The Spanish Data Protection Authority imposes the highest fine in its history on BBVA bank: 5 million euros!

Last month, the Spanish Data Protection Authority (AEPD) imposed the highest fine in its history, 5 million euros, on the BBVA bank (PS/00070/2019, https://www.aepd.es/es/documento/ps-00070-2019.pdf). The decision arose from five complaints in which the affected persons claimed to have received commercial communications after having previously refused them, and claimed that consent for the processing of their data had not been given freely and in an informed manner.

What is each of the complaints about?


1st complaint: the complainant explains that a promotional SMS was sent to his mobile phone without his having authorized the sending of such messages, and despite his being enrolled in the Robinson List.
2nd complaint: the complainant claims that the BBVA App for Android does not meet the legal requirements for free and informed consent. He explains that, through a pop-up, the App required a consent whose scope was only set out on another, linked page, on which the option to transfer data to third parties was enabled by default.
3rd complaint: the complainant notes that, in order to unlock his account, he had to sign the personal data protection document, which was sent to him electronically, and that he had no way of reviewing the options for the processing of his information.
4th complaint: the complainant complains that, on the pretext of his having been informed by a document he never signed, BBVA sends him commercial communications that he has neither requested nor authorized. He adds that, after measures were adopted to stop the commercial communications, the emails ceased but he continued to receive SMS messages, which offered no unsubscribe mechanism.
5th complaint: the complainant states that he received phone calls and advertising SMS messages offering insurance, credit cards and bill financing, even though he had exercised his right to object to the transfer of his data for promotional purposes.

Which articles does the AEPD find BBVA to have violated?


The AEPD does not base the fine on each of the complaints individually. Instead, it analyzes the document BBVA used for the collection and processing of personal data after May 25, 2018 (the date from which the GDPR applies), called “Declaración de actividad económica y política de protección de datos personales”. The reason is that the processing of the data of the five complainants (and of other BBVA customers) rests on this document: through it, BBVA sets out the terms applicable to the protection of personal data and the way in which data subjects give their consent.
After analyzing the content of the “Declaración de actividad económica y política de protección de datos personales” (its contents can be read on pages 117 et seq. of PS/00070/2019), the AEPD imposes two fines, totaling EUR 5 million, for infringement of the following articles:


Fine of EUR 2 million for infringement of Articles 13 and 14 GDPR (information to be provided to the data subject), as provided in Article 83.5(b) GDPR and classified as minor (“leve”) in Article 74(a) LOPDGDD. The reasons are:
- Use of vague terminology to define the privacy policy.
- Insufficient information on the categories of personal data to be processed, especially the data BBVA claims to obtain from the customer’s use of products, services and channels; the economic and solvency data obtained from products contracted with BBVA or of which BBVA is a distributor; and the personal data to be transferred to BBVA Group companies.
- Failure to comply with the obligation to inform about the purpose of the processing and the legal basis that legitimizes it, especially for the processing of personal data that BBVA bases on legitimate interest.
- Insufficient information on the type of profiles to be created and the specific uses to which they will be put.

Fine of EUR 3 million for infringement of Article 6 GDPR (lawfulness of processing), as provided for in Article 83.5(a) GDPR and classified as very serious for limitation purposes in Article 72.1(b) LOPDGDD. The reasons are:
- There is no specific mechanism for collecting customers’ consent to the processing of their personal data. The data subject’s only option is to tick a box recording his objection to the processing.
- Non-compliance with the requirements for obtaining specific, unequivocal and informed consent.

What does the AEPD request from BBVA in its resolution?

The AEPD urges BBVA to bring into line with data protection regulations the processing operations it carries out, the information it offers its customers, and the procedure by which customers give their consent to the collection and processing of their personal data.


Could BBVA appeal the resolution?

The AEPD’s decision may be appealed before the Audiencia Nacional (contentious-administrative appeal) within 2 months from the day following notification of the decision, and BBVA has said it intends to do so. If it is appealed, annulment is not foreseeable, but the amount of the penalty could be considerably reduced.