AEPD (Spain) - EXP202200471: Difference between revisions

From GDPRhub
 
Latest revision as of 13:21, 13 December 2023

AEPD - PS-00419-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
§76(2)(b) LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 80.000 EUR
Parties: n/a
National Case Number/Name: PS-00419-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA fined a bank €64,000 for lack of adequate technical and organisational measures under Article 32 GDPR, in relation to a confidentiality data breach. A contract was accidentally disclosed to and retained by a third party for almost four months in violation of Article 5(1)(f) GDPR.

English Summary

Facts

On 26 October 2021, the data subject asked BBVA Bank (the controller) for an account holder attestation through the bank's app. Instead, they received another customer's contract containing that customer's name, surname, ID number, home address, and IBAN.

The data subject reported the incident to the controller and expressed their concern for the protection of their own personal data. The bank representative apologised and stated that it was due to an “operational error” and that the data subject's rights were protected. However, the data subject pointed out that they still had access to the third party's document through the chat. The controller's employee answered that it was technically not possible to delete or retrieve the document once sent. Consequently, the data subject lodged a complaint with the Spanish DPA against the controller for having been given access to a third-party contract instead of the requested document.

The DPA started an investigation and notified the controller, which claimed that the chat tool was a secure channel for communications (a logged-in environment) that allowed access to the chat history, ensuring transparency and traceability of operations. It also stated that the bank clerk had made an isolated human error and that the controller had asked the data subject to delete the document and had informed them that its disclosure, reproduction or distribution was prohibited. Additionally, the controller removed access to the content via the link provided, so that further downloads of the document were not possible.

Holding

Firstly, the Spanish DPA analysed the reaction of the controller to the confidentiality data breach. It observed that the occurrence of a data breach does not automatically entail the imposition of a fine, but requires an analysis of the due diligence and security measures applied by the controller.

Secondly, the DPA highlighted the importance of complying with the GDPR provisions on personal data integrity and confidentiality, Article 5(1)(f) GDPR, and on the security of processing, Article 32 GDPR. The DPA found a violation of Article 5(1)(f) GDPR and considered as an aggravating circumstance the level of responsibility of the controller regarding the technical and organisational measures applied, as required by Articles 25 and 32 GDPR. In this case, the controller had to implement adequate measures to avoid the exposure of personal data to non-authorised third parties. In addition, the security breach was not corrected until February 2022 (lasting for 4 months), which showed that appropriate measures were lacking. The DPA also found a violation of Article 32 GDPR: at the time of the data breach, the controller did not have appropriate technical and organisational measures to prevent the disclosure of personal data through the link, which was supposed to contain the data subject's own documentation.

Finally, the DPA fined the controller €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR. Under national legislation (Article 76(2)(b) LOPDGDD on sanctions and corrective measures), the DPA considered as an aggravating circumstance the controller's high number of data processing activities: according to the DPA, a bank should have sufficient experience in handling personal data and adequate knowledge of personal data processing. However, the controller benefited from two reductions of this amount, for voluntary payment and admission of guilt, and ended up paying €64,000 for both violations.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/13

File No.: EXP202200471

RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On September 15, 2022, the Director of the Spanish Agency of Data Protection agreed to initiate sanction proceedings against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement which is transcribed:


<<

File No.: EXP202200471

AGREEMENT TO START THE SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the claiming party) on November 15, 2021 filed a complaint with the Spanish Data Protection Agency. The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (hereinafter BBVA). The reasons on which the claim is based are the following:

It states that it requested a certificate of ownership of its account, through the APP of said entity, receiving, by the same route, on October 26, 2021, a copy of a third-party contract. After notifying the entity of the incident and its concern for the protection of its data, it received a response, dated October 26, 2021, indicating the following: "I apologize on behalf of my partner, it was an operational error. Your data are protected."

The claimant transfers to the claimed party that it continues to have access to the document with data from third parties, which is still available through the contact chat with the claimed party, and states that said entity indicates that, computer-wise, it is not possible to delete said document.

