AEPD (Spain) - EXP202402432

From GDPRhub
Revision as of 12:54, 19 June 2024 by Lm (talk | contribs)
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Complaint
Outcome: Upheld
Started: 13.11.2022
Decided: 12.06.2024
Published:
Fine: 120,000 EUR
Parties: Banco Bilbao Vizcaya Argentaria, S.A.
National Case Number/Name: EXP202402432
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA found that a bank violated the principle of accuracy when it transferred incorrect information about a data subject’s address to an insolvency registry, preventing the latter from notifying the data subject that the processing had occurred. The bank paid a reduced fine of €120,000 in accordance with national law.

English Summary

Facts

On 13 November 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Bilbao Vizcaya Argentaria, S.A. (the controller). The controller had asked ASNEF-Equifax, a solvency data collector, to include the data subject’s information concerning a credit card debt in its solvency file. The data subject claimed that this was done without prior notice because the postal address to which ASNEF-Equifax was meant to send notice was incomplete and not the exact address of the data subject. The data subject became aware of the processing when they were denied credit by other financial institutions.

On 13 August 2021, ASNEF-Equifax mailed the data subject a notification of their inclusion in its solvency file. It sent the notification to the address consigned by the controller. This was the address that the controller had registered as the data subject’s, and to which it had sent payment demands for the credit card in question. On 29 October 2021, ASNEF-Equifax received the mailed notification back due to incorrect delivery. ASNEF-Equifax then requested a confirmation of the mailing information from the controller, which indicated that the address was correct.

Holding

By not providing the exact address of the data subject, the controller caused serious damage to the data subject, who was not made aware of their inclusion in solvency files. The AEPD thus found that the controller violated the principle of accuracy pursuant to Article 5(1)(d) GDPR.

The AEPD recommended a sanction of €200,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202402432



       RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure conducted by the Spanish Data Protection Agency and based
on the following


                                 BACKGROUND


FIRST: On April 15, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against BANCO BILBAO
VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement
which is transcribed:

<<



File No.: EXP202402432



           AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and
based on the following


                                     FACTS

FIRST: On November 13, 2022, A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency.

The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with
NIF A48265169 (hereinafter, the claimed party or BBVA).

The reasons on which the claim is based are the following:

The complaining party states that the claimed party requested ASNEF-EQUIFAX,
SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. to include
their personal data in its solvency file, on August 12, 2021, without
the prior notice having been properly carried out, since the postal address to
which it was sent by ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE
SOLVENCIA Y CRÉDITO, S.L. was not the exact address of the claimed party, but
was incomplete.

The complaining party states that they became aware of the inclusion of their
personal data in the solvency file of ASNEF-EQUIFAX, SERVICIOS DE
INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. because they have been prevented
from taking out loans with financial institutions, as well as from
contracting certain services such as changing telephone and electricity
company, because their data is recorded in the aforementioned file.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,
on Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), on January 9, 2023, said claim was transferred to the
claimed party, so that it could proceed with its analysis and inform this
Agency, within one month, of the actions carried out to adapt to the
requirements provided for in the data protection regulations.

On January 12, 2023, ASNEF-EQUIFAX presented a document providing the
following documentation:


    - Copy of the response of January 12, 2023 sent to the complaining party,
       informing them of the procedures carried out and once again providing
       their status in the ASNEF-EQUIFAX file (there is no data in the Asnef
       and Asnef Empresas files).

    - Copy of the Certification dated January 10, 2023 issued by the provider
       of the Generation, Printing, and Making Available Service of the
       Postal Shipments - Correos and/or Unipost-SERVINFORM, S.A., certifying
       the date of inclusion of the reference notification, along with the rest
       of the communications issued in the process, and the date on which it
       was made available to the postal shipments service (August 17, 2021).

    - Copy of the inclusion notification.

    - Delivery note and delivery note at the Post Office ***ALBARÁN.1 and
       Hispapost, dated August 17, 2021, with its admission value date.

    - Copy of the return of said notification, with the reason indicated by the
       postal delivery service, “Incorrect Addresses”.

Furthermore, ASNEF-EQUIFAX states, among other things, the following:


    - That file ***FILE.1, dated December 11, 2022, records the handling of a
       right of cancellation, with the data provided by the BBVA entity being
       cancelled on December 21, 2022, and the address used for sending said
       response being the email address provided by the complaining party.

