AEPD (Spain) - EXP202201721
From GDPRhub
| AEPD - PS/00456/2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR Article 32(1) GDPR Article 83(4)(a) GDPR Article 83(5)(a) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 28.12.2021 |
| Decided: | 12.09.2023 |
| Published: | 12.09.2023 |
| Fine: | 70,000 EUR |
| Parties: | Banco Bilbao Vizcaya Argentaria, S.A. |
| National Case Number/Name: | PS/00456/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Mgrd |
The Spanish DPA fined BBVA €70,000 for not securely verifying the data subject's identity. A third party who had stolen the data subject's identity able to withdraw money, violating Article 6 and Article 32 GDPR.
English Summary
Facts
In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, a total of €9,400, without his authorization or consent. The withdrawal was made in person at the local bank branch. The withdrawal also required the signature of the third party. The third party was able to withdraw the money despite their signature not corresponding to the signature on the data subject's ID card.
Holding
The DPA seemed to infer that identifying a client at a bank for just the sake of providing them with a bank service involves a processing operation which must be carried out in compliance with Article 32 GDPR. The Spanish DPA considered the bank to have failed in adopting appropriate security measures by not verifying the data subject's identity in a reliable manner. As highlighted by AEPD, it was negligence that would have been overcome if available protocols would have been correctly followed. For example, correctly comparing and verifying both the photograph and the signature of the document that was presented in the request.
By not using appropriate technical and organisational measures to ensure a level of security appropriate to the risk, the controller violated Article 6 and Article 32 GDPR.
Comment
The DPA seems to consider the authentication procedure itself as "processing" and therefore Article 32 GDPR applies even if the damage is only monetary in nature.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/26
File No.: EXP202201721
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: Ms. A.A.A. (hereinafter the claimant) on 12/28/2021 filed
claim before the Spanish Data Protection Agency. The claim is
directs against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (in
hereinafter the claimed). The reasons on which the claim is based are the following:
The affected party states that, after losing her ID and filing the corresponding complaint
On 07/29/2021, a third party went to a branch of the defendant in
***LOCALIDAD.1, impersonating your identity and providing you with banking information,
in addition to giving him all of the money that was deposited in the
account, without your authorization or consent; considers that the claimed entity does not
adopted the measures required by diligence as it had not reliably verified
your identity (in relation to physical resemblance and signature).
Provides:
- Copy of complaint presented to the squad boys. It points out
that the day of the request for the extract and refund was 07/26/2021 and the day of withdrawal of
funds on 07/29/2021, in branch number ***SUCURSAL.1, as indicated, of
information collected from the entity's Customer Service.
- Unsigned bank document (a copy for the client), dated
09/23/2021, which indicates that you have received an amount of money
corresponding to the amount that was arranged without his consent, and the commitment
not to claim said amount in the future, waiving any right or action
about such provision.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on 02/11/2022 said claim was communicated to the party
claimed, so that it could proceed with its analysis and inform this Agency within the period
of one month, of the actions carried out to adapt to the planned requirements
in data protection regulations.
The transfer, which was carried out in accordance with the rules established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), was collected on 02/14/2022
as stated in the acknowledgment of receipt in the file.
The defendant responded on 02/23/2022 in writing in which he did not provide
any information about the claim that was sent to you.
THIRD: On 03/22/2022, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/26
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:
The respondent responded on 04/07/2022 providing the following information:
- On 08/23/2021 the claimant requested the defendant to return a charge
in her account stating that she had not authorized it. They provide a copy of the writing
presented.
- The defendant resolved to annul the fraudulent movement made against the
balance of the claimant's account assuming the defrauded amount of 9,400 euros.
- On 09/22/2021, the defendant responded to the claimant indicating that
proceeded to process the corresponding credit into his checking account. They provide a copy of the
document.
- On 11/25/2021, the claimant submitted a new statement of claim to the
claimed, as evidenced by providing a copy thereof, requesting the
refund of the amount of the fraudulent charge and an additional 20% as a consequence
of “the negligent action of the branch that fails to comply with the regulations regarding
data protection, by not verifying my identity for the purposes of providing consent
lawful for the delivery of funds and transfer of data of a sensitive nature.” The
claimant indicated in his writing “this action of the financial entity represents a
violation of my right to data protection, since it acted without the
due diligence, given that it did not correctly validate my identity (physical as well as
as its own identifying signature) nor did it adopt the necessary security measures to
verify my consent for the withdrawal of funds and delivery of documentation
that contains data of a sensitive nature.”
- On 12/16/2021, the defendant informed the claimant, by email
electronic, which proceeded to make the payment of the charge made against your account and,
regarding the request for compensation for damages, informed him that
had to prove them in order to be evaluated. Provide a copy of the email
electronic.
- The representatives of the defendant state that the claimant did not put into
knowledge of the banking entity that had been lost on 06/05/2021 (almost two months
before disposal) your DNI, not following the recommendation of the Bank of Spain
for these cases (they provide a copy of the aforementioned recommendation titled “Have you
Lost or stolen your ID? Inform your bank as soon as possible and report it.”
The representatives of the defendant state that alerting them of the loss of the DNI
would have resulted in the activation of the protocol available in the office network
in these cases. For these purposes, they provide a copy of the aforementioned protocol, which the
offices must follow when a client informs them of the theft or loss of the
identification document. In the protocol it is verified that it indicates that “in the case
for the client to report the theft or loss of their identification document, it is
mandatory to add this information in the teleprocess by blocking the account (of
free text) including the message “ATTENTION: stolen/lost document”,
restricting operation 0001 Refunds so that it serves as an alert for the Network.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/26
Request for information was made, the respondent responded on 05/30/2022
with the following information and documentation:
- Documentary accreditation of the procedure followed for the
identification of people who request procedures in person at the offices,
where all the established controls on identity accreditation are recorded
of the applicants, and a copy of the instructions provided to the managers of the
procedures in this regard. In particular, it has been requested to provide the procedure for
identification for processing requests for information and withdrawal of
cash in person in the office.
