AEPD (Spain) - PS/00375/2022
From GDPRhub
| AEPD - PS/00375/2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(f) GDPR Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 70,000 EUR |
| Parties: | BBVA |
| National Case Number/Name: | PS/00375/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (Spain) - PS/00375/2022 (in ES) |
| Initial Contributor: | jonasm |
The Spanish DPA fined a bank €70,000 for violating Articles 5(1)(b), 5(1)(f) and Article 32 GDPR because they disclosed a lawyer’s private address (who was at the same time a private customer) when contacting another customer who was represented by the mentioned lawyer.
English Summary
Facts
The data subject was a lawyer who had an account at a bank (the controller). On 25 November 2020, the data subject sent a written complaint to the bank on behalf of a client who was a customer of the same bank. On 1 December 2020, the bank handed over a reply to the customer and indicated thereon the data subject’s private address which they kept in their private customer file. Thereby, the bank disclosed the lawyer’s home address to a third party (represented customer).
Holding
The Spanish DPA first held that the processing of the data subject’s personal data – more precisely their home address – carried out in the context of the handling of a customer complaint which was filed by the data subject in their capacity as the customer’s lawyer constituted a breach of the principle of “purpose limitation” outlined in Article 5(1)(b) GDPR, because the personal data was processed in a way that did not comply with the purposes for which the data originally had been collected. Namely, the controller had collected the data for establishing a personal bank account for the data subject.
Furthermore, the DPA detected a violation of Article 32, because the fact that a third party (customer) was given unauthorised access to information relating to the data subject leads to the conclusion that the controller had not effectively adopted the appropriate technical-organisational measures to prevent such an incident.
The DPA found that the controller also infringed Article 5(1)(f) which enshrines the “principle of integrity and confidentiality”. As already stated above, the controller disclosed the home address of the data subject to a third party without a legal basis – such a leak is contrary to the duty of confidentiality. Even though the controller declared that the incident was a one-off error, the DPA held them liable, because such an error runs counter to the diligence that it must adhere to and a lack of diligence is also considered as culpable behaviour.
The Spanish DPA fined the controller €50,000 for breaching Articles 5(1)(b) and 5(1)(f) and another €20,000 for breaching Article 32. However, the DPA did not request that the controller brings, in accordance with Article 58(2)(d), their processing behaviour in compliance with the GDPR, because the case only concerned the misused data of a single person and the mistake had already been corrected.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/17
File No.: PS/00375/2022
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the complaining party) dated May 31, 2021
filed a claim with the Spanish Data Protection Agency. The
claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF
A48265169 (hereinafter, the claimed party or BBVA). The reasons on which the
claim are the following:
On November 25, 2020, in his capacity as attorney for Ms. B.B.B.,
on its behalf, it submitted a statement of claim to the BBVA entity.
Subsequently, on December 1, 2020, the claimed entity delivered in
hand to his client, Ms. B.B.B., a letter regarding the claim addressed by BBVA
to the complaining party in which the latter's private address appears, instead of the
corresponding to his professional office, violating the duty of confidentiality
of data (the complaining party is also a client of the entity). The complaining party
warns that BBVA has revealed her private address, which was not known to Ms.
B.B.B., which was provided to the entity due to its status as its client, with
occasion of opening a bank account. Likewise, he adds that he presented
claim before BBVA requesting compensation for these events and received
response on December 31, 2020.
Provides the initial claim presented as a lawyer, which does not indicate
no contact postal address, and a copy of the email through which the
send the same to the claimed entity, dated 11/25/2020; BBVA response
indicating to the complaining party the reference number assigned to the claim,
addressed to the complaining party at his or her private address; WhatsApp screenshot by
that Mrs. B.B.B. sends said response to the complaining party; and writing from BBVA
responding to the second claim made due to the incident that occurred with their
data, in which the entity apologizes and indicates that they have brought the facts to light.
knowledge of the responsible parties involved in order to be able to adopt, in their
case, the measures that are appropriate.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/17
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 06/22/2021 as stated in the
acknowledgment of receipt that appears in the file.
On 09/01/2021, this Agency received a written response from BBVA
indicating that the response issued by the entity to acknowledge receipt of the claim
submitted by the complaining party on behalf of its client, which did not indicate
no address for communication purposes, it was sent to the only address
known by BBVA, which appeared in the customer database.
Furthermore, BBVA states that on December 1, 2020, Ms. B.B.B. appeared in
the entity's office requesting to know the status of your claim and a copy of the
proceedings. At that moment, the Director of the office gave said person a
copy of the only document that existed to date, corresponding to the acknowledgment of
receipt of the claim.
Subsequently, on December 3, 2020, the complaining party presented in another
BBVA office a new statement of claim on behalf of its client in which
indicated his professional address as his address for notification purposes.
On December 25, 2020, the SAC responded to the claim presented, sending
said response to the address indicated by the complaining party in its letter of 3
December 2020, that is, your professional address.
THIRD: On October 6, 2021, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:
1. The claimed entity is a public limited company of Spanish nationality. According to
The data recorded in “Axesor” is a large group parent company (…). No
files prior to the present have been found in Sigrid in relation to
security breaches of this entity.
2. Information and documentation was requested from the claimed entity and, from the response
received, the following emerges:
a) Regarding the chronology of the events. Actions taken in order to
minimize adverse effects and measures adopted for their final resolution.
On December 1, 2020, a client of the complaining party requests
copy of the claim that the latter filed on its behalf with BBVA. The
The claimed entity hand-delivered to this person the document relating to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/17
claim, in the name of the claiming party and which includes the private address
this.
BBVA, on December 23, 2020, responded to the claim of the complaining party
apologizing for what happened, stating that said incident has been reported
knowledge of the responsible parties involved who have adopted measures to avoid
similar incidents.
Once BBVA was aware of the incident, the facts were analyzed and it was confirmed that said
The incident occurred due to a specific error, which was repaired immediately by
Inform the complaining party of the address of your professional office.
BBVA clarifies that providing the person represented by the complaining party with the
acknowledgment of receipt of the claim, without hiding its private address (address
used by the SAC since the address of the professional office does not appear in the document),
It was a specific and isolated error.
b) Regarding the causes that made the gap possible
The person represented by the complaining party requested to the BBVA office, on
December 2020, copy of the claim file that your
representative, since at that time the issue had not yet been resolved.
claim and only the acknowledgment of receipt of the claim appeared, this document
was delivered by the Director of the office in which the address of the
domicile of the complaining party.
c) Regarding the affected data
The affected data was the claimant's home address.
d) Regarding the security measures implemented
BBVA defends that: (i) it is a specific and involuntary error, since the Director
of the office was unaware that it was a private address and therefore a
personal information of the representative; (ii) that was corrected, thus proving that it was
They immediately adopted measures to prevent it from happening again, using
mechanisms to reverse the situation and eliminate any risk of recurrence without
specify or certify them.
FIFTH: On 08/10/2022, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the BBVA entity, in accordance with the
provided in articles 63 and 64 of the LPACAP, for the alleged infractions
following:
. Violation of article 5.1.b) of the RGPD, typified in article 83.5.a) of the same
Regulation, and classified as very serious for the purposes of prescription in the article
72.1.a) of the LOPDGDD.
. Violation of article 32 of the RGPD, typified in article 83.4.a) of the same
Regulation, and classified as serious for the purposes of prescription in article 73.f) and g)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/17
of the LOPDGDD.
. Violation of article 5.1.f) of the RGPD, typified in article 83.5.a) of the same
Regulation, and classified as very serious for the purposes of prescription in the article
72.1.a) of the LOPDGDD.
In the opening agreement it was determined that the sanction that could correspond,
taking into account the evidence existing at the time of opening and without prejudice to the
resulting from the instruction, would amount to a total of 70,000 euros (seventy thousand
euros): 25,000 euros (twenty-five thousand euros) for the alleged violation of the article
5.1.b) of the RGPD, of 20,000 euros (twenty thousand euros) for the alleged violation of the
article 32 of the RGPD and 25,000 euros (twenty-five thousand euros) for the alleged
violation of article 5.1.f) of the RGPD.
Likewise, it was warned that the alleged infractions, if confirmed, may
entail the imposition of measures in accordance with the provisions of the aforementioned article
58.2 d) of the GDPR.
SIXTH: The notification to the claimed party of the opening agreement outlined in the
previous precedent, in which a period was granted to formulate allegations and
propose proof, was sent through the Electronic Notification Service, and was
delivered to BBVA on 08/11/2022.
SEVENTH: The aforementioned initiation agreement has been notified in accordance with the established rules
in the LPACAP and once the period granted for the formulation of allegations has elapsed,
has confirmed that no allegation has been received from the claimed party.
Article 64.2.f) of the LPACAP - provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period regarding the content of the initiation agreement, when
This contains a precise statement about the imputed responsibility,
may be considered a proposal for a resolution. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the
imputation, the violations of the RGPD attributed to the person complained of and the sanctions that
they could impose themselves. Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to initiate the file and in response to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is
considered in the present case proposed resolution.
In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:
PROVEN FACTS
1. The complaining party is a private BBVA customer, as the holder of an account
banking. For this reason, he provided the aforementioned entity with his personal data, including the
relative to the postal address corresponding to your home address.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/17
2. On 11/25/2020, in his capacity as lawyer, the complaining party presented
file a claim with BBVA in the name and representation of one of its clients.
3. On the same date of 11/25/2020, BBVA acknowledged receipt of the aforementioned claim
in the Second Proven Fact by means of a writing addressed to the complaining party and his
personal address, the one associated with your private client file as holder of a
bank account opened in this Bank. Through this letter, BBVA informed the
complaining party the reference number assigned to the claim.
4. On 12/01/2020, BBVA provided the person represented by the party
claimant the document acknowledgment of receipt of the claim outlined in the Fact
Proved Third, revealing the information relating to the personal address of the
complaining party.
FOUNDATIONS OF LAW
Yo
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), recognizes each
Control Authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the
LOPDGDD, the Director of the Spanish Data Protection Agency is
competent to initiate and resolve this procedure.
Article 63.2 of the LOPDGDD determines that: “The procedures processed by the
Spanish Data Protection Agency will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
II
In the present case the following facts are revealed, without any of them
They are controversial:
The complaining party is a private customer of BBVA, as the owner of an account
banking. For this reason, he provided the aforementioned entity with his personal data, including the
relative to the postal address corresponding to your home address.
In his capacity as an attorney and acting on behalf and on behalf of one of his
clients, the complaining party filed a claim with BBVA, of which
entity acknowledged receipt by writing to the complaining party and his address
personal, the one associated with your private client file as the owner of an account
banking open in this Bank.
Furthermore, BBVA provided the person represented by the complaining party with this
document acknowledgment of receipt of the claim made, highlighting
the information relating to the personal address of the complaining party, which was not known to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/17
this third person.
III
The facts presented, in relation to the use of the personal data of the party
claimant relative to his or her private address for the processing of a claim
formulated by him in the name and representation of a third party, acting under his
status of lawyer, without there being legitimate cause for it, represent a
non-compliance with the principle of “limitation of purpose” regulated in article 5.1.b)
of the GDPR, which establishes the following:
“1.Personal data will be:
(…)
b) collected for specific, explicit and legitimate purposes, and will not be further processed
in a manner incompatible with said purposes; In accordance with Article 89, paragraph 1, the
further processing of personal data for archiving purposes in the public interest, purposes of
scientific and historical research or statistical purposes will not be considered incompatible with the
initial purposes (“purpose limitation”).
