AEPD (Spain) - PS/00141/2020: Difference between revisions
mNo edit summary |
|||
Line 57: | Line 57: | ||
The complainants complained that illegal recordings of witness statements were recorded by a lawyer in a corruption case. These recordings were used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (hereafter JAVA). | The complainants complained that illegal recordings of witness statements were recorded by a lawyer in a corruption case. These recordings were used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (hereafter JAVA). | ||
Additionally, upon accessing the website, several Google Analytics cookies were dropped without any consent from the user. There was also a cookie banner when accessing the website with a link to the privacy policy. Clicking on this linked the user to JAVA's privacy policy where information on cookies was provided. However, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies. | Additionally, upon accessing the website, the Spanish DPA found that several Google Analytics cookies were dropped without any consent from the user. There was also a cookie banner when accessing the website with a link to the privacy policy. Clicking on this linked the user to JAVA's privacy policy where information on cookies was provided. However, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies. | ||
===Dispute=== | ===Dispute=== |
Revision as of 10:18, 4 December 2020
AEPD - PS/00141/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(a) GDPR Article 22(2) LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 10.11.2020 |
Published: | 02.12.2020 |
Fine: | 8000 EUR |
Parties: | Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) |
National Case Number/Name: | PS/00141/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed a fine of € 8000 on Asociación de Víctimas por Arbitrariedades Judiciales (JAVA). JAVA infringed Article 6(1)(a) GDPR by publishing illegal recordings on its website and also infringed Article 22(2) LSSI due to its cookie policy.
English Summary
Facts
The complainants complained that illegal recordings of witness statements were recorded by a lawyer in a corruption case. These recordings were used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (hereafter JAVA).
Additionally, upon accessing the website, the Spanish DPA found that several Google Analytics cookies were dropped without any consent from the user. There was also a cookie banner when accessing the website with a link to the privacy policy. Clicking on this linked the user to JAVA's privacy policy where information on cookies was provided. However, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.
Dispute
Is publishing illegal recordings of a witness on a website an infringement of Article 6(1)(a) GDPR?
Is placing cookies without consent when visiting a webpage and not having a "refusal all" button on the cookie banner an infringement of Article 22(2) LSSI?
Holding
The Spanish DPA (AEPD) held that JAVA infringed Article 6(1)(a) by publishing recordings obtained illegally and, therefore, without consent. This infringement lead to the DPA imposing a fine of € 5000 on JAVA.
In relation to the cookie policy, the Spanish DPA held that the wording of the cookie banner "This website uses cookies so that you have the best user experience " lead to confusion as the message lacked clarity. The DPA also held that the fact that visiting the website lead to (unnecessary) Google Analytics cookies being placed without the user's consent was an infringement of Article 22(2) of the Spanish national law on the Information Society and eCommerce (LSSI). Additionally, the DPA held that the absence of a "Refuse all" button in the cookie banner was also a violation of Article 22(2) LSSI. For these violations of LSSI, the Spanish DPA imposed an additional fine of € 3000 on JAVA.
The Spanish DPA therefore imposed a total fine of € 8000 on JAVA.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 Procedure No.: PS / 00141/2020 938-051119 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00141/2020, instructed by the Spanish Agency for Data Protection, before the entity, ASSOCIATION OF VICTIMS BY ARBITRARIAT- DADES JUDICIALES, (JAVA), with CIF .: G16614174, owner of the website: *** URL.1 (hereinafter, "the claimed entity"), for alleged infringement of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data (RGPD) and for alleged infringement of Law 34/2002, of July 11, Services of the Information Society and Electronic Commerce (LSSI), based on the following: BACKGROUND FIRST: On 03/14/19, you have an entry in this Agency, complaint filed by D. A.A.A., and D. B.B.B. (hereinafter, “the claimants”), where they stated, among others, the following: “In the Court of Instruction No. *** COURT.1 of *** LOCALIDAD.1 is being followed a complex macro cause of corruption. In one of the separate pieces of this cause, the lawyer in the case, *** DATE.1, made an illegal recording and clandestine testimony of various witnesses that was used after riormente to file on August 31, 2017, a complaint against the Judge and the Prosecutor of the case, which was inadmissible for processing by means of a resolution issued by the TSJ of *** LOCALIDAD.2 on December 11, 2017. The signatories of the complaint are advertising the aforementioned on social networks recordings and have made available to those responsible for the website called nothing: *** URL.1, of the Association of Victims of Judicial Arbitrariness (JAVA), part of the recording made, where they use the aforementioned recordings to call them literally corrupt. It is reported that: The aforementioned website does not collect the books nks to the legal notice, cookie law and personal data pages; there is no link to one page where you explain what type of cookies the website uses and information