AEPD (Spain) - EXP202210347: Difference between revisions
From GDPRhub
No edit summary |
m (Ar moved page AEPD (Spain) - PS-00051-2023 to AEPD (Spain) - EXP202210347) |
||
| (7 intermediate revisions by 2 users not shown) | |||
| Line 25: | Line 25: | ||
|Date_Published= | |Date_Published= | ||
|Year= | |Year= | ||
|Fine= | |Fine=5000 | ||
|Currency=EUR | |Currency=EUR | ||
| Line 59: | Line 59: | ||
}} | }} | ||
The Spanish DPA fined Massimo Dutti S.A €5,000 for | The Spanish DPA fined Massimo Dutti S.A €5,000 for not giving users the ability to manage their consent once accepting all cookies. This decision is one of the first of noyb’s cookie complaints to result in a fine. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A data subject, represented by noyb (European Centre for Digital Rights), disputed | A data subject, represented by noyb (European Centre for Digital Rights), disputed the cookies employed by Massimo Dutti S.A. on their website, the dark patterns utilised by Massimo Dutti S.A. to entice users to 'accept all cookies' and the lack of ability to change your consent once accepting cookies. | ||
Checking the cookies installed before any interaction with the cookie banner revealed the setting of non-essential cookies. For example, two performance cookies ("AKA_A2" and "RT") which are used by Akamai Technologies, Inc. (a computing platform for the delivery of global Internet content of client companies) to optimise the response time between the visitor and the website | Checking the cookies installed before any interaction with the cookie banner revealed the setting of non-essential cookies. For example, two performance cookies ("AKA_A2" and "RT") which are used by Akamai Technologies, Inc. (a computing platform for the delivery of global Internet content of client companies) to optimise the response time between the visitor and the website. | ||
Regarding dark patterns, there were several issues observed with the consent banner in the initial layer. Firstly, it lacked a 'reject all' button for non-essential cookies. Secondly, the 'accept all' button appeared similar to a regular button, while the 'manage cookies' option was presented as a mere link. Moreover, the 'accept all' button had a different color, which was also misleading. Lastly, withdrawing consent was not as straightforward as granting it. Once you had accepted all cookies or a specific group of cookies through the control panel, there was no clear and easy way to later withdraw your consent. | Regarding dark patterns, there were several issues observed with the consent banner in the initial layer. Firstly, it lacked a 'reject all' button for non-essential cookies. Secondly, the 'accept all' button appeared similar to a regular button, while the 'manage cookies' option was presented as a mere link. Moreover, the 'accept all' button had a different color, which was also misleading. The information informing users on what would happen if users accepted the cookies was considered to be unclear and incomplete | ||
Lastly, withdrawing consent was not as straightforward as granting it. Once you had accepted all cookies or a specific group of cookies through the control panel, there was no clear and easy way to later withdraw your consent. | |||
=== Holding === | === Holding === | ||
The Spanish DPA initially dismissed the complaint because the noyb was not considered to be sufficiently accredited to represent the complianant. Noyb filed a written appeal for reconsideration which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Article 5.6 of the LPACAP] (The Common Administrative Procedure of Public Administrations) and analysing the documentation provided by the claimant where she confers her representation to the organisation noyb. | The Spanish DPA initially dismissed the complaint because the noyb was not considered to be sufficiently accredited to represent the complianant. Noyb filed a written appeal for reconsideration which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Article 5.6 of the LPACAP] (The Common Administrative Procedure of Public Administrations) and analysing the documentation provided by the claimant where she confers her representation to the organisation noyb. | ||
The Spanish | The Spanish DPA did not agree that the cookies were non-essential. As an example, they noted that the ones set by Akamai Technologies, Inc. did not identify users as they were anonymised. It is only after the user clicks 'accept all', that tracking cookies such as MUID; ts; CONSEND; SOCS; CLID; _ga; _gid; ttp; u; NID; AEC; _pinterest_ct_ua and 1P_JAR are placed. Thus, the company only applies non-essential cookies once the user has consented to it. | ||
The Spanish DPA did not adress the dark patterns in detail and instead focused on the languange that Massimo Dutti S.A. used in its cookie banner. It noted that Massimo Dutti S.A. had changed the cookie banner languange from the 23 September 2022 to 16 March 2023 and concluded that these changes were acceptable. Therefore, the languange of banner on 16 March 2023 was considered clear and did not contradict [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22.2 of the LSSI.] | |||
On the 16 March 2023 The Spanish DPA verified that there was no mechanism or access to the control panel that would later allow the consent previously given to be withdrawn and reject the cookies that had previously been accepted. The Spanish DPA checked again on the 19 April 2023 and came to the same conclusion as even though the user could now access the control panel, clicking 'off' resulted no change in the set cookies. It was only on the 6 June 2023 that Massimo Dutti S.A. corrected its website to allow the user to manage cookies through the control panel and withdraw their consent and make the website go back to its essential cookies settings. | |||
It was this previous inability to withdraw consent that made the Spanish DPA hold Massimo Dutti S.A. to have breached [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22.2 of the LSSI] (Law of Information Society Services and Electronic Commerce) and be fined €5,000. | |||
== Comment == | == Comment == | ||
Latest revision as of 12:40, 13 December 2023
| AEPD - PS-00051-2023 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 22.2 LSSI |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 5000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS-00051-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | PS-00051-2023 (in ES) |
| Initial Contributor: | sh |
The Spanish DPA fined Massimo Dutti S.A €5,000 for not giving users the ability to manage their consent once accepting all cookies. This decision is one of the first of noyb’s cookie complaints to result in a fine.
English Summary
Facts
A data subject, represented by noyb (European Centre for Digital Rights), disputed the cookies employed by Massimo Dutti S.A. on their website, the dark patterns utilised by Massimo Dutti S.A. to entice users to 'accept all cookies' and the lack of ability to change your consent once accepting cookies.
Checking the cookies installed before any interaction with the cookie banner revealed the setting of non-essential cookies. For example, two performance cookies ("AKA_A2" and "RT") which are used by Akamai Technologies, Inc. (a computing platform for the delivery of global Internet content of client companies) to optimise the response time between the visitor and the website.
