Spain: AEPD fines BBVA €70,000 for processing personal data without legal basis

The Spanish data protection authority ('AEPD') published, on 2 August 2022, its decision in Proceeding No. PS-00142-2022, in which it imposed a fine of €70,000, which was subsequently reduced to €42,000, on Banco Bilbao Vizcaya Argentaria, S.A. ('BBVA'), for violations of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an individual's complaint.

Background to the decision

In particular, the AEPD noted that the complainant had requested since 2014 that BBVA not send any stock market investment reports to their address.

Findings of the AEPD

Following its investigation, the AEPD found that the complainant had requested that the information regarding the investment funds be sent to them by email and not by post, and that BBVA did not meet this obligation. Instead, BBVA continued to process the complainant's personal data systematically and continuously in the workplace without taking care to remain compliant with data protection obligations. Accordingly, the AEPD determined that BBVA had violated Article 6 of the GDPR.

Outcomes

In light of the above, the AEPD imposed a fine of €70,000 for the aforementioned violation. However, the AEPD provided that, due to voluntary payment and an admission of responsibility, the fine on BBVA was reduced to €42,000.

You can read the decision, only available in Spanish, here.
