AEPD (Spain) - PS/00118/2021: Difference between revisions

Latest revision as of 12:58, 13 December 2023

AEPD (Spain) - PS-00118-2021

Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 22.2 of the Act on Information Society Services and Electronic Commerce
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	07.06.2021
Published:	16.06.2021
Fine:	1200 EUR
Parties:	Radio Popular S.A.
National Case Number/Name:	PS-00118-2021
European Case Law Identifier:	n/a
Appeal:	Not appealed
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	n/a

The Spanish DPA (AEPD) fined a radio station €2000 (reduced to €1200) for failing to provide a link to its cookie policy in their cookie banner and for installing cookies that are not strictly necessary on user devices without obtaining prior consent.

English Summary

Facts

A data subject filed a complaint against a radio company stating that "when accessing their website (www.cope.es), it is impossible to reject cookies". When the website loaded, a banner informing users that cookies were being used on the site and containing a link to the configuration panel was displayed. However, no link to the actual cookie policy was provided, and the user could not access the cookie policy before accepting the cookies.

Furthermore, non-strictly necessary cookies for the functioning of the website were installed on the user's device before consent was obtained, such as:

_cb: analytical cookie that stores the unique identifier for chartbeat tracking (tool for real-time website metrics analysis) (1 year active)
_chartbeat2: analytical cookie used to store statistics on the number of visits per year (30 days active)
_ga: analytical cookie used to distinguish between users of the website (2 years active)
_cb_svref: analytical cookies used to store the origin of the visitors (active during session)
_cb_ls: analytical cookie used for the analysis and control of active users' navigation (1 year active)
web_gid: analytical cookie used to distinguish users (active 24 hours)

Holding

The Spanish DPA (AEPD) found that the controller was installing unnecessary cookies before asking for the consent of the user, what violated Article 22(2) of the Act on Information Society Services and Electronic Commerce (implementing the e-Privacy Directive). The controller should have sought the consent of the users before installing such cookies.

Additionally, the controller also violated the same Article by not providing enough information about the processing of such cookies, as the users could not directly access the cookie policy. The cookie banner should have included a direct link to such policy, or it should have been available in the second layer. The user should have been able to access the information before providing consent.

The AEPD held that therefore the controller had violated Article 22(2) of the Act on Information Society Services and Electronic Commerce and fined the controller €2000, that were reduced by 40% to €1200 due to timely payment and admission of guilt.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/11








     Procedure No.: PS / 00118/2021

RESOLUTION R / 00436/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT

                                   VOLUNTARY

In the sanctioning procedure PS / 00118/2021, instructed by the Spanish Agency for
Data Protection to RADIO POPULAR S.A., considering the complaint presented by
A.A.A., and based on the following,


                                 BACKGROUND

FIRST: On May 10, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against RADIO POPULAR
S.A. (hereinafter, the claimed), through the Agreement that is transcribed:


<<
Procedure No.: PS / 00118/2021
935-240719
           AGREEMENT TO START THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Agency for Data Protection before

the entity, RADIO POPULAR S.A. with CIF .: A28281368, owner of the website,
https://www.cope.es/, (hereinafter, “the claimed entity”), by virtue of the
claim filed by D.A.A.A. (hereinafter, "the claimant"), for
alleged violation of data protection regulations, and taking into account the
following:

                                     FACTS

FIRST: On 10/19/20, the claimant sent this Agency a written statement of
claim, stating, among others, the following: "When accessing the web it is impossible
reject cookies ”.


SECOND: On 12/04/20, this Agency sent a request
informative to the claimed entity, in accordance with the provisions of article
65.4 of Organic Law 3/2018, of December 5, on the protection of personal data
and guarantee of digital rights, (hereinafter "LOPDGDD").


