Banco Bilbao Vizcaya Argentaria, S.A. – €5,000,000 Fine (Spain, 2020)

€5,000,000Agencia Española de Protección de Datos11 December 2020Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Banco Bilbao Vizcaya Argentaria was fined EUR 5 million for not getting proper consent from customers to use their data and for unclear privacy policies. The bank didn't clearly explain what data they were collecting or why. This case is important because it shows that companies must be transparent and clear about data usage.

What happened

Banco Bilbao Vizcaya Argentaria failed to obtain proper consent and provided unclear information in its privacy policy.

Who was affected

Customers of Banco Bilbao Vizcaya Argentaria whose personal data was processed without clear consent or information.

What the authority found

The Spanish DPA ruled that the bank violated GDPR by not obtaining valid consent and failing to provide clear privacy information.

Why this matters

This highlights the importance of clear communication and consent in data processing. Businesses should ensure their privacy policies are transparent and that they have explicit consent from users.

GDPR Articles Cited

AI-verified

Art. 6 GDPR
Art. 13 GDPR
View original scraped data
Art. 6 GDPR
Art. 13 GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll Banco Bilbao Vizcaya Argentaria, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) fined Banco Bilbao Vizcaya Argentaria, S.A. EUR 5,000,000 for violating Art. 6 GDPR (EUR 3,000,000) and Art. 13 GDPR (EUR 2,000,000). The bank had not implemented a specific mechanism to obtain the consent of the customers to process their data. Furthermore, it did not use precise terminology in its privacy policy, nor did it provide adequate information about the type of personal data that might be processed. In particular the AEPD notes that the purpose and legal basis for data processing are not sufficiently identifiable in the privacy statement.

Related Enforcement Actions (2)

Other enforcement actions involving Banco Bilbao Vizcaya Argentaria, S.A. in ES

Current
Dec 2020

Fine

€5.0M

Fine
Dec 2020· Agencia Española de Protección de Datos

The Spanish DPA (AEPD) fined the financial and credit institution Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) with a fine in the amount of EUR 36,000...

€36K
Fine
Sept 2023· Agencia Española de Protección de Datos

In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, ...

€70K

Details

Fine Date

11 December 2020

Authority

Agencia Española de Protección de Datos

Fine Amount

€5,000,000

Enforcement Tracker ID

ETid-481

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Banco Bilbao Vizcaya Argentaria, S.A. - Spain (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: