AEPD (Spain) - PS/00076/2020

From GDPRhub
AEPD - PS/00076/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(b) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Decided: 08.09.2020
Published: 08.09.2020
Fine: 40000 EUR
Parties: n/a
National Case Number/Name: PS/00076/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Aditi Tripathi

The AEPD fined the Spanish bank, BANKIA S.A. 50,000 euros for breach of Article 5.1(b) of the GDPR. The Defendant was charged with retaining personal data of the Claimant. Mitigating factors under Spanish Administrative Law were invoked, leading to a reduced fine of 40,000 euros.

English Summary


On 20/09/2019, the AEPD received a complaint against BANKIA SA for retaining the claimant's personal data despite the fact that the claimant ceased to be their client 16 years ago. On 5/11/2019 the AEPD asked BANKIA to remedy the situation however BANKIA claimed that their actions were in accordance with data protection regulations and did not solve the problem or update their data retention policy until March 2020.


Did BANKIA SA violate the purpose limitation stipulated in Article 5.1(b) GDPR by retaining records of the claimant's personal data, 16 years after their last commercial relationship?


The AEPD held that BANKIA was charged with infringing Article 5.1(b) of the GDPR, for processing data in a manner that did not meet a specified, explicit and legitimate purpose. The blocked data was also accessible by workers from the office of BANKIA, which infringed Spanish Law on the Organic Law on Data Protection and Guarantee of Digital Rights (Article 32.2).

In determining the fine, the following aggravating factors under Article 83 GDPR were considered: unintentional but significant negligent action and the fact that basic personal identifiers (i.e. name, surname, address, telephone) of the claimant were affected. Nevertheless, an attenuating circumstances in the Spanish Law on the Common Administrative Procedure of Public Administration (Article 83) stated that the voluntary payment of the proposed penalty prior to the resolution of the proceedings, led to a reduction of 20% in the penalty.

On 20 August 2020, BANKIA S.A. paid 40,000 euros thereby applying the above-mentioned reduction. In doing so, BANKIA implied recognition of their responsibility and waived any action or appeal through administrative channels, against the sanction. Subsequently, the AEPD decided to terminate the procedure.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00076/2020
In sanction procedure PS/00076/2020, conducted by the Agency
Española de Protección de Datos a BANKIA, S.A., in view of the complaint submitted
by A.A.A., and based on the following,
FIRST: On June 8, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against BANKIA, S.A..
Notified the agreement to start and after analyzing the allegations presented, dated 5
The following motion for a resolution was issued in August 2020
Procedure No.: PS/00076/2020
From the procedure instructed by the Spanish Data Protection Agency and in
based on the following:
FIRST: A.A.A. (hereinafter referred to as the Claimant) dated September 20, 2019
filed a complaint with the Spanish Data Protection Agency. The claim
is directed against BANKIA, S.A. with NIF A14010342 (hereinafter, the claimed).
The reasons on which the complaint is based are your personal data remained in the
files despite having stopped being a client 16 years ago.
The claimant states that he stopped being a client of Caja Madrid more than 16 years ago,
Bankia and for personal reasons, has had to become a client again in order to
solve an issue of an inheritance.
In carrying out this management, the BANKIA office has informed you that
being a client, with an internal number ***CLIENT.1 with data that were at an address of
In order to resolve the issues that led him to contact
BANKIA, has proceeded to modify the data concerning you, in an office of the
entity but have not been able to explain why without having any product contracted, nor
credit/debit card, current, savings or securities account, still had their
personal data.
C/ Jorge Juan, 6
28001 - Madrid
For this reason, he is filing a complaint with this body because he does not understand what it is like
may have kept their data for so long, without being a customer.
SECOND: Upon receipt of the complaint, the Subdirectorate General for the Inspection of
Data proceeded to carry out the following actions:
On 5 November 2019, the claim was transferred to the claimed entity
submitted by the complainant, for its analysis, as well as to inform the
Agency on whether it had communicated with the complainant, and the decision
adopted in this respect to remedy the situation that has arisen.
The requested party states that the data remain blocked in accordance with the
data protection policy that allows them to be maintained in this situation where they are not
THIRD: On 8 June 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the respondent, in accordance with
the provisions of Articles 63 and 64 of Law 39/2015 of 1 October on Procedure
Common Administrative Framework for Public Administration (LPACAP), by
alleged violation of Article 5.1(b) of the GPMR, as set forth in Article 83.5 of the GPMR
FOURTH: Upon notification of the above-mentioned agreement to initiate proceedings, the respondent submitted a written
in which it first of all expresses the defencelessness produced as
consequence of the fixing of the amount of the penalty in the agreement inception, despite the fact that
has not at any time had occasion to make known to that body
what circumstances might be applicable in the present case.
Secondly, it also states that it has approved, on the occasion of full application
of the RGPD, a document entitled "Policy on the Retention of Information on
Bankia, S.A." (the "Policy"), which aims to
to determine the basic internal rules for the preservation of the
the establishment of an obligation to retain information for the periods
required in each case, as determined in that document,
the establishment of essential information preservation measures to
ensure the safety of this and
provide a basic framework of internal regulation that facilitates a
decisions in situations related to the conservation of the
This Policy was updated and re-approved by agreement of the Council of
Administration of 31 March 2020, and it determines the various deadlines for
retention and blocking applicable to the personal data of the data subjects.
In particular, in accordance with the provisions of the Policy, BANKIA will
blocking of your customers' personal data once the various
products or services contracted by them, by identifying and reserving their
by taking technical and organisational measures to prevent