Banco Bilbao Vizcaya Argentaria, S.A. – €120,000 Fine (Spain, 2021)

€120,000Agencia Española de Protección de Datos25 August 2021Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Banco Bilbao Vizcaya Argentaria, S.A. failed to provide a correct address for a customer when reporting a credit card debt. This mistake meant the customer didn't know they were included in a solvency file, which hurt their chances of getting credit. The fine of €120,000 shows the importance of accurate data handling.

What happened

The bank provided an incorrect address for a customer to a solvency data collector, leading to the customer's lack of awareness about their debt inclusion.

Who was affected

The affected person was a customer of Banco Bilbao Vizcaya Argentaria, S.A. whose creditworthiness was impacted due to the bank's error.

What the authority found

The Spanish data protection authority found that the bank violated GDPR's accuracy principle by failing to provide the correct address.

Why this matters

This case highlights that companies must ensure accurate data reporting to avoid harming individuals' financial opportunities. Businesses should review their data accuracy practices to prevent similar issues.

GDPR Articles Cited

AI-verified

Art. 32(GDPR)
View original scraped data
Art. 32(GDPR)

Original data from scraper before AI verification against source document.

Source verified 10 March 2026
national law identified
Spain enforcementAgencia Española de Protección de Datos actionsAll Banco Bilbao Vizcaya Argentaria, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) has imposed a fine on Banco Bilbao Vizcaya Argentaria, S.A.. The reason for this had been a complaint from a person relating to a lack of authentication. Accordingly, only the ID number had to be given as identification when providing information by telephone. This could allow any person to call, provide an ID number, and thus receive the information associated with the ID number without any verification that the caller is actually the ID holder. The DPA considered this to be a failure to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the data subjects. The original fine of EUR 200,000 was reduced to EUR 120,000 due to voluntary payment and acknowledgement of guilt.

Related Enforcement Actions (3)

Other enforcement actions involving Banco Bilbao Vizcaya Argentaria, S.A. in ES

Fine
Dec 2020· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) fined Banco Bilbao Vizcaya Argentaria, S.A. EUR 5,000,000 for violating Art. 6 GDPR (EUR 3,000,000) and Art. 13 GDPR (EUR 2,000...

€5.0M
Fine
Dec 2020· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) fined the financial and credit institution Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) with a fine in the amount of EUR 36,000...

€36K
Current
Aug 2021

Fine

€120K

Fine
Sept 2023· Agencia Española de Protección de Datos

In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, ...

€70K

Details

Fine Date

25 August 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€120,000

Enforcement Tracker ID

ETid-819

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Banco Bilbao Vizcaya Argentaria, S.A. - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: