A fine of 120,000 euros is imposed to BBVA for the unauthorized deletion of personal data 

In February 2023, a complaint was filed to the Spanish Data Protection Agency (AEPD) by D. A.A.A. against Banco Bilbao Vizcaya Argentaria, S.A. (BBVA). A.A.A. terminated his employment relationship with BBVA in September 2021 and acquired a corporate device for personal use. However, in June 2022, the device became inactive and required corporate credentials for reactivation, which prevented its access. 

BBVA informed that the device needed to be restored to factory settings, which would result in the loss of all personal information contained on the device. A.A.A. reported that the device had been remotely managed by BBVA without legal authorization, resulting in the deletion of his personal data. The AEPD initiated an investigation, and found that BBVA had violated Article 6.1 of the GDPR, which establishes the legitimate basis for data processing.

On October 31, 2024, the AEPD decided to impose a fine of €120,000 on BBVA for the infringement of Article 6.1 of the GDPR due to the unauthorized deletion of personal data from the device acquired by A.A.A., because BBVA did not have a legitimate basis for the processing of A.A.A's personal data as the employment relationship had ended.

The decision took into account two extents: (i) the absence of legal basis for the processing of the personal data of the interested party which BBVA could not prove and (ii) BBVA's negligence in not following its own internal procedures, which resulted in the unauthorized deletion of the interested party's personal data.

Author: Cristina Grande (Counsel)