Regarding dark patterns, there were several issues observed with the consent banner in the initial layer. Firstly, it lacked a 'reject all' button for non-essential cookies. Secondly, the 'accept all' button appeared similar to a regular button, while the 'manage cookies' option was presented as a mere link. Moreover, the 'accept all' button had a different color, which was also misleading. The information informing users on what would happen if users accepted the cookies was considered to be unclear and incomplete
Lastly, withdrawing consent was not as straightforward as granting it. Once you had accepted all cookies or a specific group of cookies through the control panel, there was no clear and easy way to later withdraw your consent.
Holding
The Spanish DPA initially dismissed the complaint because the noyb was not considered to be sufficiently accredited to represent the complianant. Noyb filed a written appeal for reconsideration which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of Article 5.6 of the LPACAP (The Common Administrative Procedure of Public Administrations) and analysing the documentation provided by the claimant where she confers her representation to the organisation noyb.
The Spanish DPA did not agree that the cookies were non-essential. As an example, they noted that the ones set by Akamai Technologies, Inc. did not identify users as they were anonymised. It is only after the user clicks 'accept all', that tracking cookies such as MUID; ts; CONSEND; SOCS; CLID; _ga; _gid; ttp; u; NID; AEC; _pinterest_ct_ua and 1P_JAR are placed. Thus, the company only applies non-essential cookies once the user has consented to it.
The Spanish DPA did not adress the dark patterns in detail and instead focused on the languange that Massimo Dutti S.A. used in its cookie banner. It noted that Massimo Dutti S.A. had changed the cookie banner languange from the 23 September 2022 to 16 March 2023 and concluded that these changes were acceptable. Therefore, the languange of banner on 16 March 2023 was considered clear and did not contradict Article 22.2 of the LSSI.
On the 16 March 2023 The Spanish DPA verified that there was no mechanism or access to the control panel that would later allow the consent previously given to be withdrawn and reject the cookies that had previously been accepted. The Spanish DPA checked again on the 19 April 2023 and came to the same conclusion as even though the user could now access the control panel, clicking 'off' resulted no change in the set cookies. It was only on the 6 June 2023 that Massimo Dutti S.A. corrected its website to allow the user to manage cookies through the control panel and withdraw their consent and make the website go back to its essential cookies settings.
It was this previous inability to withdraw consent that made the Spanish DPA hold Massimo Dutti S.A. to have breached Article 22.2 of the LSSI (Law of Information Society Services and Electronic Commerce) and be fined €5,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/24
File No.: EXP202210347 (PS/00051/2023)
RESOLUTION OF SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following,
BACKGROUND
FIRST: Dated 08/10/22, A.A.A. (hereinafter, the complaining party) filed
claim before the Spanish Data Protection Agency.
The claim was directed against GRUPO MASSIMO DUTTI, S.A. with NIE.:
A78115201, responsible for the website ***URL.1, (hereinafter, the claimed party),
for the alleged violation of data protection regulations: Regulation (EU)
2016/679, of the European Parliament and of the Council, of 04/27/16, relating to Protection
of Natural Persons with regard to the Processing of Personal Data and the
Free Circulation of these Data (RGPD), Organic Law 3/2018, of December 5,
of Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
and Law 34/2002, of July 11, on Information Society Services and
Electronic Commerce (LSSI).
The facts, according to statements by the complaining party, are related to the
use of cookies and obtaining user consent. On the visit
that the complaining party claims to have created the website on 09/28/21, it presented a
banner in the first layer of consent in which there was no possibility of
“reject all cookies” that were not technical or necessary; Furthermore, the design
of the links was misleading because the button that leads to the option to “manage the
cookies” in the control panel uses a “link” layout – highlighted text or
underlined―, while the “Accept all cookies” button uses a design
typical “button” – square box with text. Besides, the colors and contrast of the
buttons are also misleading as different colors have been used for the
different options that were presented. It is also indicated in the claim that it is not
It is as easy to withdraw consent as it is to give it and once given, clicking on the
option “accept all cookies” or “accept some group of cookies” through the
control panel, it is not possible to remove it if you wish to do so later.
SECOND: On 04/10/22, by the Director of the Spanish Agency for
Data Protection an agreement is issued to inadmissibility for processing because, after the analysis
made on the documents provided and the concurrent circumstances, it is not
considered the representation of the complaining party to be sufficiently accredited
THIRD: On 11/01/22, the claimant presented a written appeal for
replacement that is estimated by the Director of the Spanish Agency for the Protection of
Data on 11/15/22, taking into consideration the provisions of article 5.6 of the
LPACAP and once the document provided by the claimant where
confers its representation to the organization NOYB, (European Center for Digital
Rights).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/24
FOURTH: On 03/16/23, this Agency accessed the website
***URL.1, confirming the following characteristics about its “Policy of
Cookies":
A.- About the cookies detected when accessing the website:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
The website has been verified to use the following cookies:
a.1).- Strictly necessary cookies (4):
Cookies Domain Description
_abck ***DOMAIN.1 This cookie is used to detect
and defend yourself when a client
try to play a cookie. This
cookie manages the interaction with
online bots and take the measurements
appropriate days.
bm_sz ***DOMAIN.1 This cookie is set by the provider
dor Akamai Bot Manager. This
cookie is used to manage the
interaction with online bots.
It also helps in prevention
of fraud.
OptanonCon- ***DOMAIN.1 This cookie is set by OneTrust
feeling to store details about the
category of cookies on the site and veri-
determine whether visitors have given or re-
consent to the use of
each category.
ak_bmsc ***DOMAIN.1 Akamai uses this cookie to op-
optimize site security by dis-
distinguish between humans and bots.
a.2).- Performance cookies (2):
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/24
cookies Domain Description
AKA_A2 ***DOMAIN.1 Akamai sets this cookie to
improve performance and optimize
the response time between the visit
tant and the website.
RT ***DOMAIN.1 Akamai sets this cookie to
measure page loading time
or other associated timers
two with the page.
Note: Akamai Technologies, Inc. is a corporation that provides, among others
services, of a distributed computing platform for the delivery of
global Internet content and application delivery. stores the
server content of a client company on its own servers.
When a user (client) wants to access that content (usually
digital media such as Audio, Graphics, Animation, Video), all or
part is downloaded from an Akamai server instead of the company's
customer.
The Cookie “AKA_A2” appears on the website ***URL.2 as strictly necessary,
(***URL.3)
The “RT” Cookie, although it appears on the website ***URL.2, has performance but is necessary.
saria to improve the performance of the website, (***URL.4),
According to the entity, these cookies allow us to count visits and sources of circulation
in order to measure and improve the performance of the website. All the information we collect
These cookies are aggregated and therefore anonymous.
a.3).- Unclassified cookies (4): Cookies that could not be classified but in
The list of cookies existing in the control panel of the website appears.
cen indicated by the person responsible for the website as “strictly necessary cookies”.
sarias.”
