Spain: AEPD fines Banco Bilbao Vizcaya Argentaria €1M for inadequate security measures

On October 20, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00677-2022, in which it imposed a fine of €1 million, subsequently reduced to €800,000, on Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) for violations of the General Data Protection Regulation (GDPR), following a complaint by an individual.

Background to the decision

The AEPD explained that the complainant, a customer of BBVA, had lost her purse, which contained her bank card among other personal effects. The complainant claimed to have subsequently asked BBVA to block all of her banking products. BBVA allegedly failed to act on this request, and in the following weeks third parties used identity theft to access the complainant's banking products, take out loans, and transfer money from her bank accounts.

Findings of the AEPD

The AEPD found that BBVA had violated Article 32 of the GDPR by lacking appropriate security measures, which led to the theft of the complainant's personal data. Additionally, the AEPD determined that BBVA had violated Article 25 of the GDPR by failing to implement the principle of data protection by design in its banking processes.


Accordingly, the AEPD imposed a fine of €1 million on BBVA, the fine was subsequently reduced to €800,000 on account of BBVA's voluntary payment of the fine.

You can read the decision, only available in Spanish, here.