The Spanish Data Protection Agency ("SDPA") has recently published its decision in procedure PS/00070/2019 against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. ("BBVA"), which concluded with two fines totalling 5 million euros.
The first infringement (fined 3 million euros) concerns the failure to comply with the information obligations set out in articles 13 and 14 of Regulation (EU) 2016/679 of 27 April 2016 ("GDPR").
The second infringement (fined 2 million euros) concerns the legal basis of some of the processing activities carried out by BBVA and, in particular, the way in which consent is obtained (article 6 of the GDPR).
The procedure started after five complaints submitted by different clients of BBVA, describing a variety of alleged irregularities regarding the sending of commercial communications and the collection of consent.
As a result of those complaints, the SDPA examined in detail the document containing the privacy policy and the declaration of consent that BBVA has used since the GDPR came into force, both to inform its clients and to obtain their consent for different purposes. The Background Facts section of the decision highlights the following aspects of that document:
“In order to comply with the GDPR, BBVA designed a personal data collection form named "Declaration of economic activity and personal data protection policy". Section 1 of this document contains the client's identification data and the declaration of economic activity. Amongst other data, this includes name, surname(s), tax ID, date of birth, nationality, address, marital status, marital economic regime, contact details, fixed and variable income, entity which he/she provides service to or gross annual income.
By means of this document, established by BBVA as mandatory for all its clients, the aforementioned entity [BBVA] makes known the terms of its privacy policy and sets the mechanisms for the customers to give their consent to the processing of their personal data for the purposes indicated in the aforementioned document.
The client's signature and the date are included at the end of section 2, "Personal data protection policy", expressly indicating to the interested party that by signing he agrees to the "Declaration of economic activity and personal data protection policy".
The "Extended Information" on personal data protection and a glossary of terms are included immediately after signature.
As for giving consent, immediately before the space provided for the signature, interested parties are offered the possibility of ticking the following options:
"Please note that if you do not agree with any of the following purposes, you may select them below.
Products and prices more suitable for you
[ ] I do NOT want my details to be processed by BBVA with the aim of offering me products and services from BBVA and the BBVA Group, including those customised for me.
[ ] I do NOT want BBVA to communicate my details to companies within the BBVA Group with the aim of offering me their own products and services customised for me.
Quality improvement
[ ] I do NOT want BBVA to process my data to improve the quality of new and existing products and services. We want to remind you that you can always easily change or erase the use we make of your data".
Leaving aside the procedural aspects examined in the decision, which will probably become relevant in the appeal BBVA is likely to file, the substantive issues highlighted by the SDPA are the following:
- Use of imprecise terminology and vague allegations.
The SDPA considers that "BBVA does not provide clear and systematic information about the processing of personal data or the purposes for which they will be used; nor does it delimit the nature of the information subject to processing and its subsequent use. When it refers to these issues [BBVA] displays imprecise terminology and vague allegations, which are not in strict compliance with the principle of transparency, preventing the interested parties from knowing the real meaning and significance of the indications provided and the real scope of the consents that may be given".
The SDPA quotes some of the expressions that, in its opinion, are imprecise or vague. Among others, the SDPA includes the following:
“At BBVA we want your experience as a client to be as satisfactory as possible, through a personalized relationship that is best suited to your customer profile and needs. To achieve this, we need to get to know you better...”.
"Thanks to this analysis we will be able to know you better, evaluate new functionalities for you... as well as personalized offers with fitted prices".
"We would like to keep you abreast of new products and services from BBVA, as well as give you advice and recommendations to better manage your financial situation. We can also send you information on BBVA products and services with prices that are more suited to your profile, informing you of what might interest you as a client."
"If you wish that companies within the BBVA Group... can offer you products and services customized in terms of characteristics and price, we need your authorization to provide them with information regarding your customer profile... This information will be processed with the aim of improving the characteristics and prices of the products and services on offer".
"... so that we at BBVA can better meet your expectations and increase your level of satisfaction".
- Lack of precision in the description of the categories of personal data processed.
The SDPA highlights that, when requesting the data subject's consent, BBVA does not list in detail all the categories of data to be processed, which means that the consent cannot be considered "informed".
Similarly, there is insufficient information regarding processing based on legitimate interest, especially where data is obtained from third-party sources that are not clearly identified in the privacy policy.
The SDPA points out that "(...) personal data are collected and processed without the holders being aware that BBVA gains access to them and records them in its information systems; the personal data are processed without the customer being informed in a clear, accurate and easy way, for purposes that are inexplicit and indeterminate, contrary to the principles relating to processing established in article 5 of the GDPR (fairness, purpose limitation and data minimisation), since, on the basis of the information provided, considering its lack of detail, the data subject cannot understand, as the Constitutional Court points out, "what use is being made of it and, on the other hand, be able to object to such possession and use". This lack of precision makes the information provided on the intended data processing ineffective. The same objection must be expressed in relation to the communication of personal data to companies within the BBVA Group. With the information provided, it is not possible for the interested party to have a clear idea of the information that will be transferred to the Group entities (...)".
- Lack of clarity in the information provided on the purposes of processing and the lawfulness of processing.
The SDPA considers that similar processing operations are described in relation to purposes based on different legal grounds, resulting in a confusing explanation from the client's point of view. For example, "BBVA presents the making of personalized offers and the use of personal data to improve products and services as processing based on the data subject's consent, while at the same time those processing operations are also included among those that can be carried out in order to better know the customer and improve his/her experience, based on legitimate interest".
- Lack of information on the legitimate interests of BBVA and third parties.
According to the SDPA, BBVA confuses the definition of the purpose with the description of the legitimate interests pursued by the controller and by third parties, which, as a consequence, are not properly described. Furthermore, as already indicated, generic expressions are used and the description of the different processing operations lacks clarity.
In particular, the SDPA points out:
"In any case, the use of personal data for the purpose of "knowing" the client better, as stated, can be understood as a follow-up of the interested party without a justifiable reason, which cannot be justified on the basis of legitimate interest. Such monitoring involves an exhaustive examination of the information about the customer, which is intended to be justified by the mention of a generic and simple purpose ("to know you better"), the consequences of which may be much more serious than those mentioned as examples (birthday greetings).
The same can be said about the use of customer data to "improve products and services" of BBVA, which BBVA also justifies on the legitimate interest, considering, as indicated by the entity, that the data subject has a reasonable expectation that his or her personal data will be used for that purpose.
This Agency considers that this processing of data, as it appears to be substantiated in BBVA's privacy policy, cannot rely on the ground of legitimate interest, which requires an assessment to determine which interests or rights prevail. This assessment must indeed take into account "the reasonable expectations of the data subjects based on their relationship with the controller", but connected with the expectations or deductions that the data subject could reasonably make, considering the specific circumstances of each case, and could reasonably foresee at the time the data were collected. Not what the responsible entity understands to be the customer's "reasonable expectation", nor what it tells the customer about meeting those expectations.
The concept of "reasonable expectation" must always be used with moderation, taking into account the position held by the responsible party and the legal nature of the relationship or service that links them, which could lead to the subsequent use of the customer's personal data (...)".
- Lack of information regarding the profiling activities carried out by BBVA.
BBVA's privacy policy refers to the creation of profiles on several occasions, without any consistent pattern and without providing information on the kind of profiles to be created, the specific uses of those profiles, or the data subject's right to object when profiling is carried out for direct marketing purposes.
- Deficiencies in the collection of the consent.
According to the SDPA, BBVA has not developed a specific consent collection mechanism that meets the requirements of the GDPR. BBVA relies on the signature of the document "Declaration of economic activity and personal data protection policy", together with the fact that the objection boxes provided therein have not been ticked, to obtain consent to the privacy policy. However, this does not constitute a positive (affirmative) act: consent is presumed for the processing described, and the client is merely offered objection ("opt-out") boxes to withhold it.
It should also be noted that the lack of clarity in the wording of the privacy policy means that, in any case, the consent cannot be considered informed.
- Processing of data mistakenly based on legitimate interest.
After recalling the importance of balancing (and documenting) the competing interests when a specific processing operation is justified on the basis of a legitimate interest of the controller or a third party, the SDPA points out the following:
"Considering that it is not even possible to know the ultimate purposes of the processing, it becomes difficult to associate them with BBVA's legitimate interests which may, moreover, prevail over the rights of the data subjects, who are not clearly informed about the features required by the data protection regulations.
The legitimate interest outlined, which is described in the same terms as the purposes, is vague and speculative (...). The consequence of this is that the processing carried out is not foreseeable for an average citizen.
This being so, it is impossible for the data subject or this supervisory authority to assess whether the processing operations carried out are necessary or whether, on the contrary, the same outcome could be obtained by less invasive means; nor can it be concluded that the interest alleged is prevailing.
Rather, it seems that the "interests" expressed by BBVA, either in the Privacy Policy or (...), respond to economic interests of the entity which are not disclosed. Obtaining an economic benefit through the business activity that BBVA carries out can be a legitimate interest, but under no circumstances may it prevail over the fundamental right to data protection of the persons concerned (...)".
(…)
In addition to the above, the following circumstances are taken into account:
The way in which data is collected on the basis of legitimate interest and the scale on which it is collected, which is excessive; as well as the use of personal data collected from third parties without the knowledge of the interested party (external creditworthiness and loan files) or through third-party products marketed by BBVA.
The techniques used (processing of data with the aim of building algorithms) and the lack of transparency regarding the logic of the profiling, which may lead to price discrimination and imply a potential financial impact that may be excessive.
The SDPA's 124-page decision provides an in-depth analysis of the privacy policy of a complex financial entity which undoubtedly handles a considerable amount of personal data and carries out highly sophisticated processing operations. As the decision shows, striking the right balance between a precise description of such processing and the clear and accessible language required by the GDPR is not a simple task.
In view of the SDPA's comments, companies should review privacy policies that were drafted in generic terms (so as to avoid having to amend them later) and that therefore do not clearly describe the processing operations and their purposes; such ambiguities should be removed. Similarly, companies should ensure that the assessment on which they rely to apply legitimate interest is documented in writing and well grounded.