AEPD (Spain) - EXP202201718

From GDPRhub
AEPD - AI-00128-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Other Outcome
Fine: n/a
Parties: n/a
National Case Number/Name: AI-00128-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA held that a bank did not violate the GDPR when it was notified by the data subject of a possible fraudulent transaction as the bank had complied with its obligations under Article 32 GDPR.

English Summary


The data subject filed a complaint at the DPA against a bank (the controller) where the data subject had a bank account. The data subject stated that there had been a fraudulent withdrawal of €1,500, which did not match any transaction of the data subject.

After the data subject reported the withdrawal, the controller blocked the mobile application of the data subject for security reasons and reversed the transaction of €1,500. The controller also reported the incident to the police. After this, the controller launched an investigation.

The investigation unit of the DPA analysed the alleged fraudulent transaction and marked it as a ‘correct’ transaction, because no mistakes were found in the process.

The controller found that a facial recognition scan was used to facilitate the financial transaction as a form of biological authentication. To enable this facial recognition on a device, it is necessary to send a one-time password (OTP) key (by SMS) to a validated phone number of the user. OTPs allow for logging on to a service through a unique password that can only be used once. When this facial recognition (or other biometric authentication) is enabled, the user can approve transactions without additional two-factor authentication, and can simply use the biometric authentication option. The data subject was using this biometric option, according to the investigation unit.

The unit remarked that at the time of the transaction, the data subject had access to the information on the credit card, such as numbering, expiry date and CVV code. The data subject should also have been in the possession of the device on which biometric authentication was activated and could, therefore, also have authenticated the transaction by this enabled biometric authentication.

With regard to safety measures provided by the controller prior the transaction, the investigation unit found that the data subject was warned, both by e-mail and by a push notification, that online banking was registered on another mobile device with access to the bank account. The data subject was also warned with e-mail and push-notification that biometric authentication had been activated and that the data subject had been blocked after reporting the alleged fraudulent withdrawal.

It was also found that the OTP key to approve biometric authentication was send to a number that belonged to the data subject.

The investigation unit provided several screenshots as proof for these statements. After this assessment, the controller restored the original transaction of €1,500. The data subject complained at the customer service of the controller, but this complaint was denied.


After looking at the presented evidence, the DPA found no evidence of a breach that would fall under its jurisdiction. The DPA held that the controller had acted accordingly when notified by the data subject. Therefore, the DPA found no violation of Article 32 GDPR and ended the procedure.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202201718
Of the actions carried out by the Spanish Agency for Data Protection and
based on the following:
FIRST: Don A.A.A. (hereinafter, the complaining party) dated December 27
2021 filed a claim with the Spanish Data Protection Agency. The
claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF
A48265169 (hereinafter, the claimed party or BBVA).
The grounds on which the claim is based are as follows:
The claimant is the holder of an account opened in the claimed entity, which has
associated with a debit card. It states that, on October 11, 2021,
made a fraudulent charge on your card, corresponding to a purchase that the
claimant had not made, of an amount of 1500 euros. As it is an amount
high, the respondent entity proceeded, subsequently, to block the activity in the
App of the claimant, for security. Provides a complaint filed with the Police, in
date October 14, 2021, communication of the incident to the entity claimed, the
October 14, 2021, screenshot regarding the fraudulent operation and claim
before the OMIC, dated November 15, 2021.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on February 14, 2022 as
It is stated in the acknowledgment of receipt that is in the file.
On February 23, 2022, this Agency received a written response that
it did not provide any information on the claim that was forwarded to it.
THIRD: On March 22, 2022, in accordance with article 65 of the
LOPDGDD, the claim filed by the claimant was admitted for processing.
FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
question, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
C/ Jorge Juan, 6
28001 – Madrid
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:
1. The claimant is a customer of the claimed party under a credit card agreement
credit, subscribed from remote banking on 04/28/2017. Provide a copy of the contract
card which contains an agreed limit of 1,800 euros.
The party complained against indicates that it has analyzed the operations carried out through the
credit card linked to the aforementioned contract, and in this case the operations have been
carried out by biometric signature, for which it has been necessary to activate the
biometric access on the mobile and activate the signature with biometrics. They provide a record of
sending two SMS to the mobile number indicating it was validated by the claimant, SMS
in which they inform you of the OTP keys to authenticate the request (date 11
October 2021, same date as the claimed charge).
They indicate that to register the biometric signature it is necessary to enter an OTP key
which was sent by SMS to the claimant's validated mobile phone. The signature with
biometrics allows customers to use their fingerprint, iris, or facial recognition to
sign some of the operations carried out through the entity's app.
Once activated, clients can sign their operations without the need to receive
an SMS with a signature key. They indicate that in the case at hand, the operation
with controversial credit card, the second authentication factor was the signature
biometric that had previously been activated by validating the OTP key.
The respondent reports that, as a result of the incident filed by the claimant,
on October 14, 2021, in compliance with current regulations
restored the payment account to the state it was in before the operation
questioned. They provide an annulment note for the amount of 1500 euros, dated 15
October 2021.
Next, the claimed party initiates, through the specialized fraud area, the
investigative work, collecting records and documentation, both internal and
external to determine if it is an operation carried out correctly from the
operational point of view. They conclude after the analysis of the evidence and the report of the
payment service provider, that the reported electronic commerce operation
by the claimant from a strictly operational point of view should be considered
correct, since it was carried out without errors, and without it being considered an operation not
authorized under the terms established in the Payment Services regulations.
They emphasize that at the time of the purchase the claimant had to: (i) have the
information contained in the card, this is numbering, expiration date and code
CVV; (ii) having in his possession the validated device where the complaining party had
sent the OTP key to activate the signature with biometrics; (iii) validate the operation
using facial, iris or fingerprint recognition.
They indicate that they communicated to the claimant the resolution of the incident and proceeded to
reverse the payment made to the claimant's account. Given this, the claimant
filed a complaint with the Customer Service Department expressing their
disagreement with the previous resolution. On November 23, 2021, the application was dismissed.
C/ Jorge Juan, 6
28001 – Madrid