Spain: AEPD fines Banco Bilbao Vizcaya Argentaria €1M for inadequate security measures
On October 20, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00677-2022, in which it imposed a fine of €1 million, subsequently reduced to €800,000, on Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) for violations of the General Data Protection Regulation (GDPR), following a complaint by an individual.
Background to the decision
The AEPD explained that the complainant, a customer of BBVA, had lost her purse, which contained her bank card among other personal effects. The complainant stated that she had subsequently asked BBVA to block all of her banking products. BBVA allegedly failed to act on this request, and in the following weeks third parties impersonating the complainant accessed her banking products, took out loans in her name, and transferred money out of her bank accounts.
Findings of the AEPD
The AEPD found that BBVA had violated Article 32 of the GDPR (security of processing) by lacking appropriate security measures, which led to the theft of the complainant's personal data. Additionally, the AEPD determined that BBVA had violated Article 25 of the GDPR by failing to implement the principle of data protection by design in its banking processes.
Outcome
Accordingly, the AEPD imposed a fine of €1 million on BBVA. The fine was subsequently reduced to €800,000 on account of BBVA's voluntary payment.
The decision is available only in Spanish.