Banco Bilbao Vizcaya Argentaria, S.A. – €70,000 Fine (Spain, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Banco Bilbao Vizcaya Argentaria was fined €70,000 after a third party withdrew €9,400 from a customer's account using a lost ID card without proper verification. This ruling emphasizes the need for banks to have strong security measures in place to protect customers' money.
What happened
A third party withdrew €9,400 from a customer's account using a lost ID card without proper identity verification.
Who was affected
The customer whose ID card was lost and whose money was withdrawn without authorization was affected.
What the authority found
The Spanish data protection authority found that the bank failed to implement adequate security measures to verify the customer's identity, violating data protection rules.
Why this matters
This case serves as a warning to banks and financial institutions about the importance of verifying customer identities. It shows that negligence in security can lead to significant penalties.
GDPR Articles Cited
In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, a total of €9,400, without his authorization or consent. The withdrawal was made in person at the local bank branch and required the third party's signature. The third party was able to withdraw the money even though their signature did not correspond to the signature on the data subject's ID card.
The DPA seemed to infer that identifying a client at a bank merely in order to provide them with a banking service involves a processing operation that must be carried out in compliance with Article 32 GDPR. The Spanish DPA considered that the bank had failed to adopt appropriate security measures by not verifying the data subject's identity in a reliable manner. As highlighted by the AEPD, this was negligence that would have been avoided had the available protocols been followed correctly, for example by correctly comparing and verifying both the photograph and the signature of the document that was presented in the request. By not using appropriate technical and organisational measures to ensure a level of security appropriate to the risk, the controller violated Article 6 and Article 32 GDPR.
Details
Fine Date: 12 September 2023
Authority: Agencia Española de Protección de Datos
Fine Amount: €70,000
Enforcement Tracker ID: ETid-1477
GDPRhub ID: gdprhub-6267
Cite as: Cookie Fines. Banco Bilbao Vizcaya Argentaria, S.A. - Spain (2023). Retrieved from cookiefines.eu