AEPD (Spain) - PS/00427/2021

From GDPRhub
AEPD (Spain) - PS/00427/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 16.12.2021
Fine: 60,000 EUR
Parties: BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
National Case Number/Name: PS/00427/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA issued a €60,000 fine to a bank for a violation of Article 6(1) GDPR. The bank mistakenly called and sent electronic communications to a person who was not a customer and had not authorised the processing of their personal data.

English Summary

Facts

On 28 April 2021, a data subject filed a complaint with the Spanish DPA (AEPD) against the bank Banco Bilbao Vizcaya Argentaria, S.A. (BBVA). According to the complainant, the BBVA had called and sent him several messages about non-payments and appointments. The complainant had asked the bank to delete his data, but the bank replied that it could not do so because there was no customer on their records with the phone number listed in the complaint.

The AEPD requested information from BBVA about what had happened and the bank replied that the communications had been an internal error. BBVA alleged that it was testing the operation of a tool designed to send notifications to its customers, and that the messages received by the complainant were fictitious test notifications that BBVA believed it had sent to an idle phone number. In addition, the entity said it had taken appropriate security measures to correct the situation.

Holding

The AEPD considers that BBVA's actions breached the principle of lawfulness in Article 6(1) GDPR because it had no legal basis for processing the complainant's data. The initial sanction the AEPD envisaged was €100,000 but BBVA was able to terminate the sanctioning procedure by paying €60,000 and acknowledging its responsibility, as provided for in Spanish administrative law.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/11











     File No.: PS/00427/2021


       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT

                                   VOLUNTARY

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                 BACKGROUND

FIRST: On October 29, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against BANCO BILBAO

VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement
which is transcribed:

<<






File No.: PS/00427/2021






           AGREEMENT TO START A SANCTION PROCEDURE




Of the actions carried out by the Spanish Data Protection Agency and in

based on the following



                                     FACTS




FIRST: A.A.A. (hereinafter, the complaining party) dated April 28, 2021
filed a claim with the Spanish Data Protection Agency.




The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with
NIF A48265169 (hereinafter, the claimed party).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11










The reason on which the claim is based is that the claimant is receiving in the

mobile phone number of your ownership, ***PHONE.1, constant SMS of the
claimed entity, about non-payments, appointments, etc., reason for which you requested the

deletion of said mobile number from the database of the claimed entity.



In response to the claimant's request, the respondent entity responded that it did not

could proceed to the suppression of said number because he did not know any client in
your database, with the mobile number you mentioned in your request.




SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on June 10, 2021, said claim was transferred to the

claimed party, to proceed with its analysis and inform this Agency in the
period of one month, of the actions carried out to adapt to the requirements

provided for in the data protection regulations.



On August 2, 2021, this Agency received a written response

indicating that the sending of said text messages has been the product of an error
by the team that is responsible for carrying out performance tests of
the tool designed to send notifications from the Bank to its customers.




The messages the claimant has received are fictitious notifications of
calls or meetings in the offices of the claimed entity that my client

sent to the phone number ***PHONE.1 mistakenly believing that
said number did not exist nor was it operational and therefore no one was going to receive said
fictitious ads.




We must clarify that these are not advertising messages but placements

fictitious to carry out procedures in the offices of the claimed entity and that were sent
by mistake in the test environment of the tool.




Checked the error and the existence that said mobile phone number belongs
to a natural person, the respondent entity has taken the necessary measures to


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11








that these events do not happen again and has apologized, in writing, to the
claimant.




THIRD: On August 17, 2021, the Director of the Spanish Agency for

Data Protection agreed to admit for processing the claim presented by the party
claimant.


                            FOUNDATIONS OF LAW



                                             I




By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director

of the Spanish Agency for Data Protection is competent to initiate and to
resolve this procedure.




                                             II



The defendant is accused of committing an infraction for violation of Article 6
of the RGPD, “Legality of the treatment”, which indicates in its section 1 the assumptions in which
that the processing of third party data is considered lawful:




"one. The treatment will only be lawful if at least one of the following is met
terms:


a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party

is part of or for the application at the request of the latter of pre-contractual measures;
(…)”


 The infringement is typified in Article 83.5 of the RGPD, which considers as such:




"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11








global total annual turnover of the previous financial year, opting for
the largest amount:




a) The basic principles for the treatment, including the conditions for the
consent under articles 5,6,7 and 9.”



The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of the
Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements
considered very serious” provides:



"one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,

considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned in it and, in particular, the
following:



(…)




a) The processing of personal data without the concurrence of any of the conditions
of legality of the treatment established in article 6 of Regulation (EU) 2016/679.”



                                             III



The documentation in the file offers evidence that the claimed,

violated article 6.1 of the RGPD, since it processed the data
of the claimant without having any legitimacy to do so.



The respondent has acknowledged said error and has indicated that it has analyzed the record of
the calls provided by the claimant in this file, and observes that,

after confirming the reception of these, it has been detected that by mistake the
claimant and its numbering in a campaign organized by the claimed object

to verify the existence of technical breakdowns that customers may suffer.



Likewise, it states that, after receiving the last claim from the client, it has strengthened

the operation at the time of establishing and preparing the communication campaigns to
clients, inhibiting this number automatically so that it cannot be included

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11








as a recipient in any case in those communications; and that they will carry out controls
periodically in order to check that its agents comply with all the measures

established by the company.




Now, despite stating the claim in previous claims to have
implemented new security measures so that it does not happen again. It's clear,
that the 1002 and 1004 calls continue to occur. Therefore, it is

producing the treatment of the personal data of the claimant without
legitimizing.




