AEPD (Spain) - EXP202303478

From GDPRhub
AEPD - EXP202303478
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 13.02.2023
Decided: 12.11.2024
Published: 13.11.2024
Fine: 120,000 EUR
Parties: BANCO BILBAO VIZCAYA ARGENTARIA
National Case Number/Name: EXP202303478
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ao

The DPA held that the erasure of all personal data from a former employee’s work phone by the employer was unlawful since it was not limited to corporate information.

English Summary

Facts

The data subject was an employee of the controller and the employment relationship ended in September 2021. Upon termination of the employment relationship, the data subject was given the option to retain the work phone for personal use according to the contractual terms of the purchase agreement. After a few months of use in June 2022, the data subject was suddenly unable to use the device which showed a notice stating that the phone is being administered remotely by the controller and that corporate credentials must be entered for further use.

The data subject contacted the controller who responded with instructions to reset the phone entirely. The data subject however wanted to retrieve their personal data and did not restore the phone to factory settings. On the 13 February 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, Banco Bilbao Vizcaya Argentaria. On the 7 October 2024, the AEPD initiated disciplinary proceedings against the controller who argued that the purchase contract governing the transfer of the work phone to private use gave it the right to delete data off the phone.

Holding

While the purchase contract granted the controller the right to delete all data contained in corporate applications at any time during or after the employment relationship, it did not give the controller the right to delete other personal data not contained in corporate applications.

Therefore, the AEPD held that the controller could not rely on a lawful basis under Article 6(1) GDPR for the processing of the data in the form of erasure. The AEPD initially set the fine at €200,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/13

File No.: EXP202303478

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY

Payment

From the procedure initiated by the Spanish Data Protection Agency and based

on the following

BACKGROUND

FIRST: On October 7, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against BANCO BILBAO
VIZCAYA ARGENTARIA, S.A. (hereinafter, the respondent party), through the Agreement
which is transcribed:

<<

File No.: EXP202303478

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and
based on the following

FACTS

FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on 13/02/2023. The
complaint is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF
A48265169 (hereinafter, the respondent). The grounds on which the claim is based

are the following: The appellant states that in September 2021, upon
ending his employment relationship with the respondent and, in accordance with the internal policies of
the latter, he was offered the possibility of acquiring, on a personal basis, the corporate terminal,
which became his property and therefore for exclusively personal use,
since 20/09/2021; However, on 06/23/2022, the terminal is no longer active, and when trying to reconfigure it, a message is displayed indicating that it is

remotely managed by the respondent party, requesting the entry of their corporate
credentials to continue, thus preventing access to it.

After contacting the respondent party, they respond by attaching a document
with the steps to follow to restore the terminal to factory settings, as a solution

to be able to reactivate it, with the loss of information that such action entails.

He requested by email help to reactivate the terminal and the information contained therein, to which the response was indicated that although the device is usually completely erased before the employee is acquired, this was not done in due time (in September 2021, without prior notice, and without the possibility of making a backup copy on his part). At that time (June 2022) all his personal information had been erased, after his personal terminal had been found enrolled for more than 9 months in the corporate device management platform, without legal legitimacy to do so and in a continued breach of the principles regarding the protection of personal data.

He adds that, on 10/11/2022, he reported what had happened to the Data Protection Officer of the respondent party, receiving a response on 11/10/2022, confirming the impossibility of restoring the data.

He states that the respondent party's actions have led to the absolute loss of control over his data, since from the date of the terminal's deletion (June 2022)

it has been inactive, with the respondent party offering as its only alternative the
restoration of factory settings - which involves formatting it -, which it has not done
with the sole hope of recovering its personal information.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on 03/15/2023, said claim was transferred to the respondent party, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), was collected on 03/16/2023 as stated in the acknowledgment of receipt in the file.

On May 22, 2023, the respondent submitted a written response to the
transfer action and request for information.

THIRD: On May 13, 2023, in accordance with article 65.5 of the
LOPDGDD, the claim submitted was admitted for processing.

FOURTH: On May 26, 2023, after analyzing the documentation in the file, a resolution was issued by the Director of the Spanish Data Protection Agency, agreeing to file the claim. The resolution was notified to the
appellant on May 26, 2023, as evidenced in the file.

FIFTH: On 06/26/2023, the respondent party filed an optional appeal against the Resolution issued, expressing its disagreement with the contested resolution and requesting that the processing of the initial claim presented continue.

On 03/05/2024, the appeal filed by the respondent party was forwarded within the framework of the provisions of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/13

effects of formulating the allegations and presenting the documents and supporting documents that it deemed appropriate, which was carried out by means of a letter dated 03/15/2024.

