News

26/03/2025

Erroneous Subscription and Unjustified Bank Withdrawals: SANITAS and BBVA Sanctioned

Source: PS 00479-2023


Facts:

- A health insurance contract was recorded with SANITAS and BBVA Seguros without the complainant's consent.
- Bank withdrawals were made from the complainant's BBVA account between March and May 2022.

Origin of the Issue:

- A "human error" by an agent of BBVA Mediación Operador de Banca-Seguros (OBS) led to the contract being erroneously registered as an active subscription instead of a simple information request.

Involvement of the Parties:

- SANITAS and BBVA were deemed joint controllers of the data processing under their co-insurance agreement.
- The OBS (Bank-Insurance Operator) acted as a data processor.

- No signature or explicit consent from the complainant was obtained.


Identified Violations:

1. Lack of Consent – No Legal Basis (Article 6 GDPR)
- The insurance was taken out without the client's explicit consent.
- The OBS agent mistakenly recorded the subscription as valid.

2. Lack of Internal Control
- No robust validation mechanisms were in place before activating the policy.

3. Delayed Responses from BBVA and SANITAS
- July 19, 2022 – A written complaint was submitted to BBVA (no response).
- September 27, 2022 – A complaint was filed with the AEPD.
- November 14, 2022 – The AEPD forwarded the complaint to BBVA (no response).
- November 28, 2022 – BBVA finally canceled the contract retroactively to March 1, 2022, and refunded the deducted amounts.

The case lasted over 8 months before being resolved.


Consequences and Corrective Measures:

Severity of the Violation:
- Sensitive Data – SANITAS unlawfully processed health data, a specially protected category (Article 9 GDPR).
- Duration of the Violation – The unlawful data processing lasted more than 8 months, aggravating the case.

Sanctions:
- Administrative fine: €200,000 (reduced to €160,000).

Required Corrective Actions:
- Improvement of subscription processes to prevent human errors.
- Implementation of mandatory digital signature verification.

SANITAS' Commitments:
- Strengthening security measures and continuous improvement of procedures.


Conclusion:

- The AEPD sanctioned SANITAS for processing health data unlawfully without valid consent.
- An erroneous subscription should never lead to unauthorized bank withdrawals!
