AEPD (Spain) - PS/00219/2019

From GDPRhub
Revision as of 11:47, 4 January 2021 by Mh (talk | contribs)
AEPD - PS/00219/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Article 17(1)(a) GDPR
Article 83(5)(a) GDPR
72 (1) (a) LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided: 11.12.2020
Published:
Fine: 60000 EUR
Parties: BBVA
National Case Number/Name: PS/00219/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA (AEPD) imposed a fine of €60000 (reduced to €36000) on Banco Bilbao Vizcaya Argentaria, SA. (BBVA) for processing personal data without the accuracy required according to Article 5(1)(a) GDPR.

English Summary

Facts

BBVA sent the claimant's personal data to a collection agency. The claimant had no relationship with the debt, as he was no longer the administrator of the company for which the bank was claiming the debt. Even so, the claimant was receiving mail and calls from the company hired by BBVA to claim the debt.

BBVA failed to verify the accuracy of the data relating to the claimant and the debt incurred by the debtor company, and therefore the claimant could not request the deletion of his personal data held by BBVA.

Dispute

Is the lack of diligence in checking for accuracy when processing personal data an infringement of Article 5(1)(d) GDPR?

Holding

The AEPD held that BBVA processed the complainant's personal data in infringement of the principle of accuracy.

The AEPD took into account, in determining the amount of a significantly serious infringement, the lack of diligence in the conduct of BBVA and the volume of business of the complainant, and the relationship of its habitual activity in the data processing.

BBVA made use of two reductions in the amount of a sanction: voluntary payment (20%) and acknowledgment of responsibility (20%). So they finally paid €36000 after the application of the reductions.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/16











     Procedure No.: PS / 00219/2019

RESOLUTION R / 00449/2020 TERMINATION OF THE PAYMENT PROCEDURE
                                   VOLUNTARY


In the sanctioning procedure PS / 00219/2019, instructed by the Spanish Agency for
Data Protection for BANCO BILBAO VIZCAYA ARGENTARIA, S.A., after the
complaint filed by A.A.A., and based on the following,


                                 BACKGROUND

FIRST: On March 6, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against BANCO BILBAO

VIZCAYA ARGENTARIA, S.A. (hereinafter, the claimed), through the Agreement that
it is transcribed:

<<





Procedure Nº: PS / 00219/2019

935-240719




           AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE




       Of the actions carried out by the Spanish Agency for the Protection of
Data and in consideration of the following




                                     ACTS



FIRST: On 04/23/2019 the Director of the Spanish Agency for the Protection of

Data (AEPD) upheld the appeal for reconsideration RR / 00002/2019, filed by Mr.
A.A.A. (hereinafter the claimant), and agreed to admit for processing the claim that in

his day had presented. RR / 00002/2019 challenged the agreement
issued by the Director of the AEPD on 12/12/2018, within the framework of E / 04539/2018, which
The claim that the claimant made on 06/27/2018 was inadmissible for processing.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/16








      The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA
-BBVA- (hereinafter the claimed or BBVA), entity that has required the payment of

a debt that does not belong to you and you have communicated your personal data with that
purpose to a collection manager. The claimant states that for several months

received phone calls and emails from Multi-Management
Iberia, S.L, which, on behalf of BBVA, claimed the payment of a debt to which he is
alien. He adds that he requested the cancellation of his data to BBVA without receiving a response.




      The claimant declares that the claims made by the respondent are not true
in his response to the information request of this Agency: that he maintains positions

debtors with the claimed one as representative of POUSEN, S.L. Add that
It has no connection with the mercantile POUSEN, S.L. and what did you communicate to BBVA

this circumstance before requesting the cancellation of your data and also to
request it.




      Provide a copy of the following documents:



      - Notary public deed dated 11/14/2014 of “modification, cessation of

administrator and appointment of a member of the board of directors granted by
POUSEN, S.L. " In it, the following agreements are made public, among others
adopted on 10/15/2014: removal of the sole administrator D. A.A.A. and the

appointment of the new sole administrator D. B.B.B .. Documentary accredited
the presentation of the notarial deed in the Mercantile Registry on date *** DATE.1.




