MADRID, 13 Nov. (EUROPA PRESS) -
BBVA has paid a fine of 48,000 euros to the Data Protection Agency after a bank user "mistakenly" received a document containing third-party data, as explained in the resolution of the sanctioning procedure initiated against the bank, which Europa Press has consulted.
The resolution details that in October 2021 a user requested from the bank a certificate of ownership of his account through the BBVA 'app' and received, instead, a copy of a third party's contract. The client reported the incident and his concern about data protection, to which the bank responded with an apology, stating that it was an "operational error".
However, the user kept corresponding with the bank to point out that he still had access to the document, which remained available in the contact chat he had with the bank itself. The bank, for its part, told the claimant that it was not possible to remove the document from the conversation.
Subsequently, on November 15, 2021, the client filed a complaint with the Spanish Data Protection Agency against BBVA. The claim was forwarded to the bank so that it could analyze it and inform the agency of the actions taken to comply with the requirements laid down in the data protection regulations.
In February 2022, within the period set, the bank explained to Data Protection that its tool for putting clients in contact with their managers ('My Conversations') is a "secure" channel, in a "logged in" environment, that provides access to the history of conversations in order to "guarantee the transparency and traceability" of all operations.
In the letter sent to the agency, the bank acknowledges that "a one-off, human error" was made when attaching the contract containing third-party data, and that it is "an isolated event, with no evidence of other claims by the affected people". The bank regrets the mistake and tells Data Protection that at the very moment the claimant alerted his manager to the error, the manager apologized, as he did in the subsequent communications between the two.
"BBVA has removed the client's access to the contract file. Although the conversation between the manager and the client is preserved, the link to the file has been removed so that the client cannot download or view the document", the bank added in its submission.
Despite this defense, the Data Protection Agency decided to admit the claim for processing and open a sanctioning procedure against BBVA, as the incident constitutes a "security breach" of personal data. Specifically, it explains that there is evidence that the personal data of a BBVA customer held in its database "were unduly exposed to the complaining party."
In addition, it indicates that, at the time of the breach, BBVA did not have adequate technical and organizational measures in place to prevent the sending of a link giving access to a third party's contract, thus exposing a client's personal data from October 2021 to February 2022.
As an aggravating circumstance, Data Protection points out that BBVA's financial activity and its large number of customers entail the handling of "a large number of personal data", which implies that it has "sufficient experience and should have adequate knowledge to process such data".
Given this situation, the Data Protection Agency proposes an administrative fine of 50,000 euros for infringement of article 5.1.f) of the General Data Protection Regulation (GDPR), classified under article 83.5 of that regulation, and a further administrative fine of 30,000 euros for infringement of article 32 of the GDPR, classified under article 83.4.
In the sanctioning procedure, Data Protection recalls that the bank may acknowledge its responsibility within a period of ten days, which would entail a 20% reduction in the sanction. The fine would thus be reduced from 80,000 euros to 64,000 euros.
In addition, it also allows the bank to pay the penalty voluntarily, which would bring a further 20% reduction, lowering the penalty to 48,000 euros. The bank is thus given the option of voluntarily paying either of the two amounts, 64,000 or 48,000 euros.
Finally, on September 23, 2022, BBVA paid 48,000 euros, making use of the two reductions offered by the Data Protection Agency, which "implies the acknowledgement of responsibility", entails the waiver of any administrative action or appeal against the sanction, and brings the sanctioning procedure to a close.