In relation to the principles regulated in the aforementioned article 5 of the RGPD, it is taken into account
Consider what is stated in Recital 39 of the aforementioned GDPR:
“39. All processing of personal data must be lawful and fair. For natural persons, it must
be completely clear that they are being collected, used, consulted or otherwise processed
manner personal data that concerns them, as well as the extent to which such data is or
will be treated. The principle of transparency requires that all information and communication
regarding the processing of said data is easily accessible and easy to understand, and that
Use simple and clear language. This principle refers in particular to the information of
the interested parties about the identity of the person responsible for the treatment and the purposes of the same and to the
added information to ensure fair and transparent treatment with respect to the
affected natural persons and their right to obtain confirmation and communication of the data
personal data that concern them that are subject to processing. Natural persons must
be aware of the risks, standards, safeguards and rights relating to the
processing of personal data, as well as the way to enforce your rights in relation to
with the treatment. In particular, the specific purposes of the processing of personal data
They must be explicit and legitimate, and must be determined at the time of collection. The
Personal data must be adequate, relevant and limited to what is necessary for the purposes
for those who are treated. This requires, in particular, ensuring that it is limited to a minimum
strict conservation period. Personal data should only be processed if the purpose of the
treatment could not reasonably be achieved by other means. To ensure that the
personal data is not kept longer than necessary, the data controller has
to establish deadlines for its deletion or periodic review. All measures must be taken
reasonable measures to ensure that personal data that is
inaccurate. Personal data must be processed in a way that guarantees security and
appropriate confidentiality of personal data, including to prevent unauthorized access or use
“authorized users of said data and the equipment used in the processing.”
In the present case, BBVA processed the personal data of the party
claimant incompatible with the purposes that determined the collection of such
data.
Consequently, the aforementioned facts violate the provisions of article 5.1.b) of the
RGPD, giving rise to the application of the corrective powers that article 58 of the
cited Regulation grants to the Spanish Data Protection Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/17
IV
Article 32 of the GDPR, “Security of processing”, establishes the following:
"1. Taking into account the state of the art, the costs of application, and the nature, the
scope, context and purposes of the processing, as well as risks of probability and severity
variables for the rights and freedoms of natural persons, the person responsible and the person in charge
of the treatment will apply appropriate technical and organizational measures to guarantee a level
of security appropriate to the risk, which, where appropriate, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee confidentiality, integrity, availability and resilience
permanent treatment systems and services;
c) the ability to restore the availability and access to personal data in a manner
fast in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the measures
technical and organizational measures to guarantee the security of the treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to the
risks presented by data processing, in particular as a consequence of the
accidental or unlawful destruction, loss or alteration of transmitted personal data,
preserved or otherwise processed, or unauthorized communication or access to such
data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a mechanism of
certification approved in accordance with article 42 may serve as an element to demonstrate the
compliance with the requirements established in section 1 of this article.
4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and has access
personal data can only process said data following instructions from the person responsible,
unless it is obliged to do so by virtue of Union or Member State law.”
The GDPR defines personal data security breaches as “any
those security violations that cause the destruction, loss or
accidental or illicit alteration of personal data transmitted, preserved or processed
otherwise, or unauthorized communication or access to said data.”
It should be noted that the GDPR does not establish a list of security measures
that are applicable in accordance with the data that is the object of processing, but
which establishes that the person responsible and the person in charge of the treatment will apply measures
technical and organizational measures that are appropriate to the risk involved in the treatment,
taking into account the state of the art, the application costs, the nature,
scope, context and purposes of the treatment, the probability and severity risks
for the rights and freedoms of the persons concerned.
Likewise, security measures must be appropriate and proportionate to the
detected risk, pointing out that the determination of the technical measures and
organizational measures must be carried out taking into account: pseudonymization and encryption,
ability to guarantee confidentiality, integrity, availability and resilience, the
ability to restore availability and access to data after an incident, process
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/17
verification (not audit), evaluation and assessment of the effectiveness of the
measures.
In any case, when evaluating the adequacy of the security level, the
particularly taking into account the risks presented by data processing, such as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data and that could cause damages and losses
physical, material or immaterial.
In this same sense, recital 83 of the GDPR states that:
“(83) In order to maintain security and prevent the treatment from violating the provisions of the
This Regulation, the controller or processor must evaluate the risks inherent to the
treatment and apply mitigation measures, such as encryption. These measures must guarantee
an appropriate level of security, including confidentiality, taking into account the status of
the technique and cost of its application with respect to the risks and nature of the data
personnel that must be protected. When assessing risk in relation to the safety of
data, the risks arising from the processing of the data must be taken into account
personal data, such as the accidental or unlawful destruction, loss or alteration of personal data
transmitted, preserved or otherwise processed, or unauthorized communication or access
to said data, which may in particular cause physical, material or
immaterial.
In accordance with what is expressed in Considering 74 of the RGPD, the person responsible for the
treatment it is necessary to be able to demonstrate that the measures adopted are effective:
“The responsibility of the person responsible for the treatment must be established for any
processing of personal data carried out by himself or on his own account. In particular, the
responsible must be obliged to apply timely and effective measures and must be able to
demonstrate the compliance of processing activities with this Regulation,
including the effectiveness of the measures. These measures must take into account the nature,
scope, context and purposes of the processing as well as the risk to rights and freedoms
of natural persons.”
These technical and organizational measures are included as part of the principle of
active responsibility, which requires a prior assessment by the person responsible
treatment of the risk that could be generated by the processing of personal data, to
from which the appropriate measures will be adopted.
The RGPD seeks to anticipate the infringement or injury of rights to
avoid it. This proactive approach to “permanent implementation” of safety measures
security implies that they are not static, but dynamic, corresponding
It is up to the person responsible for the treatment to determine at all times what the protection measures are.
security measures necessary to ensure the confidentiality, integrity and
availability of personal data and mitigate or eliminate risks to users.
people rights. The first step is to carry out a “risk analysis” to
evaluate threats.
It is the person responsible or in charge of treatment who must prove said diligence.
with a solid and effective internal control system. Therefore, the mere
formal demonstration of compliance, but this principle requires a prior attitude,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/17
conscious, diligent and proactive on the part of organizations towards all
personal data processing they carry out.
Whether these measures are mandatory, or how they are applied, will depend on
factors that must be taken into account in each case, such as the type of treatment and the
risk that such processing implies for the rights and freedoms of the interested parties.
Consequently, due diligence must be adapted to the level of risks in the
data protection and the characteristics of the organization.
The concept of due diligence can be defined as “the measure of prudence,
activity or assiduity that can reasonably be expected, and with which normally
acts, a prudent and reasonable organization in circumstances
determined; It is not measured by an absolute standard, but depending on the facts
relative to the case in question. Therefore, due diligence is an ongoing process.
observation and prevention of the negative effects of the activities of the entities
on data protection.
In the present case, as the facts show, the claimed party used the
personal data of the complaining party recorded in their private client file
for the processing of a claim made by this claiming party in
name of a third party. In addition, it provided the acknowledgment of receipt document to a third party.
of said claim, making known the personal information of the complaining party
related to your private home.
This fact shows that the claimed entity has not adopted in a manner
effective appropriate technical and organizational measures to ensure safety
and confidentiality of their clients' data, especially those aimed at preventing the
access to information by unauthorized third parties, as in fact occurred when the
The claimed entity itself provided the client of the complaining party with the
acknowledgment of receipt of the claim made, addressed to the complaining party and its
personal address.
Consequently, the aforementioned facts violate the provisions of article 32 of the RGPD,
giving rise to the application of the corrective powers that article 58 of the aforementioned
Regulation granted to the Spanish Data Protection Agency.
V
The aforementioned article 5 of the RGPD establishes the principles that must govern the
processing of personal data and mentions, among them, “integrity and
confidentiality”:
"1. The personal data will be:
(…)
f) processed in such a way as to ensure adequate security of personal data,
including protection against unauthorized or unlawful processing and against its loss,
destruction or accidental damage, through the application of technical or organizational measures
appropriate (“integrity and confidentiality”).
(…)”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/17
The documentation on record offers sufficient indications to understand that the entity
claimed violated article 5 of the RGPD, which regulates the duty of confidentiality,
materialized in the disclosure to third parties of the personal data of the party
claimant, specifically, that relating to his private address. It is a diffusion
of personal data for which the claimed party does not have a legal basis that the
legitimate
This duty of confidentiality is intended to prevent leaks from occurring.
of data not consented to by its owners.
Consequently, the aforementioned facts represent a violation of the provisions of the
article 5.1 f) of the GDPR, which gives rise to the application of the corrective powers that the
Article 58 of the aforementioned Regulation grants the Spanish Agency for the Protection of
data.
SAW
BBVA, in its response to the claim transfer process, has stated that
The verified events took place due to a specific and isolated error, although not even
has explained what the alleged error consisted of.
In this regard, it is necessary to consider that the incidents that motivate the actions
occur within BBVA's area of responsibility and this entity must respond
thus. In no way can it be considered that the error that he claims to have committed
excludes its liability, since, according to settled jurisprudence, it cannot
The existence of such an error can be considered when it is attributable to the person who suffers it or could have suffered it.
be avoided by the use of greater diligence. In this case, the alleged error is
incompatible with the diligence that the claimed party is obliged to observe.
This diligence must be manifested in the specific case being analyzed, with respect to which
error is alleged, and not in general circumstances.
In the specific case of the complaining party, it cannot be accepted that the actions of the
claimed entity derives from an error. Admit that it is not appropriate to demand responsibility from
BBVA for the facts analyzed, based on an alleged error, would be as much as
admit that the application of the RGPD and the LOPDGDD can be ignored.
In this regard, it must be remembered that when the error is a sign of a lack of
diligence type is applicable. The National Court in Judgment of 21
September 2004 (RCA 937/2003), is pronounced in the following terms:
“Furthermore, regarding the application of the principle of guilt, it is (following the criterion of
this Chamber in other Judgments such as the one dated January 21, 2004 issued in the appeal
1139/2001) that the commission of the infraction provided for in article 44.3.d) can be either
malicious as well as culpable. And in this sense, if the error is a sign of a lack of diligence, the type
is applicable…".
Along these lines, it is worth mentioning the SAN of January 21, 2010, in which the Court
exposes:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/17
“The appellant also maintains that there is no culpability in her actions. Is
It is true that the principle of guilt prevents the admission in administrative law
sanctioning of objective liability, it is also true that the absence of
Intentionality is secondary since this type of infractions are normally committed
for a culpable or negligent act, which is sufficient to integrate the subjective element
of guilt. XXX's actions are clearly negligent because... he must know... the
obligations imposed by the LOPD on all those who handle personal data of third parties.
XXX is obliged to guarantee the fundamental right to the protection of personal data
of its clients and hypothetical clients with the intensity required by the content of its own
right".
The principle of guilt is required in the sanctioning procedure and thus the STC
246/1991 considers inadmissible in the field of administrative sanctioning law
a responsibility without guilt. But the principle of guilt does not imply that only
sanction an intentional or voluntary action, and in this regard article 28
of Law 40/2015 on the Legal Regime of the Public Sector, under the rubric
“Responsibility” provides the following:
"1. Only those who may be sanctioned for acts constituting an administrative offense
natural and legal persons, as well as, when a Law recognizes their capacity to act, the
groups of affected people, unions and entities without legal personality and assets
independent or autonomous, who are responsible for them by way of fraud or
blame".
The facts presented show that BBVA did not act with due diligence to the
that she was forced, that she acted with a lack of diligence. The Supreme Court (Judgments
of 04/16 and 04/22/1991) considers that from the culpable element it follows “...that the
action or omission, qualified as an administratively sanctionable infraction, must be,
in any case, attributable to its author, due to fraud or imprudence, negligence or ignorance
inexcusable". The same Court reasons that “it is not enough... for exculpation against
"invoking the absence of fault is typically illegal behavior" but
that it is necessary to prove “that the diligence that was required by whoever has been used
claims its non-existence” (STS January 23, 1998).
Also connected with the degree of diligence that the person responsible for the treatment is
obliged to deploy in compliance with the obligations imposed by the
data protection regulations, the SAN of 10/17/2007 (Rec. 63/2006) can be cited,
which specified: “(...) the Supreme Court has been understanding that there is imprudence
whenever a legal duty of care is neglected, that is, when the offender fails
"behaves with the required diligence."