                                            IV



The determination of the sanction to be imposed in this case requires

observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that,
respectively, provide the following:




“Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation

indicated in sections 4, 9 and 6 are in each individual case effective,
proportionate and dissuasive.”




“Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administration and its amount in each individual case will be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that

have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to
alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
taking into account the technical or organizational measures that they have applied under

of articles 25 and 32;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11








e) any previous infringement committed by the person in charge or the person in charge of the treatment;

 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;


g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
measure;

i) when the measures indicated in article 58, section 2, have been ordered

previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or mechanisms of
certification approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or

indirectly, through the infringement.” (The underlining is from the AEPD)



In order to specify the amount of the penalty to be imposed on the person claimed for violation
of article 83.5.a) of the RGPD, it is essential to examine and assess whether the

circumstances described in article 83.2 of the RGPD and if they intervene by mitigating or
aggravating the responsibility of the responsible entity.





In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction of fine to
impose in the present case, the claimed party is considered responsible for
an infringement typified in article 83.5.a) of the RGPD, in an initial assessment,
The following factors are considered concurrent.


As aggravating the following:

- In the present case we are facing a negligent action on significant data
that allow the identification of a person (article 83.2 b).


- Basic personal identifiers are affected (name, a number
identification, the line identifier) (article 83.2 g).
- Section k), in relation to article 76.2 of Organic Law 3/2018, in which

frames as an aggravating circumstance the continuous nature of the infraction attributed to the
claimed.





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11








- The evident link between the business activity of the defendant and the
processing of personal data of customers or third parties (article 83.2 K, of the RGPD

in relation to article 76.2 b, of the LOPDGDD).


This is why it is considered appropriate to adjust the sanction to be imposed on the person claimed and
set it at the amount of €100,000 for the infringement of article 6 of the RGPD.

Therefore, based on the foregoing,



By the Director of the Spanish Data Protection Agency,




HE REMEMBERS:



FIRST: START SANCTION PROCEDURE against BANCO BILBAO

VIZCAYA ARGENTARIA, S.A. with NIF A48265169, for the alleged violation of the
article 6 of the RGPD typified in article 83.5.a) of the aforementioned RGPD.




SECOND: APPOINT B.B.B. and as secretary to C.C.C.,
indicating that any of them may be challenged, as the case may be, in accordance with
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime

Legal Department of the Public Sector (LRJSP).



THIRD: INCORPORATE to the disciplinary file, for evidentiary purposes, the

claim filed by the claimant and its attached documentation, the
information requirements that the General Subdirectorate of Data Inspection
sent to the entity claimed in the preliminary investigation phase and their respective

acknowledgments of receipt



FOURTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1-

tubre, of the Common Administrative Procedure of the Public Administrations, the
sanction that could correspond would be 100,000 euros (one hundred thousand euros), without prejudice
cio of what results from the instruction.




FIFTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A. with NIF A48265169, granting a hearing period of ten

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11








working days to formulate the allegations and present the evidence that it considers
convenient. In your statement of allegations, you must provide your NIF and the number of the

consent that appears at the top of this document.




If within the stipulated period it does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of

Public Administrations (hereinafter, LPACAP).



In accordance with the provisions of article 85 of the LPACAP, in the event that the

sanction to be imposed was a fine, it may recognize its responsibility within the
term granted for the formulation of allegations to this initial agreement; it
which will entail a reduction of 20% of the sanction to be imposed in

the present procedure. With the application of this reduction, the sanction would be
established at 80,000 euros, resolving the procedure with the imposition of this

sanction.



Similarly, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 80,000 euros and its payment will imply the termination of the

process.



The reduction for the voluntary payment of the penalty is cumulative with the corresponding

apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate

arguments at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if it were appropriate to apply both reductions, the amount of the penalty would be

set at 60,000 euros.



In any case, the effectiveness of any of the two reductions mentioned will be

conditioned to the abandonment or renunciation of any action or resource in via
administrative against the sanction.




In case you chose to proceed to the voluntary payment of any of the amounts
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11








indicated above, 80,000 euros or 60,000 euros, you must make it effective
by depositing it in account number ES00 0000 0000 0000 0000 0000 open to

name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the concept the reference number of the procedure that appears in

the heading of this document and the reason for the reduction of the amount to which
welcomes




Likewise, you must send proof of payment to the General Subdirectorate of
Inspection to proceed with the procedure in accordance with the quantity
entered.




The procedure will have a maximum duration of nine months from the
date of the start-up agreement or, where appropriate, of the draft start-up agreement.

Once this period has elapsed, it will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.






Sea Spain Marti

Director of the AEPD, P.O. the Deputy Director General for Data Inspection, Olga
Pérez Sanjuán, Resolution 4/10/2021




>>



SECOND: On December 4, 2021, the claimed party has proceeded to
payment of the sanction in the amount of 60,000 euros making use of the two reductions
provided for in the Start Agreement transcribed above, which implies the
acknowledgment of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or resource in via
administrative action against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Initiation Agreement.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11








                            FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of the Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said

Regulation; infractions of article 48 of Law 9/2014, of May 9, General
Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the infractions typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the society of the
information and electronic commerce (hereinafter LSSI), as provided in article

43.1 of said Law.

                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter, LPACAP), under the rubric

"Termination in sanctioning procedures" provides the following:

"one. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the

compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation

of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.

The reduction percentage provided for in this section may be increased
regulations."


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data
RESOLVES:


FIRST: TO DECLARE the termination of procedure PS/00427/2021, of
in accordance with the provisions of article 85 of the LPACAP.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11









SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.



                                                                                    936-160721
Sea Spain Marti
Director of the Spanish Data Protection Agency








































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es