AEPD (Spain) - EXP202408496
Spanish DPA fines BBVA €100,000 for unlawfully redirecting SEPA payments without consent.
Summary
Spain's AEPD (Data Protection Authority) fined BBVA €100,000 for processing personal data without a valid legal basis under GDPR Article 6(1). The bank redirected a SEPA direct debit payment from a closed account to a customer's new account without documented authorization or consent, violating the requirement that direct debits be linked to specific IBANs. BBVA's claims of implied consent and alternative legal bases were rejected, as the controller failed to obtain explicit, informed consent or demonstrate a legitimate interest.
Full text
AEPD (Spain) - EXP202408496
Latest revision as of 16:35, 24 March 2026

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR, Article 6(1) GDPR, Article 6(1)(a) GDPR, Article 6(1)(b) GDPR, Article 6(1)(f) GDPR, Article 7 GDPR
Type: Complaint
Outcome: Upheld
Started: 17.04.2024
Decided:
Published: 17.03.2026
Fine: 100.000 EUR
Parties: BBVA
National Case Number/Name: EXP202408496
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: RP

The DPA fined a bank €100,000 for unlawfully changing a data subject's SEPA direct debit mandate from a closed account to a new account without prior instruction by the data subject, thus infringing Article 6(1) GDPR.

English Summary

Facts

A data subject filed a complaint with the Spanish Data Protection Authority (AEPD) against BBVA, a bank acting as a controller.

The data subject had two bank accounts with the controller. An insurance company collected premiums from one of these accounts through a SEPA (Single Euro Payments Area) direct debit mandate. On 14 February 2022, the data subject closed both accounts due to security concerns and opened a new account with the same controller. On 21 March 2022, the insurance company issued a direct debit request to one of the closed accounts. The controller did not reject the request. Instead, it redirected the payment and debited the amount from the data subject's new account. The controller did this without any documented instruction linking the closed accounts to the new account.

The data subject stated that they had not authorised this debit from the new account. They also claimed that they had arranged for the insurance premium to be paid from another account. The data subject therefore considered the processing unlawful.

The controller argued that the original SEPA mandate had not been revoked. It claimed that this mandate allowed the continued collection of payments. The controller also argued that the data subject had implicitly accepted the redirection of payments, as they had not objected and similar transactions had occurred before. In addition, the controller relied on Article 6(1)(b) GDPR and Article 6(1)(f) GDPR as alternative legal bases.

Holding

The AEPD held that the controller infringed Article 6(1) GDPR because it processed personal data without a valid legal basis. The AEPD explained that a SEPA direct debit mandate is linked to a specific bank account identified by its IBAN. Even if BBVA's assertion that the mandate had not been revoked were accepted, the mandate only covered the original account. The controller therefore needed a new authorisation to debit a different account with a different IBAN. The controller could not rely on the existing mandate to justify the new processing.

The AEPD rejected the argument of implied consent. It held that consent under Article 6(1)(a) GDPR must be freely given, specific, informed and unambiguous. The data subject must express consent through a clear affirmative action. The absence of an objection or the data subject's silence did not meet this standard. The controller also failed to demonstrate that valid consent existed.

The AEPD also rejected the alternative legal bases. It held that the controller could not switch legal bases after the processing had taken place. In any event, Article 6(1)(b) GDPR did not apply because the controller was not a party to the insurance contract, so the processing was not necessary for the performance of a contract with the data subject. The AEPD also found that the controller had not demonstrated a legitimate interest under Article 6(1)(f) GDPR, as it did not carry out the required balancing test or consider the data subject's expectations.

The AEPD concluded that the controller acted negligently. As a financial institution, the controller had to apply a high standard of care when processing personal data. Debiting a different account without verifying a legal basis breached this duty. The AEPD therefore imposed a fine of €100,000 on the controller for the infringement of Article 6(1) GDPR. The fine was reduced by 20% to €80,000 because the controller made a voluntary payment, as provided for under Spanish procedural law.

Comment

A relevant question in this case is whether the debiting operation constitutes a data processing activity. However, this issue was not raised by any of the parties. The AEPD merely stated: "In the present case, in accordance with the provisions of Articles 4(1) and 4(2) of the GDPR, the processing of personal data has taken place, since BBVA carries out, among other processing activities, the collection and storage of personal data of natural persons: first and last name, address, email address, and bank account, among others."
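The holding turns on one control: a mandate authorises collections from the IBAN it names and from no other account. The Python below is an added example (not BBVA's code and not part of the decision) that contrasts the silent redirection the AEPD sanctioned with a mandate-bound authorisation check that returns the collection instead; every IBAN, creditor identifier and the successor-account map are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed model of the facts in EXP202408496: one SEPA mandate bound to a
# single debtor IBAN, an account register, and a "successor account" map that
# a bank might keep when a customer closes accounts and opens a new one.
# Reason labels are descriptive; a live system maps them to scheme return codes.

@dataclass(frozen=True)
class Mandate:
    creditor_id: str
    mandate_ref: str
    debtor_iban: str       # the only account this mandate covers
    revoked: bool = False

@dataclass(frozen=True)
class DebitRequest:
    creditor_id: str
    mandate_ref: str
    debtor_iban: str       # IBAN named by the creditor in the collection
    amount_eur: float

def redirect_on_close(req, accounts, successor):
    """Behaviour the AEPD sanctioned: debit the successor of a closed account."""
    target = req.debtor_iban
    if accounts.get(target) == "closed":
        target = successor.get(target, target)   # no mandate covers this IBAN
    return (accounts.get(target) == "open", target)

def authorise_debit(req, mandates, accounts):
    """Mandate-bound check: debit only the IBAN the mandate names, only if open."""
    m = mandates.get((req.creditor_id, req.mandate_ref))
    if m is None or m.revoked:
        return (False, "no_active_mandate", None)
    if m.debtor_iban != req.debtor_iban:
        return (False, "mandate_iban_mismatch", None)
    if accounts.get(req.debtor_iban) != "open":
        # Return the collection unpaid; a different IBAN needs a new, documented
        # authorisation from the debtor (silence or non-objection is not consent).
        return (False, "account_closed", None)
    return (True, "ok", req.debtor_iban)

def scenario():
    """Constructed replay of the 21 March 2022 collection against the closed account."""
    mandates = {("CRED-INSURER", "POLICY-1"): Mandate("CRED-INSURER", "POLICY-1", "IBAN-OLD-1")}
    accounts = {"IBAN-OLD-1": "closed", "IBAN-OLD-2": "closed", "IBAN-NEW-3": "open"}
    successor = {"IBAN-OLD-1": "IBAN-NEW-3", "IBAN-OLD-2": "IBAN-NEW-3"}
    req = DebitRequest("CRED-INSURER", "POLICY-1", "IBAN-OLD-1", 120.0)
    return redirect_on_close(req, accounts, successor), authorise_debit(req, mandates, accounts)
```

Running `scenario()` shows the two outcomes side by side: the redirect path pays out of IBAN-NEW-3, the mandate-bound path returns the collection with reason `account_closed`.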
English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202408496

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On April 17, 2024, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with Tax Identification Number A48265169 (hereinafter, BBVA). The facts brought to the attention of this authority are as follows:

The claimant states that they held two accounts with the defendant entity (ending in ***ACCOUNT.1 and ***ACCOUNT.2) and that, following security incidents involving their mailbox due to theft of mail, they chose to close these accounts and open a new one with the defendant entity (ending in ***ACCOUNT.3). They indicate that, to do so, they were asked to digitally sign a series of documents that were to be sent to them via email. However, upon accessing these documents later, they discovered that the files were corrupted and could not be opened. Subsequently, through a notarized request for the documents, it was confirmed that only two of the documents had been properly signed digitally.

Furthermore, the claimant states that they have an insurance policy with ***ENTITY.1, with the payment set up as a direct debit from one of the defendant's accounts that they closed. They further state that, without having informed ***ENTITY.1 of the new account, the defendant issued a direct debit to the closed account on March 21, 2022, and the defendant accepted the charge to the new account without the claimant's prior authorization. ***ENTITY.1 did not issue the direct debit to the new account, and there was no connection or transfer of charges between the closed accounts and the new account.
The claimant also states that they had set up a direct debit for that payment from a different account, unrelated t