      - The copy of the emails dated 05/25/2018 and 05/26/2018
exchanged with Multigestión Iberia, S.L., and with BBVA, duly certified by

the eGarante company, a trusted third party, who certify that on 05/25/2018 the
claimant exercised access rights before Multigestión Iberia, S.L., and BBVA
and suppression and that Multi-Management informed her that she was acting as

treatment of BBVA in order to claim on its behalf the payment of a debt
pending with the mercantile POUSEN, S.L. The claimant documentary proof
have informed the treatment manager that it has nothing to do with the

debtor company.



SECOND: A.- In accordance with the mechanism prior to the admission for processing of the

claims that are made before the AEPD established in article 9 of the Royal
Decree-Law 5/2018, of urgent measures for the adaptation of Spanish Law to the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/16








European regulations on data protection - regulation in force since
07/31/2018 until its repeal by Organic Law 3/2018, of December 5, of

Data Protection and Guarantees of digital rights (LOPDGDD) - on date
08/22/2018 the Data Protection Delegate of the claimed of the
claim incorporated into file E / 4539/2018 and it was requested that, within the period of

one month from receipt, will inform this Agency of the circumstances that
had originated the facts set forth in it, of the decision adopted to end
to the irregular situation caused and to proceed to communicate its decision to the

claimant.



      The respondent responds in writing dated 10/01/2018 in which she makes the

following manifestations:



    - You acknowledge that the claimant, by email sent the

        05/25/2018 both BBVA and Multigestión Iberia, S.L., exercised the rights
        of "access and cancellation regarding your personal data and where,
        specifically, it required the removal of his email from the database

        BBVA data ”.



    - Provides, as an attached document, a copy of the email that the claimant

        He sent him that it says in one of its paragraphs:

            “These days the people of Multigestión Iberia, S.L. have written to me, saying
        that I owe you a debt. I have no debt to anyone. ...

        According to them Pousen, S.L., has a debt with BBVA, something that I know is not
        true, because he had a link with Pousen before. But now I don't have any

        link with Pousen, S.L. Also, you have obtained emails
        personal, personal and work telephones, so above I request the
        source where you have obtained them ... Finally I indicate that I do not have

        no debt to you or anyone else. (…) ”(The underlining is from the AEPD)



    - BBVA explains: “On 09/28/2018 the SAC responded by email to Mr.

        A.A.A. accessing your right of access, but not the right of cancellation, since
        it had active positions with the Bank. However, according to the
        RGPD, proceeded to remove your email address from the database

        data of my represented… ”(The underlining is from the AEPD)




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/16








    - BBVA affects this issue in the second allegation of the information brief in
       which reads: “Mr. A.A.A. was sole partner and administrator of the company

       POUSEN, S.L., between 03/12/2019 and 12/02/2014, as can be seen
       in Document No. 4 that is provided. Due to this professional bond the
       10/22/2012 signed contract nº *** CONTRATO.1 between the mercantile

       POUSEN, S.L., and BBVA, including Mr. A.A.A. as its representative and
       the email mentioned as contact information, as you can
       observe in Document No. 5 attached. " (The underlining is from the AEPD)




    - Document number 4 provided by BBVA corresponds to the result of the consultation
       made electronically on 09/14/2018 to Axesor - mercantile information,

       incidents and links- which offers a comprehensive view of the trajectory
       commercial, structural and corporate of the company POUSEN, S.L., and allows

       verify that since 12/02/2014 Mr.
       B.B.B .. The document informs that the claimant was a sole partner and
       POUSEN sole administrator between 03/12/2009 and 12/02/2014. As well,

       dated *** DATE.1 the following are registered in the Mercantile Registry
       acts: the cessation as sole administrator of D.A.A.A .; the appointment as
       Sole administrator of D. B.B.B. and the loss of unipersonality of the

       society.



    - BBVA provides a copy of the response sent to the claimant by mail

       electronic dated 09/28/2018. It informs you about your request for
       access, through six devices. Regarding the cancellation request
       The respondent is limited to saying: “… in relation to your request for cancellation of

       the data that about you appear in our records, of which
       has left a literal copy in this writing, we inform you that after making the
       timely checks, we note that today it maintains positions

       current with the entity, so it is not possible to access your request, since
       the legal basis that obliges us to process your personal data is based on the

       contractual relationship in addition to compliance with the law. In order to perform the
       effective deletion of your personal data, no
       position or commercial relationship with our entity ”. (The underlining is from

       AEPD)



    - Document No. 5 provided by BBVA is a screenshot of its

       systems in which the name, two surnames and NIF of the claimant appear
       followed by the indication “AH: LEGAL CX INTEGRATION ACCOUNT”. The
       account *** ACCOUNT.1 is linked to these data: “NIF LEGAL PERSON

       B73621351 POUSEN S.L. FIRST HOLDER ”. "NIF NATURAL PERSON
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/16








       *** NIF. 1 A.A.A. REPRESENTATIVE ”(The underlining is from the AEPD)




    - BBVA has stated in its informative response that “Currently the contract
       nº *** CONTRACT.1 has an outstanding debt with BBVA of XXX euros,

       as can be seen in the screenshot of the Bank's systems that
       It is provided as Document No. 6 ”. Document No. 6 is called "Detail
       Real Delay Contract ”and in the“ Basic data ”section it appears:“ Contract

       *** CONTRACT. 2 Owner: POUSEN, S.L., Document: B73621351 Situation:
       Suspense. In the section for "Additional information" it appears as
       "Product: LEGAL CX INTEGRATION ACCOUNT".




      On 12/12/2018, the Director of the AEPD agrees to reject the
claim made by the claimant.




B.- The claimant filed on 12/26/2018 an optional appeal for reconsideration against the
inadmissibility agreement for processing (RR / 0002/2019) in which it underlines that BBVA denied
the cancellation of your data for maintaining, supposedly, debtor positions in
quality of representative of POUSEN, S.L .; that he communicated to the claimed entity,
both before requesting the cancellation of your data and when requesting it, which does not have

no connection with POUSEN and that this company has another sole administrator.



       Provide a copy of the public deed of modification, removal of administrator and
appointment of members of the Board of Directors granted by POUSEN,
S.L., on 10/29/2014 which is registered in the Mercantile Registry of *** LOCALIDAD.1 the
11/14/2014.




      On 04/23/2019 the Director of the AEPD decides to estimate the appeal of
replacement filed by the claimant against the resolution of this Agency issued
on 12/12/2018 and “agree to the admission for processing of the claim filed against
BANCO BILBAO VIZCAYA ARGENTARIA, S.A. "






C.- Article 67 of the LOPDGDD, under the heading "Previous Actions of

investigation ”provides that before the adoption of the agreement to initiate
procedure and once the claim is admitted for processing, if any, the Agency
may carry out preliminary investigation actions. And he adds that section 2

that "The preliminary investigation actions ... may not have a duration

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/16








more than twelve months from the date of the agreement for admission to processing… ”.




             Through Diligence dated 12/20/2019 of the data inspector,
incorporate into the file various screen captures related to the information that

appears in the Mercantile Registry regarding the company POUSEN, S.L. Through them
it is verified that, from the cessation of the claimant as sole Administrator of POUSEN,

S.L., and the appointment as Administrator of D. B.B.B., the company has not changed
their legal representatives.






                            FOUNDATIONS OF LAW



                                              I




        By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.




