BANCO BILBAO VIZCAYA ARGENTARIA – €120,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject was an employee of the controller and the employment relationship ended in September 2021. Upon termination of the employment relationship, the data subject was given the option to retain the work phone for personal use according to the contractual terms of the purchase agreement. After a few months of use in June 2022, the data subject was suddenly unable to use the device which showed a notice stating that the phone is being administered remotely by the controller and that corporate credentials must be entered for further use. The data subject contacted the controller who responded with instructions to reset the phone entirely. The data subject however wanted to retrieve their personal data and did not restore the phone to factory settings. On the 13 February 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, Banco Bilbao Vizcaya Argentaria. On the 7 October 2024, the AEPD initiated disciplinary proceedings against the controller who argued that the purchase contract governing the transfer of the work phone to private use gave it the right to delete data off the phone. While the purchase contract granted the controller the right to delete all data contained in corporate applications at any time during or after the employment relationship, it did not give the controller the right to delete other personal data not contained in corporate applications. Therefore, the AEPD held that the controller could not rely on a lawful basis under Article 6(1) GDPR for the processing of the data in the form of erasure. The AEPD initially set the fine at €200,000. Pursuant to [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015], a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject was an employee of the controller and the employment relationship ended in September 2021. Upon termination of the employment relationship, the data subject was given the option to retain the work phone for personal use according to the contractual terms of the purchase agreement. After a few months of use in June 2022, the data subject was suddenly unable to use the device which showed a notice stating that the phone is being administered remotely by the controller and that corporate credentials must be entered for further use. The data subject contacted the controller who responded with instructions to reset the phone entirely. The data subject however wanted to retrieve their personal data and did not restore the phone to factory settings. On the 13 February 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, Banco Bilbao Vizcaya Argentaria. On the 7 October 2024, the AEPD initiated disciplinary proceedings against the controller who argued that the purchase contract governing the transfer of the work phone to private use gave it the right to delete data off the phone. While the purchase contract granted the controller the right to delete all data contained in corporate applications at any time during or after the employment relationship, it did not give the controller the right to delete other personal data not contained in corporate applications. Therefore, the AEPD held that the controller could not rely on a lawful basis under Article 6(1) GDPR for the processing of the data in the form of erasure. The AEPD initially set the fine at €200,000. Pursuant to [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015], a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine
Related Enforcement Actions (0)
No other enforcement actions found for BANCO BILBAO VIZCAYA ARGENTARIA in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 November 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
GDPRhub ID
gdprhub-8580About this data
Cite as: Cookie Fines. BANCO BILBAO VIZCAYA ARGENTARIA - Spain (2024). Retrieved from cookiefines.eu
Last updated: