Spain: AEPD fines BBVA €140,000 for processing personal data without legal basis
The Spanish data protection authority ('AEPD') published, on 4 April 2023, its decision in Proceeding No. PS/00678/2022, in which it imposed a fine of €140,000 on Banco Bilbao Vizcaya Argentaria, S.A. ('BBVA'), which was subsequently reduced to €84,000, for violations of Articles 6(1) and 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.
Background to the decision
The AEPD stated that the complainant, a former client of BBVA, alleged that BBVA had processed their personal data without a legal basis and had not properly addressed the complainant's data access request.
Findings of the AEPD
Following its investigation, the AEPD found that BBVA violated Articles 6(1) and 15 of the GDPR. Notably, the AEPD outlined that the complainant, despite having ceased to be a client of BBVA in 2012, learned in September 2021 that they had two debts registered to their name in the Risk Information Center of the Bank of Spain. In relation to the exercise of the right of access, the AEPD explained that the available evidence revealed that BBVA had requested more information from the complainant in order to recover the recordings, which constituted an undue burden on the data subject for the satisfaction of their request.
As a result, the AEPD imposed a €140,000 fine on BBVA, which was reduced by 20% because BBVA acknowledged its liability within ten days from the execution of the decision, and was subsequently reduced by another 20% for the voluntary payment of the fine, bringing the total amount of the fine down to €84,000.
You can read the decision, only available in Spanish, here.