Spain: AEPD fines BBVA €80,000 for violating integrity and confidentiality principle
The Spanish data protection authority ('AEPD') published, on 10 November 2022, its decision in Proceeding No. PS/00419/2022, in which it imposed a fine of €80,000, subsequently reduced to €48,000, on Banco Bilbao Vizcaya Argentaria, S.A. ('BBVA') for violations of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an individual's complaint.
Background to the decision
In particular, the AEPD noted that the claimant had requested a certificate of ownership for their account from the BBVA but instead received a copy of a third party's contract. Further to this, the AEPD highlighted that the BBVA confirmed that it had made an operational error. Moreover, the AEPD provided that the claimant had informed the BBVA that they continued to have access to the document through the contact chat with the BBVA and that the document had not been deleted. In its decision, the AEPD highlighted that the BBVA has since removed customer access to the contract file and that, although the conversation between the BBVA and the claimant is retained, the link to the file has been removed so that the claimant can no longer download or view the document.
Findings of the AEPD
In its findings, the AEPD confirmed that a personal data security breach occurred in the circumstances described above, categorised as a breach of confidentiality, as the claimant was provided with a contract containing the personal data of a third person. In this regard, the AEPD decided to sanction the BBVA €50,000 for breaching the principle of integrity and confidentiality pursuant to Article 5(1)(f) of the GDPR.
Furthermore, the AEPD emphasised that, at the time the breach occurred, the BBVA did not have adequate technical and organisational measures in place to prevent the third party's contract from being made available. In addition to this, the AEPD decided to sanction the BBVA €30,000 for violating Article 32 of the GDPR.
Outcomes
As a result, the AEPD imposed a fine of €80,000 on the BBVA for violations of Articles 5(1)(f) and 32 of the GDPR. Moreover, the resolution provides that, on 23 September 2022, the BBVA paid the fine in the reduced amount of €48,000, making use of voluntary payment and acknowledging its responsibility.
You can read the decision, only available in Spanish, here.