BANCO BILBAO VIZCAYA ARGENTARIA, S.A. – €120,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Banco Bilbao Vizcaya Argentaria, S.A. was fined EUR 120,000 for mishandling a customer's credit information. The bank failed to provide the correct address for notifying the customer about their inclusion in a solvency file. This case shows that companies must ensure accurate information is used to protect users' rights.
What happened
Banco Bilbao Vizcaya Argentaria, S.A. incorrectly provided a customer's address to a solvency data collector.
Who was affected
A customer whose credit information was mishandled and not properly notified.
What the authority found
The Spanish DPA found that the bank violated the accuracy principle under Article 5(1)(d) of GDPR.
Why this matters
This ruling emphasizes the need for companies to maintain accurate customer information. Businesses should verify their data practices to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 13 November 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Bilbao Vizcaya Argentaria, S.A. (the controller). The controller solicited ASNEF-Equifax, a solvency data collector, to include the data subject’s information concerning a credit card debt in its solvency file. The data subject claimed that this was done without prior notice because the postal address to which ASNEF-Equifax was meant to send notice was incomplete and not the exact address of the data subject. The data subject became aware of the processing when they were denied credit from other financial institutions. On 13 August 2021, ASNEF-Equifax mailed the data subject a notification of their inclusion in its solvency file. It sent the notification to the address cosigned by controller. This was the address that the controller had registered as the data subject’s, and that it had sent payment demands to for the credit card in question. On 29 October 2021, ASNEF-Equifax received the mailed notification back due to incorrect delivery. ASNEF-Equifax then requested a confirmation of the mailing information from the controller, which indicated that the address was correct. By not providing the exact address of the data subject, the controller caused a serious damage to the data subject because it was not made aware of its inclusion in solvency files. The AEPD thus found that the controller violated the principle of accuracy pursuant to Article 5(1)(d) GDPR. The AEPD recommended a sanction of €200,000. Pursuant to [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015,] a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,00
Related Enforcement Actions (5)
Other enforcement actions involving BANCO BILBAO VIZCAYA ARGENTARIA, S.A. in ES
Fine
€120K
Details
Fine Date
27 July 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
About this data
Cite as: Cookie Fines. BANCO BILBAO VIZCAYA ARGENTARIA, S.A. - Spain (2021). Retrieved from cookiefines.eu
Last updated: