BANCO BILBAO VIZCAYA ARGENTARIA, S.A. – €120,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Banco Bilbao Vizcaya Argentaria, S.A. was fined €120,000 for not providing accurate information about a person's credit card debt. This mistake meant the person didn't know they were included in a solvency file, which can affect their ability to get credit. This case highlights the importance of keeping accurate records and notifying individuals properly.
What happened
Banco Bilbao Vizcaya Argentaria, S.A. failed to provide the correct address for notifying a person about their inclusion in a solvency file.
Who was affected
The person whose credit card debt information was incorrectly handled by Banco Bilbao Vizcaya Argentaria, S.A.
What the authority found
The Spanish Data Protection Authority found that the bank violated the requirement for accuracy in personal data processing under GDPR.
Why this matters
This ruling emphasizes that companies must ensure accurate data handling and proper notifications to individuals. Businesses should review their data accuracy practices to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 13 November 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Bilbao Vizcaya Argentaria, S.A. (the controller). The controller solicited ASNEF-Equifax, a solvency data collector, to include the data subject’s information concerning a credit card debt in its solvency file. The data subject claimed that this was done without prior notice because the postal address to which ASNEF-Equifax was meant to send notice was incomplete and not the exact address of the data subject. The data subject became aware of the processing when they were denied credit from other financial institutions. On 13 August 2021, ASNEF-Equifax mailed the data subject a notification of their inclusion in its solvency file. It sent the notification to the address cosigned by controller. This was the address that the controller had registered as the data subject’s, and that it had sent payment demands to for the credit card in question. On 29 October 2021, ASNEF-Equifax received the mailed notification back due to incorrect delivery. ASNEF-Equifax then requested a confirmation of the mailing information from the controller, which indicated that the address was correct. By not providing the exact address of the data subject, the controller caused a serious damage to the data subject because it was not made aware of its inclusion in solvency files. The AEPD thus found that the controller violated the principle of accuracy pursuant to Article 5(1)(d) GDPR. The AEPD recommended a sanction of €200,000. Pursuant to [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015,] a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,00
Related Enforcement Actions (2)
Other enforcement actions involving BANCO BILBAO VIZCAYA ARGENTARIA, S.A. in ES
Fine
€120K
Details
Fine Date
27 July 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
Enforcement Tracker ID
ETid-819
GDPRhub ID
gdprhub-3908About this data
Cite as: Cookie Fines. BANCO BILBAO VIZCAYA ARGENTARIA, S.A. - Spain (2021). Retrieved from cookiefines.eu
Last updated: