AEPD (Spain) - EXP202211953
Latest revision as of 12:42, 13 December 2023
AEPD - PS-00080-2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(a) GDPR; Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 30.09.2022 |
Decided: | |
Published: | 20.09.2023 |
Fine: | 5000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00080-2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Paola Leon |
The Spanish DPA imposed a fine against a website operator for failing to provide adequate information under Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR.
English Summary
Facts
A data subject submitted a complaint to the AEPD indicating that the website operator Chatwith.IO infringed the GDPR by implementing dark patterns, specifically overloading and skipping, when users try to object to the processing of their personal data by third parties. Users are prompted with a pop-up which contains a list of service providers, 1,522 in total, of which 338 have the selection box toggled on. If users want to object, they need to toggle off each box individually. The data subject submitted that there should be an option to object to ALL of the legitimate interests at once. Moreover, these selection boxes are shown in a light grey colour which can easily be confused with the white background of the website, so users need an additional visual effort to distinguish the options. Further, the data subject submitted that the legitimate interest of third parties is not explained in a manner that can be easily comprehended and cannot be found in the privacy policy; users have to access each of the third parties' privacy policies.
Holding
Upon reviewing the data subject's complaint, the AEPD confirmed the following:
1. The purposes of the processing for which the personal data are intended and the legal basis for the processing are worded ambiguously or lack the required clarity.
2. The legitimate interests of the third parties that the controller refers to in the information banner on the main page are unclear, and it is necessary to access individually the separate privacy policies of each of the more than 1,000 companies that appear in the providers list.
3. No reference is made to the controller's intention to transfer personal data to a third country or international organization outside the European Union, despite the fact that some of the companies that appear in the providers list are located outside the EU.
4. In terms of dark patterns, the AEPD confirmed that the dark pattern of overloading and skipping is observed when accessing the providers list. Once there, users find a list of about 130 companies, of which more than half have the “Accept data processing for legitimate interest” box marked by default. To object to the processing, users must unmark the boxes one by one throughout the entire list, without the option of objecting by indicating it only once, or a number of times that is reasonable and does not generate fatigue in the affected person.
5. With regard to cookies, those that are not technical or necessary are deployed before obtaining consent from users.
6. The cookie management panel shows that the groups of cookies are divided into two options: accepting cookies by “Consent”, which are pre-marked in the “not accepted” option, and accepting cookies by “Legitimate Interest”, which are pre-marked in the “accepted” option. However, if all the options marked “accepted” are unchecked, the website still continues to use the same cookies detected when entering the website without having given consent.
7. There is no information about cookies in the second layer, nor a link that redirects the user to the “Cookie Policy” of the website. The information about cookies appears dispersed across the options of the cookie management panel.
The DPA resolved to impose a fine of 2000 euro for infringement of Article 13 GDPR and required compliance with this article within one month. This infringement was considered as medium. It also imposed a fine of 5000 euro for infringement of Article 5(1)(a) GDPR, as well as one month to bring its processing into compliance. This infringement was considered very grave.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202211953 (PS/00080/2023)

RESOLUTION OF THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On 09/30/22, Mr. A.A.A. (hereinafter, the complaining party) filed a claim before the Spanish Data Protection Agency. The claim is directed against the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239, owner of the website ***URL.1 (the claimed party), for the alleged violation of data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons regarding the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and against Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).

The reasons on which the claim was based are:

“The company IURIS MARKETING S.L. (current CHATWITH.IO WORLDWIDE S.L.) is the owner of the website ***URL.1. The claimed company processes the personal data of visitors who access the website, obtaining them both directly from the interested parties through requests for information when they try to contact the lawyers who advertise on the page, and through the use of cookies that are installed on the visitor's computer equipment when consulting the website. This is reported by the data controller himself through a message that appears when accessing iurisnow.com, in a pop-up window that is superimposed on the main window and that, under the title “Privacy and Transparency”, informs the user that both the owner of the website and its partners process the personal data of the interested party. Specifically, it is indicated in the first part of the informative text, that “We and our partners use cookies to Store or access information on a device. 
We and our partners use data to Personalized ads and content, ad and content measurement, information about the public and product development”, at the same time, towards half of the text, you can read, that “Some of our partners may process your data as part of our legitimate business interest without requesting your consent. To see the purposes that they believe have legitimate interest or object to this data processing, please use the link in the list of suppliers below.” A copy of the pop-up window is attached (Doc. evidentiary 4). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/31 The controller uses dark overload patterns overloading and skipping in user interface design through which the privacy options to be applied are configured to the processing of the website visitor's data, specifically when the interested party expresses his opposition to data processing based in the legitimate interest of the person responsible and of third parties, whom he calls “partners”. The dark overload pattern is clearly observed when accessing the section of the “Supplier List” pop-up window, once there, the interested party finds a list of 1,522 companies, of which, according to the estimate made by the claimant, 338 have the default marked "Legitimate interest" box, which requires, in the case of wanting to show the opposition to the treatment of marking one by one throughout the entire list, each one of the 338 boxes, without there being the option of being able to object by indicating it only once or a number of times that is reasonable and does not generate fatigue in the affected. To the previous 338 boxes, we must add another nine that are found in the “Manage settings” section. 
Upon accessing, you can see that a set of nine purposes appear of treatment under the title of “Purposes”, each of them, with its box corresponding marked with the default option in favor of the treatment based on legitimate interest, it being necessary to select one by one the boxes to be able to oppose each of the purposes established by the responsible. As in the previous situation, there is no option in the window that allows you to oppose all of them at the same time, or a number reasonable of times. A copy of the “List of suppliers” section is provided for evidentiary purposes. (Exhibit document 5), copy of the “Manage configuration” section for purposes evidence (Evidence Doc. 6) and the formulas used to calculate List companies and estimate boxes with privacy options affected (evidence document 17). On the other hand, the dark concealment pattern is used in the “Supplier List”. If you access this section, you can observe with some difficulty that there is an estimated set of 32 companies who have the consent box checked with the option blocked, without that the interested party can revoke it. These boxes appear in a grayish color that blends in with white. used as the background of the screen, which makes it difficult to locate and serves as camouflage mechanism, avoiding detection if no effort is made increased visual (Exhibits 5 and 17). The information that provided by the person responsible, relating to the legitimate interests of third parties and the purposes of the processing to which personal data is intended is not transparent. The legitimate interests of third parties and the purposes of the processing are not determine or explain in a clear or understandable manner in the information offered to interested parties. 
Within the privacy policy of the person responsible, the purposes for which the processing is carried out are not indicated; not even under the title “Provenance, purpose and legitimacy of the data offered” can any reference be found to the purposes for which the data is collected. Nor can you find information about the legitimate interests of third parties under the title “Recipients of the data or transfer to third parties”, nor in other parts of the privacy policy, it being necessary to access individually the different privacy policies of each of the 1,522 companies that appear in the so-called “List of suppliers”, for which a URL link does appear within the drop-down information of each "supplier". The only information that can apparently refer to both the purposes and the legitimate interests of third parties can be found, in unclear form, in the text that appears within the pop-up window, which mentions that the data is used for “ads and content personalized, ad and content measurement, information about the public and product development”, without providing more information. (Documents evidence 2 and 4). The person responsible for the treatment does not make any mention, in the information provided to the interested party, both in the pop-up window and in the privacy policy, of the intention or possibility of transfers of data to third countries outside the European Union, nor of the existence or absence of an adequacy decision from the Commission, nor of the adequate guarantees or appropriate measures that can be adopted so that the interested party can exercise their rights regardless of the international transfer. All this despite the fact that a relevant part of the companies that appear in the “List of suppliers” do state in their respective privacy policies that the data collected by them may be transferred outside of the European Union. 
SECOND: On 11/15/22, in accordance with the provisions of article 65.4 of the LOPDGDD, this Agency transferred said claim to the claimed party, so that it could proceed with its analysis and report, within a period of one month, about what was stated in the statement of claim.

According to a certificate from the Electronic Notifications and Electronic Address Service, the request letter sent to the claimed party on 11/18/22, through the electronic notification service “NOTIFIC@”, was rejected at destination on 11/29/22. Although the notification was validly carried out by electronic means, and the procedure was deemed to have been carried out in accordance with the provisions of article 41.5 of the LPACAP, for information purposes an attempt was also made to send it by postal mail, which was returned on 12/14/22 with the message “unknown”.

THIRD: On 12/30/22, the Director of the Spanish Agency for Data Protection issued an agreement to admit the claim presented for processing, in accordance with article 65 of the LOPDGDD, on appreciating possible rational indications of a violation of the rules within the competences of the Spanish Data Protection Agency.

FOURTH: On 02/08/23, this Agency accessed the web page ***URL.1, verifying the following characteristics of its “Privacy Policy” and its “Cookies Policy”:

a).- Regarding the processing of personal data:

a.1.- It is verified how, on the website, personal data can be obtained through the <<contact>> link, located at the top of the main page, where you can enter personal data such as name, telephone, email and subject. 
Before submitting the form, the user must check the box: “_ I have read and accept the <<Privacy Policy>> and the <<Terms of Use>>” a.2.- Personal data can also be entered when registering in the website, through the link at the top right of the main page <<private area>>, from which a form is displayed ***FORM.1 where personal data such as name, surname, address must be entered phone, email. There is also the possibility of attaching a photo. Before submitting the form, the user must check the box: “_ I have read and accept the <<Privacy Policy>> and the <<Terms of Use>>” a.3.- On the pages of the two previous forms there is a banner with the following information: By virtue of the provisions of the L.O. 3/18 Iuris NOW informs you that the data of personal nature that you may offer us are part of data processing The following applies to you: Responsible: IURIS MARKETING S.L. Purpose: Register on the platform to be listed as a professional and receive customer contacts Legitimation: Consent of the interested party or his legal representative. Recipients: Iuris Marketing S.L. and the contracted services. 
Rights: Access, rectify and delete data, as explained in our Privacy Policy

b).- About the “Privacy Policy”:

If you access the “Privacy Policy” through the existing links in the previous forms or through the link at the bottom of the main page, the website redirects the user to a new page ***URL.2 where it provides the following information:

b.1.- Regarding the “legal notice” information is provided on:

- The person responsible for the website
- Conditions of access and use of the portal
- Third party content
- Use of links
- Disclaimer
- Applicable legislation and jurisdiction

b.2.- Regarding the Privacy Policy, you are informed of:

RESPONSIBLE FOR DATA PROCESSING

The ownership of this website, with domain ***DOMINIO.1, is Iuris Marketing S.L., hereinafter “Iuris NOW”, and address at ***ADDRESS.1, with contact email ***EMAIL.1

All of the above, as Data Controller you are informed that:

DATA PROTECTION RIGHTS:

Iuris NOW users can direct any communication, either in writing to the address provided previously, or by electronic mail (***EMAIL.1), communication via email being faster and more effective.

The user can always exercise the following rights:

Right of access: Iuris NOW users may request access to the personal data that we have about them.

Right to request rectification: In cases where the data is incorrect or needs to be updated, for the relevant reason, you may request its rectification.

Right of deletion: The interested party may request Iuris NOW, at any time, to delete any personal data that concerns them.

Right to request the limitation of your treatment: You may request Iuris NOW the limitation of the data obtained either because the data is not needed personal data for the purposes of the processing, but are necessary for the interested. 
Right to oppose the processing: Iuris NOW will stop processing the data that have been provided by the user, unless legitimate and imperative reasons are proven to be able to continue with the treatment.

Right to portability of the data offered: In the event that you want your data to be processed by another company or person, Iuris NOW undertakes to facilitate said data portability to the new controller whenever requested.

In application of the aforementioned legislation that we have mentioned at the beginning of this text, we offer users the model, form and other interesting information offered by the Spanish Agency for Data Protection in the following link

Likewise, within the rights of users, we offer the possibility of withdrawing the consent that has been granted by any of the means by which it was obtained, since the user of the website has the right to withdraw the consent granted at any time, without alleging just cause; however, the withdrawal of the consent granted will not invalidate the treatment based on consent prior to its withdrawal.

