Spain: AEPD fines BBVA €70,000 for processing personal data without legal basis
The Spanish data protection authority ('AEPD') published, on 2 August 2022, its decision in Proceeding No. PS-00142-2022, in which it imposed a fine of €70,000, which was subsequently reduced to €42,000, on Banco Bilbao Vizcaya Argentaria, S.A. ('BBVA'), for violations of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an individual's complaint.
Background to the decision
In particular, the AEPD noted that the complainant has requested since 2014 that BBVA not send any stock market investment report to their address.
Findings of the AEPD
Following its investigation, the AEPD found that the complainant had requested that the information regarding the investment funds be sent to them through email and not by post, and that BBVA did not meet this obligation, continuing to process the personal data of the complainant systematically and continuously in the workplace without taking care to remain compliant with data protection obligations. Accordingly, the AEPD determined that BBVA had violated Article 6 of the GDPR.
In light of the above, the AEPD imposed a fine of €70,000 for the aforementioned violation. However, the AEPD provided that, due to voluntary payment and an admission of responsibility, the fine on BBVA was reduced to €42,000.
You can read the decision, only available in Spanish, here.