AEPD (Spain) - PS/00427/2021
|AEPD (Spain) - PS/00427/2021
|Article 6(1) GDPR
|BANCO BILBAO VIZCAYA ARGENTARIA, S.A.
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
The Spanish DPA issued a €60,000 fine to a bank for a violation of Article 6(1) GDPR. The bank mistakenly called and sent electronic communications to a person who was not a customer and had not authorised the processing of their personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
On 28 April 2021, a data subject filed a complaint with the Spanish DPA (AEPD) against the bank Banco Bilbao Vizcaya Argentaria, S.A. (BBVA). According to the complainant, the BBVA had called and sent him several messages about non-payments and appointments. The complainant had asked the bank to delete his data, but the bank replied that it could not do so because there was no customer on their records with the phone number listed in the complaint.
The AEPD requested information from BBVA about what had happened and the bank replied that the communications had been an internal error. BBVA alleged that it was testing the operation of a tool designed to send notifications to its customers, and that the messages received by the complainant were fictitious test notifications that BBVA believed it had sent to an idle phone number. In addition, the entity said it had taken appropriate security measures to correct the situation.
Holding[edit | edit source]
The AEPD considers that BBVA's actions breached the principle of lawfulness in Article 6(1) GDPR because it had no legal basis for processing the complainant's data. The initial sanction the AEPD envisaged was €100,000 but BBVA was able to terminate the sanctioning procedure by paying €60,000 and acknowledging its responsibility, as provided for in Spanish administrative law.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 File No.: PS/00427/2021 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On October 29, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed party), through the Agreement which is transcribed: << File No.: PS/00427/2021 AGREEMENT TO START A SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the complaining party) dated April 28, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (hereinafter, the claimed party). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/11 The reason on which the claim is based is that the claimant is receiving in the mobile phone number of your ownership, ***PHONE.1, constant SMS of the claimed entity, about non-payments, appointments, etc., reason for which you requested the deletion of said mobile number from the database of the claimed entity. In response to the claimant's request, the respondent entity responded that it did not could proceed to the suppression of said number because he did not know any client in your database, with the mobile number you mentioned in your request. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on June 10, 2021, said claim was transferred to the claimed party, to proceed with its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. On August 2, 2021, this Agency received a written response indicating that the sending of said text messages has been the product of an error by the team that is responsible for carrying out performance tests of the tool designed to send notifications from the Bank to its customers. The messages the claimant has received are fictitious notifications of calls or meetings in the offices of the claimed entity that my client sent to the phone number ***PHONE.1 mistakenly believing that said number did not exist nor was it operational and therefore no one was going to receive said fictitious ads. We must clarify that these are not advertising messages but placements fictitious to carry out procedures in the offices of the claimed entity and that were sent by mistake in the test environment of the tool. Checked the error and the existence that said mobile phone number belongs to a natural person, the respondent entity has taken the necessary measures to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/11 that these events do not happen again and has apologized, in writing, to the claimant. THIRD: On August 17, 2021, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim presented by the party claimant. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure. II The defendant is accused of committing an infraction for violation of Article 6 of the RGPD, “Legality of the treatment”, which indicates in its section 1 the assumptions in which that the processing of third party data is considered lawful: "one. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; (…)” The infringement is typified in Article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/11 global total annual turnover of the previous financial year, opting for the largest amount: a) The basic principles for the treatment, including the conditions for the consent under articles 5,6,7 and 9.” The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of the Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements considered very serious” provides: "one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in it and, in particular, the following: (…) a) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.” III The documentation in the file offers evidence that the claimed, violated article 6.1 of the RGPD, since it processed the data of the claimant without having any legitimacy to do so. The respondent has acknowledged said error and has indicated that it has analyzed the record of the calls provided by the claimant in this file, and observes that, after confirming the reception of these, it has been detected that by mistake the claimant and its numbering in a campaign organized by the claimed object to verify the existence of technical breakdowns that customers may suffer. Likewise, it states that, after receiving the last claim from the client, it has strengthened the operation at the time of establishing and preparing the communication