Domain cookie key
ITXSESSIONID ***DOMAIN.1
MDSESSION ***DOMAIN.1
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/24
Domain cookie key
bm_my ***DOMAIN.1
bm_sv ***DOMAIN.1
Note: These cookies that could not be classified appear in the list of
cookies existing in the control panel of the website as “cookies
strictly necessary” ***URL.1 <<Cookie settings>>
<<Strictly necessary cookies>> <<information about cookies>>
B.- About the existing information regarding cookies on the home page and about the
management of these:
When you enter the website for the first time, a banner appears on the main page
of information about cookies, with the following message:
“By clicking “Accept all cookies”, you agree to cookies being stored
on your device to improve site navigation, analyze site usage, and
collaborate with our marketing studies. <<Cookie Policy>>
<<Cookie settings>> <<Accept all cookies>>
If you wish to manage the use of cookies through the link <<Settings
cookies>> existing in the information banner, the website displays a control panel
where the different groups of pre-marked cookies appear in the position of
“OFF”:
“Your privacy: Cookies and other similar technologies are a part
essential to how our Platform works. The main objective of the
cookies is to make your browsing experience more comfortable and efficient and
to improve our services and the Platform itself. Likewise, we use
cookies to be able to show you advertising that is of interest to you when you visit
third-party websites and apps. Here you can get all the information about the
cookies that we use and you can activate and/or deactivate them according to
with your preferences, except for those Cookies that are strictly necessary
for the operation of the Platform. Please note that blocking
Some cookies may affect your experience on the Platform and the
operation of it. By clicking “Confirm my preferences”,
will save the cookie selection you have made. If you have not selected
no option, pressing this button will be equivalent to rejecting all cookies.
For more information you can visit our Cookies Policy. <<More
information>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/24
Technical or necessary cookies <<Always active>>
These cookies are necessary for the Platform to function and cannot be
deactivate in our systems. They are usually configured to
respond to actions taken by you to receive services, such as
adjust your privacy preferences, log in to the site, or cover
forms. You can set your browser to block or alert the
presence of these cookies, but some parts of the Platform do not
they will work.
Functionality or personalization cookies OFF ON
These cookies allow the Platform to offer better functionality and
personalization. They may be established by us or by third parties
whose services we have added to our pages. If you do not allow these
cookies some of our services will not work correctly. For
activate or deactivate cookies use the corresponding button. "Active"
means that cookies can be used. "Inactive" means that cookies
they cannot be used.
<<Cookie information>>
Analysis cookies OFF ON
These cookies allow us to count visits and sources of circulation to
be able to measure and improve the performance of our Platform. They help us to
know which pages are the most or least popular, and see how many people
They visit the site. If you do not allow these cookies we will not know when you visited our
Platform. To activate or deactivate cookies use the button
correspondent. "Active" means that cookies can be used.
"Inactive" means that the cookies cannot be used.
<<Cookie information>>
Cookies for advertising OFF ON
These cookies may be throughout the Platform, placed by our
advertising partners. These third parties may use them to create a profile of your
interests and show you relevant ads on other sites. If you do not allow these
cookies, you may receive less targeted advertising. To activate or deactivate the
cookies uses the corresponding button. "Active" means that cookies are
they can use. "Inactive" means that the cookies cannot be used.
<<Cookie information>>
Social network cookies OFF ON
These cookies are set by a number of social media services
that we have added to the site to allow you to share our content with
your friends and networks. They are able to track your browser
through other sites and create a profile of your interests. This may modify the
content and messages you find on other web pages you visit. But
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/24
If you allow these cookies, you will not be able to view or use these sharing tools.
To activate or deactivate cookies, use the corresponding button. "Active"
means that cookies can be used. "Inactive" means that cookies
they cannot be used.
<<Cookie information>>
<<Confirm my preferences>> <<Reject all>> <<Allow all>>
If you choose <<Confirm my preferences>> without having modified any of the
boxes from the “OFF” position to the “ON” position, or by clicking on the option
<<Reject all>> with the intention of rejecting cookies that are not technical or
necessary in both cases, it is checked how the website continues to use cookies
detected at the beginning, that is:
Cookies detected as Necessary Cookies according to Unclassified Cookies that
technical or necessary. the “Cookies Policy” of the GRUPO entity
Akamai Technologies, Inc. MASSIMO DUTTI
states that they are
necessary in its “Policy
of Cookies”
_abck AKA_A2 ITXSESSIONID
bm_sz RT MDSESSION
OptanonConsent bm_mi
ak_bmsc bm_sv
C).- About the possibility of withdrawing consent to the use of cookies once
borrowed.
Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
own and third parties:
Cookie Provider Cookie Provider
MUID Bing.com ttp Tiktok.com
ts Creativecdn.com U Creativecdn.com
CONSEND Google.com NID Google.com
SOCS Google.com AEC Google.com
CLID Clarity.com _pinterest_ct_ua ct.pinterest.com
_ga Google.com 1P_JAR Google.com
_gid Google.com
However, it is found that there is no mechanism or access to the control panel.
control that allows you to later withdraw the consent given and reject these
cookies that had previously been accepted.
D.- About the information provided in the “Cookies Policy:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/24
If you access the “Cookies Policy”, through the link in the banner
about cookies of the first layer or through the link at the bottom of
the main page, the website redirects the user to a new page ***URL.5, where
informs about what cookies are; the different types of cookies that exist and are
informs about the type of cookies used on the website and their purpose. I also know
informs how to update the browser of the terminal equipment to manage the
cookies.
If you want to know the list of cookies that the website says it uses, you must access
through the existing links in the control panel (<<Information of the
cookies>>), where the list of cookies used by the website and their purpose appear.
SIXTH: On 03/22/23, by the Directorate of the Spanish Agency for
Data Protection, a sanctioning procedure is initiated against the claimed entity,
appreciate reasonable indications of violation of the provisions of art. 22.2 of the LSSI,
for the irregularities detected on its website regarding the “Policy of
Cookies”, that is, due to the absence of sufficient information in the first layer about
of the purposes of the installation of cookies, with an initial penalty of 5,000
euros and due to the impossibility of managing the cookies used once the
consent, with an initial penalty of 5,000 euros.
