Background information
- Date of final decision: 10 July 2025
- National case
- Controller: Banco Bilbao Vizcaya Argentaria SA
- Legal Reference(s): Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 15 (Right to access by the data subject)
- Decision: Administrative fine
- Key words: Administrative fine, Data subject rights, Transparency
Summary of the Decision
Origin of the case
A customer who was the victim of fraud contacted the bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10 000 EUR and reconstructing what had happened. Having received no satisfactory response, he lodged a complaint with the Garante. Only after the Authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed.
Key Findings
During the investigation, the Italian SA pointed out that, according to the European Data Protection Board Guidelines 01/2022 on data subject right of access, even telephone calls between customers and banks can be considered personal data and, as such, must be accessible upon request, in compliance with the rights of any third parties involved.
Decision
The Garante imposed an administrative fine of 100 000 EUR. In determining the amount, the Authority took into account the bank's turnover, its cooperation during the investigation and the absence of previous infringements.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.