The Spanish Data Protection Authority (AEPD) imposed a €200,000 fine on Banco Bilbao Vizcaya Argentaria, SA (BBVA). The amount was subsequently reduced to €120,000 for violations of the General Data Protection Regulation (GDPR) following a complaint.
The complainant alleged that BBVA asked another company to include the complainant’s personal data in their solvency file. The complainant stated that such inclusion was done without prior notice.
AEPD clarified that the accuracy principle under Article 5(1)(d) of the GDPR requires that personal data collected be accurate and, if necessary, updated. Furthermore, controllers must take all reasonable measures to promptly delete or rectify personal data that is inaccurate concerning the purposes for which it is processed.
AEPD determined that by not providing the complainant’s exact address, BBVA caused significant harm as the complainant could not receive the notification regarding the solvency file. Therefore, BBVA violated the accuracy principle under Article 5(1)(d) of the GDPR.
AEPD imposed a €200,000 fine on BBVA. AEPD stated that BBVA had already paid a fine of €120,000, using the voluntary payment procedure and recognizing its responsibility for the violation.