SEVENTH: On 04/18/23, the complaining entity presents a written statement of allegations to
the initiation of the file in which, among others, it indicates:
First.- In relation to the first of the alleged violations of the article
22.2 of the LSSI File No.: EXP202210347 (PS/00051/2023)Allegations
to the Startup Agreement attributed to my client “due to the absence of information
enough in the first layer about the purposes of installing the
cookies", it should be noted that in the initial Agreement this assumption
Non-compliance is described in detail as follows:
“The second of the banners reproduced (and the one that has been proven to be
established at the time of approval of this initiation agreement) is considered
that does not provide “clear and complete” information about the purposes of the
treatment.
On the contrary, it simply states that cookies will be used “to
improve site navigation, analyze site use and collaborate with
our studies for marketing.”
It is considered that such a generic reference lacks sufficient specificity
of the purposes of use and would thereby violate the aforementioned article 22 of the
Law 34/2002, of July 11, on Information Society Services and
electronic commerce”.
That is, as can be deduced from the literal wording of the Initiation Agreement, the text that
It was published on 09/23/2022, it did meet the requirement of including
sufficient information in the first layer about the purposes of the
installation of cookies, while the text that was published
On 03/16/2023 it did not meet this requirement.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/24
Faced with this conclusion included in the Initiation Agreement as a reason for
attribute a breach of the aforementioned Article 22.2 LSSI to my client, it must be
demonstrate the total equivalence in terms of information on
purposes of the installation of cookies among the texts published on
09/23/2022 and 03/16/2023, as explained in the following table:
Text published on 09/23/2022 Text published on 03/16/2023
“…analytical purposes…” “…to improve site navigation,
analyze its use…”
“...to show you related advertising“...collaborate with our studies to
with your preferences from your marketing…”
Browsing habits and your profile…”
Therefore, given this total equivalence in terms of information on purposes
of the installation of cookies between the texts published on 09/23/2022 and
03/16/2023, any breach of the Article must be flatly denied
22.2 LSSI that is intended to be based on the absence of sufficient information
in the first layer about the purposes of the installation of cookies.
In any case, even when it is considered that the text that was
published on 03/16/2023 in the first layer complies with the Regulations, it has been
recovered and the one to which it is made is currently published
reference in the Initiation Agreement as published on 09/23/2022.
It should be noted that the return to the wording that was
published on 09/23/2022, has no cause, to any extent, in the avoidance or
rectification of a breach. Rather, what is intended is a
improvement on the basis of the means of compliance that already existed, that is, that
to which the Initiation Agreement refers as published on 03/16/2023.
In fact, the publication of the text that was shown on 03/16/2023 occurred
due to a human error that resulted in said text being published instead of the
which was published on 09/23/2022.
The text change now made, with the incorporation of the one to which
referenced in the Initiation Agreement as published on 09/23/2022, it is
You can see in the screenshot below:
We use our own and third-party cookies for analytical and
to show you advertising related to your preferences from
your browsing habits and your profile. You can configure or reject the
cookies by clicking on “Cookie Settings”. You can too
accept all cookies by pressing the “Accept all cookies” button.
For more information you can visit our. <<Cookie Policy>>
<<Cookie settings>> <<Accept all cookies>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/24
Second.- In relation to the second of the alleged violations of the article
22.2 of the LSSI attributed to my client “due to the impossibility of managing the
cookies used once the initial consent has been given”, it should be noted
that such infringement is flatly denied, while the user has always
willing and has the permanent possibility of managing cookies once
Once the initial consent has been given through an access link to the
“Cookie settings” where you can reject cookies with a simple
click.
Specifically, once the user accepts cookies on the home page or
home of the Website and select the market (geographical) and catalog (women /
man) that you want to access, you always have it available in the horizontal menu
located in the footer of the website the “Cookie Settings” link
(shot 1 below) with which you can access the console where you can
reject cookies simply by clicking on the “Reject all” button
(shot 2 below) or accept them again if you had rejected them
previously (capture 3), through the corresponding buttons.
Even though this possibility of accessing the “Cookie Settings” has
present and easily accessible to the user at all times (with
which, as has been said, non-compliance must be ruled out.
reference to the Initiation Agreement), the
access “Cookie Settings”, as described below.
It must be made clear that this multiplication, reiteration or redundancy
has no cause, to any extent, in the avoidance or cure of a
breach. What is intended is the reinforcement of compliance, through
of facilitating access to the “Cookie Settings”, which is nothing more than
a facilitation or improvement on the basis of the means of compliance already
existed.
Specifically, in addition to the access link to the “Cookie Settings”,
which has always been in the horizontal menu of the footer of the Website:
- This same link has been included as the last of the links in the
vertical menu located on the left side of the footer, just
below the horizontal menu, as seen in the following screenshot, and
where is the link to the Cookie Information or the Cookie Policy
Privacy.
- This same link has been included on the initial or home page of the Site
website, just below the buttons to choose if you want to go to the catalog
of a woman or a man, as seen in the following screenshot.
For all of the above, through these Allegations, I come to REQUEST
that this document is considered presented and the previous ones formulated
Allegations in the Reference File, and prior to the appropriate procedures,
In due course, a Resolution is issued deeming the non-existence of infringement
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/24
any attributable to MASSIMO DUTTI in relation to the events described and the
indicated regulations, proceeding to file the actions.
EIGHTH: On 04/19/23, this Agency accessed, once again, the
website ***URL.1, stating the following characteristics about its “Policy
of Cookies”:
A.- About the cookies detected when accessing the website:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the web page in question and using the cookie detection tool of the
Google Chrome browser (<right mouse button> inspections application
cookies) it has been verified that the following cookies are used:
Cookies detected as Necessary Cookies according to Unclassified Cookies that
technical or necessary. the “Cookies Policy” of the GRUPO entity
Akamai Technologies, Inc. MASSIMO DUTTI
states that they are
necessary in its “Policy
of Cookies”
_abck AKA_A2 ITXSESSIONID
bm_sz RT MDSESSION
OptanonConsent bm_mi
ak_bmsc bm_sv
B.- About the existing information regarding cookies on the home page and about the
management of these:
When you enter the website for the first time, a banner appears on the main page
of information about cookies, with the following message:
We use our own and third-party cookies for analytical purposes and to show you
advertising related to your preferences based on your browsing habits and your profile.
You can configure or reject cookies by clicking on “Cookie settings”.