    - That the data of the complaining party was included in said file on
       August 12, 2021 at the request of BBVA, for a debt derived from a credit
       card contracted with that entity, with the display date of the data
       appearing as September 11, 2021, and with each of the files stating the
       Consultation History, with the entities that have accessed the
       data of the complaining party in the previous six months.


    - Regarding the lack of notification of the inclusion of their data in the
       ASNEF-EQUIFAX file at the request of BBVA, it indicates that, after
       consulting the Auxiliary Notifications file in the ASNEF-EQUIFAX file,
       it is recorded that the inclusion was notified through the notification
       with reference ***REFERENCE.1, issued on August 13, 2021 by ordinary
       postal mail to the address given by the creditor, that is, ***ADDRESS.1.
       However, it reports that its return is recorded, registered in its
       systems with the date October 29, 2021.

THIRD: On February 13, 2023, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.


FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
previous investigative actions to clarify the facts in question, by virtue of
the functions assigned to the control authorities in article 57.1 and the
powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data
Protection Regulation, hereinafter GDPR), and in accordance with the
provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having
knowledge of the following points:

On June 16, 2023, information requests were sent to BBVA, and
to ASNEF-EQUIFAX.


BBVA was required to provide the following information:

1.- Copy of contract number ***XXXX of the SHOP CAR MASTERCARD registered
by BBVA in the name of the complaining party.

2.- Copy of contract number ***XXXX registered by BBVA in the name of the
complaining party.

3.- Documentation supporting the debt payment requirements made
to the complaining party.

4.- Copy of the contract signed between BBVA and ASNEF-EQUIFAX for the
inclusion of the complaining party in the debtor registry managed by
ASNEF-EQUIFAX.

5.- Documentation supporting the communications of the complaining party's
data for inclusion/exclusion in the ASNEF-EQUIFAX debtor file.

6.- Any other information that you consider appropriate.

In its written response to said information request, BBVA makes, among
others, the following statements:


    - It provides a copy of the complaining party's application for the
       Mercadona card dated December 5, 2011, along with a document called
       “MERCADONA CARD REGULATION”, section one of which states that the
       card will be issued by the entity UNOE BANK S.A., indicating that the
       contract of the aforementioned card was registered in the BBVA systems
       with the number ***XXXX, on January 16, 2012.


    - It states that, due to the termination of the collaboration agreement
       between Mercadona and BBVA, the aforementioned card was replaced by the
       BBVA Mastercard Shop Card credit card number ***XXXX, indicating that
       said card was sent to the address of the complaining party on
       December 16, 2019. It provides an information document on the
       termination of the collaboration agreement between both entities
       together with the document “GENERAL CONDITIONS OF THE MASTERCARD SHOP
       CARD”.

       However, the documents provided are generic documents communicating
       the termination of the agreement between Mercadona and BBVA and the
       general conditions of the new card, which do not identify the person to
       whom they are addressed or the date on which they are issued, and the
       documents are not signed.

    - Likewise, it sends the transactions of the aforementioned BBVA
       Mastercard Shop Card from January 16, 2020.


    - To try to justify the existence of a debt payment requirement to the
       complaining party before its inclusion in the ASNEF-EQUIFAX file on
       August 12, 2021, it provides certificates issued by ASNEF-EQUIFAX and
       SERVINFORM, S.A. that payment of the debt was required on June 15
       of 2021 and July 15, 2022, in which it is stated that these payment
       requirements were sent by ordinary mail on June 16 and 17 and July
       2021, to the postal address of the complaining party, without stating
       that the aforementioned requirements have been returned.

    - It also provides a copy of the contract signed between BBVA and
       ASNEF-EQUIFAX for the inclusion of the debtors in the debtor registry
       managed by ASNEF-EQUIFAX.

ASNEF-EQUIFAX was required to provide the following information:

1.- Copy of the contract signed between BBVA and ASNEF-EQUIFAX for inclusion of
the complaining party as debtor in the debtor registry managed by
ASNEF-EQUIFAX.

2.- Documentation supporting communications between ASNEF-EQUIFAX and BBVA
for the inclusion/exclusion in the ASNEF debtor file of the data of the
complaining party.

3.- Documentation of the procedures carried out by ASNEF-EQUIFAX with BBVA,
given the impossibility of notifying the inclusion of the complaining party in
the ASNEF-EQUIFAX debtor file, due to “Incorrect details” according to the
reason indicated by the postal delivery service.

4.- Any other information that you consider appropriate.


In its written response to the request, ASNEF-EQUIFAX makes, among others,
the following statements:

    - That it provides a copy of the contract signed between BBVA and
       ASNEF-EQUIFAX for the inclusion of debtors in the debtor registry
       managed by ASNEF-EQUIFAX.

    - In relation to the inclusion of the complaining party's data in the
       file, it states that the data transferred to the ASNEF-EQUIFAX file by
       BBVA, S.A. were registered on 08/12/2021 due to non-payment of a credit
       card as holder, on which there was an unpaid balance, and that this
       operation is assigned the corresponding code.

    - That the cancellation of the data took place on December 21, 2022
       and that on December 11, 2022, the complaining party wrote to
       ASNEF-EQUIFAX exercising its right of cancellation.

    - Next, after describing the process followed for all mailings of
       Inclusion Notification letters, it indicates that in the specific case
       of the complaining party, according to the consultation of the Auxiliary
       Notifications file in the ASNEF-EQUIFAX file, it is recorded that the
       inclusion of their data in the file by BBVA was notified under the
       communication with reference ***REFERENCE.1, issued on August 13, 2021
       by ordinary postal mail to the address provided by BBVA: ***ADDRESS.2.

    - That it is recorded as returned as of October 29, 2021, the reason
       selected by the postal delivery service being 01, which corresponds
       to “Incorrect Addresses”.

    - That upon receiving the return of the notification, as indicated
       previously, a confirmation request was generated to the entity, dated
       October 29, 2021, to review the address to which the notification was
       sent and proceed to delete the data if it was erroneous or confirm it
       as correct, and that the entity, with the user ***USER.1, told them
       that the address was correct and, therefore, the data remained
       registered in the file.

It must be highlighted, for its relevance to the facts that are the subject of
the complaint, that BBVA has provided a screenshot of its systems which shows
that BBVA had the address of the complaining party registered at ***ADDRESS.2
street.

Likewise, from the documentation provided it is clear that BBVA sent the
payment requirements to the aforementioned address of the complaining party.

FIFTH: As stated in the “2022 Annual Report”, published in ***URL.1, in the year
2022 BBVA's profit amounted to (…), and it had more than (…) clients,
as stated in the diligence that is incorporated into the file dated February 14,
2024.


                            FOUNDATIONS OF LAW

                                            I
                                      Competence


In accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic
Law 3/2018, of December 5, on Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data
Protection Agency is competent to initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the
provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict
them, on a subsidiary basis, by the general rules on administrative procedures."


                                            II
                                   Previous issues

In the present case it is evident that the claimed party requested
ASNEF-EQUIFAX, SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L.
to include the personal data of the complaining party in its solvency file,
on August 12, 2021, without prior notice being adequately given, since
the postal address to which said notice was sent by ASNEF-EQUIFAX,
SERVICIOS DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. was not the
correct address, as it had not been adequately provided by the claimed party.


The address provided by the claimed party to ASNEF-EQUIFAX was:
***ADDRESS.1

The correct address, which appears in the database of the claimed entity, is:
***ADDRESS.2.

                                            III
                          Typification of Article 5 of the GDPR

Article 5 GDPR establishes that personal data will be:


“a) processed in a lawful, fair and transparent manner in relation to the
interested party (“lawfulness, fairness and transparency”);

b) collected for specific, explicit and legitimate purposes, and will not be
processed subsequently in a manner incompatible with said purposes; according
to article 89, section 1, the further processing of personal data for archiving
purposes in the public interest, scientific and historical research purposes or
statistical purposes will not be considered incompatible with the initial
purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed ("data minimization");



d) accurate and, if necessary, updated; all reasonable measures will be taken
so that personal data that are inaccurate with respect to the purposes for
which they are processed are deleted or rectified without delay (“accuracy”);

e) maintained in a way that allows the identification of the interested parties
for no longer than necessary for the purposes of processing personal data;
personal data may be retained for longer periods provided that they are
processed exclusively for archiving purposes in the public interest, scientific
or historical research purposes or statistical purposes, in accordance with
Article 89(1), without prejudice to the application of the appropriate
technical and organizational measures that this Regulation imposes in order to
protect the rights and freedoms of the interested party ("retention period
limitation");

f) processed in such a way as to ensure adequate security of personal data,
including protection against unauthorized or unlawful processing and against
its accidental loss, destruction or damage, through the application of
technical or organizational measures (“integrity and confidentiality”).

2. The person responsible for the treatment will be responsible for compliance
with the provisions of section 1 and able to demonstrate it (“proactive
responsibility”).”


In this case, the claimed party requested ASNEF-EQUIFAX, SERVICIOS
DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. to include the personal
data of the complaining party, providing, as the mailing address for the
prior notice, the following address: ***ADDRESS.1, although the postal address
that appears in the database of the claimed entity is: ***ADDRESS.2.

Therefore, such events could involve the commission of an infringement,
attributable to the claimed party, for violation of article 5.1.d) GDPR, which
requires that the personal data collected be accurate and, if necessary,
updated, so that all reasonable measures must be taken to ensure that personal
data that is inaccurate with respect to the purposes for which it is processed
is deleted or rectified without delay ("accuracy"). Since the exact address of
the complaining party was not provided by the claimed party, serious prejudice
has been caused to the complaining party, who could not have been aware of
their inclusion in solvency files, because the notice of inclusion in the
solvency file was sent to an inaccurate mailing address that had not been
updated by the claimed party, which represents a violation of the principle of
accuracy regulated in article 5.1 d) of the GDPR.

                                            IV

                        Classification and qualification of the offense

If confirmed, the aforementioned violation of article 5.1.d) of the GDPR could
mean the commission of the infringement classified in article 83.5 of the GDPR,
which under the rubric “General conditions for the imposition of administrative
fines” provides:


"5. Violations of the following provisions will be sanctioned, in accordance
with section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
a) The basic principles for treatment, including the conditions for
consent in accordance with articles 5, 6, 7 and 9.”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that:

“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic
law, constitute infringements.”

For the purposes of prescription, article 72.1, entitled “Infringements
considered very serious”, of the LOPDGDD indicates:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
infringements that involve a substantial violation of the articles mentioned
therein are considered very serious and will prescribe after three years and,
in particular, the following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679”.

                                           V
                                 Sanction proposal


In order to determine the administrative fine to impose, the provisions of
articles 83.1 and 83.2 of the GDPR must be observed, which indicate:

"1. Each supervisory authority will ensure that the imposition of
administrative fines under this article for violations of this Regulation
indicated in sections 4, 9 and 6 is in each individual case effective,
proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures
contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding
to impose an administrative fine and its amount in each individual case, the
following will be duly taken into account:

a) the nature, severity and duration of the infringement, taking into account
the nature, scope or purpose of the processing operation in question as well
as the number of interested parties affected and the level of damages that
they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the person responsible or in charge of the
treatment, taking into account the technical or organizational measures that
have been applied under articles 25 and 32;

e) any previous infringement committed by the controller or processor;


f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;


h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;

i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question
in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and


k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”

For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD
provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuous nature of the infringement.


b) The linking of the offender's activity with the carrying out of personal
data processing.

c) The benefits obtained as a consequence of the commission of the infraction.


d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.


f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the person responsible or in charge, on a voluntary basis,
to alternative conflict resolution mechanisms, in those cases in which
there are disputes between those and any interested party."

In this case, considering the seriousness of the violations found, and taking
into account especially the consequences that their commission causes for the
complaining party, the imposition of a fine is appropriate, in addition to the
adoption of measures, where appropriate.


The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the GDPR.
Thus, the status of the claimed party as a large company and its volume of
business are considered in advance.


In accordance with the evidence available at the present time of the
agreement to initiate the sanctioning procedure, and without prejudice to what
results from the instruction, it is considered appropriate to graduate the
sanction to be imposed in accordance with the following criteria established
by article 83.2 of the GDPR and 76 of the LOPDGDD:

As an aggravating factor:


Article 83.2.a) of the GDPR: “a) the nature, severity and duration of the infringement,
taking into account the nature, scope or purpose of the processing operation
in question as well as the number of interested parties affected and the level of damages and
damages they have suffered.”