Along with the claim, the following is provided:
- Contract relating to two holders other than the claimant, dated October 26, 2021.
- Conversations held with employees of the management team of the claimed party (on October 25 and 26 and November 11, 2021) about the request for the certificate of ownership, the contract received relating to third parties, and the operational error; a communication from the claimant informing that he continues to have access to the third-party contract through said channel, and a response from a manager of the claimed party, dated November 11, 2021, indicating that it attaches a letter from the bank in this regard, as well as a response from the claimant showing his disagreement with the response received and the lack of respect for the protection of data, adding that he continues to have access to the controversial document.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded to BBVA so that it would proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the data protection regulations.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was collected on 01/18/2022, as stated in the acknowledgment of receipt in the file.

On 02/21/2022, this Agency received a written response indicating:

"The incident that has given rise to the request for information is due to the fact that the claimant declares that it requested from the claimed entity a certificate of ownership of its account, through the APP of said entity, receiving, by the same means, on October 26, 2021, a copy of a third-party contract.

The "My Conversations" tool facilitates customer contact with their commercial manager, allowing documentation to be attached and sent. It is a secure channel (logged environment) and efficient, providing access to the history of conversations, in order to guarantee the transparency and traceability of all operations.

It is true that the manager of the "BBVA team with you" made a specific and human error when attaching to the electronic communication a different contract than the one signed by Mr. A.A.A., and that it is an isolated event, with no evidence of other complaints from affected people. BBVA regrets the error and informs this Agency that, at the time the claimant contacted the manager to warn of the error, he apologized for it, being unable to do more than reiterate his apologies in writing, on 11/11/2021, where he also requested that the attached document be removed or deleted.

BBVA has eliminated customer access to the contract file. Although the conversation between the manager and the client is maintained, the link to the file has been removed in such a way that the download/viewing of the document cannot be accessed."

THIRD: On February 11, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:

Relevant documentation provided by the claimant:
- Document with a header that refers to the claimant and the title "Certificate of ownership". It contains a conversation supposedly held between the claimant and a person belonging to the "team of your manager" of the claimed party. In it, the person from the management team states, in a message dated October 26, 2021, that the account contract is attached. To this message, the claimant responds by pointing out that the document refers to data from third parties. It is indicated that it was an "operational error". In the last message contained in the document, dated November 11, 2021, the defendant warns that you continue to have access to the certificate with personal data from third parties.
- Agreement to open an account ("Election Account Agreement") with the claimed party dated October 26, 2021, in which two third parties other than the claimant appear as holders. In addition to the contract conditions, it includes the following categories of third-party personal data: name, surname, NIF, address, IBAN code of the bank account.

INVESTIGATED ENTITIES
During these proceedings, the following entities have been investigated:
- BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169, with address at CIUDAD BBVA C/ AZUL 4, EDIF. LA VELA, 7TH FLOOR - 28050 MADRID (MADRID)

RESULT OF INVESTIGATION ACTIONS
In addition to the documentation mentioned in the background section, it includes information from the following sources:
- Written submission from the claimed party, registered as entries in the AEPD (numbers O00007128e2200008077 and O00007128e2200008078) dated February 21, 2022 (Submission 1).

Context of the facts
The claimed party states in Submission 1 that the entity's application has a section, "My Conversations", which allows the client to interact with their commercial manager. It indicates that access to this part is secure ("logged environment") and provides access to the history of conversations "in order to guarantee the transparency and traceability of all operations".

The claimed party states in Submission 1 that the facts described in the claim were the consequence of a "specific and human" error of the manager when attaching the third-party contract in the communication with the claimant. It adds that "this is an isolated incident, there being no evidence of other claims by affected people".

