AN - 0000104/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 71: Line 71:


=== Facts ===
=== Facts ===
On 11 December 2020, the Spanish DPA jointly decided on 5 complaints made by different data subjects against BBVA (PS/00070/2019). In short, of the 5 complaints: 1 concerned the obligation to sign the privacy policy to unblock a bank account; 1 referred to the impossibility of rejecting data processing when agreeing with the privacy policy; another 3 were related to receiving advertising messages without prior consent (which the bank claimed to have collected through its privacy policy).  
On 11 December 2020, the Spanish DPA jointly decided on 5 complaints made by different data subjects against BBVA ([[AEPD - PS/00070/2019|PS/00070/2019]]). In short, of the 5 complaints: 1 concerned the obligation to sign the privacy policy to unblock a bank account; 1 referred to the impossibility of rejecting data processing when agreeing with the privacy policy; another 3 were related to receiving advertising messages without prior consent (which the bank claimed to have collected through its privacy policy).  


As seen, all the complaints referred to the bank's privacy, to which consumers were required to consent in order to contract banking and financial services. For this reason, the DPA understood that the violation was not limited to the illegal processing of data of the 5 data subjects. In its view, the privacy policy itself was illegal, violating the GDPR and, by extension, the bank's entire set of customers. Based on this understanding, it gathered the complaints for joint decision and instituted a sanctioning procedure with the purpose of investigating BBVA's privacy policy and assess how consent was being obtained.  
As seen, all the complaints referred to the bank's privacy, to which consumers were required to consent in order to contract banking and financial services. For this reason, the DPA understood that the violation was not limited to the illegal processing of data of the 5 data subjects. In its view, the privacy policy itself was illegal, violating the GDPR and, by extension, the bank's entire set of customers. Based on this understanding, it gathered the complaints for joint decision and instituted a sanctioning procedure with the purpose of investigating BBVA's privacy policy and assess how consent was being obtained.  


At the end of the procedures, the DPA found a violation of Articles 12, 13 and 14 GDPR, due to the absence of clear information in the bank's privacy policy, and imposed a fine of €2.000.000. It also found a violation of Article 6 and imposed a second fine, of €3.000.000.  Finally, the DPA ordered BBVA to amend its privacy policy in order to ensure that each processing operation relies on a valid legal basis and to provide sufficient information to its customers. This was the first multimillion-euro fine imposed by the AEPD and received  and received a lot of attention from privacy professionals and those interested in data protection.
At the end of the procedures, the DPA found a violation of [[Article 12 GDPR|Articles 12]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]], due to the absence of clear information in the bank's privacy policy, and imposed a fine of €2.000.000. It also found a violation of Article 6 and imposed a second fine, of €3.000.000.  Finally, the DPA ordered BBVA to amend its privacy policy in order to ensure that each processing operation relies on a valid legal basis and to provide sufficient information to its customers. This was the first multimillion-euro fine imposed by the AEPD and received a lot of attention from privacy professionals and those interested in data protection.


The bank filed a judicial appeal against the DPA decision. In summary, it alleged that the procedure initiated by the DPA violated its right of defense provided for in Law n. 39/2015. According to BBVA, the initiation of investigation represents a pre-judgment of guilt and violates the presumption of innocence, as the investigation order comes from a hierarchical superior, contaminating the action of the inspector responsible for the investigation.
The bank filed a judicial appeal against the DPA decision. In summary, it alleged that the procedure initiated by the DPA violated its right of defense provided for in [https://www.boe.es/buscar/pdf/2015/BOE-A-2015-10565-consolidado.pdf Law n. 39/2015] (National Administrative Procedure Law). Article 63(1) of this law establishes that competent bodies can, by agreement, initiate ex officio sanctioning procedures. However, there must be a clear separation between the investigative and sanctioning phases, conducted by different bodies. In the specific case, the bank claimed that the investigation order came from the sanctioning body itself, which was the hierarchical superior of the body in charge of the investigation. Thus, it argues that the investigation was contaminated.


=== Holding ===
=== Holding ===
The Spanish National Court highlighted that, according to Recital 129 GDPR, the powers of the supervisory authorities must be exercised in accordance with adequate procedural guarantees established in the Law of the Union and the Member States. Thus, it took Article 63(2) LOPDGDD as a starting point.  This article establishes that procedures carried out by the Spanish DPA shall be governed by the provisions of the GDPR and, secondarily, by the national norms on administrative procedures. The Court acknowledges that the DPA can launch an ex officio investigation to determine the existence of a violation as provided for by Article 65(2) of the same law.  However, Article 63(1) of Law 39/2015 (Administrative Procedures Law), also applicable pursuant to the aforementioned provision, requires that ex officio investigations be initiated upon agreement by the competent body.
The Spanish National Court highlighted that, according to Recital 129 GDPR, the powers of the supervisory authorities must be exercised in accordance with adequate procedural safeguards set out in Union and Member State law. Thus, it took [https://www.boe.es/buscar/pdf/2018/BOE-A-2018-16673-consolidado.pdf Article 63(2) LOPDGDD] (Personal Data Protection and Digital Rights) a starting point.  This article establishes that procedures carried out by the Spanish DPA shall be governed by the provisions of the GDPR and, secondarily, by the national norms on administrative procedures.  


In the case at hand, the National Court saw a total disconnection between the object of the procedure initiated by the DPA and the complaints made by the data subjects. For the judges, the complaints related to concrete and individual violations, but, from that point on, the DPA initiated a sort of general review of BBVA's performance. In other words, they held that the allusion to the bank's privacy policy in relation to certain facts, empowers the DPA to investigate said facts or the "reason for the complaint" as indicated in article 57 (1)(f) GDPR. However, it does not allow the DPA to open a disciplinary proceeding against the controller as a result of the complaint.
The Court acknowledged that the DPA can launch an ex officio investigation to determine the existence of a violation as provided for by Article 64(2) of the same law. However, Article 63(1) of [https://www.boe.es/buscar/pdf/2015/BOE-A-2015-10565-consolidado.pdf Law 39/2015] (National Administrative Procedure Law), also applicable pursuant to [https://www.boe.es/buscar/pdf/2018/BOE-A-2018-16673-consolidado.pdf Article 63(2) LOPDGDD], requires that these procedures have proper separation between the investigation and the sanctioning phases, which will be entrusted to different bodies. Accepting the bank's allegations, the Court found that these procedural rules were not respected.


The Court stressed the relevance of the principle of legality, provided for in Article 25(1) of the Spanish Constitution, within the scope of sanctioning administrative procedures. It referred to a Supreme Court precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". Similarly, the assessment of the evidence must be done in line with the principle of the presumption of innocence. Thus, the National Court understood that the DPA should be limited to proven facts. In its understanding, the facts do not lead to the conclusion that the mere existence of the privacy policy violated the GDPR. Finally, it reinforced that the GDPR does not provide for the sanctioning of potential violations and considered that 5 complaints in a universe of thousands of consumers is not representative of a generalized violation.
Moreover, the Court saw a total disconnection between the object of the procedure initiated by the DPA and the complaints made by the data subjects. It stressed that [[Article 57 GDPR#1f|Article 57 (1)(f) GDPR]] enables DPAs to handle complaints lodged data subjects and investigate, to the extent appropriate, the subject matter of the complaint. However, it does not allow the DPA to open a sanctioning proceeding against the controller as a result of the complaint. For the judges, the complaints related to concrete and individual violations, but, from that point on, the DPA initiated a sort of general review of BBVA's performance. In the Court's view, the allusion to the bank's privacy policy in relation to certain facts empowers the DPA to investigate said facts or the "subject matter of the complaint" as indicated in the aforementioned article .
 
Furthermore, the Court stressed the relevance of the principle of legality, provided for in Article 25(1) of the [https://www.boe.es/buscar/pdf/1978/BOE-A-1978-31229-consolidado.pdf Spanish Constitution], within the scope of sanctioning administrative procedures. It referred to a Supreme Court precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the National Court understood that the mere existence of a privacy policy does not correspond to any concrete violation provided for in the legal system and, therefore, is not subject to sanction.
 
Finally, the Court held that the evaluation of the evidence by the DPA must be carried out in compliance with the principle of the presumption of innocence, which limits its action to the facts proven in the course of the procedure. In its understanding, the facts do not lead to the conclusion that the privacy policy violated the rights of an entire universe of consumers, not least because a small number of complaints cannot be taken as representative of thousands of bank clients.


Therefore, the Court annulled the DPA's decision holding that it was not in accordance with the law.
Therefore, the Court annulled the DPA's decision holding that it was not in accordance with the law.

Revision as of 10:07, 19 April 2023

AN - 0000104/2021
Courts logo1.png
Court: AN (Spain)
Jurisdiction: Spain
Relevant Law: Article 57(1)(f) GDPR
Article 63(1) Law 39/2015
Articles 63(2) and 65(2)
Decided: 23.12.2022
Published:
Parties: BBVA
National Case Number/Name: 0000104/2021
European Case Law Identifier:
Appeal from: AEPD (Spain)
PS/00070/2019
Appeal to: Unknown
Original Language(s): Spanish
Original Source: Audiencia Nacional (in Spanish)
Initial Contributor: Bernardo Armentano

A Spanish Court annuled a millionaire fine imposed on BBVA. It held that the DPA violated principles of the sanctioning procedure, as there was a disconnection between the original complaints and the investigation on the bank's privacy policy.

English Summary

Facts

On 11 December 2020, the Spanish DPA jointly decided on 5 complaints made by different data subjects against BBVA (PS/00070/2019). In short, of the 5 complaints: 1 concerned the obligation to sign the privacy policy to unblock a bank account; 1 referred to the impossibility of rejecting data processing when agreeing with the privacy policy; another 3 were related to receiving advertising messages without prior consent (which the bank claimed to have collected through its privacy policy).

As seen, all the complaints referred to the bank's privacy, to which consumers were required to consent in order to contract banking and financial services. For this reason, the DPA understood that the violation was not limited to the illegal processing of data of the 5 data subjects. In its view, the privacy policy itself was illegal, violating the GDPR and, by extension, the bank's entire set of customers. Based on this understanding, it gathered the complaints for joint decision and instituted a sanctioning procedure with the purpose of investigating BBVA's privacy policy and assess how consent was being obtained.

At the end of the procedures, the DPA found a violation of Articles 12, 13 and 14 GDPR, due to the absence of clear information in the bank's privacy policy, and imposed a fine of €2.000.000. It also found a violation of Article 6 and imposed a second fine, of €3.000.000. Finally, the DPA ordered BBVA to amend its privacy policy in order to ensure that each processing operation relies on a valid legal basis and to provide sufficient information to its customers. This was the first multimillion-euro fine imposed by the AEPD and received a lot of attention from privacy professionals and those interested in data protection.

The bank filed a judicial appeal against the DPA decision. In summary, it alleged that the procedure initiated by the DPA violated its right of defense provided for in Law n. 39/2015 (National Administrative Procedure Law). Article 63(1) of this law establishes that competent bodies can, by agreement, initiate ex officio sanctioning procedures. However, there must be a clear separation between the investigative and sanctioning phases, conducted by different bodies. In the specific case, the bank claimed that the investigation order came from the sanctioning body itself, which was the hierarchical superior of the body in charge of the investigation. Thus, it argues that the investigation was contaminated.

Holding

The Spanish National Court highlighted that, according to Recital 129 GDPR, the powers of the supervisory authorities must be exercised in accordance with adequate procedural safeguards set out in Union and Member State law. Thus, it took Article 63(2) LOPDGDD (Personal Data Protection and Digital Rights) a starting point. This article establishes that procedures carried out by the Spanish DPA shall be governed by the provisions of the GDPR and, secondarily, by the national norms on administrative procedures.

The Court acknowledged that the DPA can launch an ex officio investigation to determine the existence of a violation as provided for by Article 64(2) of the same law. However, Article 63(1) of Law 39/2015 (National Administrative Procedure Law), also applicable pursuant to Article 63(2) LOPDGDD, requires that these procedures have proper separation between the investigation and the sanctioning phases, which will be entrusted to different bodies. Accepting the bank's allegations, the Court found that these procedural rules were not respected.

Moreover, the Court saw a total disconnection between the object of the procedure initiated by the DPA and the complaints made by the data subjects. It stressed that Article 57 (1)(f) GDPR enables DPAs to handle complaints lodged data subjects and investigate, to the extent appropriate, the subject matter of the complaint. However, it does not allow the DPA to open a sanctioning proceeding against the controller as a result of the complaint. For the judges, the complaints related to concrete and individual violations, but, from that point on, the DPA initiated a sort of general review of BBVA's performance. In the Court's view, the allusion to the bank's privacy policy in relation to certain facts empowers the DPA to investigate said facts or the "subject matter of the complaint" as indicated in the aforementioned article .

Furthermore, the Court stressed the relevance of the principle of legality, provided for in Article 25(1) of the Spanish Constitution, within the scope of sanctioning administrative procedures. It referred to a Supreme Court precedent according to which this principle "is translated into the imperative requirement of normative predetermination of illegal behaviors and the corresponding sanctions". In the case under analysis, the National Court understood that the mere existence of a privacy policy does not correspond to any concrete violation provided for in the legal system and, therefore, is not subject to sanction.

Finally, the Court held that the evaluation of the evidence by the DPA must be carried out in compliance with the principle of the presumption of innocence, which limits its action to the facts proven in the course of the procedure. In its understanding, the facts do not lead to the conclusion that the privacy policy violated the rights of an entire universe of consumers, not least because a small number of complaints cannot be taken as representative of thousands of bank clients.

Therefore, the Court annulled the DPA's decision holding that it was not in accordance with the law.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database will be able to consult the documents as long as they do so for their private use. The use of the database for commercial purposes is not allowed, nor is the massive download of information. The reuse of this information for the preparation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may lead to the adoption of the appropriate legal measures.