BANCO BILBAO VIZCAYA ARGENTARIA, S.A. – €120,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 13 November 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Bilbao Vizcaya Argentaria, S.A. (the controller). The controller asked ASNEF-Equifax, a solvency data collector, to include the data subject's information concerning a credit card debt in its solvency file. The data subject claimed that this was done without prior notice because the postal address to which ASNEF-Equifax was meant to send notice was incomplete and not the exact address of the data subject. The data subject became aware of the processing when they were denied credit by other financial institutions. On 13 August 2021, ASNEF-Equifax mailed the data subject a notification of their inclusion in its solvency file. It sent the notification to the address consigned by the controller. This was the address that the controller had registered as the data subject's, and to which it had sent payment demands for the credit card in question. On 29 October 2021, ASNEF-Equifax received the mailed notification back due to incorrect delivery. ASNEF-Equifax then requested confirmation of the mailing information from the controller, which indicated that the address was correct. By not providing the exact address of the data subject, the controller caused serious damage to the data subject, because they were not made aware of their inclusion in solvency files. The AEPD thus found that the controller violated the principle of accuracy pursuant to Article 5(1)(d) GDPR. The AEPD recommended a sanction of €200,000. Pursuant to Law 39/2015 (https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565), a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.
GDPR Articles Cited
Fine
€120K
Details
Fine Date
27 July 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€120,000
Enforcement Tracker ID
ETid-819
GDPRhub ID
gdprhub-3908
Cite as: Cookie Fines. BANCO BILBAO VIZCAYA ARGENTARIA, S.A. - Spain (2021). Retrieved from cookiefines.eu