The claimed party provides a copy of the procedure (internal standard) of
cash provisions. The internal standard is available to employees of the
entity on the intranet. They have also stated that they communicate changes daily
or updates that may affect the rules via email,
providing a copy of the image of an email as an example. They also declare that the
employees have a consultation portal, providing as an example impression of
a question about customer identification, a link to the aforementioned standard is included
internal.
They provide a copy of the aforementioned internal standard, entitled “Cash provisions
against personal accounts within the scope of universal care”, highlighting the
following aspects:
“- In the case of natural persons, to verify the signature the
comparison with the client's digital signature (provided it is available).
- Universal Attention: Clients may go to any office in the Network […] to
carry out their operations in Cash and we will be able to serve them without needing to be the
office that owns the contract.
For this it will be very important to remember that to verify the client's signature, we must
have the identification document digitized and the signature digitized, not being
necessary in this case, request verification from the owner office. […]
- The only valid documents for correct identification are: Spanish DNI
(NIF), passport, […]
- Only originals will be valid, never photocopies, and only if
are in force. Under no circumstances will expired documents be accepted.
- Both the old and the current Spanish model of circulation permit (also
called driving license) are NOT valid as identification documents. […]
How to correctly identify:
Determine if the person carrying the document is the same person who appears on the
photograph of the identification document.
Verify that the document presented is valid, that it is original (never a photocopy) and
that is not expired.
Observe if there could be any manipulation or simple alteration (essential the
use of ultraviolet light lamp)
Any document that presents anomalies in its format as a result of
Possible manipulation should lead to suspicion.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/26
Observe the owner himself physically and determine if his appearance and age match the
of the photograph and date of birth that appear on the document.
Finally, it is mandatory to use the ultraviolet light lamp for validation.
of the identification document.”
- A printout has been requested that certifies the details of the procedures carried out
results from the request for information on the banking data and products of the
claimant made on 07/26/2021 in the office, as well as the information and documents
that were provided to the applicant, and documentation accrediting the details of the
specific checks on the identity of the applicant that were carried out in this
case. The claimed party has not provided documentation on the procedures carried out
nor about the information and documents that were provided to the applicant, nor about the
documentary accreditation of the identity checks carried out in the
case concrete.
- A printout has been requested that certifies the details of the procedures carried out
as a result of the refund request made on 07/29/2021 (office ***BRANCH.1),
as well as supporting documentation of the details of the specific checks
on the identity of the applicant that were made in this case. About the
checks carried out on the identity of the representatives of the party
claimed indicate that “In the case being analyzed and in accordance with the aforementioned
rule, the paying office did not correctly identify the person who
ordered, since the refund was carried out by a person other than the owner with the
documentation stolen from the client.” They provide proof of the disposal request
digitized with the signature of the applicant, a signature that consists of the name and the first
last name of the claimant.
They provide a capture of the copy of the claimant's DNI with her signature (document
digitized) indicating that it is on which the verification prior to the
cash provision (they indicate that the DNI is updated since it has been
provided a copy of the one issued on the occasion of the incident). They indicate that as a measure of
Security Once document fraud is detected, the office receives the following
instructions: “You must digitize the current version of your identity document,
We recommend maintaining the blockage until you either recover it or it is no longer available.
current".
FIFTH: On 11/25/2022, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the person complained of for the alleged infringement
of article 6.1 of the RGPD, sanctioned in accordance with the provisions of article 83.5.a)
of the aforementioned RGPD and article 32.1 of the RGPD, typified in article 83.4.a) of the
cited GDPR.
SIXTH: The initiation agreement was notified, the one claimed in writing dated 12/12/2022
requested an extension of the deadline to make allegations, which was granted by the
procedure instructor.
On 12/23/2022, the defendant presented a written statement of allegations stating, in
summary: that the accusation directed against the defendant and its legal basis
is erroneous since article 6.1 of the RGPD has not been violated and with respect to the
violation of article 32.1, the interpretation that is made is equally erroneous, without
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/26
make any reference to the procedures established by the defendant to
ensure the validity of cash provisions and existing case law; the
existence of medial competition; that in the imputation of article 32 of the RGPD no
takes into account the ruling of the Supreme Court of February 15, 2022 nor the
diligence displayed by the defendant.
Subsequently, a copy of the audio of the call made to the Service is provided.
Customer Service for the complainant.
SEVENTH: On 04/19/2023, the procedure instructor agreed to open
of a period of practice tests, remembering the following:
- Consider the claim filed reproduced for evidentiary purposes.
by the claimant and her documentation, the documents obtained and generated
by the Inspection Services that are part of the file.
- Consider reproduced for evidentiary purposes, the allegations to the agreement
of initiation presented by the claimant and the accompanying documentation.
-Request the claimant:
Protocol, Procedure or Instructions, etc., established by the
entity to combat and prevent fraud or scam as in the present case,
as well as security measures or opinions for cases of fraud and
fraud prevention and to proceed with correct identification of the
clientele.
Accreditation that said regulation together with the measures of a
technical or organizational were known to the office where the
incidence and were known by their employees.
On 05/09/2023, the defendant responded to the practical test whose
content of work in the file.
EIGHTH: On 06/29/2023, a Proposed Resolution was issued in the sense of
that the Director of the Spanish Data Protection Agency sanctioned the
claimed for violation of article 6.1 and 32.1 of the RGPD, typified in the article
83.5.a) and article 83.4.a) of the aforementioned RGPD, with a penalty of €50,000 (fifty thousand
euros) and €20,000 (twenty thousand euros), respectively.
The aforementioned Proposal was notified to the respondent on 07/03/2023, giving a response
to the allegations put forward in the document presented to the initiation agreement.
After the legally established period has elapsed, the defendant presented a written
allegations on 07/25/2023 reiterating the arguments put forward throughout the
procedure: that there was no violation of articles 6.1 and 32.1 of the RGPD and the
existence of medial competition of infractions, requesting the archive of the
procedure.
NINTH: Of the actions carried out in this procedure, they have been
accredited the following,
PROVEN FACTS
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/26
FIRST. On 10/12/2020, the AEPD has written from the claimant.
stating that he has been the subject of identity theft; after losing your ID and
file the corresponding complaint, a third party went to a branch of your entity
bank, being given all of the money that was deposited in
your account, without your authorization or consent, considering that the entity
claimed did not adopt the corresponding measures by not reliably verifying
his identity.
