D.AAA (claimant) v. Banco Bilbao Vizcaya Argentaria, SA

€5 million in fines


Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.

Our analysis

Banco Bilbao Vizcaya Argentaria, SA (BBVA) faced several joint complaints related to its data processing practices. The first complainant claimed that BBVA sent promotional SMS messages to their mobile phone without consent, while BBVA argued that the complainant had consented by subscribing to a document on customer identification and processing of personal data. The second complainant claimed that BBVA did not comply with legal requirements for free and informed consent, as their application did not provide the possibility to refuse data processing. BBVA responded that this method of gathering consent was valid according to BBVA and other forums. The third complainant claimed that BBVA asked them to sign a privacy policy document to unblock their account, which included a ticked option that stated they did not want BBVA to process their data for certain purposes. The fourth complainant claimed that they received unauthorised advertising communications, and BBVA argued that the complainant did not oppose this data processing in the privacy policy document they signed. The fifth complainant claimed they received unsolicited calls and SMS, and BBVA argued that the complainant had consented to such processing of personal data for commercial purposes by signing a privacy policy document.
The Spanish DPA investigated the issue and held that BBVA's privacy policy lacked clarity and specificity, which violated Articles 12, 13, and 14 of the GDPR. The DPA stated that BBVA must respect the obligations outlined in Articles 13 and 14 in conjunction with Article 5(1)(a) as a data controller that processes personal data. BBVA's privacy policy used imprecise terminology and vague formulations when providing information to the data subject. The DPA found that BBVA did not design a specific mechanism to collect valid consent when relying on consent as a legal basis for processing personal data for certain purposes, and the data subject's options were limited in the way BBVA presented the boxes to tick. BBVA relied on the "inaction" of the data subject to gather consent, which was in breach of the GDPR's requirements for gathering valid consent. A general signature of the privacy policy could not be valid consent as it was not specific to distinct purposes, and the consent given was not informed as the privacy policy lacked crucial information. The DPA referred to the Article 29 Working Party Guidelines on transparency to highlight that BBVA's privacy policy fell within the examples of poor transparency practices. The privacy policy was too vague and unclear, making it difficult for data subjects to understand.


The Spanish Data Protection Authority (AEPD) fined Banco Bilbao Vizcaya Argentaria, SA €2 million for violating the transparency principle and €3 million for breaching the legality of processing under Article 6 of the GDPR.


D.AAA (claimant) and Banco Bilbao Vizcaya Argentaria, SA


Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