THIRD: On 01/13/21, the claimed entity submitted a written statement of
answer in this Agency, in which, among others, it indicated the following:

"What, COPE, following the recommendations of the" Cookies Guide ", whose
update was published on July 28, has implemented a vendor CMP

Quancast, as of August 3, and has followed the recommendations of IAB EUROPE
in accordance with TFC 2.0, showing its adequate commitment and diligence with
regarding compliance with data protection regulations. Likewise, COPE has
carried out an exhaustive analysis of all the cookies in operation and has
verified that despite having implemented the TFC 2.0 system some

cookies, contrary to what the providers themselves pointed out, they continued
downloading, so it has proceeded to implement additional measures that
guarantee the non-use of these until, indeed, the user consents to the
treatment and discharge of these. This implementation process began in July,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/11








being finalized in August, thus complying with the times indicated in the
Guide.

That as a consequence of this claim it is again verified that the
mechanism detecting that some cookies continued to download despite

have the consent and transparency framework, and what is indicated by the
own vendors, so we proceed to implement additional parameters to the TFC
2.0, through Javascript, blocking advertising cookies from providers such as
They are: Sedtag, Facebook Connect, Insurdads, Teads and Outbrain, Google Tag Manager,
etc. Attached as evidence, examples of the technical code implemented for
guarantee the necessary affirmative action for the use of said cookies. (ANNEXED

I).

That for the implementation of the entire configuration system it has been taken into
takes into account the recommendations and criteria of IAB EUROPE, a body that we have
considered diligent, taking into account the close relationship with the

control authorities, even participating in the preparation of the "Cookie Guide"
published by this authority, as well as the integrated and recognized vendors
within the IAB EUROPE transparency and consent framework itself.
(ANNEX II)

That in accordance with the criteria provided by the integrated vendors themselves

in TFC 2.0 every effort has been made to comply with the
regulations, allowing us to use certain cookies of vital importance for the
survival of our environment. Thus, for example, the cookie used by Comscore, is
download to the user's terminal equipment, but is nevertheless subject to the
acceptance of this for the collection and processing of information. Attached is the
explanatory document of the operation provided by the "vendor" in which the

indicates how different parameters are granted based on their actions (1
consent, 0 no consent, null no action), capturing and treating the
information only if consent is granted and therefore the cookie integrates
the "parameter 1". In this way, and despite the fact that the download occurs
effectively, such a device would not capture information without the consent of the
Username. (ANNEX III and IV).


Likewise, we have Google analytical cookies, implementing the
criteria indicated for the correct adaptation and implementation in TFC 2.0, of
in accordance with the following instructions which, likewise, will only be used if
the user provides their effective consent. These cookies will be used with the
purpose of extracting aggregate statistics that will serve us to objectively measure

web traffic by checking the number of real users, in order to ensure that the
statistics used by Comscore, a provider that allows us to monetize the
advertising, are real and errors are not occurring whose consequences at the level
business are of great importance. It has been implemented with the window variable
'gtag_enable_tcf_support'] = true. Following the instructions of

https://support.google.com/analytics/answer/10022331?hl=es to comply with the IAB v2,
as can be seen in annex V.

In addition to those previously mentioned, our website uses an analytical cookie
technique of the first part (Chartbeat), whose functions consist in determining the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/3








number of users in real time (session cookie) within the web, allowing
ensure security against a possible DDDOS attack, or detect possible traffic
unusual, as well as the purpose of allowing us to visualize which news of those included in
the website have more traffic in order to analyze the self-interest of our
readers in published content. This cookie will only process information

aggregate of a certain number of users that, in no case, will allow
individualize or identify them. Although these cookies have the
definition of "Analytics", taking into account the activity sector, are really
necessary and fundamental for the use of the website, as well as for the
survival of the environment, since intrinsically it is necessary to know how
Users interact with the information, as has always happened in the media

traditional communication.

This criterion is followed in the same way by all the major media outlets.
national communication using cookies of this type in a similar way,
In such a way that an application contrary only to our case, would suppose a serious

economic impairment, generating an unattainable inequality for our
company. Being aware that the LSSICE 34/2002 applies to the Regulation
General Data Protection, as it is a special rule,
We understand that such data processing could be based on a clear interest
legitimate in accordance with article 6.1. f) and recital 47 of the Regulation
General Data Protection 679/2016, by our company, having

taking into account the low relevance for the privacy of those affected, as well as the
service of clear interest to the users we provide.

That also the rest of the cookies, have been blocked with mechanisms
additional to the implementation of TFC 2.0. not being able to guarantee, as if it happens
with Comscore, that the information will not be processed. Despite the fact that through

implementation of TFC 2.0 should now work correctly and no capture of any
type of information, it is verified that cookies are downloaded, not having
distinction between those users who grant consent and those who do not
regarding the treatment and therefore, it is decided to implement an additional measure, of
the same way it was done with the advertising cookies listed above to
It is only downloaded if there is express and effective consent.


Likewise, in addition to the cookies already mentioned, we have cookies
techniques that allow the website to function properly whose download is
It occurs regardless of the consent of the users. The functionalities
of these are limited to the following uses: - Cookies loading the CMP by means of the
which guarantees compliance with the regulations on cookies. - Loading and

sports scoreboard interface display. - Control access to our
web and guarantee its security. - Guarantee accessibility to the website.

That, likewise, the cookie policy has been updated
adapting the recommendations set out to what is indicated in the Cookies Guide

published by this authority, being able to check in the link
https://www.cope.es/pagina/politicas-de-cookies.

That even in the case of a sector whose main source of income comes through the
online advertising, all reasonable efforts have been made to comply with the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/11








regulations and the minimum possible cookies will be treated to guarantee the correct
operation of the web. Attached as ANNEX VI, a screenshoot of the cookies
that are downloaded initially, in which you can see the adequacy of the

themselves.

Likewise, we place ourselves at the full disposal of this authority to collaborate,
modify or respond to any request that it may make to improve the
treatment system, since as we have indicated our intention is to comply
with the regulations and guarantee the privacy of our users ”.


FOURTH: On 05/04/21, this Agency carries out the following
Checks on the claimed web page:

1.- When entering the web https://www.cope.es/ and, without accepting cookies or making any

action on the web, it is verified that unnecessary cookies are used:
_chartbeat2; _cb_svref; _cb_ls; gig_canary_ver; _gid; _cb; _ga; gig_canar;
didomi_token, whose domains belong to www.cope.es

2. When entering the web, a first layer notice is displayed about the existence of
cookies:

                      "Your privacy is important to us:

 With your agreement, we and our partners use cookies or similar technologies.
to store, access and process personal data such as your visit to this website.
   You can withdraw your consent or object to data processing based on

  legitimate interests at any time by clicking on "More information" or on
                    our Privacy Policy on this website.

        We and our partners do the following data processing:
      Store or access information on a device, Ads and content

 targeting, ad and content measurement, audience information and
   product development, precise geographic location data and identification
                      using device characteristics.

                     << More information >> <<< accept and close >> ”.


3.- If you access the cookies control panel, through the link << more
information >>, the web redirects to a new page where the following is provided
information:

“We and our partners place cookies, access and use information not

responsive on your device to improve our products and personalize advertisements and
other content on this website. You can accept all or part of these
operations. For more information about cookies, partners and how
we use your data, to review your options or these operations for each partner,
visit our privacy policy.


Skip to: << Accept all >>

+ Use precise geographic location data: Reject <-> Accept

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/11








+ Develop and improve products: Reject <-> Accept
+ Use market research: Reject <-> Accept
+ Measure content performance: Reject <-> Accept
+ Measure ad performance: Reject <-> Accept
+ Select custom content: Reject <-> Accept

+ Create a profile for content personalization: Reject <-> Accept
+ Select personalized ads: Reject <-> Accept
+ Create a personalized advertising profile: Reject <-> Accept
+ Select basic ads: Reject <-> Accept
+ Store or access information on a device: Reject <-> Accept
+ Actively scan for identification: Reject <-> Accept


If you give your consent for the above purposes, you also allow this website
and its partners operate the processing of the following data: + Collate and combine
offline data sources. + Guarantee security, avoid fraud and debug errors.
+ Receive and use for identification the characteristics of the device that is

sent automatically. + Technically serve ads or content + and Link
different devices << See our partners >>

                       << Reject all >> --- << Accept all >>
4.- If the "Cookies Policy" is accessed through the link in the part
bottom of the main page, the web redirects to a new page

https://www.cope.es/pagina/politicas-de-cookies, where information is provided
about, what are cookies and what are they used for; what information a cookie stores;
what type of cookies exist and identifies the cookies used by the website, both
own and those of third parties, the purpose they have and the time they will be active.

SIXTH: In view of the facts denounced, in accordance with the evidence of

that is available, the Data Inspection of this Spanish Agency for the Protection of
Data considers the above, does not comply with current regulations, therefore
that the opening of this sanctioning procedure proceeds.

                            FOUNDATIONS OF LAW


                                            I
It is competent to initiate and resolve this Penalty Procedure, the Director of
the Spanish Agency for Data Protection, in accordance with the provisions of the
art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the
Information Society and Electronic Commerce (LSSI), is competent to initiate
and resolve this Penalty Procedure, the Director of the Spanish Agency for

Data Protection.
                                            II
    - On the use of unnecessary cookies prior to consent:

Article 22.2 of the LSSI establishes that information must be provided to users

clear and complete information on the use of storage and recovery devices.
tion of data and, in particular, on the purposes of data processing. This information
Information must be provided in accordance with the provisions of the GDPR.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/11








Therefore, when the use of a cookie involves a treatment that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on data protection
cough.


However, it is necessary to point out that they are exempt from compliance with the
Obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of the terminals and the network and those that provide a service
expressly requested by the user.

In this sense, the GT29, in its Opinion 4/201210, interpreted that among cookies

excepted would be the User's input Cookies ”(those used to re-
fill out forms, or as a management of a shopping cart); Authentication cookies
User identification or identification (session); user security cookies (those
used to detect erroneous and repeated attempts to connect to a website);
media player session cookies; session cookies to balance character

ga; User interface customization cookies and some add-on cookies
(plug-in) to exchange social content.

These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about your
use. On the contrary, it will be necessary to inform and obtain the prior consent of the

user before using any other type of cookies, both first and foremost
third party, session or persistent.

In the verification carried out by this Agency on the claimed website, it was possible to
verify that, when entering the main page and without taking any action on the
mimas or accept cookies, the following unnecessary cookies were used:


    - _cb (www.cope.es) Analytical cookie used to store the identifier
        unique visitor for chartbeat tracking, (tool for the
        real-time website metrics analysis) (active 1 year).

    - _chartbeat2 (www.cope.es). Analytical cookie used to store

        statistical information on the number of visits to the website, (active 30 days).

    - _ga (.cope.es). Analytical cookie used to distinguish users on the site
        web (active 2 years).

    - _cb_svref (www.cope.es). Analytical cookie used to store the

        original origin of the site visitor, (active in the session).

    - _cb_ls (www.cope.es). Analytical cookie used for browsing analysis and
        control of active users, (active 1 year).


    - web_gid (.cope.es). Analytical cookie used to distinguish users (active
        24 hours).

                                              III
    - About the cookie information banner in the first layer:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/11









In this banner, in addition to including generic information about cookies, you must
be a clearly visible link directed to the second informational layer about the use

of cookies.

In the present case, the existing banner on the main page only includes a
link to the cookie configuration panel, there is no link that redirects to the
user to the cookie policy page. There is also no link, within the
configuration panel that redirects to the cookie policy. There is only one link

in this panel that redirects to the privacy policy, but if the user decides to access
to it, the page returns the user to the banner of the main page.

There is only the possibility of accessing the cookie policy and, therefore, the information
detailed training on them, once the cookies have been accepted or rejected, to

through the link at the bottom of the main page of the web << political-
ca of cookies >>.
                                             IV
The facts presented in the previous sections could suppose, on the part of the
claimed, the commission of the infraction of article 22.2 of the LSSI, according to the
which:


“Service providers may use storage and retrieval devices
ration of data in terminal equipment of recipients, provided that the same
We have given their consent after information has been provided to them
clear and complete on its use, in particular, on the purposes of the treatment of

the data, in accordance with the provisions of Organic Law 15/1999, of December 13,
protection of personal data.