                                             II



      Article 58 of the RGPD, "Powers", states:




      “2 Each supervisory authority shall have all the following powers
corrective measures listed below:

      (…)

      c) order the data controller to respond to exercise requests
of the rights of the interested party under this Regulation;

       (…)


      i) impose an administrative fine in accordance with article 83, in addition or instead
of the measures mentioned in this section, depending on the circumstances of the
particular case


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/16








      (…) "



      The RGPD deals in article 5 with the principles that must govern the

treatment of personal data and mention among them the "accuracy"



      "1. The personal data will be:

      (…)

      d) exact, and if necessary updated; all measures will be taken
reasonable so that the personal data that

are inaccurate with respect to the purposes for which they are treated <<inaccuracy>> ”



       Article 5.2. GDPR adds:



      "The person responsible for the treatment will be responsible for compliance with the
provided in section 1 and capable of demonstrating it (<< proactive responsibility >>) "




      The violation of article 5.1.d) of the RGPD is typified in article
83.5 of Regulation (EU) 2016/679 in the following terms:



      "5. Violations of the following provisions will be sanctioned, in accordance
with section 2, with administrative fines of maximum 20,000,000 Eur or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

      a) Basic principles for treatment, including basic conditions
for consent in accordance with articles 5, 6, 7 and 9; "




      For its part, the LOPDGDD, for prescription purposes, considers as
very serious infringement in article 72.1.a) "The processing of personal data
violating the principles and guarantees established in article 5 of the Regulation (EU)
2016/679 ".






                                            III

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/16










      The documentation in the file certifies that BBVA processed the data

claims of the claimant violating the principle of accuracy.



      The treatment of the claimant's data associated with an inaccurate data -the

attribution of a debt to which he was alien- evidence of the text of the emails
emails that he sent on 05/25/2018 both to BBVA and to the person in charge of
treatment, Multigestión Iberia, S.L., and the latter on 05/26/2018.




      It also shows that BBVA processed data from the
complainant contrary to the principle of accuracy the response of that entity to the

informative request that the Agency made in the phase of admission for processing of the
claim. Thus, in writing that the
10/01/2018, BBVA informed the AEPD that, as a result of the claimant exercising the

right to cancel your personal data, with a precautionary nature, the
file with Multigestión Iberia, S.L.U., but the customer service
(SAC) of BBVA responded to the claimant in an email dated 09/28/2018 that no

could access the requested cancellation right “since it presented positions
active with the bank ”.




      The defendant adds that the claimant “was the sole partner and administrator of the
mercantile POUSEN, S.L., between 03/12/2009 and 12/02/2014 "and that" due to that
professional bond ”on 10/22/2012 contract number was signed

*** CONTRACT. 1 between POUSEN, S.L., in which the claimant stated as
representative of the company and his email address was collected. BBVA ends its

explanation saying that “contract number *** CONTRACT.1 maintains a debt
pending of XXX euros as can be seen in the screenshot of the systems
of the Bank that is contributed ”. The documents it provides in this regard are captures of

screen in which POUSEN, S.L. appears as a client, as the "owner" of the
account previously transcribed and the claimant as “representative”.




      Among the documents that BBVA sent to this Agency in the admission phase to
process, there is a report provided by AXESOR on 09/14/2018 which includes
with total clarity that on 12/02/2014 the termination of the business is already registered in the Mercantile Registry

claimant as sole administrator of POUSEN and has been designated as new
sole administrator to D. B.B.B.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/16








      Thus, contract number *** CONTRATO.1 was entered into by BBVA with a
legal person, the mercantile POUSEN, S.L., an extreme of which there is no doubt as it is

that company appears as the "owner" of the contract in BBVA's files. In
In the screenshots provided by BBVA, the claimant appears as
"Representative", given his condition of sole administrator of the company and of

in accordance with article 233.1 of the Consolidated Text of Law 1/2010 of Companies
of Capital.




      The attribution to the administrator of a capital company of a debt
contracted by the company it represents constitutes in itself an infringement
of the principle of accuracy. Even more serious is BBVA's conduct if it is taken into

Considering that since four years before the events occurred, the
claimant was no longer administrator of POUSEN, S.L., since he had ceased in that

charge by social resolution dated 10/15/2014, raised to public deed on
10/29/2014 and published in the Mercantile Registry on *** DATE. 1.



      As a result of the attribution to the claimant of an inaccurate data - a debt that does not

belonged- BBVA processed your personal data without legitimacy communicating it to your
in charge of treatment to claim on his behalf a debt to which he was

alien. Also a consequence of the violation of the principle of accuracy is the
refusal by BBVA to the claimant to delete their personal data
requested. Starting from inaccurate information, the entity reaches the wrong one

conclusion of rejecting the requested deletion by improperly estimating that those
Claimant's data are necessary for the purpose for which they were collected (ex
article 17.1.a; of the RGPD to sensu contrary)






      The facts presented also show a serious lack of diligence in

BBVA not only for having attributed to the claimant, whose status was not that of debtor, the
debt contracted by whoever had been represented, but also because of having
consulted the R.M. could have known that the claimant no longer held the

administrator status. Furthermore, the claimed persists in its
offending conduct and, despite being informed by the claimant at the end of May
2018 that he is no longer administrator of the debtor entity, POUSEN, does not carry out

no checking on that end and refuses to cancel your data. It's more,
Nor does he realize his error when he collects from Axesor in September 2018 a
report with the history of the social agreements registered by POUSEN in the R.M.,

which includes the claimant's termination agreement as administrator and the
appointment of a new sole director of the company adopted in October

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/16








2014 and registered in the R.M. on *** DATE. 1.




      BBVA's behavior described above is subsumed under the penalty type of the
Article 83.5.a, RGPD.




                                             IV



      In determining the administrative fine to be imposed, the

provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:



      "Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case

effective, proportionate and dissuasive. "



      "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:


        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;

        b) intentionality or negligence in the infringement;


        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge of the
        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the person in charge or the person in charge of the

        treatment;

         f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;

        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/16








        in particular if the person in charge or the person in charge notified the infraction and, in such
        case, to what extent;

        i) when the measures indicated in Article 58 (2) have been
        previously ordered against the person in charge or the person in charge

        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. "


      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,

"Sanctions and corrective measures", provides:

      "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:

        a) The continuing nature of the offense.

        b) The linking of the offender's activity with the performance of treatments
        of personal data.

        c) The benefits obtained as a result of the commission of the offense.

        d) The possibility that the affected person's conduct could have led to the
        commission of the offense.

        e) The existence of a merger process by absorption after the commission

        of the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.

        g) To have, when not mandatory, a delegate for the protection of
        data.

        h) The submission by the person in charge or in charge, with character
        voluntary, to alternative dispute resolution mechanisms, in those

        cases in which there are controversies between those and any
        interested."


      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine penalty that
it corresponds to impose the claimed party as allegedly responsible for a criminal offense
In article 83.5.a) of the RGPD, in an initial assessment, the concurrence of the
following factors that aggravate the liability due to that entity:


     - The treatment operation in which the offending conduct is specified may
        be classified as significantly serious.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/16








     - Serious lack of diligence: The conduct of the claimed party in which the
       The infringement is the result of a serious lack of diligence in complying with the
       Obligations imposed by the data protection regulations. The entity seems

       ignore two essential questions; that the administrator of a company is its
       representative and the status of debtor cannot be attributed to him personally when
       The owner of the debt is the represented company and, on the other hand, BBVA did not adopt the
       minimum caution by consulting the Commercial Registry and verifying the identity of
       who held the status of administrator of the debtor company at the time of
       communicate the claimant's data to MULTIGESTIÓN.


       - Regarding the circumstance described in section k) of article 83.2 of the
       RGPD in relation to article 76 of the LOPDGDD, it should be mentioned that the
       activity of the allegedly infringing entity is linked to the treatment of
       personal data, both clients and third parties, therefore, taking into account
       its very important volume of activity, the transcendence that

       have the offending behaviors that are the subject of this claim.

         Therefore, based on the foregoing,

       By the Director of the Spanish Agency for Data Protection,



       HE REMEMBERS:




FIRST: INITIATE SANCTIONING PROCEDURE against BANCO BILBAO VIZCAYA
ARGENTARIA, S.A., with NIF A48265169, for the alleged violation of article 5.1. d)
of the RGPD typified in article 83.5 of the aforementioned Regulation (EU) 2016/679.




SECOND: APPOINTMENT to C.C.C. and secretary to D.D.D., indicating that
any of them may be challenged, where appropriate, in accordance with the provisions of the

Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).




THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its attached documentation; papers
obtained and generated by the General Subdirectorate for Data Inspection during the

previous information; the appeal for reconsideration presented by the claimant and
attached documentation; the estimated resolution of RR / 00002/2019, and the

documentation obtained by the Data Inspection in the course of the investigation
previous.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/16








FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the

The corresponding sanction would be an administrative fine for an amount of
€ 60,000 (sixty thousand euros) without prejudice to what results from the instruction.




FIFTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the

The sanction that may correspond would be to ORDER the complained party to proceed to
delete without delay the personal data of the claimant that concerns him.




SIXTH: NOTIFY this agreement to BANCO BILBAO VIZCAYA ARGENTARIA,
S.A., with NIF A48265169, granting a hearing period of ten business days to
to make the allegations and present the evidence it deems appropriate. In

your statement of allegations must provide your NIF and the procedure number that
it appears at the top of this document.




       If, within the stipulated period, no allegations are made to this initiation agreement, the
It may be considered a resolution proposal, as established in the

Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP).




       In accordance with the provisions of article 85 of the LPACAP, in the event of
that the sanction to impose was a fine, you may recognize your responsibility within
of the term granted for the formulation of allegations to this initiation agreement; the

which will entail a reduction of 20% of the sanction to be imposed in
this procedure. With the application of this reduction, the sanction would be

established at 48,000 euros, resolving the procedure with the imposition of this
sanction.




       In the same way, you may, at any time prior to the resolution of the
present procedure, carry out the voluntary payment of the proposed sanction,
which will mean a reduction of 20% of its amount. With the application of this

reduction, the penalty would be set at 48,000 euros and its payment will imply the
termination of the procedure.




       The reduction for the voluntary payment of the penalty is cumulative to that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/16








corresponds to apply for the recognition of responsibility, provided that this
acknowledgment of responsibility is revealed within the term

granted to formulate allegations at the opening of the procedure. The pay
Voluntary amount of the amount referred to in the previous paragraph may be done at any

time before resolution. In this case, if applicable, apply both
reductions, the amount of the penalty would be set at 36,000 euros.




       In any case, the effectiveness of either of the two mentioned reductions
It will be conditioned to the withdrawal or resignation of any action or remedy in progress.
administrative against the sanction.




       In the event that you choose to proceed to the voluntary payment of any of the
amounts indicated above, 48,000 euros or 36,000 euros, you must do so

cash by entering account number ES00 0000 0000 0000 0000 0000 open
on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK,

S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the cause of reduction of the amount to which
welcomes.




       Likewise, you must send proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

entered.



       The procedure will have a maximum duration of nine months from

the date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.



       Finally, it is pointed out that in accordance with the provisions of article 112.1 of the

LPACAP, against this act there is no administrative appeal.



Mar Spain Martí


Director of the Spanish Agency for Data Protection



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/16








>>

SECOND: On November 21, 2020, the defendant has proceeded to pay

the penalty in the amount of 36,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the
acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process

administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.

                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection

is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the

information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                            II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction, but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the

compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.

The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/16








The percentage of reduction foreseen in this section may be increased

regulations.

In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:


FIRST: DECLARE the termination of procedure PS / 00219/2019, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA
ARGENTARIA, S.A ..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal

administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                 936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection




























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es