about the owner of the page as well as contact information and there is no way to find out unsubscribe from the newsletter. A screenshot of a web page of *** URL.1 is attached, where there is an article it with the title “FIRST COMPLAINT. *** DATE.2. ”, Written by the profile“ *** PROFILE.1 ”and dated February 6, 2019, where, among others, you can read: “… Judge C.C.C. Y the Prosecutor D.D.D. they put in prison ... ... Why this effort not to record them? The judge not only refused to record them when they asked for it in advance, but rather. in view of what The statements were being as usual, the lawyer reiterated it in person. na twice. Can you imagine the answer? Here you have it: Audios refusing to record: ... ... C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/8 their testimonies are considered false by the Judge and the Prosecutor, replacing the legal warning that must be given to all witnesses, in threats and coercion. Four audios Reading Rights: …. C.C.C. warns the witness of the obligation to tell the truth, including that he is false witnesses come and they will not allow it. ... SIX AUDIOS OF ABUSE: ... They pressure the witness to rectify his testimony but they are not successful. ... The lawyer when leaving the "statements" filed a written complaint before the Court. do. The same judge and prosecutor denied the conduct that, thanks to the recording, tipping point in the cause: the malicious practice was no longer a rumor, it was a reality. Thank you E.E.E. " SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the protection of the powers of investigation tion granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (RGPD). Thus, with dates 04/02/19 and 04/14/19; 09/19/19 and 10/20/19 go requirements and reiterations of information to the claimed entity, producing the following results: - According to the certificate of the Electronic Notification Service and Elec- Trónica Enabled, of the Ministry of Territorial Policy and Public Administration, the request sent to the claimed entity on 04/02/19, through the service Notice of Notific @, was rejected by the entity on 04/13/19. - According to the certificate of the State Postal and Telegraph Society, the requirement sent to the claimed entity on 04/14/19, to the address ASOCIACIÓN DE VICTIMS BY JUDICIAL ARBITRARITIES (JAVA) *** ADDRESS 1, a Through the SICER service, he was picked up at his destination on 05/27/19 at 7:12 PM, being the receiver of the same, D. F.F.F. *** NIF.1 - According to the certificate of the Electronic Notification Service and Elec- Trónica Enabled, of the Ministry of Territorial Policy and Public Administration, the request sent to the claimed entity on 09/19/19, through the service cio de Notific @, was rejected by the entity on 09/30/19. - According to the certificate of the State Postal and Telegraph Society, the requirement sent to the claimed entity on 10/20/19, to the address: ASOCIACIÓN DE VICTIMS BY JUDICIAL ARBITRARITIES (JAVA) *** ADDRESS 1, Through the SICER service, he was picked up at the destination by D. G.G.G. *** NIF.2 THIRD: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the protection of the powers of investigation tion granted to the control authorities in art 57.1 of the RGPD. So dated 04/02/19 and 09/19/19, two informative requests are addressed to D. E.E.E., who According to the complaint, it was the lawyer who made the unauthorized recordings. - According to the certificate of the State Correos Society, the request sent to the interested 04/02/19, through the SICER service, the 1st delivery was attempted on C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/8 04/04/19 at 08:21, with the result being "Absent". The 2nd delivery attempt is made on 04/08/19 at 18:29, being the result of "Absent", being returned to origin as it was not collected from the "Post Office" "list" service either. - According to the certificate of the State Correos Society, the request sent to the interested 09/19/19, through the SICER service, the 1st delivery was attempted on 09/27/19 at 09:15, with the result being “Absent”. The 2nd delivery attempt is performed on 09/30/19 at 18:28, being the result of "Absent", being returned to origin as it was not collected from the "Post Office" "list" service either. FOURTH: On 04/23/20, by the General Subdirectorate of Inspection of Data, it is verified that the recordings referred by the complainants are published falls in url: *** URL.2 The following aspects regarding the privacy policy are also checked and the cookie policy of the web. a) .- Regarding the information included in the "Legal Notice" of the website *** URL.3, do reference to: the owner of the website; contacting the owner; information about the Intellectual property and information on links to other sites or pages Web. b) .- On the information included in the "Privacy Policy" of the website *** URL.4, refers to: the person responsible for the treatment; the treatment of data cough: the principles used; the purposes of the treatment; Legitimation; the Desti- natarios; provenance; the terms of conservation; the legitimacy of the treatment; the rights of the interested parties; on the transfer of data to third parties and on security measures. The section referring to the origin of the data states: “As a general rule, the Personal data is always collected directly from the interested party, however, in de- exceptions, the data may be collected through third parties. nas, entities or services other than the interested party. In this sense, this extreme will be transferred to the interested party through the informed consent clauses contained in the different ways of collecting information and within a reasonable period zoneable, once the data has been obtained, and at the latest within a month. " c) .