Finally, we want to emphasize the importance of the exercise of these rights, and any problem or disagreement that may occur with Iuris NOW in the processing of the data, claims may be submitted that may be right suits the corresponding data protection authority, being in Spain the Spanish Data Protection Agency

CONSERVATION OF THE DATA OFFERED

The disaggregated data will be kept without a deletion period. 
User data: The retention period of the data of people who offered to Iuris NOW will vary depending on the service that the user contracts with Iuris NOW, however, data retention will be minimal required for the specific case, in general:

Clients: From the moment the service provision relationship begins with the client, until 4 years have passed since the end of the provision of services

Blog comments: From the moment the user leaves their comment on the blog until requesting its deletion

Newsletter subscribers: Since the user subscribes to the newsletter until you withdraw your consent

Contact form: Since the user accepts the sending of their data through the contact form until you withdraw your consent.

Download a document: Since the user downloads the document and you consent to send you communications.

PRINCIPLES OF APPLICATION TO PERSONAL INFORMATION

In the processing of personal data that you offer through the media established, Iuris NOW will apply the following principles required by the applicable legislation:

Principle of legality, loyalty and transparency: In order to carry out treatment of your data, I will always require express, unequivocal consent, informed and prior to the treatment, the information and treatment thereof It will be specifically intended for the purpose you have requested.

Data minimization principle: I will only require the information from you necessary for the specific case, I do not want to handle more information than the necessary, but rather that which is essential to be able to respond.

Principle of limitation of the conservation period: The data you offer me, will be maintained in the file owned by Iuris NOW for the period essential and necessary. 
Principle of integrity and confidentiality: The data will be treated in a way that guarantees their security and confidentiality, taking the necessary precautions to access them, only authorized persons or authorized third parties. ORIGIN, PURPOSE AND LEGITIMACY OF THE DATA OFFERED Based on all of the above, the category of data requested from the users is a basic category, it is not a data category specially protected. Web hosting: The Iuris NOW page is hosted at OVH (OVH HISPANO SL NIF: B-83834747) Company based in Madrid, being application of the provisions of the RGPD and LOPDyGDD Data collected through the website: The data collected through the web page, will be incorporated into the corresponding file, in addition to the information provided, the IP address is also collected, which in the large Most of the time this information is not used. Social networks: Iuris NOW has a presence on different social networks, recognizing us as responsible for the data that users process through social networks privately with Iuris NOW, in order to be extracted to provide the requested information. The purpose and legitimacy of the data processing that Iuris NOW carries out on social networks, will be the one permitted by the social network DATA COLLECT The user guarantees that the personal data that has been provided by different means offered and mentioned above are accurate and truthful, being responsible for communicating to Iuris NOW any type of modification that arises in personal data. If the data that has been offered belongs to a third party, the user guarantees that has obtained the consent of said third party in order to facilitate the data. When providing the data, the user declares and accepts having read the this privacy policy, expressly consenting to the treatment of personal data in accordance with what is established on this page. 
Likewise, when a user requests information, they are providing a minimum personal information for which Iuris NOW will be responsible. When requesting information, information is collected from the IP address, name, email address, phone number and other information. Be managed and used by Iuris NOW.

RECIPIENTS OF THE DATA OR TRANSFER TO THIRD PARTIES

For the correct development of the activity carried out by Iuris NOW, it is necessary have different professionals or tools with which you can develop the activities described above, therefore, Iuris NOW share strictly necessary data under their corresponding privacy conditions with the following providers:

Google Analytics: The Iuris NOW website uses a service system analytics offered by the company Google Inc, is a company located in the 1600 Amphitheatre Parkway, Mountain View (California), CA 94043, USA. This program uses “cookies” which are text files located on your computer when visiting the website, the purpose is to help Iuris NOW to know what users who visit your website do. The information that offered by Google Analytics includes the IP address of the visitor who will be transmitted and archived by Google on its services located in the United States.

The Iuris NOW page is hosted on OVH. The Iuris NOW website has SSL encryption that allows the secure sending of your personal data through the different means that we collect data in our web, website developed using WordPress, more information at Automattic.

Google Adsense: The previous company mentioned Google Inc, offers services of advertising that are being used on this website, for this, uses a cookie that publishes a series of advertisements on our website. The user can disable the use of these cookies by following the instructions that are indicated in the Google section itself. 
For this advertising system, Google offers a platform to different partner companies to publish ads through their platform, so that, certain information is used to provide advertisements about products and services that are of interest, but at no time is the name collected, address, email address or telephone number - If you would like more information about this practice and to know your different options, consult the next link

Google Maps: It is a map display service provided by Google Inc, which allows us to provide an interactive map to our website – Google Privacy Policy

Lawyers: As an object of our main activity, when you leave us your data and request advice, we will offer your data to the best lawyer or the lawyer that you have requested from us.

CONFIDENTIALITY

Iuris NOW is committed to the use and processing of personal data that are collected through the website, respecting at all times the confidentiality and to use them for the purpose for which they were collected. We undertake to carry out all necessary actions regarding of data protection.

ACCEPTANCE AND CONSENT

The user accepts having been informed of the conditions regarding protection of data inherent to the legislation that is applicable, accepting and consenting to their processing by Iuris NOW.

SECURITY MEASURES

This website includes an SSL certificate, it is a security protocol that causes the data between the user and Iuris NOW, a transmission to occur sure of it, we also have a specific security service and we constantly update all the technologies we use in our page. Likewise, Iuris NOW will keep updated and apply all measures necessary to be able to offer the greatest possible security to users; however, absolute impregnability on the Internet does not exist, committing ourselves that any incident that may affect the users, will be communicated as established in the legislation. 
Security measures will be reviewed periodically to verify that are still useful for the purpose for which they were collected.

CHANGES IN THE PRIVACY POLICY

Iuris NOW reserves the right to modify this policy to adapt it to future legislative or jurisprudential modifications, as well as changes that are made in the Iuris NOW services. Iuris NOW will announce the changes that occur and are essential.

c).- About the Cookies Policy:

1.- About the use of cookies before the user gives their consent:

When entering the website for the first time, once the terminal equipment has been cleaned of navigation history and cookies, without accepting new cookies or performing any action on the website, it has been verified that cookies that are not technical or necessary are used, with the following characteristics:

Performance cookies (3): These cookies allow us to quantify the number of visits and traffic sources to be able to evaluate the performance of the site. They help us know which pages are the most or least visited and how visitors navigate the site.