You can also accept all cookies by clicking the “Accept all cookies” button.
For more information you can visit our. <<Cookie Policy>>
<<Cookie settings>> <<Accept all cookies>>
If you wish to manage the use of cookies through the link <<Settings
cookies>> existing in the information banner, the website displays a control panel
where the different groups of pre-marked cookies appear in the position of
“OFF”:
Technical or necessary cookies <<Always active>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/24
Functionality or personalization cookies OFF ON
<<Cookie information>>
Analysis cookies OFF ON
<<Cookie information>>
Cookies for advertising OFF ON
<<Cookie information>>
Social network cookies OFF ON
<<Cookie information>>
<<Confirm my preferences>> <<Reject all>> <<Allow all>>
If you choose <<Confirm my preferences>> without having modified any of the
boxes from the “OFF” position to the “ON” position, or by clicking on the option
<<Reject all>> with the intention of rejecting cookies that are not technical or
necessary in both cases, it is checked how the website continues to use the same
cookies detected at the beginning.
C).- About the possibility of withdrawing consent to the use of cookies once
borrowed.
Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties:
MUID .clarity.ms /__Secure-1PAPISID .google.es /
APISID .google.es /__Secure-3PSID .google.es /
SSID A .google.es /__Secure-1PSID .google.es /
__Secure-3PAPISID .google.com /SAPISID .google.com /
SSID .google.com /HSID A .google.com /
SID .google.es /__Secure-1PSID .google.com /
SIDCC .google.com /SID .google.com /
__Secure-3PSID .google.com /__Secure-3PAPISID .google.es /
MUID 3 .bing.com /__Secure-1PSIDCC .google.com /
APISID .google.com /__Secure-3PSIDCC .google.com /
SAPISID .google.es /__Secure-1PAPISID .google.com /
ANONCHK .c.clarity.ms /CLID .clarity.ms /
NID .google.es /SEARCH_E .google.com /
MR .c.clarity.ms /ts .creativecdn.com/
_RwBf .bing.com /ACLUSR .bing.com /
ACL .bing.com /OIDR .bing.com /
SM .c.clarity.ms /BFB .bing.com /
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/24
BFBUSR .bing.com /SRCHUSR .bing.com /
SRCHD .bing.com /_ttp .tiktok.com /
1P_JAR .google.com /AID .google.com /
tt_viewer .teads.tv /AEC .google.com /
CONSENT .google.com /SOCS .google.com /
NID .google.com /OTZ .google.com /
u .creativecdn.com /OID .bing.com /
OIDI .bing.com /_pinterest_ct_ua .ct.pinterest.com
MR .c.bing.com /SRCHHPGUSR .bing.com /
SRCHUID .bing.com /SRM_B .c.bing.com /
There is a link to the control panel at the bottom of the website
<<cookie configuration>> that allows the user to manage the groups of
cookies through the control panel. It is observed that now, (after accepting
all cookies) groups are pre-checked “ON”.
However, if you wish to reject the use of cookies by clicking on the option
<<reject all>> or moving the cursor from the “ON” position to the
“OFF” of the different groups of cookies, and clicking on <<confirm my
preferences>>, it is observed that the website continues to use third-party cookies
installed when they were accepted at the beginning, making it impossible for the user, if desired
change your mind, now deny consent once given.
D.- About the information provided in the “Cookies Policy:
If you access the “Cookies Policy”, through the link in the banner
about cookies of the first layer or through the link at the bottom of
The main page, the website displays a document:
***URL.6
where information is provided on what cookies are; the different types of cookies that
They exist and information is provided on the type of cookies used on the website and their purpose.
It also provides information on how to update the terminal equipment's browser to
manage cookies.
If you want to know the list of cookies that the website says it uses, you must access
through the existing links in the control panel (<<Information of the
cookies>>), where the list of cookies used by the website and their purpose appear.
NINTH: On 04/24/23, a proposed resolution was formulated in the sense of
that the Director of the AEPD sanction the claimed party, for violation of
as established in article 22.2 of the LSSI, since consent cannot be withdrawn, a
once provided, in the use of cookies that are not technical or necessary, with a
sanction of 5,000 euros (five thousand euros) and considering that the message that was
provides in the information banner about cookies: “We use our own cookies and
from third parties for analytical purposes and to show you advertising related to your
preferences based on your browsing habits and your profile. You can configure or
reject cookies by clicking on “Cookie Settings”. You can too
accept all cookies by pressing the “Accept all cookies” button. For more
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 13/24
information you can visit our”, is equivalent in terms of information about
purposes of the installation of cookies with that published on 09/23/22, does not contradict
with the provisions of article 22.2 of the LSSI.
TENTH: On 05/17/23, the claimed entity presented allegations to the
proposed resolution, where he stated, among others, the following:
First.- In relation to the violation of article 22.2 of the LSSI attributed to me
principal due to “the impossibility of rejecting the cookies used once
initial consent has been given, even if there is a permanent link to the
control panel”, it should be noted that in the Proposed Resolution this
alleged breach is described in detail as follows:
“It has been proven that there is a mechanism or access to the control panel
permanent control at the bottom of the page <<settings
cookies>> that allows access to the control panel for the management of
the cookies. However, if you wish to reject the use of cookies
by clicking on the <<reject all>> option or by moving the course
from the “ON” position to the “OFF” position and clicking on <<confirm
my preferences>>, it is observed that the website continues to use cookies
from third parties installed when they were initially accepted.”
The operation described in the Proposed Resolution (“…if desired
reject the use of cookies by clicking on the option <<reject all>>
or moving the course from the “ON” position to the “OFF” position and
By clicking on <<confirm my preferences>>, you can see that the website is still
using third-party cookies installed when they were accepted at
beginning.”), is not complete to the extent that, as explained below,
below, although the rejected cookies were still visible to the
user, in no case were they used since they were blocked (it is spoken in
passed due to the novelty that is explained in the Second Allegation).
In this sense, clarify that the user could reject the cookies used
once the initial consent has been given through the control panel, in
so much that:
- Tools were used to review the acceptance of cookies in
execution time.
- All cookies were reviewed just before use to ensure
verify that the user had accepted the category in which they were
incorporates the cookie.
- In the event that the user has rejected cookies during the
navigation, they were still in the browser's cookie system,
but in no case were they used, since their use was blocked through
of Javascript code.