- About the "Cookies Policy" of the reported website: 1º.- When entering the web *** URL.1 and, without accepting cookies or taking any action, On the web, the following persistent cookies are loaded in the browser: to. _ga, with performance purpose according to *** URL. 5. According to said website this cookie is associated with Google Analytics. b. _gat, with performance purpose according to *** URL. 5. According to said website this cookie is associated with Google Analytics. c. _gid, with performance purpose according to *** URL. 5. According to said website this cookie is associated with Google Analytics. 2º.- When entering the web, the following first layer notice about the existence of cookie company: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/8 “This website uses cookies so that you have the best user experience. Yes continue browsing you are giving your consent for the acceptance of cookies and the acceptance of our cookie policy, click the link to << more information >> - <<accept>> Through the link "cookies policy", you are redirected to the page *** URL.6, where provides information on: what are cookies; its main functions; the you- types of cookies that exist; own and third-party cookies used by the website and how to manage cookie settings through browsers. FIFTH: On 06/07/20, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the claimed entity, for infringement of articles 6.1) of the RGPD, punishable in accordance with the provisions of art. 83 of the aforementioned rule, regarding the processing of personal data without consent of the claimants and by article 22.2) of the LSSI, punishable in accordance with the provisions put in the art. 39) and 40) of the aforementioned Law, regarding the Cookies Policy of the reported website. SIXTH: On 06/19/20, the initiation of the file was notified to the complaining entity. Madame, who has not submitted to this Agency, any writing or allegation, within the the period granted for this purpose. PROVEN FACTS 1.- It is verified that the recordings referred to by the complainants are published in url: *** URL.2 2.- It is found that on the reported web page, *** URL.1, without accepting cookies or perform any action on the web, cookies do not need to be loaded in the browser arias. In addition, there is NOT, in the second layer of the cookie policy, any mecha- nism that allows the rejection of all cookies. FOUNDATIONS OF LAW I Competition: Regarding the processing of personal data, it is competent to resolve this procedure the Director of the Spanish Agency for Data Protection, of in accordance with the provisions of art. 58.2 of the RGPD in art. 47 of LOPDGDD. Regarding the Cookies Policy, it is competent to resolve this procedure. the Director of the Spanish Agency for Data Protection, in accordance with with the provisions of art. 43.1 of the LSSI. II In the present case, the complainants denounce that those responsible for the page web *** URL.1 have used this medium to “call them corrupt”, publishing in the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/8 web your personal data without your consent, verified that it is recorded and published each in url: *** URL.2 Therefore, as has been proven, an illegal recording of the proceedings was made judicial agencies of the testimony of various witnesses that were later used without the express consent of the interested parties, therefore, its obtaining was obtained without the legal basis that would protect it, as it would be, article 6.1.a) of the RGPD when it is- establishes that “the treatment will be lawful if the interested party gave their consent for the treatment handling of your personal data ”, since even its use was additionally inadmissible. Mitigated for processing in a complaint by the Superior Court of Justice of the Balearic Islands. These facts are constitutive of an infraction, attributable to the defendant, for vulnerability tion of article 6.1.a) of the RGPD, which indicates that the treatment will be lawful if “the interest sado gave his consent to the processing of his personal data for one or various specific purposes ”. For its part, article 72.1.b) of the LOPDGDD considers a very serious infringement See, for the purposes of prescription: "The processing of personal data without the concurrence of the One of the conditions of legality of the treatment established in article 6 of the RGPD ”. This offense can be sanctioned with a fine of a maximum of € 20,000,000 or, for a company, of an amount equivalent to a maximum of 4% of the volume total annual global business menu for the previous financial year, opting for the higher amount, in accordance with article 83.5.b) of the RGPD. In accordance with the indicated precepts, in order to set the amount of the penalty to impose in the present case, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD: - The nature, severity and duration of the offense, taking into account the nature nature, scope or purpose of the treatment operation in question, as well as such as the number of interested parties affected and the level of damages who have suffered, (section a). - The intentionality or negligence in the infraction. In the present case we are before the intentionality in the use of the personal data of the claims mantes without their express consent, (section b). - The categories of personal data affected by the infringement, The data processed in this case are of a marked personal nature and therefore person identifiers (section g). - Any other aggravating factor applicable to the circumstances of the case. In this In this case, an attempt was made, up to 5 occasions, to collect information from the madame and / or those in charge, there being no type of response or gación in this Agency, to the requirements made, (section k). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/8 The balance of the circumstances contemplated in article 83.2 of the RGPD, with respect to Regarding the offense committed by violating the provisions of its article 6.1) it allows setting a penalty of 5,000 euros. (five thousand euros). IV Regarding the Cookies Policy of the reported website *** URL.1, it is agreed test that, in the first Layer, (initial page), without accepting cookies or performing any na action on it, cookies are installed in the browser, not necessary: _ga; _gat, and _gid, associated with Google Analytics. The banner about cookies that is displayed when accessing the main page provides information that is not very concise or intelligible. By using the expression: “This website uses cookies so that you have the best user experience ”, lead to confusion to the message is unclear and in the second layer there is no mechanism that allow the rejection of all cookies, in order to make it just as simple give consent, as indicated on the initial page. These facts are constitutive of an infraction, attributable to the defendant, for vulnerability tion of the article of article 22.2 of the LSSI, according to which: “Service providers may use storage and retrieval devices ration of data in terminal equipment of recipients, provided that the same We have given their consent after information has been provided to them clear and complete on its use, in particular, on the purposes of the treatment of the data, in accordance with the provisions of Organic Law 15/1999, of December 13, protection of personal data. When technically possible and effective, the consent of the recipient to accept the data processing may be facilitated by using the parameters from the browser or other applications. The foregoing will not prevent possible storage or access of a technical nature to only in order to carry out the transmission of a communication over a communication network electronic or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient River". This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and recovery devices when the information had not been provided or the consent of the recipient was obtained. natario of the service in the terms required by article 22.2. ”, which may be sanctioned nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI. After the evidence obtained in the preliminary investigations phase, it is considered that the sanction to be imposed should be graduated according to the following criteria that established by art. 40 of the LSSI: - The existence of intentionality, an expression that must be interpreted as equi- value to degree of guilt according to the Judgment of the Hearing National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the entity denounced the determination of a system for obtaining consent informed service that conforms to the mandate of the LSSI. - Period of time during which the offense has been committed, since it is the claim March 2019, (section b). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/8 Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 3,000 euros (three thousand euros), for the violation of article 22.2 of the LSSI. Therefore, in accordance with the foregoing, by the Director of the Spanish Agency Data Protection Policy, RESOLVES IMPOSE: to the entity, ASSOCIATION OF VICTIMS BY ARBITRARITIES COURT DICIALES, (JAVA), with CIF .: G16614174, owner of the website: *** URL.1, dos san- tions, regarding the processing of personal data without consent and regarding its cookie policy on its website, consisting of: - 5,000 euros (five thousand euros), for the violation of article 6.1) of the RGPD, res- The processing of personal data without the consent of the complainants. blankets. - 3,000 euros (three thousand euros), for the violation of article 22.2) of the LSSI, res- pect of its Cookies Policy. REQUEST: to the entity, ASSOCIATION OF VICTIMS BY ARBITRARITIES JU- DICIALES (JAVA), so that, within a month from this act of notification, proceed to take the necessary measures to modify the banner about cookies of the first layer and include in the second layer, a mechanism that allows rejecting all the cookies. NOTIFY: this resolution to the entity, ASSOCIATION OF VICTIMS BY JUDICIAL ARBITRARITIES (JAVA), and to the claimant regarding the result of the clamor. Warn the sanctioned person that the sanction imposed must be effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad- Public Ministries (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, me- when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK, S.A. or otherwise, it will be collected in the executive period. Notification received and once executive, if the execution date is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 82 of Law 62/2003, of December 30- of fiscal, administrative and social order measures, this Resolution is will be made public, once it has been notified to the interested parties. The publication is made- It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection Agency on the publication of its Resolutions. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/8 Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may interpose ner, optionally, appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly administrative contentious appeal before the Contentious-administrative chamber of the National Court, in accordance with the provisions set out in article 25 and section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the two months from the day following notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency had no knowledge of the filing of the contentious-administrative appeal trative within a period of two months from the day following notification of this resolution, would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es