Spanish courts quash the first multimillion-euro fine imposed by the AEPD
In December 2020, the Spanish Data Protection Agency (AEPD) imposed the first of its multimillion-euro fines for violating the General Data Protection Regulation (GDPR) on Banco Bilbao Vizcaya Argentaria, S.A. (BBVA): 5 million euros. The sanctioning trend has been on an upward curve since then, with this figure exceeded on three occasions, along with over a dozen fines of over one million euros.
However, at the beginning of March, a judgment of the National Court of 23 December 2022 was published, quashing the fine imposed on BBVA. The judgment is of interest for two reasons:
- it is the first court judgment to look at one of the multimillion-euro fines imposed by the AEPD
- as we shall see, the reason why the fine was quashed is related to the manner in which the AEPD conducted the sanctioning procedure.
The AEPD fine
In its decision of 11 December 2020, the AEPD imposed a fine of 5 million euros on BBVA for two infringements of the GDPR: (i) Articles 13 and 14 (2 million euros) and (ii) Article 6 (3 million euros).
The sanctioning procedure which gave rise to the fine was initiated following 5 complaints by individuals, all of them concerning the sending of commercial communications. However, the AEPD ultimately concluded that BBVA's privacy policy – applicable to its customers in general and to processing other than the sending of commercial communications – violated the duty of information (Articles 13 and 14 GDPR) and on occasion misused consent and legitimate interest as the legal basis for processing (Article 6 GDPR).
The National Court judgment
In its judgment, the National Court found that the AEPD violated the guiding principles of the sanctioning procedure, as there was a complete disconnect between the original complaints made to the AEPD and the decision and fine, which concerned BBVA’s privacy policy. According to the National Court, the AEPD took advantage of the five complaints about the sending of commercial communications to open a wider case against BBVA, in which it then alleged breaches of the GDPR in the company’s privacy policy. This argument led the National Court to overturn the sanction in its entirety.
Conclusions
Although the judgment can still be appealed to the Supreme Court, it has given rise to an injection of optimism for those data controllers who have been the subject of similar sanctions, and who will have to analyse to what extent the judgment impacts the sanctioning procedures underway in relation to them.