Furthermore, the National Court, in matters of data protection of
personal character, has declared that “simple negligence or non-compliance with
the duties that the Law imposes on the people responsible for files or the
data processing to exercise extreme diligence…” (SAN 06/29/2001).
VII
In the event that there is a violation of the provisions of the RGPD, among the
corrective powers available to the Spanish Data Protection Agency,
as a control authority, article 58.2 of said Regulation contemplates the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/17
following:
“2 Each supervisory authority shall have all of the following corrective powers indicated below:
continuation:
(…)
b) send a warning to any person responsible or in charge of processing when the
processing operations have infringed the provisions of this Regulation;”
(...)
d) order the person responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, of a particular
manner and within a specified period;
(…)
i) impose an administrative fine in accordance with Article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;".
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.
VIII
Failure to comply with the provisions of article 5.1.b) and f) of the RGPD means the
commission of separate infractions classified in section 5.a) of article 83 of the
RGPD, which under the heading “General conditions for the imposition of fines
administrative” provides the following:
"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a
company, of an amount equivalent to a maximum of 4% of the total annual turnover
overall of the previous financial year, opting for the highest amount:
a) the basic principles for processing, including the conditions for consent to
tenor of articles 5, 6, 7 and 9”.
On the other hand, the violation of article 32 of the RGPD is classified in the
article 83.4.a) of the aforementioned RGPD in the following terms:
"4. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a
company, of an amount equivalent to a maximum of 2% of the total annual turnover
overall of the previous financial year, opting for the highest amount:
a) the obligations of the controller and the processor in accordance with articles 8, 11, 25 to 39, 42 and
43.
(…)”.
In this regard, the LOPDGDD, in its article 71 establishes that “They constitute
infractions the acts and conduct referred to in sections 4, 5 and 6 of the
article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law.”
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/17
“Article 72. Infractions considered very serious.
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, they are considered
very serious and the infractions that involve a violation will expire after three years.
substance of the articles mentioned therein and, in particular, the following:
a) The processing of personal data violating the principles and guarantees established in the
article 5 of Regulation (EU) 2016/679”.
And in its article 73, for the purposes of prescription, it qualifies as “Infringements considered
serious”:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679, they are considered
serious violations and violations that involve a substantial violation will expire after two years.
of the articles mentioned therein and, in particular, the following:
(…)
f) The lack of adoption of those technical and organizational measures that are appropriate
to guarantee a level of security appropriate to the risk of the treatment, in the terms
required by article 32.1 of Regulation (EU) 2016/679
g) The breach, as a consequence of the lack of due diligence, of the measures
technical and organizational measures that have been implemented in accordance with the requirements of article 32.1
of Regulation (EU) 2016/679.
(…)”
In this case, in light of the facts presented, it is considered that the sanction that
It would be appropriate to impose an administrative fine.
The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD.
In order to determine the administrative fine to impose, the following must be observed:
provisions of article 83, section 2, of the GDPR, which states the following:
"2. Administrative fines will be imposed, depending on the circumstances of each case.
individually, as an additional or substitute for the measures contemplated in article 58,
section 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount
In each individual case due account will be taken of:
a) the nature, severity and duration of the infringement, taking into account the nature,
scope or purpose of the processing operation in question as well as the number of
interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the
damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account
of the technical or organizational measures that have been applied under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular if the
responsible or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the same
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/17
matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms
approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits obtained or losses avoided, directly or indirectly, through
the infringement.”
For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in
its article 76, “Sanctions and corrective measures”, establishes:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in the
section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also
may be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of data processing
personal.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission of the
infringement.
e) The existence of a merger by absorption process after the commission of the infraction,
which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which there are
controversies between those and any interested party.”
In accordance with the indicated precepts, for the purposes of setting the amount of the sanctions
to be imposed in the present case, it is considered that it is appropriate to graduate them in accordance with
the following criteria established by the transcribed precepts:
In this case, the graduation criteria are considered concurrent as aggravating factors.
following:
. Article 83.2.b) of the RGPD: “b) intentionality or negligence in the infringement."