Reaction to the incident
The claimed party states in Submission 1 that it has eliminated the possibility of the claimant accessing the third-party contract. In this regard, it points out that "although the conversation between the manager and the client is maintained, the link to the file has been removed in such a way that the download/viewing of the document cannot be accessed." To prove it, it attaches the following:
- Document number 3, screen print of the conversation in which the disputed document was leaked (taken on February 16, 2022 according to the date of the equipment in the print itself), which includes the link to the contract. According to the claimant, this screenshot reflects the situation prior to withdrawal.
- Document number 4, screen print of the conversation in which the disputed document was leaked (taken on February 21, 2022 according to the date of the equipment in the print itself), which does not include the link to the contract. According to the claimant, this screenshot reflects the post-withdrawal situation.
The claimed party also provides information on the communications addressed to the claimant in relation to these facts:
- Document number 2 attached to Submission 1 is a communication addressed by the claimed party to the claimant (undated, although Submission 1 states that it was sent on November 11, 2021) which includes the following:
"We are writing to you regarding the incident that occurred on the 26th of October, in which we mistakenly sent you documentation that did not correspond to that of your ownership.
First of all, we would like to convey our apologies, warning you that it was a specific situation caused by a human factor.
However, we have to warn that, as this is confidential information subject especially to professional secrecy, its disclosure, reproduction or distribution is prohibited, so having received the information by mistake, you should know that its reading, copying and use are prohibited, and we thank you for proceeding with its destruction."
- Document number 1 attached to Submission 1 is a communication addressed by the claimed party to the claimant on February 14, 2022 that includes the following:
"The purpose of your claim, set forth in your communication, is to state your annoyance at having received through the BBVA APP the copy of the account contract of a third party, rather than your own.
We inform you that this was due to the employee with whom you previously chatted, and from whom you requested said shipment, getting the file confused and uploading that of another client.
We are very sorry for what happened and the office has already taken action with the staff to avoid confusion of these characteristics."

FUNDAMENTALS OF LAW

I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

Article 4, paragraph 12 of the GDPR defines, in a broad way, "personal data security breaches" (hereinafter security breach) as "all those security violations that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data."

In the present case, there is a personal data security breach in the circumstances indicated above, categorized as a breach of confidentiality, since the complaining party has been provided with a contract containing personal data of third parties.

It should be noted that the identification of a security breach does not imply the direct imposition of a sanction by this Agency, since it is necessary to analyze the diligence of controllers and processors and the security measures applied.

Within the principles of treatment provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data is regulated in articles 32, 33 and 34 of the GDPR, which regulate the security of the treatment, the notification of a breach of the security of personal data to the control authority, and the communication to the interested party, respectively.

III

Article 5.1.f) "Principles relating to processing" of the GDPR establishes:

"1. Personal data will be:
(…)
f) processed in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or illicit processing and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality")."

In this case, it is clear that the personal data of a BBVA customer, held in its database, were improperly exposed to the complaining party when they requested access to their own contract, as a link was provided to them through which, instead of accessing their own contract, they accessed someone else's.

In accordance with the evidence available in this agreement of initiation of the disciplinary procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to BBVA, due to violation of article 5.1.f) of the GDPR.

IV

If confirmed, the aforementioned violation of article 5.1.f) of the GDPR could lead to the commission of the offenses typified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:
a) the basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9; (…)"

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law".

For the purposes of the limitation period, article 72 "Infractions considered very serious" of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)"

V

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the present time of the agreement to start disciplinary proceedings, and without prejudice to what results from the investigation, it is considered that the offense in question is serious for the purposes of the GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:

As aggravating factors:
- The degree of responsibility of the controller or the processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32 (Art. 83.2.d).

BBVA, as data controller, has to implement adequate measures to avoid the exposure of personal data to unauthorized third parties. Given that in the present case there has been a breach of confidentiality, which was not corrected until at least February 16, 2022, it can be assumed that appropriate measures had not been taken.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 "Sanctions and measures
corrective measures" of the LOPDGDD:


As aggravating factors:
           -The linking of the offender's activity with the performance of
           processing of personal data. (Art. 76.2.b).

           The activity of BBVA, a financial institution, and the high number of customers

           that it has, involves handling a large number of data
           personal. This implies that they have sufficient experience and should have
           with adequate knowledge for the treatment of said data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and the

Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the
established in article 5.1.f) of the GDPR, allows initially setting a penalty of
€50,000 (fifty thousand euros).

                                           SAW
Article 32 "Security of treatment" of the GDPR establishes:


"1. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing, as well as the risk of varying
likelihood and severity for the rights and freedoms of natural persons, the controller
and the processor shall implement appropriate technical and organisational measures
to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
       a) the pseudonymisation and encryption of personal data;
       b) the ability to ensure the ongoing confidentiality, integrity, availability and
       resilience of processing systems and services;
       c) the ability to restore the availability and access to personal data in a
       timely manner in the event of a physical or technical incident;
       d) a process for regularly testing, assessing and evaluating the effectiveness
       of technical and organisational measures for ensuring the security of the
       processing.


2. In assessing the appropriate level of security, account shall be taken in
particular of the risks that are presented by processing, in particular from
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or
access to personal data transmitted, stored or otherwise processed.


3. Adherence to an approved code of conduct as referred to in Article 40 or an
approved certification mechanism as referred to in Article 42 may be used as an
element by which to demonstrate compliance with the requirements set out in
paragraph 1 of this Article.


4. The controller and processor shall take steps to ensure that any natural person
acting under the authority of the controller or the processor who has access to
personal data does not process them except on instructions from the controller,
unless he or she is required to do so by Union or Member State law."


In the present case, at the time the breach occurred, BBVA did not have appropriate
technical and organisational measures in place to prevent a link being made available
to a person that gave access to the contract of a third party, thereby exposing the
client's personal data from October 21, 2021 until at least February 16, 2022.

In accordance with the evidence available at the time of this agreement to initiate
the sanctioning procedure, and without prejudice to what results from the
investigation, it is considered that the known facts could constitute an
infringement, attributable to BBVA, for violation of Article 32 of the GDPR.

                                           VII
If confirmed, the aforementioned infringement of Article 32 of the GDPR could constitute
one of the offences typified in Article 83.4 of the GDPR, which under the heading
"General conditions for imposing administrative fines" provides:


"Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to EUR 10,000,000 or, in the case of an
undertaking, up to 2% of the total worldwide annual turnover of the preceding
financial year, whichever is higher:
       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39, 42 and 43; (…)"


In this regard, the LOPDGDD, in its Article 71 "Infringements", establishes that
"The acts and conduct referred to in paragraphs 4, 5 and 6 of Article 83 of
Regulation (EU) 2016/679 constitute infringements, as well as those that are
contrary to this organic law".

For the purposes of the limitation period, Article 73 "Infringements considered serious"
of the LOPDGDD indicates:
"On the basis of Article 83.4 of Regulation (EU) 2016/679, the infringements that
entail a substantial violation of the articles mentioned therein are considered
serious and shall be time-barred after two years, and in particular the following:
       (…)

       f) The failure to adopt those technical and organisational measures that are
       appropriate to ensure a level of security appropriate to the risk of the
       processing, in the terms required by Article 32.1 of Regulation (EU) 2016/679.

        (…)



                                         VIII
For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at the present time of the agreement to
initiate sanctioning proceedings, and without prejudice to what results from the
investigation, it is considered that the offence in question is serious for the purposes
of the GDPR and that it is appropriate to grade the sanction to be imposed in
accordance with the criteria established in Article 83.2 of the GDPR:

Likewise, it is considered appropriate to grade the sanction to be imposed in accordance with the
following criteria established in section 2 of Article 76 "Sanctions and corrective measures"
of the LOPDGDD:

As aggravating factors:
           - The link between the offender's activity and the processing of personal
           data (Art. 76.2.b).

           The activity of BBVA, a financial institution, and the high number of customers
           it has, involve the handling of a large amount of personal data. This implies
           that it has sufficient experience and should have adequate knowledge for the
           processing of such data.


The balance of the circumstances contemplated in Article 83.2 of the GDPR and in
Article 76.2 of the LOPDGDD, with respect to the offence committed by infringing
Article 32 of the GDPR, allows a penalty of €30,000 (thirty thousand euros) to be set initially.


                                          IX
Among the corrective powers provided for in Article 58 "Powers" of the GDPR,
section 2.d) establishes that each supervisory authority may "order the controller or
processor to bring processing operations into compliance with the provisions of this
Regulation, where appropriate, in a specified manner and within a specified period…".

The Spanish Data Protection Agency, in the resolution that puts an end to this
procedure, may order the adoption of measures, as established in Article 58.2.d) of
the GDPR and in accordance with what results from the investigation of the procedure,
if necessary, in addition to imposing a fine.

Therefore, in accordance with the foregoing, the Director of the Spanish Data
Protection Agency
AGREES:


FIRST: INITIATE SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged infringement of Article 5.1.f)
of the GDPR, typified in Article 83.5 of the GDPR.


INITIATE SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged infringement of Article 32 of the
GDPR, typified in Article 83.4 of the GDPR.



SECOND: APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that either
of them may be challenged, if applicable, in accordance with Articles 23 and 24 of
Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
complaint filed by the complainant and its documentation, as well as the documents
obtained and generated by the Sub-directorate General of Data Inspection in the
actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be:

- For the alleged infringement of Article 5.1.f) of the GDPR, typified in Article 83.5
of said regulation, an administrative fine amounting to 50,000.00 euros.

- For the alleged infringement of Article 32 of the GDPR, typified in Article 83.4 of
said regulation, an administrative fine amounting to 30,000.00 euros.

FIFTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with
NIF A48265169, granting it a hearing period of ten working days to formulate the
allegations and present the evidence it deems appropriate. In its statement of
allegations it must provide its NIF and the procedure number that appears in the
heading of this document.

If, within the stipulated period, it does not make allegations to this initiation
agreement, the agreement may be considered a proposed resolution, as established in
Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with Article 85 of the LPACAP, it may acknowledge its responsibility
within the period granted for the formulation of allegations to this initiation
agreement, which will entail a reduction of 20% of the sanction that should be imposed
in this proceeding. With the application of this reduction, the sanction would be set
at 64,000.00 euros, and the procedure would be resolved with the imposition of this sanction.

In the same way, it may, at any time prior to the resolution of this procedure, make
voluntary payment of the proposed sanction, which will entail a reduction of 20% of
its amount. With the application of this reduction, the sanction would be set at
64,000.00 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with the one that
applies for acknowledgement of responsibility, provided that this acknowledgement of
responsibility is made within the period granted to formulate allegations to the
initiation of the procedure. Voluntary payment of the amount referred to in the
previous paragraph may be made at any time prior to the resolution. In this case, if
both reductions were to be applied, the amount of the penalty would be set at
48,000.00 euros.


In any case, the effectiveness of either of the two aforementioned reductions will be
conditional on the withdrawal or waiver of any administrative action or appeal
against the sanction.


In the event that you choose to proceed with the voluntary payment of either of the
amounts indicated above (64,000.00 euros or 48,000.00 euros), you must make it
effective by depositing it in account number ES00 0000 0000 0000 0000 0000, opened in
the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A.,
indicating in the concept the reference number of the procedure that appears in the
heading of this document and the cause of the reduction of the amount applied.

Likewise, you must send proof of payment to the Sub-directorate General of
Inspection in order to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the
initiation agreement or, where appropriate, of the draft initiation agreement. After
this period, the procedure will expire and, consequently, the proceedings will be
archived, in accordance with Article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                               935-110422

Mar España Martí
Director of the Spanish Data Protection Agency


>>


SECOND: On September 23, 2022, the respondent paid the penalty in the amount of
48,000 euros, applying the two reductions provided for in the initiation Agreement
transcribed above, which implies acknowledgement of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to the
initiation of the procedure, entails the waiver of any action or appeal against the
sanction and the acknowledgement of responsibility in relation to the facts referred
to in the initiation Agreement.



                           LEGAL GROUNDS

                                           I


In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General
Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority,
and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of
December 5, on the Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is
competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD determines that: "The procedures processed by
the Spanish Data Protection Agency shall be governed by the provisions of Regulation
(EU) 2016/679, by this organic law, by the regulatory provisions issued in its
development and, insofar as they do not contradict them, on a subsidiary basis, by the
general rules on administrative procedure."

                                            II


Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading "Termination in
sanctioning proceedings", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges their
responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the inappropriateness of
the second has been justified, voluntary payment by the presumed offender at any time
prior to the resolution shall imply the termination of the procedure, except as regards
the restoration of the altered situation or the determination of compensation for the
damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent
to resolve the procedure shall apply reductions of at least 20% of the amount of the
proposed sanction, these being cumulative with each other. The aforementioned
reductions must be set out in the notification of initiation of the procedure and
their effectiveness shall be conditional on the withdrawal or waiver of any
administrative action or appeal against the sanction.


The percentage reduction provided for in this paragraph may be increased by regulation."

In accordance with the foregoing,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202200471, in accordance with the
provisions of Article 85 of the LPACAP.

SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A.

In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will
be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as provided
for in art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations, interested parties may file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with Article 25 and section 5 of the fourth
additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the day
following the notification of this act, as provided for in Article 46.1 of the
aforementioned Law.


                                                                                  936-040822
Mar España Martí

Director of the Spanish Data Protection Agency