Cookie | Domain | Description |
---|---|---|
_gid | ***DOMAIN.1 | This cookie is set by Google Analytics. It stores and sets a unique value for each visited page and is used to count and track page views. |
_ga_BHX4LX8C4J | ***DOMAIN.1 | Google Analytics uses this cookie to maintain the state of the session. |
_ga | ***DOMAIN.1 | This cookie name is associated with Google Universal Analytics, which is an important update to Google's most used analysis service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request on a site and used to calculate visitor, session and campaign data for site analysis reports. |

Targeting Cookies (1): These include social media cookies that are placed on sites to track users across the web and serve them ads. 
Cookie | Domain | Description |
---|---|---|
_gat_gtag_UA_181162822_9 | ***DOMAIN.1 | This cookie is part of Google Analytics and is used to limit requests (throttling the request rate). |

2.- About the cookie information banner in the first layer:

When entering the website for the first time, once the terminal equipment has been cleaned of navigation history and cookies, without performing any action on the web page, a cookie information banner appears at the bottom of the main page with the following message:

We welcome you to iurisnow.com

iurisnow.com requests your consent to use your personal data with these goals:

Personalized ads and content, ad and content measurement, information about the public and product development devices.

Store or access information on a device

More information

Your personal data will be processed and the information on your device (cookies, unique identifiers and other device data) may be stored, consulted and shared with <<external providers>> or used specifically through this website or application.

Some providers may process your personal data under a legitimate interest, something you can object to by managing your options below. Look for a link at the bottom of this page or in our privacy policy to revoke consent.

<<Manage Options>> <<Consent>>

a).- If you access the list of suppliers, a new page appears with the following information:

Which third-party providers can access my data?

These third party providers may use your data to provide services:

Exponential Interactive, Inc d/b/a VDX.tv …. Index Exchange, Inc. …. Vodafone … netfix … > 200

<<close>>

b).- If you access the control panel, through the <<Manage Options>> option, the website displays a new page with the following information:

Data preferences. Manage your data

You can choose how your personal data is used. 
Suppliers request your permission to do the following:

- Store or access information on a device. Cookies, device identifiers or other information may be stored or accessed on your device for the purposes presented. See details. Consent: OFF
- Select basic ads. Ads can be displayed based on the content being viewed, the application being used, its approximate location or its type of device. See details. Consent: OFF | Legitimate interest: ON
- Create a custom advertising profile. We may create a profile about you and your interests to show you personalized ads that are relevant to you. See details. Consent: OFF | Legitimate interest: ON
- Select personalized ads. Personalized ads may be displayed based on your profile. See details. Consent: OFF
- Create a profile for content customization. A profile can be created about you and your interests to show you personalized content that is relevant to you. See details. Consent: OFF | Legitimate interest: ON
- Select custom content. Custom content can be displayed based on your profile. See details. Consent: OFF | Legitimate interest: ON
- Measure ad performance. You can measure the performance and effectiveness of the ads you see or interact with. See details. Consent: OFF | Legitimate interest: ON
- Measure content performance. You can measure the performance and effectiveness of the content you view or interact with. See details. Consent: OFF | Legitimate interest: ON
- Use market research to generate information about the public. Market research can be used to obtain more information about the audience that visits websites/applications and views ads. See details. Consent: OFF | Legitimate interest: ON
- Develop and improve products. Your data may be used to improve existing systems and/or software, as well as to develop new products. 
See details. Consent: OFF | Legitimate interest: ON
- Ensure security, prevent fraud and debug errors. Your data may be used to monitor and prevent fraudulent activities, and to ensure systems and processes operate correctly and safely. See details
- Technically serve ads or content. Your device may receive and send information that allows you to view and interact with ads and content. See details
- Collate and combine offline data sources. Data obtained from offline data sources can be combined with your activity online to support one or more purposes. See details
- Link different devices. You can determine which devices belong to you or your home to one or more purposes. See details
- Receive and use for identification the characteristics of the device that are sent automatically. Your device can be distinguished from other devices based on the information it sends automatically, such as the IP address or browser type. See details
- Use precise geographic location data. Your precise geographic location data may be used for one or more purposes. This means that your location can be accurate to within several meters. See details. Consent: OFF

<<Supplier preferences>>

If you access the supplier control panel, a new page appears:

Accept our suppliers

Providers may use your data to offer you services. If you reject a provider, they will no longer be able to use the data you have shared with them.

- Exponential Interactive, Inc d/b/a VDX.tv. Cookie duration: 90 days. Cookie duration is reset after each session. See details. Consent: OFF | Legitimate interest: ON
- Roq.ad Inc. Cookie duration: 365 (days). Cookie duration is reset after each session. Consent: OFF
- … … …

<<Accept All>> <<Confirm Options>>

3º.- About the information provided in the “Cookies Policy”:

There is no page or link that redirects the user to the “Cookies Policy”. 
The only existing information about cookies is that provided in the banner of the main page when it is accessed for the first time and the information offered via the control panel.
4º.- About how to withdraw consent to the use of cookies after having given it: There is a link at the bottom of the web page, <<Privacy Settings and Cookies>>, through which the control panel can be accessed at any moment of web browsing.
FIFTH: On 04/14/23, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against the defendant, for the alleged violations of:
a).- Violation of article 13 of the RGPD, due to the deficiencies observed in its “Privacy Policy”, with an initial penalty of 2,000 euros, without prejudice to what results from the instruction. Likewise, it was noted that the violations charged, if confirmed, may lead to the imposition of measures, according to the aforementioned article 58.2 d) of the RGPD.
b).- Violation of article 5.1.a) of the RGPD, due to the use of the dark patterns of overloading and skipping, with an initial penalty of 5,000 euros, without prejudice to what results from the investigation. Likewise, it was warned that the alleged infractions, if confirmed, may lead to the imposition of measures, according to the aforementioned article 58.2 d) of the RGPD.
c).- Violation of article 22.2 of the LSSI, due to the deficiencies detected in its web page regarding the “Cookies Policy”, with an initial penalty of 5,000 euros, without prejudice to what results from the instruction.
Notification of the initiation agreement was attempted in accordance with the standards set forth in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (LPACAP).
According to the certificate of the State Company Correos y Telégrafos, S.A., the letter initiating the file sent to the address CHATWITH.IO WORLDWIDE, S.L.
C/ ***ADDRESS.1, was returned to origin as “Leftover (Not withdrawn in office)” on 05/03/23, with the following associated information (Unit: XXXXXXXX):
- 1st delivery attempt on 04/21/23 at 12:05, by employee 282402, resulted in 03 “Absent”.
- 2nd delivery attempt on 04/24/23 at 8:20 p.m., by employee 186402, resulted in 03 “Absent”. (Notice was left in mailbox.)
On 05/09/23, notification of the initiation agreement was made through an announcement in the single Edictal Board of the Official State Gazette, in accordance with article 44 of the LPACAP. In said announcement the claimed party is informed about the possibility of obtaining a copy of the opening agreement.
SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in the LPACAP and, after the period granted for the formulation of allegations has elapsed, it has been verified that no allegation has been received from the claimed party.
Article 64.2.f) of the LPACAP - provision of which the claimed party was informed in the agreement to open the procedure - establishes that if no allegations are made within the stipulated period regarding the content of the initiation agreement, when this contains a precise statement about the imputed responsibility, it may be considered a proposal for a resolution. In the present case, the agreement initiating the sanctioning file determined the facts on which the imputation rests, the infraction attributed to the person complained of and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not formulated allegations to the agreement to initiate the file, and in accordance with what is established in article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case a proposed resolution.
In view of everything that has been done, the Spanish Data Protection Agency considers the following to be proven facts in this procedure:
PROVEN FACTS.
First: In the information provided in the “Privacy Policy” ***URL.2, and in relation to the provisions of the cited article 13 GDPR, the person responsible for the processing of personal data obtained through the website does not offer information, or at least not detailed information, on the following points:
- The purposes of the processing for which the personal data are intended and the legal basis of the treatment: the wording is ambiguous or lacks the required clarity.
- The legitimate interests of the third parties to which the person responsible for the treatment refers in the existing information banner on the main page: it is necessary to access individually the different privacy policies of each of the more than 1,000 companies that appear in the “List of suppliers”, since the information appears unclearly in the text of each provider's pop-up window.
- No reference is made to the intention of the person responsible to transfer personal data to a third country or international organization outside the European Union, all this despite the fact that a part of the companies (suppliers) that appear in the “Supplier List” are located outside the EU.
Second: On the use of the dark patterns of overloading and skipping: in the case at hand, the dark pattern of overloading and hiding (skipping) is observed when accessing the “List of suppliers”. Once there, the interested party finds a list of about 130 companies (suppliers), of which more than half have the “Accept data processing for legitimate interest” box marked by default, which requires anyone wanting to show opposition to the treatment to mark them one by one throughout the entire list, without the option of objecting by indicating it only once, or a number of times that is reasonable and does not generate fatigue in the affected person.
Third: Regarding the Cookies Policy on the website in question, the following irregularities have been detected:
- When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies that are not technical or necessary are used: 3 Performance cookies: _gid; _ga_BHX4LX8C4J and _ga, and a Targeting Cookie: _gat_gtag_UA_181162822_9
- In the cookie control panel it has been detected that the groups of cookies are divided into two options: accept cookies by “Consent”, which are pre-marked in the “not accepted” option, and accept cookies for “Legitimate Interest”, which are pre-marked in the “accepted” option. However, if all the options marked “accepted” are unchecked, it is verified that the same cookies detected when entering the website without having given consent continue to be used.
- There is no information about cookies in the second layer, nor a link that enables the user to be redirected to the “Cookie Policy” of the website. The information about cookies appears dispersed in each of the options of the control panel.
FOUNDATIONS OF LAW
I.- Competence:
- About the processing of personal data and the “Privacy Policy”: The Director of the Spanish Agency of Data Protection is competent to resolve this procedure, by virtue of the powers that art. 58.2 of the RGPD recognizes to each Control Authority and as established in arts. 47, 64.2 and 68.1 of the LOPDGDD.
- About the “Cookie Policy”: The Director of the Spanish Agency of Data Protection is competent to resolve this procedure, in accordance with the provisions of art. 43.1, second paragraph, of the LSSI.
II.-1 About the processing of personal data on the website and the “Privacy Policy”
In the verification carried out on the website, ***URL.1, it is confirmed that personal data can be obtained through the <<contact>> link, intended for making queries, and that personal data can also be entered when registering on the website, through the link at the top right of the main page, <<Private area>>.
The “Privacy Policy” can be accessed through the existing links in the forms mentioned above or through the link at the bottom of the main page, <<Privacy Policy and Legal Notice>>.
Well, article 13 of the RGPD details the information that must be provided to the interested party when the data is collected directly from him, establishing that:
“1. When personal data relating to him is obtained from an interested party, the person responsible for the treatment, at the time these are obtained, will provide:
a) the identity and contact details of the person responsible and, where applicable, of his representative;
b) the contact details of the data protection delegate, if applicable;
c) the purposes of the processing for which the personal data are intended and the legal basis of the treatment;
d) when the treatment is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
e) the recipients or categories of recipients of the personal data, if applicable;
f) where applicable, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision from the Commission, or, in the case of the transfers indicated in Articles 46 or 47 or Article 49(1), second paragraph, reference to
adequate or appropriate guarantees and the means to obtain a copy of these or the fact that they have been provided.
2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the moment in which the personal data are obtained, the following information necessary to guarantee fair and transparent data processing:
a) the period during which the personal data will be retained or, when this is not possible, the criteria used to determine this term;
b) the existence of the right to request from the person responsible for the processing access to personal data relating to the interested party, and its rectification or deletion, or the limitation of its processing, or to oppose the processing, as well as the right to data portability;
c) when the processing is based on Article 6(1)(a) or Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to sign a contract, and whether the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and anticipated consequences of such treatment for the interested party”.
In the case at hand, regarding the information provided in the “Privacy Policy” ***URL.1 and in relation to the provisions of the cited article 13 GDPR, it is noted that it does not offer information on the following points:
- The purposes of the processing for which the personal data are intended and the legal basis of the treatment: the wording is ambiguous or lacks the required clarity and precision.
- The legitimate interests of the third parties to which the person responsible for the treatment refers in the information banner existing on the main page, requiring individual access to the different privacy policies of each of the more than 1,000 companies that appear in the “List of suppliers”, since the information appears unclearly in the text of the pop-up window of each supplier.
- No reference is made to the intention of the person responsible to transfer personal data to a third country or international organization outside the European Union, all this despite the fact that a part of the companies (suppliers) that appear in the “List of suppliers” are located outside the EU.
II.-2 Sanction
The irregularities detected in the “Privacy Policy” of the website ***URL.1 may constitute a violation of article 13 RGPD.
This violation can be punished with a fine of a maximum of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the larger amount, in accordance with article 83.5.b) of the RGPD.
In this sense, article 74.a) of the LOPDGDD, on the infractions considered mild, indicates that:
The remaining infractions of a merely formal nature of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will be subject to a one-year statute of limitations and, in particular, the following: a) Failure to comply with the principle of transparency of information or the right to information of the affected person for not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679.
In accordance with the above, it is considered appropriate to impose a penalty of 2,000 euros (two thousand euros) for the violation of article 13 RGPD.
II.-3. Measures
Once the infraction is confirmed, it is necessary to determine whether or not it is appropriate to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the person responsible or in charge of the treatment to bring the treatment operations into compliance with the provisions of this Regulation, where applicable, in a certain manner and within a specified period…”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR.
The text of this agreement establishes which infractions have allegedly been committed and the facts that give rise to the violation of the data protection regulations, from which it is clearly inferred what measures are to be adopted, without prejudice to the fact that the type of procedures, mechanisms or specific instruments to implement them corresponds to the sanctioned party, since it is the person responsible for the treatment who fully knows its organization and must decide, based on proactive responsibility and the risk approach, how to comply with the RGPD and the LOPDGDD.
However, in this case, regardless of the above, it is appropriate to require the responsible entity, within the period indicated in the operative part, to adapt the “Privacy Policy” of its website to the current regulations, specifically to what is stipulated in article 13 of the GDPR.
Please note that failure to comply with the requirements of this organization may be considered an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.
III.-1 On the use of the dark patterns of overloading and hiding (skipping)
According to the complainant, the data controller uses the dark patterns of overloading and skipping in the design of the user interface through which the privacy options to be applied to the processing of the data of the visitor to the website are configured, specifically when the interested party expresses opposition to data processing based on the legitimate interest of the person responsible and of third parties, whom it calls “partners”.
The term “dark patterns” refers to the interfaces or implementations of user experience intended to influence people's behavior and decisions in their interaction with websites, apps and social networks, in such a way that they make decisions potentially detrimental to the protection of their personal information.
According to recital (39) of the GDPR:
“All processing of personal data must be lawful and fair. For natural persons it must be completely clear that personal data concerning them are being collected, used, consulted or otherwise processed, as well as the extent to which said data is or will be processed. The principle of transparency requires that all information and communication regarding the processing of said data is easily accessible and easy to understand, and that simple and clear language is used.
This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and its purposes, and to the added information to ensure fair and transparent treatment with respect to the natural persons affected and their right to obtain confirmation and communication of the personal data concerning them that are subject to processing, (…)”.
In this regard, article 5 RGPD includes the “Principles relating to processing” and in section 1.a) establishes that:
Personal data will be processed in a lawful, fair and transparent manner in relation to the interested party (“lawfulness, loyalty and transparency”).
Well, in application of the principle of loyalty established in article 5.1.a, data controllers must ensure that dark patterns are not used, at least in relation to decisions regarding the processing of personal data.
The European Data Protection Board (EDPB) adopted for public consultation its ‘Guidelines on dark patterns in social media interfaces: How to recognize and avoid them’. These guidelines, like the AEPD guide, take article 5.1.a of the GDPR as a starting point to evaluate when a design pattern in a user interface corresponds to a dark pattern.
Dark patterns can be presented to the user in data processing operations of various kinds, such as during the registration process on a social network, when logging in, or in other scenarios such as configuring privacy, in cookie banners, during the process of exercising rights, in the content of a communication reporting a personal data breach, or even when trying to unsubscribe from the platform.
According to the EDPB Guidelines, dark patterns can be classified into the following categories:
Overloading: consists of presenting too many possibilities to the person who has to make the decisions, which ends up generating fatigue in the user, who ends up sharing more personal information than desired. The most common techniques to produce this fatigue due to overload are showing questions repeatedly, creating privacy labyrinths and showing too many options.
Hiding (skipping): consists of designing the interface or user experience in such a way that the user does not think about some aspects related to the protection of their data, or forgets them.
Stirring: the users' emotions are appealed to, or visual nudges in the form of effects are used, to influence decisions.
Hindering: attempts to create obstacles so that the user cannot easily perform certain actions. This is done through techniques such as putting privacy settings in areas that cannot be accessed, making it very complicated to reach them, or providing misleading information about the effects of some actions.
Inconsistency (fickle): the interface has an unstable and inconsistent design that does not allow the user to perform the desired actions.
Left in the dark: the information or privacy configuration options are hidden or presented in an unclear way, using erratic language or contradictory or ambiguous information.
In the case at hand, the dark pattern of overloading and concealment (skipping) is observed when accessing the “List of suppliers”. Once there, the interested party finds a list of about 130 companies (suppliers), of which more than half have the “Accept data processing for legitimate interest” box marked by default, which requires anyone wanting to show opposition to the treatment to mark them one by one throughout the entire list, without the option of objecting by indicating it only once, or a number of times that is reasonable and does not generate fatigue in the affected person.
Taking, for example, the provider “Amazon Advertising”, we see that in its section the following information appears:
Cookie duration: 396 (days). Cookie duration is reset after each session. Use other forms of storage.
<<View details>> | <<Storage details>> | <<Privacy Policy>>
Consent (OFF) Legitimate interest (ON)
If we display the information <<see details>>, the following information appears:
Amazon Advertising requests the following:
By Consent:
- Store or access information on a device
- Select basic ads
- Create a custom advertising profile
- Select personalized ads
- Measure ad performance
- Use market research to generate information about the public
- Develop and improve products
For legitimate interest:
- Ensure security, prevent fraud and debug errors
- Technically serve ads or content
It is thus verified that, in this particular example, both “Ensure security, prevent fraud and debug errors” and “Technically serve ads or content” are indicated as legitimate interest, a situation that is repeated for the more than 200 suppliers that appear on the web.
Well, the situation is that there is a button to accept everything (<<Accept All>>) or to confirm the chosen options (<<Confirm Options>>), but not to reject everything or oppose everything, which can constitute a dark pattern of overloading.
All this without prejudice to the fact that the treatments marked in the ON position of “legitimate interest” may or may not be justified on this basis of legitimation, an issue that is not analyzed in this procedure.
III.-2 Sanction
The facts set out above may constitute an infringement of the provisions of article 5.1.a) of the RGPD, with the scope expressed in the previous Foundations of Law.
This violation can be punished with a fine of a maximum of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the larger amount, in accordance with article 83.5.a) of the RGPD.
In this sense, article 72.1.a) classifies as a “very serious” infraction, for the purposes of prescription: “1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following: a) The processing of personal data that violates the principles and guarantees established in article 5 of Regulation (EU) 2016/679”.
III.-3 Graduation of the Sanction
The determination of the sanction that should be imposed in the present case requires observing the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, provide the following:
"1.
Each supervisory authority will ensure that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an addition to or substitute for the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the imposition of an administrative fine and its amount in each individual case, due account will be taken of:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;
b) the intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in that case, to what extent;
i) when the measures indicated in Article 58(2) have been previously ordered against the person responsible or the person in charge in question in relation to
the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”
Within this section, the LOPDGDD contemplates in its article 76, titled “Sanctions and corrective measures”:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of processing of personal data.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected party could have induced the commission of the infraction.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when it is not mandatory, a data protection officer.
h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party.
3.
The adoption, complementarily or alternatively, when appropriate, of the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679 will be possible.”
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purposes of setting the amount of the fine to impose on the claimed entity, in an initial assessment, the following factors are considered concurrent in this case as aggravating factors:
- The scope or purpose of the data processing operation, as well as the interested parties affected (section a).
It is also considered that the sanction to be imposed should be graduated in accordance with the following aggravating criteria, established by article 76.2 of the LOPDGDD:
- The linking of the offender's activity with the performance of personal data processing (section b), considering that the personal data of its clients are involved in the activity it carries out.
Considering the factors exposed, the value reached by the fine for the violation of article 5.1.a) of the RGPD is 5,000 euros (five thousand euros).
III.-4 Measures
Once the infraction is confirmed, it is necessary to determine whether or not it is appropriate to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the person responsible or in charge of the treatment to bring the treatment operations into compliance with the provisions of this Regulation, where applicable, in a certain manner and within a specified period…”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR.
The text of this agreement establishes which infractions have allegedly been committed and the facts that give rise to the violation of the data protection regulations, from which it is clearly inferred what measures are to be adopted, without prejudice to the fact that the type of procedures, mechanisms or specific instruments to implement them corresponds to the sanctioned party, since it is the person responsible for the treatment who fully knows its organization and must decide, based on proactive responsibility and the risk approach, how to comply with the RGPD and the LOPDGDD.
However, in this case, regardless of the above, it is appropriate to require the responsible entity, within the period indicated in the operative part, to adapt the “Privacy Policy” of its website to the current regulations, specifically to what is stipulated in article 5.1.a) of the RGPD.
Please note that failure to comply with the requirements of this organization may be considered an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.
IV.- About the Cookies Policy of the website
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
Article 22.2 of the LSSI establishes that users must be provided with clear and complete information on the use of data storage and retrieval devices and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR.
Therefore, when the use of a cookie involves processing that enables the identification of the user, those responsible for the treatment must ensure compliance with the requirements established by the regulations on the protection of data.
However, it is necessary to point out that cookies necessary for the intercommunication of terminals and the network, and those that provide a service expressly requested by the user, are exempt from compliance with the obligations established in article 22.2 of the LSSI.
In this sense, the GT29, in its Opinion 4/2012, interpreted that the excepted cookies would include: user input cookies (those used to fill out forms or manage a shopping cart); user (session) authentication or identification cookies; user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; load-balancing session cookies; user interface customization cookies; and some plug-in cookies to exchange social content.
These cookies would be excluded from the scope of application of article 22.2 of the LSSI and, therefore, it would not be necessary to inform or obtain consent about their use. On the contrary, it will be necessary to inform and obtain the prior consent of the user before using any other type of cookies, whether first-party or third-party, session or persistent.
In the verification carried out by this Agency on the claimed website, it was possible to note that, upon entering the main page and without performing any action on it or accepting cookies, the following non-necessary cookies were used:
When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies that are not technical or necessary are used:
- 3 Performance Cookies: _gid; _ga_BHX4LX8C4J and _ga
- 1 Targeting cookie: _gat_gtag_UA_181162822_9
c).- Regarding consent to the installation of cookies on the terminal equipment:
To use non-excepted cookies, it will be necessary to obtain the express consent of the user.
This consent can be obtained by clicking on “accept” or by inferring it from an unequivocal action carried out by the user that denotes that consent has been unequivocally given. Therefore, the mere inactivity of the user, scrolling or browsing the website will under no circumstances be considered a clear affirmative action for these purposes and will not in itself imply the provision of consent. Likewise, access to the second layer, if the information is presented in layers, as well as the navigation necessary for the user to manage their preferences in relation to cookies in the control panel, is not considered an active behavior from which the acceptance of cookies can be derived.

The existence of “Cookie Walls” is also not permitted, that is, pop-up windows that block content and access to the website, forcing the user to accept the use of cookies in order to access the page and continue browsing, without offering the user any type of alternative that allows them to freely manage their preferences regarding the use of cookies.

If the option is to go to a second layer or cookie control panel, the link should take the user directly to said configuration panel. To facilitate the selection, the panel may implement, in addition to a granular cookie management system, two more buttons, one to accept all cookies and another to reject them all. If the user saves their choice without having selected any cookie, it will be understood that they have rejected all cookies. In relation to this second possibility, in no case are boxes pre-checked in favor of accepting cookies permitted.

If, for the configuration of cookies, the website refers to the configuration of the browser installed on the terminal equipment, this option could be considered complementary for obtaining consent, but not as the only mechanism.
Therefore, if the editor opts for this option, it must also offer, in any case, a mechanism that allows the user to reject the use of cookies and/or to do so on a granular basis.

On the other hand, it must be possible to withdraw the consent previously given by the user at any time. To this end, the editor must offer a mechanism that makes it possible to easily withdraw consent at any time. That ease will be considered to exist, for example, when the user has simple and permanent access to the cookie management or configuration system.

If the editor's cookie management or configuration system does not make it possible to prevent the use of third-party cookies once they have been accepted by the user, information will be provided about the tools offered by the browser and the third parties, and the user must be warned that, if they accept third-party cookies and subsequently wish to delete them, they must do so from their own browser or through the system enabled by the third parties for this purpose.

In the case in question, it is not possible to reject all cookies at once. To manage cookies it is necessary to access the control panel <<Manage Options>>, where the groups of cookies appear divided by purpose, for example “Select basic ads”, “Create a personalized advertising profile” or “Select personalized ads”. The groups are divided into two options: accept cookies by “Consent”, which are pre-marked in the “not accepted” option, and accept cookies for “Legitimate Interest”, which are pre-marked in the “accepted” option.

However, even if all the options marked “accepted” are unchecked, the same cookies detected when entering the website continue to be used, without consent having been given.

d).- About the information provided in the second layer (cookie policy):

In the second layer or “cookie policy” more detailed information must be provided.
This means detailed information about the characteristics of cookies, including: the definition and generic function of cookies (what cookies are); the type of cookies that are used and their purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, whether the information obtained by the cookies is processed only by the editor and/or also by third parties, with identification of the latter; the retention period of cookies on the terminal equipment; and, where applicable, information on data transfers to third countries and on profiling that involves automated decision making.

In the case in question, there is no information about cookies in the second layer, nor a link that allows the user to be redirected to the “Cookie Policy” of the website. Information about cookies appears dispersed across each of the options of the control panel.

IV.-2 Classification of the offense committed

The deficiencies detected regarding the cookie policy on the website in question (the use of third-party cookies that are not technical or necessary, the impossibility of rejecting third-party cookies and the lack of information in the “cookie policy”) could entail, on the part of the claimed entity, the commission of the violation of article 22.2 of the LSSI, as it establishes that:

“Service providers may use data storage and recovery devices on recipients' terminal equipment, provided that they have given their consent after having been provided with clear and complete information on their use, in particular on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of December 13, on the Protection of Personal Data.

Where technically possible and effective, the consent of the recipient to accept the processing of the data may be facilitated through the use of the appropriate settings of the browser or other applications.
The above will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient.”

IV.-3 Sanction

This infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which considers as such: “Using data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI.

After the evidence obtained in the previous investigation phase, and without prejudice to what results from the instruction, it is considered appropriate to graduate the sanction to be imposed according to the following aggravating criteria, established in art. 40 of the LSSI:

The existence of intentionality, an expression that must be interpreted as equivalent to degree of guilt according to the Judgment of the National Court of 11/12/07 in Appeal no. 351/2006, since the determination of a system for obtaining informed consent that conforms to the mandate of the LSSI corresponds to the reported entity.

In accordance with these criteria, it is considered appropriate to impose an initial sanction of 5,000 euros (five thousand euros) for the violation of article 22.2 of the LSSI, regarding the cookie policy of the website owned by it.

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on the entity CHATWITH.IO WORLDWIDE, S.L.
with CIF B88184239, owner of the website ***URL.1, for the violation of article 13 of the RGPD, typified in article 83.5.b) of the same Regulation, and classified as “mild” for the purposes of prescription in article 74.a) of the LOPDGDD, a fine of 2,000 euros (two thousand euros).

SECOND: That the entity CHATWITH.IO WORLDWIDE, S.L., with CIF B88184239, holder of the website ***URL.1, be ordered by the Director of the Spanish Data Protection Agency to adopt, within a period of one month from the notification of this act, the necessary measures to adapt its conduct to the personal data protection regulations, with the scope expressed in Legal Basis II.-3 of this resolution. Within the same period, the entity must report and justify to this Agency compliance with the measures imposed.

THIRD: IMPOSE on the entity CHATWITH.IO WORLDWIDE, S.L., with CIF B88184239, owner of the website ***URL.1, for the violation of article 5.1.a) of the RGPD, typified in article 83.5.a) of the same Regulation, and classified as “very serious” for the purposes of prescription in article 72.1.a) of the LOPDGDD, a fine of 5,000 euros (five thousand euros).

FOURTH: That the entity CHATWITH.IO WORLDWIDE, S.L., with CIF B88184239, holder of the website ***URL.1, be ordered by the Director of the Spanish Data Protection Agency to adopt, within a period of one month from the notification of this act, the necessary measures to adapt its conduct to the personal data protection regulations, with the scope expressed in Legal Basis III.-4 of this resolution. Within the same period, the entity must report and justify to this Agency compliance with the measures.

FIFTH: IMPOSE on the entity CHATWITH.IO WORLDWIDE, S.L.
with CIF B88184239, owner of the website ***URL.1, for the violation of article 22.2 of the LSSI, classified as “mild” for the purposes of prescription in article 38.4.g) of the cited rule, a fine of 5,000 euros (five thousand euros).

SIXTH: NOTIFY this resolution to the entity CHATWITH.IO WORLDWIDE.

SEVENTH: Warn the sanctioned party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account IBAN No.: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability is between the 1st and the 15th of the month, both inclusive, the deadline to make the voluntary payment will be the 20th of the following month or the immediately following business day, and if it is between the 16th and the last day of the month, both inclusive, the payment period will run until the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses their intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The documentation proving the effective filing of the contentious-administrative appeal must also be sent to the Agency. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it will terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency