BBVA – Court Ruling (Spain, 2022)

Court Ruling
Agencia Española de Protección de Datos, 23 December 2022, Spain
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

A Spanish court found that the DPA overstepped by launching a broad investigation into BBVA's data policies instead of focusing on specific complaints. This ruling limits the scope of investigations to the original complaints, ensuring fairness in enforcement actions. Companies can expect investigations to stay focused on the issues initially raised.

What happened

The court found that the Spanish DPA improperly expanded its investigation into BBVA's data protection practices beyond the initial complaints.

Who was affected

BBVA and its customers who were involved in the initial complaints about data handling.

What the authority found

The court ruled that the DPA should have limited its investigation to the specific complaints made by individuals, rather than conducting a broad review of BBVA's data policies.

Why this matters

This decision reinforces that regulatory investigations should stay within the scope of the original complaints, providing businesses with clearer expectations of enforcement processes.

GDPR Articles Cited

Decision Authority: AN
Reviewed Authority: AEPD (Spain)
Full Legal Summary

This decision is the result of an appeal against a Spanish DPA (AEPD) decision (a summary is available on GDPRhub) which fined Banco Bilbao Vizcaya Argentaria, SA (BBVA) a total of €5,000,000 for violating Articles 6, 13 and 14 of the GDPR. The bank filed a judicial appeal against the DPA decision.

Among other aspects, BBVA claimed that there was a total disconnection between the object of the procedure by the DPA and the complaints made by the data subjects. It argued that the DPA used specific and individual facts and complaints as an excuse to initiate a sort of general review of BBVA's practices and their data protection policy.

While rejecting some of BBVA's arguments, the Court agreed that there is a relevant disconnection between the initial complaints and the final DPA decision. The Court stressed that Article 57(1)(f) GDPR enables the DPA to investigate facts or the subject matter of the complaint. However, the Court considered that this would not cover the opening of a general procedure against the data protection policy itself. In its reasoning, it referred to one of its previous decisions from 23 April 2019 (Rec. 88/2017), in which it defined criteria for the application of the principles of the administrative sanctioning procedure within the scope of the DPA.

In the case at hand, the judges agreed that the DPA failed: (i) to examine the facts reported in the complaints; (ii) to make an assessment of the evidence in relation to those facts; and (iii) to link the facts to the data protection policy document. Rather, they found that the DPA opened a general investigation into the data protection policy of BBVA. In the Court's view, the DPA was bound by the facts of the data subject complaints. Therefore, the DPA is (at least initially) limited to investigating said facts or the "subject matter of the complaint". The Court invoked the principle of legality, provided for in Article 25(1) of the [https://www.boe.es/buscar/pdf/1978/BOE-A-1978-31229-c

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Details

Ruling Date

23 December 2022

Authority

Agencia Española de Protección de Datos

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. BBVA - Spain (2022). Retrieved from cookiefines.eu
