BANCO BILBAO VIZCAYA ARGENTARIA – €120,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Banco Bilbao Vizcaya Argentaria was fined €120,000 for deleting a former employee's personal data from their work phone without permission. The company mistakenly thought they could erase all data on the phone, but they were only allowed to delete corporate information. This ruling emphasizes that companies must respect personal data rights even after employment ends.
What happened
The bank deleted personal data from a former employee's phone without a valid legal basis.
Who was affected
A former employee of Banco Bilbao Vizcaya Argentaria who used a work phone for personal use.
What the authority found
The AEPD found that the bank could not legally erase the employee's personal data, violating GDPR rules.
Why this matters
This decision highlights the need for companies to understand the limits of their data management rights, particularly when it comes to former employees. Businesses should ensure clear policies are in place regarding personal data on devices.
GDPR Articles Cited
Original scraped data
Original data from scraper before AI verification against source document.
The data subject was an employee of the controller, and the employment relationship ended in September 2021. Upon termination of the employment relationship, the data subject was given the option to retain the work phone for personal use according to the contractual terms of the purchase agreement. After a few months of use, in June 2022, the data subject was suddenly unable to use the device, which showed a notice stating that the phone was being administered remotely by the controller and that corporate credentials must be entered for further use. The data subject contacted the controller, who responded with instructions to reset the phone entirely. The data subject, however, wanted to retrieve their personal data and did not restore the phone to factory settings.
On 13 February 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, Banco Bilbao Vizcaya Argentaria. On 7 October 2024, the AEPD initiated disciplinary proceedings against the controller, which argued that the purchase contract governing the transfer of the work phone to private use gave it the right to delete data from the phone.
While the purchase contract granted the controller the right to delete all data contained in corporate applications at any time during or after the employment relationship, it did not give the controller the right to delete other personal data not contained in corporate applications. Therefore, the AEPD held that the controller could not rely on a lawful basis under Article 6(1) GDPR for the processing of the data in the form of erasure.
The AEPD initially set the fine at €200,000. Pursuant to Law 39/2015 (https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565), a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine
Related Enforcement Actions (0)
No other enforcement actions found for BANCO BILBAO VIZCAYA ARGENTARIA in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 November 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
GDPRhub ID
gdprhub-8580
Cite as: Cookie Fines. BANCO BILBAO VIZCAYA ARGENTARIA - Spain (2024). Retrieved from cookiefines.eu