SECOND. The claimant has provided a copy of the complaint dated 08/16/2021 before the
squad boys, diligence number ***DILIGENCIA.1 at Usccorts. In the same,
The claimant states:
“(…)
Who has been on vacation, away in Europe...
That, upon returning to national territory, he opened the mobile application of his banking entity and
observed that they had made a refund, over the counter and in person, of 9,400 euros, without
your consent or authorization.
That the complainant states that said amount of money was taken from the entity
BBVA, located in LOCALIDAD.2 (***LOCALIDAD.1), specifically the office
***BRANCH.1.
That Mrs. A.A.A. Contact the Customer Service of your bank and the
reported that new documentation had been uploaded to their personal profile,
which she has not done nor has any proof of.
What customer service provided information related to the event, such as the day on which
requested statement and refund and the day on which they withdrew the money.
That the day of the request was 07/26/2021 and the day they withdrew the money was
day 07/29/2021, both carried out in person at the banking entity of
LOCALITY.2.,
That the complainants do not know who, how and in what way they have been able to access
their personal data and, especially, how they have been able to obtain
money, in person, from the bank if they supposedly make the
identity verification.
(…)”
THIRD. The claimant provides a copy of the complaint made in Italy, station
Venice-San Marcos in relation to the loss of your DNI.
ROOM. The defendant has provided a document signed by the claimant, without date, in the
that requests the return of those stolen from your account.
FIFTH. The defendant in writing dated 05/30/2022 has stated that: “In the event
that is analyzed and in accordance with the aforementioned standard, the payable office did not carry out
a correct identification of the person who disposed of it, since the refund led to
carried out by a person other than the owner with the documentation stolen from the client”, and
provides proof of the disposal request whose signature does not match the one
appears in the claimant's DNI.
Likewise, it indicated that “…has resolved to annul the movement of the provision
fraud carried out against the balance of the claimant's current account
BBVA therefore assumes the defrauded amount of 9,400 euros…”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/26
SIXTH. There is a written document dated 08/23/2021 in response to the request of the
claimant requesting the refund of the amount of the fraudulent charge in his account, in
which indicates that: “The request is being managed with the reference number
***REFERENCE.1, indicating this number you can make any query to the
regarding”, and the response offered by the respondent on 09/22/2021 stating that:
”We have received the letter that you presented to us, dated August 23, 2021. Your
reference number is ***REFERENCE.1.
The purpose of the claim, stated in your communication, is to request a refund
of the money (€9,400) that was stolen from one of the BBVA offices, without his
consent or authorization, as explained in the complaint attached to your
written.
In this sense, after having reviewed the facts that you describe to us and the
documentation collected in this regard, we inform you that we have transferred this
matter to the appropriate departments of our entity that are in charge of
analyze and resolve the facts that you detail in your writing.
Once your case has been reviewed and all the necessary checks have been made, we will
inform that their request has been attended to favorably, so in the
In the next few days we will proceed to process the credit to your account of the amount subject to
your claim.
(…)”
SEVENTH. As indicated in the fifth fact, a document of
BBVA Cash Drawdown, dated 07/29/2021 against Account: ES00 0000 0000 0000
0000 0000, belonging to the claimant, which states: I have received from the Bank
Bilbao Vizcaya Argentaria S.A., charged to the indicated account, the amount of:
9,400.00 EUROS.
At the bottom of the document appears the Signature of the Intervener, whose signature does not match
with that of the claimant.
EIGHTH. It is clear that the claimant sent the defendant a new
claim requesting, together with the refund of the amount of the fraudulent charge, 20%
additional as a consequence of “the negligent actions of the branch that fails to comply
with the data protection regulations, by not verifying my identity for the purposes
to provide lawful consent for the delivery of funds and transfer of data
sensitive nature.”
The respondent responded on 12/12/2021 that: “…With regard to your request for
compensation for damages caused, we inform you that
It is the burden of the claimant to prove the alleged damages, through documentation
timely, which proves the damage and the causal relationship with the action or omission of the
Bank. It must be taken into account that to evaluate the damages caused, not
it is sufficient that these have been effectively caused but it is necessary
also that they have caused damage or damages and that these can be proven by
objective means and are quantifiable on objective bases. The accreditation
of these extremes corresponds to the person who alleges them and, in many cases,
require the development of an evidentiary phase that only in a judicial procedure
can develop..."
NINETH. The response offered on 02/21/2022 is carried by the defendant.
pointing out that: “We are writing to you regarding the new letter that you sent to this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/26
entity, through the Spanish Data Protection Agency, on the amount
stolen from your account at a BBVA office without your consent and the violation
of your right to the protection of your data.
In this regard, we inform you that, having once again analyzed the facts that are the subject of your
claim, the specific conditions of the obligations assumed by the parties and
its particular circumstances, this Entity considers the response appropriate
provided to the claim ***CLAIM.1, a copy of which we attach, so
We ratify ourselves in it.
Likewise, we have been able to verify that on December 16, 2022 it was
credited to your account the amount claimed by you, amounting to €9,400.
However, as we informed you in our previous response, if you do not
agrees with this resolution has the power to go to the Department of
Conduct of Bank of Spain Entities since receipt of this letter…“
TENTH. The claimant provides a copy of the document issued by BBVA, dated 09/23/2021
without signature, which indicates that the claimant has been paid the amount of
9,400 euros, committing not to claim any amount from BBVA in the future,
renouncing any action.
ELEVENTH. The defendant has provided a copy of the audio of the call made to
customer service of the defendant on the occasion of the withdrawal of funds from
your account.
TWELFTH. The defendant has provided documents related to the Provisions of
cash against personal accounts within the scope of universal care in which
The instructions that regulate the provisions against current accounts are included,
of credit and savings books, as well as issues of bank checks and
cash transfers; for the prevention of Fraud and Scam in which
contain instructions for fraud prevention as well as procedures
specific according to the type of fraud, security opinions and other
considerations on fraud and the criteria and guidelines for action
Customer Identification.
THIRTEENTH. The defendant has provided documents Fraud due to provisions
of cash with stolen DNIs and false identification documents in which
describes the modus operandi and how to act if such operations are identified.
FOURTEENTH. The defendant has provided emails dated 01/25/2021
sent to the offices where the incident occurred, subject:
Security alert 0121-January-2021 Fraud due to cash withdrawals with DNI
stolen (important dissemination to all office colleagues).
FOUNDATIONS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/26
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The
Procedures processed by the Spanish Data Protection Agency will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions dictated in its development and, as far as they are not
contradict, on a subsidiary basis, by the general rules on the
administrative procedures."
II
The reported events materialize in the impersonation of
the claimant by a third party who went to a branch of the claimed entity,
being provided with banking information and the delivery of all the money that was
was deposited in the account without your authorization or consent,
considering that the regulations on data protection of
personal character.
Article 58 of the GDPR, Powers, states:
"2. Each supervisory authority will have all of the following powers
corrective measures indicated below:
(…)
i) impose an administrative fine in accordance with Article 83, in addition to or in
instead of the measures mentioned in this section, according to the
circumstances of each particular case;
(…)”
Firstly, article 6, Lawfulness of processing, of the RGPD in its section
1, establishes that:
"1. Treatment will only be legal if at least one of the following is met
conditions:
a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;
b) the processing is necessary for the performance of a contract in which the
interested party is part or for the application at his request of measures
pre-contractual;
c) the processing is necessary for compliance with a legal obligation
applicable to the data controller;
d) the processing is necessary to protect the vital interests of the interested party or
from another natural person;
e) the processing is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible
of the treatment;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/26
f) the processing is necessary for the satisfaction of legitimate interests
pursued by the person responsible for the treatment or by a third party, provided that
The interests or rights and freedoms do not prevail over said interests.
fundamentals of the interested party that require the protection of personal data,
particularly when the interested party is a child.
The provisions of letter f) of the first paragraph will not apply to the
processing carried out by public authorities in the exercise of their functions.
On the other hand, article 4 of the RGPD, Definitions, in sections 1, 2 and 11,
notes that:
“1) “personal data”: any information about an identified natural person
or identifiable ("the interested party"); Any identifiable natural person will be considered
person whose identity can be determined, directly or indirectly, in particular
by means of an identifier, such as a name, an identification number,
location data, an online identifier or one or more elements of the
physical, physiological, genetic, mental, economic, cultural or social identity of said
person;
“2) “treatment”: any operation or set of operations performed
on personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction;
“11) “consent of the interested party”: any manifestation of free will,
specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him.”
III
1. Data processing requires the existence of a legal basis that
legitimate
In accordance with article 6.1 of the GDPR, in addition to consent,
There are other possible bases that legitimize the processing of data without the need for
have the authorization of its owner, in particular, when necessary for the
execution of a contract to which the affected party is a party or for the application, at the request
of this, pre-contractual measures, or when necessary for the satisfaction of
legitimate interests pursued by the data controller or by a third party,
provided that the interests or rights do not prevail over said interests and
fundamental freedoms of the affected party that require the protection of such data. He
Treatment is also considered lawful when it is necessary for the fulfillment of
a legal obligation applicable to the data controller, to protect interests
vital of the affected person or of another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers conferred on the
responsible for the treatment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/26
In accordance with what is stated in article 6.1, there is no proven basis
of legitimation of any of those contemplated in the aforementioned precept for the treatment
of the claimant's data and whose personality was impersonated to empty the
account of which he was the owner, without the defendant displaying the diligence that was
necessary to avoid incidents such as the one that gave rise to the claim and therefore the
present procedure.
2. In the present case, the claimant's data has been used to carry out
carry out an operation, disposition of cash contained in an account, by a third party
that he was not the owner of the same but an impersonator of the identity of the claimant and
although, in general terms, the credit institution has the legitimacy to process the
data of the affected party under the contract signed between both, for this operation
I did not have it specifically since the person who was using the data was a
person outside the contractual relationship having to have verified the photograph and the
signature of the document presented to him, verify that the appearance of the holder of
said document and the person in front of him coincided.
The claimant has stated that she does not know who the person was who went to the
branch of your banking entity, being given all of the money that was
was deposited in your account, without your authorization or consent and without
adopt the corresponding measures if you do not reliably verify your identity.
It should be noted that, as appears in the proven facts, the defendant himself
has stated in his response to the Agency's information request
of 04/07/2021 that “In the case being analyzed and in accordance with the aforementioned
rule, the paying office did not correctly identify the person who
ordered, since the refund was carried out by a person other than the owner with the
documentation stolen from the client.”
Furthermore, the defendant himself has provided proof of the request for
provision whose signature does not match the one that appears on the claimant's DNI.
Furthermore, he points out that “…he has resolved to annul the movement of the
fraudulent disposition made against the balance of the current account of the
claimant therefore assuming BBVA the defrauded amount of 9,400 euros…” (the
Underlined correspond to the AEPD.
Therefore, it is not treated as claimed by the respondent in the response to the Proposal.
Resolution of an invincible error in the identification of the holder of the DNI of the
claimant but of a serious lack of negligence that would have been defeated if
had correctly followed the procedures and protocols implemented,
correctly collating and verifying both the photograph and the signature of the document
that was presented to him together with the Cash Disposal, and that he does not sympathize with
what was indicated by the defendant himself, pointing out that a correct
identification of the person who disposed of it.
On the other hand, it is unnecessary to point out that the state of the art would allow
perhaps the adoption of more effective identification measures such as biometrics, but
that these are considered illegal by the AEPD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/26
In accordance with the foregoing, it is estimated that the defendant would be
responsible for the violation of the GDPR: violation of article 6.1, violation
typified in its article 83.5.a).
IV
Secondly, article 32 of the GDPR “Security of processing”,
states that:
"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
c) the ability to restore availability and access to data
personnel quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the
treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to
take into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
present article.
4. The controller and the person in charge of the treatment will take measures to
ensure that any person acting under the authority of the controller or
manager and has access to personal data can only process said data
following instructions from the person responsible, unless obliged to do so by virtue of the
Law of the Union or of the Member States”.
The violation of article 32 of the RGPD is classified in the article
83.4.a) of the aforementioned RGPD in the following terms:
"4. Violations of the following provisions will be sanctioned, according to
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/26
a) the obligations of the controller and the processor pursuant to Articles 8,
11, 25 to 39, 42 and 43.
(…)”
For its part, the LOPDGDD in its article 73, for the purposes of prescription, qualifies
of “Infringements considered serious”:
Based on what is established in article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
g) The bankruptcy, as a consequence of the lack of due diligence,
of the technical and organizational measures that have been implemented in accordance
as required by article 32.1 of Regulation (EU) 2016/679.”
(…)”
V
1. The GDPR defines personal data security breaches as
“all those security violations that cause the destruction, loss or
accidental or illicit alteration of personal data transmitted, preserved or processed
otherwise, or unauthorized communication or access to said data.”
The documentation in the file shows that the defendant has
violated article 32 of the RGPD, by not having implemented and not using measures
appropriate technical and organizational measures to guarantee a level of security appropriate to the
risk in this treatment. This is independent of the fact that, in this specific case,
In addition, a third party may have been able to impersonate the identity of the claimant when it was provided to them.
not only the totality of the money that existed in the account, but information related to the
same.
It should be noted that the RGPD in the aforementioned provision does not establish a list of
the security measures that are applicable in accordance with the data that are
object of treatment, but rather establishes that the person responsible and the person in charge of the
treatment will apply technical and organizational measures that are appropriate to the risk
that the treatment entails, taking into account the state of the art, the costs of
application, the nature, scope, context and purposes of the processing, the risks of
probability and seriousness for the rights and freedoms of the persons concerned.
Likewise, security measures must be adequate and
proportionate to the risk detected, pointing out that the determination of the measures
technical and organizational measures must be carried out taking into account: pseudonymization and
encryption, the ability to guarantee the confidentiality, integrity, availability and
resilience, the ability to restore availability and access to data after a
incident, verification process (not audit), evaluation and assessment of the
effectiveness of the measures.
In any case, when evaluating the adequacy of the security level, the
particularly taking into account the risks presented by data processing, such as
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/26
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data and that could cause damages and losses
physical, material or immaterial.
In this same sense, recital 83 of the GDPR states that:
“(83) In order to maintain security and prevent the treatment from infringing the
provided in this Regulation, the person responsible or the person in charge must evaluate
the risks inherent to the treatment and apply measures to mitigate them, such as
encryption. These measures must guarantee an adequate level of security, including the
confidentiality, taking into account the state of the art and the cost of its application
regarding the risks and the nature of the personal data that must be
protect yourself. When assessing risk in relation to data security,
take into account the risks arising from the processing of personal data,
such as accidental or unlawful destruction, loss or alteration of personal data
transmitted, preserved or otherwise processed, or the communication or access is not
authorized to such data, which may in particular cause damage and harm
physical, material or immaterial.”
2. In the present case, as stated in the facts and within the framework of the
investigation file, the AEPD transferred the claim presented to the defendant
for analysis requesting the contribution of information related to the incident
claimed without initially providing any information about the claim
transferred.
However, as stated previously in a letter dated
04/07/2021 the defendant has acknowledged that in this specific case that “the office
payable did not correctly identify the person who provided it, since the
The refund was carried out by a person other than the owner with the stolen documentation.
client”, having repaid the amount provided to the claimant, assuming the
loss.
The defendant provides proof of the disposition request in which the
the signature of the disposer, as well as the capture of the copy of DNI and signature (digitized)
which must be verified prior to the provision of cash.
The signature that appears on the receipt of the disposal request is not
does not correspond nor does it appear to coincide with what appears on the DNI.
3. As it appears in the proven facts, the defendant provided the document
“Cash withdrawals against personal accounts within the scope of care
“universal” in which the instructions that regulate the provisions against
checking accounts, credit accounts and savings accounts, both in the office where the
counts as in a different office.
In point 2, Risk aspects, it is stated:
“The main aspect of risk in a provision is the incorrect identification
of the person who is going to dispose of it.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/26
The identification process is regulated in standard 80.00.116 “Identification
of the clientele”:
If the person does not identify themselves appropriately (whether or not they are a client), when they are
identification is mandatory, the operation you request can and should be denied.
This is allowed by Law 10/2010 and various sentences that speak of the “pattern of
distrust” by which those who are in charge must be governed
assets of third parties, such as employees of financial institutions.
Next, point 3.2, Document control measures
identification, the following:
“How to correctly identify:
Determine if the person carrying the document is the same person who appears on the document.
the photograph of the identification document.
Verify that the document presented is valid, that it is original (never
photocopy) and that it is not expired.
Observe if there could be any manipulation or simple alteration
(the use of the ultraviolet light lamp is essential)
Any document that presents anomalies in its format such as
consequence of possible manipulation should lead to suspicion.
Observe the owner himself physically and determine if his appearance and age
matches the photograph and date of birth that appear on the
document.
Finally, it is mandatory to use the ultraviolet light lamp for
validation of the identification document.”
Also in the document Prevention of fraud and scam, it contains
instructions to avoid this type of crime. In this regard, it is pointed out
procedure to carry out correct identification of the client, valid documents,
the way to verify the person and the document, etc., similar to the above.
This document already states that “The correct identification of the client, whether
It is an individual natural person, as if he is an attorney-in-fact of a legal entity,
“It is essential for the early prevention of fraud.”
Likewise, it indicates that:
“The only valid documents for correct identification are:
* National Identity Document.
* Passport.
* Foreigner Identification Number (NIE), with its different modalities
Cards (residence, asylum, student, etc.).
* National identification document from a country of the European Union with
Photography.
Only originals will be valid, never photocopies, and only
if they are in force. In no case will expired documents be accepted.”
And:
“In terms of carrying out a correct identification, the first thing is
determine if the person carrying the document is the same person who appears on the
photograph of the identification document, then we will verify that the document
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/26
presented is valid. That is, it is included among those that the bank estimates
as appropriate for correct identification, that it is original (never a photocopy) and
that is not expired.
The second thing is to observe if there could be any simple manipulation.
A superficial look at the DNI is not enough for this. You have to observe it with
detail".