The negligence appreciated in the commission of the infraction, considering that the
claimed party used the personal data of the complaining party registered in
the entity in its capacity as client, without taking into account that it intervened in the
made in the name and representation of a third party.
In this regard, what was stated in the Court's Judgment is taken into account.
National of 10/17/2007 (rec. 63/2006) that, assuming that these are entities
whose activity involves continuous data processing, indicates that “…the
Supreme Court has been understanding that imprudence exists whenever
disregards a legal duty of care, that is, when the offender fails to comply
behaves with the required diligence. And in assessing the degree of diligence,
The professionalism or not of the subject must be especially considered, and there is no doubt
that, in the case now examined, when the appellant's activity is
constant and abundant handling of personal data, we must insist on the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/17
rigor and exquisite care to comply with the legal provisions in this regard.”
It is an entity that processes personal data in a manner
systematic and continuous and that must take extreme care in fulfilling its
data protection obligations.
This Agency understands that diligence has to be deduced from facts
conclusive, duly accredited and directly related
with the elements that make up the infringement, in such a way that it can be deduced
that it has occurred despite all the means arranged by the
responsible to avoid it. In this case, the actions of the claimed party do not
It has this character.
. Article 76.2.b) of the LOPDGDD: “b) The linking of the offender's activity
with the processing of personal data.”
The high link between the offender's activity and the performance of treatments
of personal data. The level of implementation of the entity and the
activity that it carries out, in which personal data of millions is involved
of interested parties. This circumstance determines a higher degree of demand and
professionalism and, consequently, the responsibility of the entity
claimed in relation to the processing of the data.
. Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor
applicable to the circumstances of the case, such as the financial benefits obtained
or losses avoided, directly or indirectly, through the infringement.”
. BBVA's status as a large company and business volume. It consists of
the actions that said entity has (...).
It is also considered that the following circumstance occurs as a mitigating circumstance:
. Article 83.2.a) of the GDPR: “a) the nature, severity and duration of the
infringement, taking into account the nature, scope or purpose of the operation
treatment in question as well as the number of interested parties affected and the
level of damages and losses they have suffered.”
The infringement is an anomaly that affects only the complaining party.
Considering the factors exposed, the value reached by the fines for the
imputed infractions is 25,000 euros (twenty-five thousand euros) for the infractions
very serious (violation of articles 5.1.b) and 5.1.f) of the RGPD) and 20,000 euros
(twenty thousand euros) for the serious infraction (violation of the provisions of article 32
of the GDPR).
IX
Once the infractions are confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/17
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”
In such case, this Agency could require the person responsible to adapt the
processing of personal data carried out in accordance with data protection regulations
in accordance with what is indicated in the preceding Legal Fundamentals.
This case affects only the complaining party and has to do with the
improper use and communication of the personal data of the complaining party related to
his personal address, on the occasion of a claim in which he intervened under the
status as representative of the interested person; and the BBVA entity has
stated that this circumstance was subsequently corrected. That being so, it is not possible
In this case, urge the adoption of measures by the person responsible for the treatment.
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF
A48265169, for a violation of article 5.1.b) of the RGPD, typified in article
83.5.a) of the same Regulation, and classified as very serious for the purposes of prescription
in article 72.1.a) of the LOPDGDD, a fine of 25,000 euros (twenty-five thousand
euros).
SECOND: IMPOSE BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF
A48265169, for a violation of article 32 of the RGPD, typified in article
83.4.a) of the same Regulation, and classified as serious for the purposes of prescription in the
article 73.f) and g) of the LOPDGDD, a fine of 20,000 euros (twenty thousand euros).
THIRD: IMPOSE BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF
A48265169, for a violation of article 5.1.f) of the RGPD, typified in article
83.5.a) of the same Regulation, and classified as very serious for the purposes of prescription
in article 72.1.a) of the LOPDGDD, a fine of 25,000 euros (twenty-five thousand
euros).
FOURTH: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A.
FIFTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/17
Spanish Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected during the executive period.
Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-120722
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