The nature and seriousness of the infringement, insofar as the communication by
BBVA to the entity responsible for the Asnef file of an inaccurate address
prevented the complaining party from knowing that their data was recorded in
said file, which affects the ability of the data owner to exercise true control
over that data.

Article 83.2.b) GDPR: “b) negligence in data processing”.

The notorious negligence seen in the commission of the infringement, to the
extent that the claimed party did not update the data of the complaining party,
since upon receiving the return of the notification, ASNEF-EQUIFAX, SERVICIOS
DE INFORMACIÓN SOBRE SOLVENCIA Y CRÉDITO, S.L. made a request for confirmation
to the claimed party, dated October 29, 2021, to review the address to which
the notification was sent and proceed to delete the data if it was erroneous
or confirm it as correct, but the claimed party told it that the address was
correct and, consequently, the data remained registered in the asset solvency
file.

Article 76.2.b) of the LOPDGDD: “b) The linking of the offender's activity with
the carrying out of personal data processing”.


The high link between the offender's activity and the processing of
personal data, considering the level of implementation of the entity and the
activity that it carries out, in which personal data of millions of customers
are involved. This circumstance determines a higher degree of demand and
professionalism and, consequently, of responsibility of the claimed entity in
relation to the data processing.


The balance of the circumstances contemplated in article 83.2 of the GDPR with
regard to the infringement committed by violating the provisions of article
5.1.d) of the GDPR allows a penalty of €200,000 (two hundred thousand euros) to
be initially set.

                                         VI
                                Adoption of measures


If the violation is confirmed, the person responsible could be ordered to adopt
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of
the GDPR, according to which each control authority may “order the person
responsible or in charge of the treatment to bring the processing operations
into compliance with the provisions of this Regulation, where appropriate, in
a certain manner and within a specified period…”

The imposition of this measure is compatible with the sanction consisting of a fine
administrative, according to the provisions of art. 83.2 of the GDPR.


This act establishes the infringement committed and the facts that give rise
to the violation of data protection regulations, from which it is clearly
inferred what the measures to be adopted are, without prejudice to the fact
that the type of specific procedures, mechanisms or instruments to implement
them corresponds to the sanctioned party, since it is the person responsible
for the treatment who fully knows its organization and must decide, based on
proactive responsibility and a risk-focused approach, how to comply with the
GDPR and the LOPDGDD.

However, in this case, regardless of the above, if the infringement is
confirmed, in the resolution adopted this Agency may require the responsible
entity, within a period of one month, to prove that it has proceeded with the
rectification of the personal data relating to the complaining party reported
to the entity responsible for the Asnef file and with the establishment, where
appropriate, of adequate mechanisms to ensure that the incident does not occur
again.


It is warned that failure to comply with the possible order to adopt measures
imposed by this body in the sanctioning resolution may be considered an
administrative offense in accordance with the provisions of the GDPR,
classified as an infringement in its article 83.5 and 83.6, and such conduct
may give rise to the opening of a subsequent administrative sanctioning
procedure.



Therefore, in accordance with the above, by the Director of the Spanish Data
Protection Agency,


IT IS AGREED:

FIRST: START SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of article 5.1 d)
of the GDPR, typified in article 83.5 of the GDPR and classified as very serious
for prescription purposes, in accordance with article 72.1 a) of the LOPDGDD.

SECOND: APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that
they may be challenged, if applicable, in accordance with the provisions of
Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Data
Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be for an amount of €200,000 (two hundred
thousand euros), without prejudice to what results from the investigation.

FIFTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, granting it a hearing period of ten
business days to formulate the allegations and present the evidence it considers
appropriate. In your written allegations you must provide your NIF and the file
number that appears at the head of this document.

If within the stipulated period you do not make allegations to this initiation
agreement, it may be considered a proposed resolution, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).


In accordance with the provisions of article 85 of the LPACAP, you may recognize
your responsibility within the period granted for the formulation of allegations
to this initiation agreement, which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 160,000 euros, resolving the
procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, make voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
the penalty would be established at 160,000 euros and its payment will imply
termination of the procedure, without prejudice to the imposition of the
corresponding measures.