campaigns to clients, inhibiting this number automatically so that it cannot be included C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/11 as a recipient in any case in those communications; and that they will carry out controls periodically in order to check that its agents comply with all the measures established by the company. Now, despite stating the claim in previous claims to have implemented new security measures so that it does not happen again. It's clear, that the 1002 and 1004 calls continue to occur. Therefore, it is producing the treatment of the personal data of the claimant without legitimizing. IV The determination of the sanction to be imposed in this case requires observe the provisions of articles 83.1 and 83.2 of the RGPD, precepts that, respectively, provide the following: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/11 e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” (The underlining is from the AEPD) In order to specify the amount of the penalty to be imposed on the person claimed for violation of article 83.5.a) of the RGPD, it is essential to examine and assess whether the circumstances described in article 83.2 of the RGPD and if they intervene by mitigating or aggravating the responsibility of the responsible entity. In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction of fine to impose in the present case, the claimed party is considered responsible for an infringement typified in article 83.5.a) of the RGPD, in an initial assessment, The following factors are considered concurrent. As aggravating the following: - In the present case we are facing a negligent action on significant data that allow the identification of a person (article 83.2 b). - Basic personal identifiers are affected (name, a number identification, the line identifier) (article 83.2 g). - Section k), in relation to article 76.2 of Organic Law 3/2018, in which frames as an aggravating circumstance the continuous nature of the infraction attributed to the claimed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/11 - The evident link between the business activity of the defendant and the processing of personal data of customers or third parties (article 83.2 K, of the RGPD in relation to article 76.2 b, of the LOPDGDD). This is why it is considered appropriate to adjust the sanction to be imposed on the person claimed and set it at the amount of €100,000 for the infringement of article 6 of the RGPD. Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: FIRST: START SANCTION PROCEDURE against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169, for the alleged violation of the article 6 of the RGPD typified in article 83.5.a) of the aforementioned RGPD. SECOND: APPOINT B.B.B. and as secretary to C.C.C., indicating that any of them may be challenged, as the case may be, in accordance with established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Legal Department of the Public Sector (LRJSP). THIRD: INCORPORATE to the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its attached documentation, the information requirements that the General Subdirectorate of Data Inspection sent to the entity claimed in the preliminary investigation phase and their respective acknowledgments of receipt FOURTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1- tubre, of the Common Administrative Procedure of the Public Administrations, the sanction that could correspond would be 100,000 euros (one hundred thousand euros), without prejudice cio of what results from the instruction. FIFTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169, granting a hearing period of ten C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/11 working days to formulate the allegations and present the evidence that it considers convenient. In your statement of allegations, you must provide your NIF and the number of the consent that appears at the top of this document. If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed was a fine, it may recognize its responsibility within the term granted for the formulation of allegations to this initial agreement; it which will entail a reduction of 20% of the sanction to be imposed in the present procedure. With the application of this reduction, the sanction would be established at 80,000 euros, resolving the procedure with the imposition of this sanction. Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 80,000 euros and its payment will imply the termination of the process. The reduction for the voluntary payment of the penalty is cumulative with the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 60,000 euros. In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction. In case you chose to proceed to the voluntary payment of any of the amounts C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/11 indicated above, 80,000 euros or 60,000 euros, you must make it effective by depositing it in account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which welcomes Likewise, you must send proof of payment to the General Subdirectorate of Inspection to proceed with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Sea Spain Marti Director of the AEPD, P.O. the Deputy Director General for Data Inspection, Olga Pérez Sanjuán, Resolution 4/10/2021 >> SECOND: On December 4, 2021, the claimed party has proceeded to payment of the sanction in the amount of 60,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/11 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of the Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the infractions typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the society of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "one. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00427/2021, of in accordance with the provisions of article 85 of the LPACAP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/11 SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 936-160721 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es