- This operation applied to both first-party and first-party cookies,
as well as third-party cookies, with the exception of cookies strictly
necessary.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/24
In section “2. Cookie blocking model” of the document
“Cookie system” which is incorporated as Annex I, is described and exemplified
this model used until now on the Site and consisting of blocking the use
of cookies rejected by the user through Javascript code.
It should be noted that the operational novelty that follows this model and that
stated in the Second Allegation, has been implemented as an improvement to
the accreditation of compliance with the Regulations, since in no case
We understand that the blocking model just described can
considered a breach thereof.
Before well, the cookie blocking model was considered to be a
model fully in accordance with the applicable Regulations and, specifically, complied with the
Article 22.2 of the LSSI on which the sanction to me is intended to be based
principal.
That is, it has evolved from a cookie blocking system
rejected that already complied with the Regulations, towards a model of elimination /
expiration of rejected cookies (explained in the Second Claim) that
improves the accreditation of compliance with Article 22.2 of the LSSI.
Second.- Therefore, within the process of continuous improvement in accreditation
compliance and out of concern for the user, my client has
implemented a technological solution so that cookies rejected
are deleted/expired from the cookie storage system of the
browser.
This technological improvement solution is applied (i) to own or third-party cookies.
first part, and (ii) on third party cookies, in the latter case always
that there are no technical limitations that prevent the elimination of cookies.
Specifically, in section “3. “Cookie deletion/expiration model”
document “Cookie System” that is incorporated as Annex I, is explicit and
details that a model has been implemented by which they are eliminated / expire from the
browser all cookies that have not been accepted by the user.
Specifically, if a user rejects cookies, none of the cookies that are
integrated through Google Tag Manager will be used. Therefore,
None of the cookies indicated in the following list will be used:
(…).
Third.- Additionally, and also within the same improvement process
continues in the accreditation of compliance and for the concern for the
user, my client has implemented a change in the Cookies Policy
(accessible from the cookies banner or from the footer of the Site).
The change in the Cookies Policy is aimed at improving the information and
transparency in the event that the management or configuration system of the
cookies do not allow cookies to be deleted once accepted by the user, for
which provides information on the tools provided by the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/24
browsers, warning that if the user accepts third-party cookies and
later you want to delete them, you can do so from your own browser.
The information in this sense has been incorporated in the second paragraphs,
third and fourth of point “4. How can I manage the use of Cookies in
this Platform?” of the Cookies Policy.
For all of the above, through these Allegations, I come to REQUEST
that this document is considered presented and the previous ones formulated
Allegations in the Reference File, and prior to the appropriate procedures,
Resolution is issued estimating the non-existence of any infringement
attributable to MASSIMO DUTTI in relation to the events described and the
indicated regulations, proceeding to file the actions.
ELEVENTH: On 06/06/23, this Agency accesses,
new, to the website ***URL.1, verifying the following characteristics about the
its “Cookies Policy”:
A.- About the cookies detected when accessing the website:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the web page in question and using the cookie detection tool of the
Google Chrome browser (<right mouse button> inspections application
cookies) it has been verified that the following cookies are used:
Cookies detected as Necessary Cookies according to Unclassified Cookies that
technical or necessary. the “Cookies Policy” of the GRUPO entity
Akamai Technologies, Inc. MASSIMO DUTTI
states that they are
necessary in its “Policy
of Cookies”
_abck AKA_A2 ITXSESSIONID
bm_sz RT MDSESSION
OptanonConsent bm_mi
ak_bmsc bm_sv
B.- About the existing information regarding cookies on the home page and about the
management of these:
When you enter the website for the first time, a banner appears on the main page
of information about cookies, with the following message:
We use our own and third-party cookies for analytical purposes and to show you
advertising related to your preferences based on your browsing habits and your profile.
You can configure or reject cookies by clicking on “Cookie settings”.
You can also accept all cookies by clicking the “Accept all cookies” button.
For more information you can visit our. <<Cookie Policy>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/24
<<Cookie settings>> <<Accept all cookies>>
If you wish to manage the use of cookies through the link <<Settings
cookies>> existing in the information banner, the website displays a control panel
where the different groups of pre-marked cookies appear in the position of
“OFF”:
Technical or necessary cookies <<Always active>>
Functionality or personalization cookies OFF ON
<<Cookie information>>
Analysis cookies OFF ON
<<Cookie information>>
Cookies for advertising OFF ON
<<Cookie information>>
Social network cookies OFF ON
<<Cookie information>>
<<Confirm my preferences>> <<Reject all>> <<Allow all>>
If you choose <<Confirm my preferences>> without having modified any of the
boxes from the “OFF” position to the “ON” position, or by clicking on the option
<<Reject all>> with the intention of rejecting cookies that are not technical or
necessary in both cases, it is checked how the website continues to use the same
cookies detected at the beginning.
C).- About the possibility of withdrawing consent to the use of cookies once
borrowed.
Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties:
MUID .clarity.ms /__Secure-1PAPISID .google.es /
APISID .google.es /__Secure-3PSID .google.es /
SSID A .google.es /__Secure-1PSID .google.es /
__Secure-3PAPISID .google.com /SAPISID .google.com /
SSID .google.com /HSID A .google.com /
SID .google.es /__Secure-1PSID .google.com /
SIDCC .google.com /SID .google.com /
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/24
__Secure-3PSID .google.com /__Secure-3PAPISID .google.es /
MUID 3 .bing.com /__Secure-1PSIDCC .google.com /
APISID .google.com /__Secure-3PSIDCC .google.com /
SAPISID .google.es /__Secure-1PAPISID .google.com /
ANONCHK .c.clarity.ms /CLID .clarity.ms /
NID .google.es /SEARCH_E .google.com /
MR .c.clarity.ms /ts .creativecdn.com/
_RwBf .bing.com /ACLUSR .bing.com /
ACL .bing.com /OIDR .bing.com /
SM .c.clarity.ms /BFB .bing.com /
BFBUSR .bing.com /SRCHUSR .bing.com /
SRCHD .bing.com /_ttp .tiktok.com /
1P_JAR .google.com /AID .google.com /
tt_viewer .teads.tv /AEC .google.com /
CONSENT .google.com /SOCS .google.com /
NID .google.com /OTZ .google.com /
u .creativecdn.com /OID .bing.com /
OIDI .bing.com /_pinterest_ct_ua .ct.pinterest.com
MR .c.bing.com /SRCHHPGUSR .bing.com /
SRCHUID .bing.com /SRM_B .c.bing.com /
There is a link to the control panel at the bottom of the website
<<cookie configuration>> that allows the user to manage the groups of
cookies through the control panel. It is observed that now, (after accepting
all cookies) groups are pre-checked “ON”.
If you wish to reject the use of cookies by clicking on the option <<reject
all>> or moving the cursor from the “ON” position to the “OFF” position of the
different groups of cookies, and clicking on <<confirm my preferences>>,
Note that the website NO longer uses the cookies that were consented, using only
the technical or necessary cookies detected at the beginning.
D.- About the information provided in the “Cookies Policy:
If you access the “Cookies Policy”, through the link in the banner
about cookies of the first layer or through the link at the bottom of
The main page, the website displays a document:
***URL.7
where information is provided on what cookies are; the different types of cookies that
They exist and information is provided on the type of cookies used on the website and their purpose.
It also provides information on how to update the terminal equipment's browser to
manage cookies.
If you want to know the list of cookies that the website says it uses, you must access
through the existing links in the control panel (<<Information of the
cookies>>), where the list of cookies used by the website and their purpose appear.
PROVEN FACTS.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/24
Of the actions carried out in this procedure, it has been accredited
the following facts:
First: In the verification carried out by this Agency on 03/16/23 on the page
***URL.1 website has verified the following characteristics in its “Cookies Policy”:
a).- About the use of non-necessary cookies without the prior consent of
user it was verified that, upon entering the main page and without performing any action
about them, nor accept the cookies, it has been found that they were used
cookies, including two performance cookies (“AKA_A2” and “RT”)
that although they appear with the domain “***DOMAIN.1” they are used by Akamai
Technologies, Inc. (computing platform for global content delivery
of Internet of client companies) to optimize the response time between the
visitor and the website. According to the entity Akamai Technologies, Inc. of a (platform
that stores the content of the server of a client company (Massimo Dutti) on its
own servers) these cookies are necessary because they allow us to count visits and
circulation sources in order to improve the performance of the website. According to them,
All the information collected by these cookies is aggregated and, therefore, is
anonymous.
Four cookies have also been detected that could not be classified
(ITXSESSIONID; MDSESSION; bm_mi; bm_sv) although the person responsible for the page
website (GRUPO MASSIMO DUTTI, S.A) classifies them in the list that appears in the
control panel as strictly necessary cookies.
When consent is given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties MUID; ts; CONSEND; SOCS; CLID; _ga; _gid; ttp; or; NID; AEC;
_pinterest_ct_ua and 1P_JAR. Therefore, it can be considered that the website does not use
cookies that are not technical or necessary until the user provides the
consent to it.
b).- On the cookie information banner existing in the first layer,
considered that it did not provide “clear and complete” information on the purposes of the
treatment, since it was limited to stating that cookies would be used “to improve
site navigation, analyze its use and collaborate with our studies
for marketing”,
c).- Regarding the withdrawal of consent once given, it was found that it did not exist
no mechanism or access to the permanent control panel that would later allow
having given consent to withdraw it.
Second: In the verification carried out by this Agency on 04/19/23 on the page
website ***URL.1, the following characteristics were verified in its “Cookies Policy”:
a).- About the use of non-necessary cookies without the prior consent of
user it was verified that, upon entering the main page and without performing any action
about them, nor accept the cookies, it has been found that they were used
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/24
cookies, including two performance cookies (“AKA_A2” and “RT”)
that although they appear with the domain “***DOMAIN.1” they are used by Akamai
Technologies, Inc. (computing platform for global content delivery
of Internet of client companies) to optimize the response time between the
visitor and the website. According to the entity Akamai Technologies, Inc. of a (platform
that stores the content of the server of a client company (Massimo Dutti) on its
own servers) these cookies are necessary because they allow us to count visits and
circulation sources in order to improve the performance of the website. According to them,
All the information collected by these cookies is aggregated and, therefore, is
anonymous.
Four cookies have also been detected that could not be classified
(ITXSESSIONID; MDSESSION; bm_mi; bm_sv) although the person responsible for the page
website (GRUPO MASSIMO DUTTI, S.A) classifies them in the list that appears in the
control panel as strictly necessary cookies.
When consent is given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties, whose providers are: Google, Bing.com; Clarity.ms; .teads.tv and
creativecdn.com.
b).- On the cookie information banner existing in the first layer,
You can read the following message:
We use our own and third-party cookies for analytical purposes and to
show you advertising related to your preferences based on your browsing habits
navigation and your profile. You can configure or reject cookies by clicking
in “Cookie settings”. You can also accept all cookies
by clicking the “Accept all cookies” button. For more information you can
visit our
c).- Regarding the withdrawal of consent once given, it was found that now
there is mechanism or access to the permanent control panel at the bottom of the
<<cookie settings>> page that allows access to the control panel for the
cookie management.
However, if you wish to reject the use of cookies by clicking on the option
<<reject all>> or moving the cursor from the “ON” position to the
“OFF” and clicking on <<confirm my preferences>>, you can see that the website is still
using third-party cookies installed when initially accepted.
Third: In the verification carried out by this Agency on 06/06/23 on the page
website ***URL.1, it was verified, regarding the deficiencies detected in the
cookies that, once consent has been given for the use of cookies through
of the existing option in the initial banner or through consent given in the
control panel <<Accept all>>, if you wish to withdraw the consent given,
There is a link to the control panel at the bottom of the web page
<<cookie configuration>> that allows the user to manage the groups of
cookies through the control panel. It is observed that now, (after accepting
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/24
all cookies) the groups are pre-marked in the “ON” option and if desired
reject the use of cookies by clicking on the option <<reject all>> or
moving the course from the “ON” position to the “OFF” position of the different
groups of cookies, and clicking on <<confirm my preferences>>, it is observed that the
website NO longer uses the cookies that were consented to at the beginning, reusing
only the technical or necessary cookies detected at the beginning.
FOUNDATIONS OF LAW
YO.-
Competence:
The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection, in accordance with the provisions of art. 43.1,
second paragraph, of Law 34/2002, of July 11, on Society Services
of Information and Electronic Commerce (LSSI),
II.-
About the cookie information banner existing in the first layer (page
major):
In its transparency guidelines, WG29 recommends the use of declarations
or privacy notices by levels, that is, they contain the information in layers, of
so that the user is permitted to go to those aspects of the statement or notice that
are of greater interest to him, thus avoiding information fatigue, and this without prejudice to
that all the information is available in a single place or in a
complete document that can be easily accessed if the interested party wishes
consult it in its entirety.
This system may consist of displaying the essential information in a first layer,
when the page or application is accessed, and complete it in a second layer
through a page that offers more detailed and specific information
about cookies.
The first layer cookie banner must include a generic identification
of the purposes of the cookies that will be used, without it being necessary to identify them.
In the case at hand, this Agency has verified the existence of two banners
successive ones, whose existence and content have been incorporated into the file:
First of all, dated 09/23/22, the informative text of the banner was as follows:
“We use our own and third-party cookies for analytical purposes and to
show you advertising related to your preferences based on your browsing habits
navigation and your profile. You can configure or reject cookies by clicking
in “Cookie settings”. You can also accept all cookies
by clicking the “Accept all cookies” button. For more information you can
visit our Cookies Policy. Cookies policy.
Dated 03/16/23, the banner text was as follows:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/24
“By clicking “Accept all cookies”, you agree that cookies are
saved to your device to improve site navigation, analyze usage
of the same, and collaborate with our marketing studies. <<Policy
Cookies>>”
Sanctioning procedure initiated when considering that this second banner did not
provided “clear and complete” information about the purposes of the treatment, the
claimed entity stated that both wordings provided a total
equivalence in terms of information on the generic purposes that must be
provide in the initial banner, comparing both texts:
Text published on 09/23/2022 Text published on 03/16/2023
“…analytical purposes…” “…to improve site navigation,
analyze its use…”
“...to show you related advertising “...collaborate with our studies to
with your preferences based on your marketing habits…”
navigation and your profile…”
Providing complete information about the purposes of the cookies used in the
“Cookie policy” of the website,
***URL.7
Therefore, based on the evidence available, it is considered that the banner
of generic information about cookies included on the main page of the website in
issue, dated 03/16/23, does not contradict the provisions of article 22.2 of the
LSSI, by including a generic identification of the purposes of the cookies that are
they will use.
III-1
About the withdrawal of consent for the use of cookies once given.
Users must be able to withdraw the consent previously granted in
any moment. To this end, the publisher must ensure that it provides information to
users in their cookie policy on how they can withdraw consent and
delete cookies.
The user must be able to revoke consent easily. The system that
offer to withdraw consent should be as easy as that used when
presto. This facility will be considered to exist, for example, when the user has
simple and permanent access to the cookie management or configuration system.
In the present case, in the verification carried out by this Agency of the website
in question, on 03/16/23 that, once consent was given for the use of the
cookies that were not technical or necessary, through the existing option in the
initial banner or through consent given in the control panel <<Accept
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/24
all>>, it was found that third-party cookies were installed, whose suppliers
were. Google, Bing.com; Clarity.ms; .teads.tv and creativecdn.com.
However, it was found that there was no mechanism or access to the control panel.
control that would later allow the consent given to be withdrawn and reject these
cookies that had previously been accepted.
This sanctioning procedure has been initiated, and in view of the allegations presented
by the claimed party, a check of the website was carried out again with
date 04/19/23, in which it was detected that the website had been modified
including a mechanism or permanent control panel access at the bottom
from the <<cookie settings>> page that allowed access to the control panel
for cookie management. However, if you wanted to reject the use of
non-technical or necessary cookies allowed in advance, by clicking on the option
<<reject all>> or moving the cursor from the “ON” position to the
“OFF” and clicking on <<confirm my preferences>>, it was observed that the website
was still using the third-party cookies installed when they were initially accepted.
After the allegations regarding the proposed resolution, a third
verification of the website in question dated 06/06/23, in which it was detected,
by this Agency that, once consent has been given for the use of the
cookies that are not technical or necessary, if you wish to withdraw consent
provided, the website NO longer uses the cookies that were consented, using again
only the technical or necessary cookies detected at the beginning, disappearing
third party cookies.
In this sense, although it is noted that the person responsible for the website has modified the
cookie policy adapting it to current regulations, that does not make it disappear
the non-compliance that has been proven, since this Agency carried out the first
checking the website on 03/16/23.
III-2
Typification and qualification of the administrative offense
The deficiencies detected in the cookie policy, since the verification carried out
on 04/19/23 until the last one, dated 06/06/23 on the website in question, regarding the
impossibility of rejecting non-technical or necessary third-party cookies, once
given the initial consent, constitutes a violation of the provisions of the
article 22.2 of the LSSI, as it establishes that:
“Service providers may use storage devices and
data recovery on recipients' terminal equipment, provided
that they have given their consent after they have been
provided clear and complete information on its use, in particular on
the purposes of data processing, in accordance with the provisions of the Law
Organic 15/1999, protection of personal data.
Where technically possible and effective, the consent of the recipient
to accept the processing of the data may be facilitated through the use of the
appropriate settings of the browser or other applications.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/24
The above will not prevent possible storage or access of a technical nature
for the sole purpose of carrying out the transmission of a communication over a network of
electronic communications or, to the extent strictly necessary
necessary, for the provision of an information society service
expressly requested by the recipient.”
III-3.
Sanction
This Infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.
Considering the factors exposed, the value reached by the fine, for the
violation of article 22.2, is 5,000 euros (five thousand euros).
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency,
RESOLVES:
FIRST: IMPOSE THE MASSIMO DUTTI GROUP, S.A. with NIE.: A78115201,
responsible for the website ***URL.1, for a violation of article 22.2 of the LSSI,
classified as “mild” in article 38.4 g), a fine of 5,000 euros (five thousand
euros).
SECOND: NOTIFY this resolution to GRUPO MASSIMO DUTTI, S.A.
Warn the sanctioned person that he must make the sanction imposed effective once the
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN No.: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A..
Otherwise, it will be collected during the executive period. Received the
notification and once executive, if the date of execution is between the days
1 and 15 of each month, both inclusive, the deadline to make the voluntary payment will be
until the 20th of the following or immediately following business month, and if it is between
on the 16th and last day of each month, both inclusive, the payment period will be until the 5th
of the second following or immediately following business month. In accordance with what
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/24
established in article 50 of the LOPDGDD, this Resolution will be made public
once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be provisionally suspended administratively
If the interested party expresses his intention to file a contentious appeal.
administrative.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/],
or through any of the other registries provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer the documentation to the Agency
that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious appeal.
administrative within a period of two months from the day following notification of the
This resolution would end the precautionary suspension.
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