Therefore, in accordance with this last document and the established protocol
For the withdrawal of cash, the person requesting the operation is or is not a client of
the entity must be appropriately identified and otherwise it must be denied
the same.
In addition, that person must provide the identification document, which must
be valid, the original, which is not a photocopy, which is not manipulated, which is not
found expired, that there are no anomalies, checking that the appearance of the
holder and the person in front of you coincide, that is, check through the
who is the person he says he is.
However, in the present case it does not appear that the action carried out
by the employee in the office, as confirmed by the claimant himself, will verify
reliably and in accordance with the instructions indicated in both the
document “Cash withdrawals against personal accounts within the scope of
universal care” as in the Prevention of fraud and scam, the personality
of the disposer since the amount delivered and that caused the emptying of the
account was provided to someone who was not its owner in violation of the measures
corresponding.
4. Furthermore, in relation to the provision of cash, the
07/29/2021, a third party goes to the defendant's office located in the
***ADDRESS.1, in ***LOCALITY.2 (***LOCALITY.1) requesting the withdrawal of
funds from the claimant's account, failing to comply with the identification protocol
established for cash withdrawals.
The document provided by the defendant includes the name and surname of the
claimant and the signature that bears no similarity to the one contained in the copy of the
DNI, despite what was stated by the claimant to the contrary.
But what is paradoxical is that the copy of the DNI that was provided at that time
moment to perform the operation was subject to digitization by the same person
that provided the money to the usurper, that is, that the DNI provided at the time of the
provision was scanned and recorded in the entity's database as indicated.
informed the claimant by Customer Service in their call dated
08/04/2021, as appears in the copy of the recording provided.
Therefore, the above evidence is that on the same day of the delivery of
cash, by the branch employee, the digitization was carried out in the
the entity of the DNI used in the operation, without realizing that whoever had
In front he was not who he said he was, not guaranteeing the security of the data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/26
In his allegations to the Proposal, the defendant insists on stating that
adopted the necessary measures to prove the identity of the applicant, reaching
to the conclusion that the person who went to the bank office was the one who
claimed to be and corresponded to the claimant, whose document she provided, which
is surprising in light of the facts established in the procedure: the signature
did not correspond to the one existing in the DNI and even so the employee, as stated
indicated previously, the digitization proceeded in the systems of the
entity of the DNI used in the operation, the affirmation of the entity itself that has
indicated that a correct identification was not made of the person who ordered, for
what we are dealing with is truly negligent behavior, easily
conquerable if the established protocols and precautions had been adopted.
On the other hand, it should be noted that the security measures of the treatment
of the financial institution's data are focused on the security of transactions
banking and indirectly to guarantee the fundamental right of people
affected by the protection of your personal data.
5. Finally, it is true that the Supreme Court in a ruling of 02/15/2022
stated that: “The obligation to adopt the necessary measures to guarantee the
security of personal data cannot be considered an obligation of result,
that implies that there is a leak of personal data to a third party
responsibility regardless of the measures adopted and the activity
displayed by the person responsible for the file or processing.
In result obligations there is a commitment consisting of the
fulfillment of a certain objective, ensuring the proposed achievement or result,
In this case, guarantee the security of personal data and the absence of
security leaks or breaches.
In the obligations of means the commitment that is acquired is to adopt
the technical and organizational means, as well as deploying diligent activity in its
implementation and use that tends to achieve the expected result with means
that can reasonably be classified as suitable and sufficient for its achievement,
For this reason, they are called "diligence" or "behavioral" obligations.
The difference lies in the responsibility in both cases, because while
that in the obligation of result one responds to a harmful result due to the failure of the
security system, whatever its cause and the diligence used. In the
obligation of means, it is enough to establish technically adequate measures and
implement and use them with reasonable diligence.
In the latter, the sufficiency of the security measures that the
responsible must establish must be put in relation to the state of technology
at any given time and the level of protection required in relation to the data
treated, but a result is not guaranteed.”
However, the Court also confirms that the design is not sufficient
of the necessary technical and organizational means, since it is also
Its correct implementation and use appropriately are necessary.
And the responsibility of the defendant is determined by the incident
security manifested by the claimant, since she is responsible for taking
decisions aimed at effectively implementing that technical measures and
organizational measures are appropriate to guarantee a level of security appropriate to the risk
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/26
to ensure the confidentiality of the data, restoring its availability and preventing
access to them.
In accordance with the foregoing, it is estimated that the defendant would be
allegedly responsible for the violation of the RGPD: the violation of article 32,
offense classified in article 83.4.a).
SAW
1. The defendant alleges the existence of a medial competition of infractions for
the assumption referred to in art. 29.5 of Law 40/2015, of October 1,
Therefore, the imposition of only one of the two sanctions would be appropriate, specifically, the
regarding the violation of article 6.1 of the RGPD.
The art. 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public, establishes that: "When the commission of an infraction results
necessarily the commission of another or others, only the sanction should be imposed
corresponding to the most serious infraction committed".
However, such an argument cannot be accepted; the specific standard in
matter of data protection, that is, the RGPD, establishes in its article 83.3 that:
"3. If a controller or a person in charge of the treatment fails to comply
intentional or negligent, for the same treatment operations or operations
linked, various provisions of this Regulation, the total amount of the
administrative fine will not be higher than the amount provided for the most serious violations.
serious.
We already pointed out in FD IV that the processing of personal data
violating the principles and guarantees established in article 6 of the RGPD,
considered a very serious infraction, so the only limit would be established by
the amount indicated in article 83.5 of the RGPD “€20,000,000 maximum or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount.”
2. In allegations to the Proposal, the defendant insists on the existence of a
medial contest of violations; Continuing with what has been expressed, it should be noted that the
Article 29 of the LRJSP is not applicable to the sanctioning regime imposed by
the GDPR. And this is because the GDPR is a closed and complete system.
The GDPR is a European standard directly applicable in the States
members, which contains a new, closed, complete and global system intended to
ensure the protection of personal data uniformly throughout the
European Union.
In relation, specifically and also, to the sanctioning regime established
In it, its provisions are applicable immediately, directly and
integral, providing for a complete system without gaps that must be understood,
be interpreted and integrated in an absolute, complete, integral manner, thus leaving the
Its ultimate purpose is the effective and real guarantee of the fundamental right to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/26
Personal data protection. The opposite determines the loss of
guarantees of the rights and freedoms of citizens.
In fact, a specific example of the lack of loopholes in the system
of the GDPR is Article 83 of the GDPR which determines the circumstances that may
operate as aggravating or mitigating circumstances with respect to an infraction (article 83.2 of the
RGDP) or that specifies the existing rule regarding a possible medial contest
(article 83.3 of the RGPD).
To the above we must add that the RGPD does not allow the development or
implementation of its provisions by the legislators of the Member States, safe
of what the European legislator himself has specifically provided for, delimiting it
in a very specific way (for example, the provision of article 83.7 of the RGPD). In this
sense, the LOPDGDD only develops or specifies some aspects of the RGPD as far as
that it allows and with the scope that it allows.
This is so because the intended purpose of the European legislator is to implement
a uniform system throughout the European Union that guarantees the rights and freedoms
of natural persons, that corrects behavior contrary to the RGPD, that encourages
compliance, which enables the free circulation of this data.
In this sense, recital 2 of the GDPR determines that:
“(2) The principles and rules relating to the protection of natural persons in
regarding the processing of your personal data, they must, whatever
whatever their nationality or residence, respect their freedoms and rights
fundamentals, in particular the right to the protection of personal data
staff. This Regulation aims to contribute to the full realization of a
space of freedom, security and justice and of an economic union, to progress
economic and social, to the reinforcement and convergence of economies within the
internal market, as well as the well-being of natural persons.”
And recital 13 of the GDPR that:
“(13) To ensure a consistent level of protection of natural persons
throughout the Union and avoid divergences that hinder the free flow of data
within the internal market, a regulation is necessary that provides
legal certainty and transparency for economic operators, including
micro, small and medium-sized businesses, and offer natural persons
of all Member States the same level of rights and obligations enforceable and
of responsibilities for those responsible and in charge of the treatment, in order to
to ensure consistent supervision of the processing of personal data and
equivalent sanctions in all Member States, as well as cooperation
effective between the supervisory authorities of the different Member States. The good
functioning of the internal market requires that the free circulation of data
personal property in the Union is not restricted or prohibited for reasons related to
protection of natural persons with regard to data processing
personal”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/26
In this system, the determining factor of the GDPR is not the fines. The powers
corrective actions of the control authorities provided for in art. 58.2 of the GDPR conjugate
with the provisions of article 83 of the GDPR show the prevalence of measures
corrective measures against fines.
Thus, article 83.2 of the RGPD establishes that “Administrative fines are
will impose, depending on the circumstances of each individual case, additionally
or substitute for the measures referred to in Article 58, paragraph 2, letters a) to h) and
j).
In this way the corrective measures, which are all those provided for in the
article 58.2 of the RGPD, except for the fine, have prevalence in this system, leaving
relegated the financial fine to cases in which the circumstances of the case
specifically determine that a fine is imposed together with corrective measures or in
replacement thereof.
And all this with the purpose of forcing compliance with the RGPD, avoiding
non-compliance, encourage compliance and ensure that infringement is not more profitable
than non-compliance.
For this reason, article 83.1 of the RGPD prevents that “Each supervisory authority
shall ensure that the imposition of administrative fines pursuant to this
article for the infringements of this Regulation indicated in paragraphs 4, 5 and
6 be effective, proportionate and dissuasive in each individual case.”
Fines must be effective, proportionate and dissuasive for the
achievement of the purpose intended by the RGPD.
For this system to work with all its guarantees, it is necessary that
several elements are deployed in an integral and complete manner. The application of rules
unrelated to the RGPD regarding the determination of fines in each of the
Member States applying their national law, whether due to circumstances
aggravating or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the case
Spanish as permitted by the RGPD itself-, either by the application of a media contest
different from that provided in the RGPD, would reduce the effectiveness of the system that would lose its
meaning, its teleological purpose, the will of the legislator, resulting in the fines
imposed for different infractions would cease to be effective, proportionate and
deterrents. And in this way the interested parties would also be robbed of the guarantee.
effective enforcement of their rights and freedoms, weakening the uniform application of the GDPR. HE
would diminish the mechanisms for protecting the rights and freedoms of
citizens and would be contrary to the spirit of the RGPD.
The GDPR is endowed with its own principle of proportionality that must be
applied in its strict terms.
And this is because there is no legal loophole, there is no supplementary application of article 29.
of the LRJSP.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/26
On the other hand, it should be noted that there is no legal loophole regarding the application
of the media contest. Neither the RGPD allows nor the LOPDGDD requires the application
supplementary provisions of article 29 of the LRJSP.
In Title VIII of the LOPDGDD related to “Procedures in case of possible
violation of data protection regulations”, article 63 that opens the Title is
provides that "The procedures processed by the Spanish Protection Agency
of Data will be governed by the provisions of Regulation (EU) 2016/679, in this
organic law, by the regulatory provisions issued in its development and, in
as long as they do not contradict them, on a subsidiary basis, by the general rules on
administrative procedures." Although there is a clear reference to the LPACAP, it does not
a subsidiary application is established in no way with respect to the LRJSP that does not
contains in its articles any provision relating to administrative procedure
some.
In the same way that the AEPD is not applying the aggravating and mitigating circumstances
provided in article 29 of the LRJSP, since the RGPD establishes its
own, therefore, there is no legal gap or subsidiary application of the same, nor
the application of the section relating to media competition is possible and for identical reasons.
VII
In order to establish the administrative fine that should be imposed, they must
The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which
they point out:
"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated
in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of interested parties affected and the level of damage and
damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment
to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the
treatment, taking into account the technical or organizational measures that have been
applied under articles 25 and 32;
e) any previous infraction committed by the person responsible or in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/26
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person responsible or the person in charge notified the infringement and, in that case,
what extent;
i) when the measures indicated in Article 58(2) have been
previously ordered against the person responsible or the person in charge in question
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms
of certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
or indirectly, through infringement.