The reduction for the voluntary payment of the penalty is cumulative with the
one that applies for recognition of responsibility, provided that this
recognition of responsibility is made evident within the period granted to
formulate allegations at the opening of the procedure. The voluntary payment of
the amount referred to in the previous paragraph may be made at any time prior
to the resolution. In this case, if both reductions were to be applied, the
amount of the penalty would be established at 120,000 euros.


In any case, the effectiveness of either of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any administrative action or appeal
against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the
amounts indicated above (160,000 or 120,000 euros), you must make it effective
by depositing it into the account number IBAN: ES00 0000 0000 0000 0000 0000
(BIC/SWIFT Code: XXXXXXXXXXXX) opened in the name of the Spanish Data Protection
Agency at the banking entity CAIXABANK, S.A., indicating in the payment concept
the reference number of the procedure that appears in the heading of this
document and the ground for reduction of the amount that you are relying on.


Likewise, you must send proof of payment to the General Subdirectorate of
Inspection so that the procedure can continue in accordance with the amount
paid.

The sanctioning procedure will have a maximum duration of twelve months from
the date of the initiation agreement or, where applicable, of the draft
initiation agreement. After this period, it will expire and, consequently, the
proceedings will be closed, in accordance with the provisions of article 64 of
the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from
now on, the notifications sent to you will be made exclusively
electronically, through the Unique Enabled Electronic Address (dehu.redsara.es),
and that, if you do not access them, their rejection will be recorded in the
file, the step will be considered completed and the procedure will continue. You
are informed that you can provide this Agency with an email address to receive
notice that notifications have been made available, and that failure to send
this notice will not prevent the notification from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of
the LPACAP, there is no administrative appeal against this act.

                                                                               935-30102023

Mar España Martí
Director of the Spanish Data Protection Agency




>>

SECOND: On June 6, 2024, the claimed party proceeded to pay
the sanction in the amount of 120,000 euros, making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the
recognition of responsibility.

THIRD: The payment made within the period granted to formulate allegations at
the opening of the procedure entails the waiver of any administrative action or
appeal against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.


FOURTH: In the Initiation Agreement transcribed previously it was stated that,
if the infringement is confirmed, it could be agreed to impose on the controller
the adoption of appropriate measures to adjust its actions to the regulations
mentioned in this act, in accordance with the provisions of the aforementioned
article 58.2 d) of the RGPD, according to which each supervisory authority may
“order the controller or processor to bring processing operations into
compliance with the provisions of this Regulation, where appropriate, in a
specified manner and within a specified period…”


Responsibility for the infringement having been recognized, the imposition of
the measures included in the Initiation Agreement is appropriate.


                           FOUNDATIONS OF LAW


                                           I
                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the
provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict
them, on a subsidiary basis, by the general rules on administrative procedures."

                                           II
                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes
his responsibility, the procedure may be resolved with the imposition of the
appropriate sanction.


2. When the sanction has only a pecuniary nature or when a pecuniary sanction
and another of a non-pecuniary nature can be imposed but the inadmissibility of
the second has been justified, the voluntary payment by the alleged responsible
party, at any time prior to the resolution, will imply the termination of the
procedure, except in relation to the restoration of the altered situation or the
determination of the compensation for damages caused by the commission of the
infringement.




3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative with each
other. The aforementioned reductions must be determined in the notification
of initiation of the procedure and their effectiveness will be conditioned on
the withdrawal or waiver of any administrative action or appeal against the
sanction.


The reduction percentage provided for in this section may be increased
by regulation."

According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202402432, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER BANCO BILBAO VIZCAYA ARGENTARIA, S.A. to notify the Agency,
within 1 month from when this resolution becomes final and enforceable, of
the adoption of the measures described in the foundations of law of the
Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, interested parties may file
a contentious-administrative appeal before the Contentious-Administrative
Chamber of the National Court, in accordance with the provisions of article 25
and section 5 of the fourth additional provision of Law 29/1998, of July 13,
regulating the Contentious-Administrative Jurisdiction, within a period of two
months from the day following the notification of this act, as provided for in
article 46.1 of the aforementioned Law.


                                                                              1259-16012024

Mar España Martí
Director of the Spanish Data Protection Agency