The respondent party stated that the claimant's intention to challenge
the decision to file the claim is nothing more than to initiate a sanctioning

file, without the claimant having any standing to do so; the absence of an infringement and that while the claimant's employment relationship took place, he acquired a corporate terminal for work purposes, but later, said terminal was acquired in a personal capacity by the claimant, and the respondent proceeded, as the Corporate Smartphone Project confers on him, to erase said terminal; that in no case has the respondent acknowledged any responsibility regarding the erasure of the respondent's corporate data and what he intends is to make it appear that the commission of an infringement in the field of data protection has been acknowledged simply by showing empathy with a person who for many years was part of the Entity.

SIXTH: On 05/31/2024, the Director of the Spanish Data Protection Agency decided to ACCEPT the appeal for reconsideration filed by the claimant against the Resolution issued on 05/26/2023, by which the filing of the complaint against the respondent was agreed.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The
procedures processed by the Spanish Data Protection Agency shall be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions issued in its development and, insofar as they do not
contradict them, on a subsidiary basis, by the general rules on administrative
procedures."

II
Unfulfilled obligation: article 6.1 of the GDPR

The facts claimed are caused by the opportunity to acquire by the

complainant, on a personal basis and after his employment relationship with the respondent party
has ended, a corporate terminal, which becomes his property and therefore
for his exclusive personal use; However, as of 06/23/2022 (date of deletion of information), the terminal was no longer active, offering the claimed party as the only alternative the restoration to factory settings, which meant the loss of all

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/13

personal information contained in the aforementioned device, considering that the regulations on the protection of personal data have been violated.

Article 6, Lawfulness of processing, of the GDPR in its section 1, establishes
that:

“1. The processing will only be lawful if at least one of the following
conditions is met:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of this one of pre-contractual measures;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The provisions of point (f) of the first paragraph shall not apply to
processing carried out by public authorities in the exercise of their tasks”.

Furthermore, Article 4 of the GDPR, Definitions, in its paragraphs 1, 2, 7 and
11, states that:

“1) “personal data” means any information relating to an identified or
identifiable natural person (“data subject”); an identifiable natural person shall be

any person whose identity can be determined, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that
person;

“2) “processing” means any operation or set of operations which is performed
on personal data or on sets of personal data, whether or not by automated means,
such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use,

disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/13

“7) “controller” or “data controller” means the natural or legal person,
public authority, agency or other body which, alone or jointly with others, determines the
purposes and means of the processing; If Union or Member State law

determines the purposes and means of processing, the controller or the
specific criteria for its nomination may be determined by Union or Member State law

“11) ‘consent of the data subject’ means any freely given,
specific, informed and unambiguous indication by which the data subject,
by a statement or by a clear affirmative action, agrees to the processing of personal data
relating to him or her”.

It should be noted that data processing requires a legal basis
that legitimises it.

In accordance with Article 6.1 of the GDPR, in addition to consent,
there are other possible bases that legitimize the processing of data without the need for
the authorization of the data subject, in particular, when it is necessary for the
execution of a contract to which the data subject is a party or for the application, at the request
of the data subject, of pre-contractual measures, or when it is necessary for the satisfaction of

legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and
freedoms of the data subject that require the protection of such data. The
processing is also considered lawful when it is necessary for compliance with
a legal obligation applicable to the data controller, to protect the
vital interests of the data subject or of another natural person or for the performance of a task
carried out in the public interest or in the exercise of official authority conferred on the
data controller.

In accordance with the provisions of article 6.1, there is no proven basis for

legitimation of any of those contemplated in the aforementioned provision for the treatment
carried out.

In the present case, the respondent party has stated that it was
authorized to delete the data from the claimant's terminal at any
time during the employment relationship between the parties or, as happened in the
case at hand, at the end of said employment relationship, since the
claimant was dismissed in April 2022 and in June of that year the
deletion of data from the terminal occurred, so it understands that the time lapse is
not susceptible to being classified as non-compliance and even less as an infringement of the
data protection regulations.

From the documentation provided it is clear that there was an obligation for
deletion by the respondent party once the terminal was purchased as indicated in
the CORPORATE SMARTPHONE Project.

In the Project Conditions, Condition 2 it is indicated that: “By joining
the Project, and from the receipt of the terminal [BRAND/MODEL], the employee
authorizes the Company to deduct from each monthly payroll the amount of: ##,##
euros, during the 24 months of duration, for the concept of: “Use of a mobile terminal

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/13

high-end”. At the end of this period, the employee may exercise the
option to purchase the terminal, or proceed to return it to the Company, in this
case, without any cost to the employee for the return.

If, after the 24-month period, the employee chooses to buy the terminal,
it will no longer be classified as a work tool. The Company
undertakes to remove at that time any corporate application, restriction, or
terminal configuration, pre-installed to meet the Company's own needs."

Furthermore, in Condition 3, Conditions of use of the high-end corporate mobile
terminal, it is stated that

d) The Company reserves the right to delete, remotely or physically, all
data found in the corporate applications contained in the

mobile communication device. The right to delete such information may be
exercised by the company at any time during the duration of the employee's contract
with the Company, or after it, without prior notice from the Company.

Regarding this last condition, it should be noted that it should only be applicable to
information contained in corporate applications and its use should be exceptional

in cases where the employment relationship has been concluded for some time.

Furthermore, the email provided dated 07/19/2022 states:

From: B.B.B. <***EMAIL.1>

Date: Tue Jul 19 2022 at 3:13
Subject: Re: [External] Re: CONTACT RESPONSIBLE MDM SPAIN -
URGENT
To: B.B.B. <***EMAIL.2>

“(…)
At the end of the co-payment program (due to the end of the program or withdrawal from the entity)
beneficiaries are offered to acquire the device for their personal use, for which
it is necessary to completely erase the device to remove the applications and
configurations. In your case, the early withdrawal was not notified and this procedure was not
carried out at the time of withdrawal, which was executed

subsequently since the terminal continued to be registered on the Bank's
platforms. (…)”
Although the conditions of use of the corporate mobile terminal gave the Company the right to delete all data contained in the corporate applications contained in the device “at any time during the duration of the employee’s contract with the Company, or subsequently thereto”, what this condition did not contain or grant was that the respondent party could delete data not included in said corporate applications and which affected the personal data and information of the complainant contained in the device purchased.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/13

This subsequent execution caused the personal data and information included in the terminal to be deleted/removed, with the consequent harm to the complainant.

In accordance with the above, it is considered that the respondent would be
responsible for the infringement of the GDPR: the violation of article 6.1, infringement
classified in its article 83.5.a).

III

The infringement attributed to the respondent is classified in
article 83.5 a) of the GDPR, which considers that the infringement of “the basic principles
for the treatment, including the conditions for consent according to
articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the
said article 83 of the cited Regulation, “with administrative fines of 20,000,000€ as

maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the total global annual turnover of the previous financial year,
opting for the highest amount”.

The LOPDGDD in its article 71, Infringements, states that: “The acts and conduct referred to in sections 4, 5 and 6 of

Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

And in its article 72, it considers for the purposes of prescription, that they are: “Infractions
considered very serious:

1. In accordance with the provisions of article 83.5 of Regulation (EU)
2016/679, infractions that
constitute a substantial violation of the articles mentioned therein and, in
particular, the following are considered very serious and will be subject to a three-year statute of limitations:

(…)
b) The processing of personal data without any of the
conditions for the lawfulness of the processing established in article 6 of
Regulation (EU) 2016/679.
(…)”

IV
In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the GDPR must be observed, which
state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of
each individual case, in addition to or as a substitute for the measures provided

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/13

in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative
fine and its amount in each individual case, due account shall be taken of:

a) the nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the
level of damage and harm they have suffered;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor

to alleviate the damage and harm suffered by the data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous infringement committed by the controller or processor;
(f) the extent of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as the financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.

In relation to letter k) of Article 83.2 of the GDPR, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:

“2. In accordance with the provisions of Article 83.2.k) of Regulation (EU)
2016/679, the following may also be taken into account:

a) The continued nature of the infringement.
b) The connection between the infringer's activity and the processing of personal
data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the affected party's conduct could have led to the

commission of the infringement. e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.

h) The voluntary submission by the controller or person in charge to alternative dispute resolution mechanisms, in those

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/13

cases in which there are disputes between them and any interested party.”

- In accordance with the provisions transcribed, for the purposes of setting the amount of the penalty to be imposed in the present case for the infringement of article 6.1 of the GDPR, classified in article 83.5.a) of the GDPR for which the respondent is held responsible, the following circumstances are considered to be concurrent:

The nature, seriousness and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation; the facts made manifest affect a basic principle relating to the processing of personal data, such as legitimacy, which the law sanctions with the greatest seriousness; it is
evident that the personal data of the claimant were deleted or
eliminated from the acquired device without being authorized to carry out the aforementioned

processing (article 83.2.a) of the GDPR).

The intentionality or negligence in the infringement. A serious lack of negligence is observed in the failure to comply with the procedures implemented by the entity itself in light of what is stated in the corporate Project; it could be understood that once the employment relationship is terminated, the elimination of corporate applications would proceed but not the

deletion of all information contained in the terminal, especially that of a private or personal nature. Also connected with the degree of diligence that the data controller is obliged to display in compliance with the
obligations imposed by the data protection regulations, the SAN of 17/10/2007 can be cited. Although it was issued before the validity of the RGPD, its pronouncement

is perfectly applicable to the case we are analyzing. The judgment, after
alluding to the fact that entities whose activity involves the continuous
processing of client and third party data must observe an adequate level of
diligence, specified that “(...). the Supreme Court has understood that there is
imprudence whenever a legal duty of care is disregarded, that is, when the

offender does not behave with the required diligence. And in assessing the degree of
diligence, the professionalism or lack thereof of the subject must be especially considered, and
there is no doubt that, in the case now examined, when the activity of the appellant
is of constant and abundant handling of personal data, it is necessary to insist on
the rigor and the exquisite care to comply with the legal provisions in this regard”
(article 83.2, b) of the GDPR).