In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:
"2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of
processing of personal data.
c) The benefits obtained as a consequence of the commission of the
infringement.
d) The possibility that the conduct of the affected person could have induced
to the commission of the infraction.
e) The existence of a merger process by absorption subsequent to the
commission of the infraction, which cannot be attributed to the entity
absorbent.
f) The impact on the rights of minors.
g) Have, when not mandatory, a protection delegate
of data.
h) Submission by the person responsible or in charge, with character
voluntary, to alternative conflict resolution mechanisms, in
those cases in which there are disputes between those and
anyone interested.”
- In accordance with the transcribed precepts, in order to set the amount of the
sanction to be imposed in the present case for the violation of article 6.1 of the RGPD,
typified in article 83.5.a) of the RGPD for which the claimed party is responsible,
The following factors are considered concurrent as aggravating circumstances:
The nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation; the facts put
manifest affect a basic principle relating to the processing of personal data.
personal, such as legitimacy, which the norm sanctions with the greatest severity; is
It is evident that the claimant's data was used by a third party who was not the owner or
was authorized to carry out the cash withdrawal operation (article
83.2.a) of the RGPD).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/26
Intentionality or negligence in the infringement. There is a serious lack of
negligence when the procedures implemented were not followed by not verifying the identity
of the third party, without correctly comparing both the photograph and the
signature of the document that was presented corresponded to the account holder.
Also connected with the degree of diligence that the person responsible for the treatment is
obliged to deploy in compliance with the obligations imposed by the
data protection regulations, the SAN of 10/17/2007 can be cited. Although it was
dictated before the validity of the RGPD, its pronouncement is perfectly
extrapolated to the case we analyze. The sentence, after alluding to the fact that the
entities in which the development of their activity entails continuous processing of
customer and third party data must observe an adequate level of diligence,
specified that “(...).the Supreme Court has been understanding that there is imprudence
whenever a legal duty of care is neglected, that is, when the offender fails
behaves with the required diligence. And in assessing the degree of diligence it must
The professionalism or otherwise of the subject must be especially considered, and there is no doubt that,
In the case now examined, when the appellant's activity is constant and
abundant handling of personal data, emphasis must be placed on rigor and
exquisite care to comply with the legal provisions in this regard” (article 83.2,
b) of the GDPR).
The entity investigated is one of the large companies within its sector
with a sales volume of more than €1,000,000,000 according to AXESOR data (article
83.2.k) of the RGPD).
Extenuating circumstances are:
Any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties; once the fraud is detected
instructions were issued to avoid such incidents; This is how it is accredited
informative alerts sent by email by the Responsible for
Security from the Southern Territorial Directorate to the office where the funds were withdrawn
(article 83.2. c) RGPD).
- In accordance with the transcribed precepts, in order to set the amount of the
sanction to be imposed in the present case for the infraction classified in article 83.4.a)
and article 32.1 of the RGPD for which the defendant is held responsible, are estimated
the following factors concurrently as aggravating circumstances:
These are aggravating circumstances:
The nature and severity of the infraction since we are dealing with the treatment of
economic data, which affect their solvency, in addition to the
damages and losses suffered as a consequence of the negligence of the entity
The funds in the account were emptied, benefiting someone who was not the owner (article
76.2.b) of the LOPDGDD in relation to article 83.2.k).
Intentionality or negligence in the infringement. There is a serious lack of
negligence by failing to comply with the procedures implemented and not verifying the
identity of the third party, without correctly verifying that both the
photograph as the signature of the document presented to him corresponded with the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/26
Account holder. Also connected with the degree of diligence that the person responsible
of the treatment is obliged to deploy in compliance with the obligations that
imposed by data protection regulations, the SAN of 10/17/2007 can be cited. Yeah
well it was dictated before the validity of the RGPD, its pronouncement is perfectly
extrapolated to the case we analyze. The sentence, after alluding to the fact that the
entities in which the development of their activity entails continuous processing of
customer and third party data must observe an adequate level of diligence,
specified that “(...).the Supreme Court has been understanding that there is imprudence
whenever a legal duty of care is neglected, that is, when the offender fails
behaves with the required diligence. And in assessing the degree of diligence it must
The professionalism or otherwise of the subject must be especially considered, and there is no doubt that,
In the case now examined, when the appellant's activity is constant and
abundant handling of personal data, emphasis must be placed on rigor and
exquisite care to comply with the legal provisions in this regard” (article 83.2,
b) of the GDPR).
Previous infringement committed by the controller or processor;
There is recidivism derived from violations in relation to the same facts:
There are procedures resolved for violations of the defendant with facts
related to articles 32.1 of the RGPD (PS/362/2021 and PS/420/2021) (article
83.2, e) of the GDPR).
The entity investigated is one of the large companies within its sector
with a sales volume of more than €1,000,000,000 according to AXESOR data (article
83.2.k) of the RGPD).
Extenuating circumstances are:
Any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties; once the fraud is detected
instructions were issued to avoid such incidents; This is how it is accredited
informative alerts sent by email by the Responsible for
Security from the Southern Territorial Directorate to the office where the funds were withdrawn
(article 83.2. c) RGPD).
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF
A48265169, for violation of articles 6.1 and 32.1 of the RGPD, typified in the
articles 83.5.a) and 83.4.a) of the RGPD, fines of €50,000 (fifty thousand euros) and
€20,000 (twenty thousand euros), respectively.
SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/26
THIRD: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A.. Otherwise, it will be
collection in executive period.
Once the notification is received and once enforceable, if the enforceable date is
The deadline to carry out the payment is between the 1st and 15th of each month, both inclusive.
Voluntary payment will be until the 20th of the following month or the immediately following business month, and if
is between the 16th and last day of each month, both inclusive, the term of the
Payment will be until the 5th of the second following month or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, interested parties may optionally file an appeal for reconsideration
before the Director of the Spanish Data Protection Agency within a period of one
month counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be provisionally suspended administratively
If the interested party expresses his intention to file a contentious appeal.
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
submitting it through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/], or through one of the remaining
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also
must transfer to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency was not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day following the notification of this resolution, the
precautionary suspension.
Sea Spain Martí
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/26
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
