA ARGENTARIA, S.A. so that within 1 month from when this resolution becomes final and enforceable, notify the Agency to adopt the measures described in the foundations of right of the Initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1259-16012024 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es