The entity under investigation is one of the largest companies in its sector
with a sales volume of more than €1,000,000,000 according to AXESOR data (article
83.2.k) of the GDPR).

In accordance with the above, the imposition of a fine of €200,000 is considered appropriate.

Therefore, in accordance with the above, by the Director of the

Spanish Data Protection Agency,

IT IS AGREED:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/13

FIRST: TO START SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged infringement of article 6.1 of the
RGPD, classified in article 83.5.a) of the RGPD.

SECOND: TO APPOINT B.B.B. as an Instructor. and Secretary to C.C.C., indicating that

any of them may be challenged, if applicable, in accordance with the provisions of
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (LRJSP).

THIRD. INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, the documents
obtained and generated by the Inspection Services; all of which are documents that
make up the file.

FOURTH. THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October and Article 58.2.b) of the GDPR, the penalty that may apply for the

violation of Article 6.1 of the GDPR would be 200,000 euros, without prejudice to the
results of the investigation.

FIFTH. NOTIFY this Agreement to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, expressly indicating its right to a
hearing in the procedure and granting it a period of TEN BUSINESS DAYS to

formulate the allegations and propose the evidence it considers appropriate. In its
written allegations, you must provide your NIF and the procedure number that appears
in the heading of this document.

If you do not submit any objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in

article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, if the sanction to be imposed is a fine, you may acknowledge your liability within
the period granted for the formulation of objections to this initiation agreement; which

will entail a 20% reduction of the sanction to be imposed in
this procedure. With the application of this reduction, the sanction would be established
at 160,000 euros, and the procedure would be resolved with the imposition of
this sanction.

Likewise, at any time prior to the resolution of the present procedure, the proposed fine may be paid voluntarily, which will mean a 20% reduction in its amount. With the application of this reduction, the fine will be set at 160,000 euros and its payment will imply the termination of the procedure, without prejudice to any measures that may be imposed.

The reduction for voluntary payment of the fine may be added to the one that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the total fine amount would be set at 120,000 euros.

In any case, the effectiveness of any of the two reductions mentioned

will be conditional on the withdrawal or waiver of any action or appeal through administrative channels
against the sanction. For these purposes, if you accept any of them, you must send to the General Subdirectorate of Data Inspection an express communication of the withdrawal or waiver of any action or appeal through administrative channels
against the sanction.

If you choose to make voluntary payment of any of the amounts indicated above (160,000 euros or 120,000 euros), you must do so
in cash by depositing it in account number ES00 0000 0000 0000 0000 0000 opened
in the name of the Spanish Data Protection Agency at Banco CAIXABANK,
S.A., indicating in the concept the reference number of the procedure that appears in

the heading of this document and the reason for the reduction of the amount to which you are applying.

You must also send proof of payment to the Subdirectorate General of
Inspection together with the communication of the withdrawal or waiver of any action or appeal through administrative channels against the sanction in order to continue with the procedure in

accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the start agreement or, where appropriate, the draft start agreement.
After this period, it will expire and, consequently, the proceedings will be filed; in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that,
from now on, the notifications sent to you will be made exclusively electronically, through the Single Authorized Electronic Address
(dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the
file, considering the process to have been carried out and the procedure to be followed. You are

informed that you can identify an email address with this Agency
to receive the notice of the availability of notifications and that the lack of
this notice will not prevent the notification from being considered fully
valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of

the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency

>>

SECOND: On October 31, 2024, the respondent party has proceeded to pay
the penalty in the amount of 120,000 euros using the two reductions

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/13

provided for in the initiation agreement transcribed above, which implies the
recognition of responsibility.

THIRD: Payment made within the period granted to submit objections to the
opening of the procedure entails the waiver of any action or appeal through administrative
course against the sanction and the recognition of liability in relation to
the facts referred to in the Commencement Agreement and its legal qualification.

LEGAL BASIS

I

Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants to each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading
"Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or when it is possible to impose a
monetary sanction and a non-monetary sanction but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at

any time prior to the resolution, will imply the termination of the procedure,
except with regard to the restoration of the altered situation or the determination of
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the

body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, which may be accumulated with each other.
The aforementioned reductions must be determined in the notification of initiation
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/13

of the procedure and its effectiveness will be conditional on the withdrawal or waiver of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased
by regulation.”

In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202303478, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

936-151024
Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es