When technically possible and effective, the consent of the recipient to
accept the data processing may be facilitated by using the parameters

from the browser or other applications.

The foregoing will not prevent possible storage or access of a technical nature to only
in order to carry out the transmission of a communication over a communication network
electronic devices or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the recipient.

River".

This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information had not been provided or the consent of the recipient had not been obtained.

natario of the service in the terms required by article 22.2. ”, which may be sanctioned
nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.

It is considered, on the other hand, that the sanction to be imposed should be adjusted according to
with the following aggravating criteria, established in art. 40 of the LSSI:


    - The existence of intentionality, an expression that must be interpreted as equi-
        value to degree of guilt according to the Judgment of the Hearing
        National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/11








        the entity denounced the determination of a system for obtaining consent
        informed service that conforms to the mandate of the LSSI.


Based on these criteria, it is deemed appropriate to impose on the claimed entity
an initial penalty of 2,000 euros, (two thousand euros), for the violation of article 22.2
of the LSSI, regarding the cookie policy carried out on the website of its owner-
dad.

In accordance with the foregoing, by the Director of the Spanish Agency for Pro-

Data protection,
                                     HE REMEMBERS:

START: SANCTIONING PROCEDURE to the entity RADIO POPULAR S.A. with
CIF .: A28281368, owner of the website, https://www.cope.es/, for the violation of the

article 22.2) of the LSSI, punishable in accordance with the provisions of art. 39) and 40) of
the aforementioned Law, regarding the "Cookies Policy".

APPOINT: as Instructor to D. R.R.R., and Secretary, where appropriate, to Ms. S.S.S., indi-
Whereas any of them may be challenged, as the case may be, in accordance with the provisions
cited in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the

Public Sector (LRJSP).

INCORPORATE: to the sanctioning file, for evidentiary purposes, the inter-
put by the claimant and its documentation, the documents obtained and generated
by the Subdirectorate General for Data Inspection during the investigation phase.

nes, all of them part of the present administrative file.

WHAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations, the sanction that
could correspond, it would be 2,000 euros (two thousand euros), without prejudice to what

Sulte of the instruction of the present file.

WHAT: in accordance with article 58.2 of the RGPD, the corrective measure that could
to impose itself on the entity, RADIO POPULAR S.A., would consist of ORDERING IT that, all
Take the necessary measures on the website of your ownership to adapt it to the
current regulations regarding "Cookies Policy", modifying it in such a way

that makes it impossible to use cookies that are not necessary until the user gives their
consent to this, as well as the inclusion of a link to the cookie policy
within the existing banner on the main page or first layer.

NOTIFY: this agreement to initiate the sanctioning file to the entity

RADIO POPULAR S.A. granting a hearing period of ten business days to
to formulate the allegations and present the evidence it deems appropriate.

If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article

64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/11








In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the
zo granted for the formulation of allegations to the present initiation agreement; what

will entail a reduction of 20% of the penalty to be imposed in the
present procedure, equivalent in this case to 400 euros. With the application of
this reduction, the sanction would be set at 1,600 euros, resolving the
yield with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will give a reduction of 20% of the amount of this, equivalent in this case to 400 euros-
rivers. With the application of this reduction, the penalty would be set at 1,600 euros.
ros and its payment will imply the termination of the procedure.


The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be

established at 1,200 euros (one thousand two hundred euros).

In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or resource in the administrative way.
trative against the sanction.


If you choose to proceed to the voluntary payment of any of the amounts indicated
previously, you must make it effective by entering account No. ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of
Data in Banco CAIXABANK, S.A., indicating in the concept the reference number

cia of the procedure that appears in the heading of this document and the cause
reduction of the amount to which it is accepted.

Likewise, you must send proof of admission to the Subdirectorate General of Ins-
pection to continue with the procedure in accordance with the amount entered.
gives.


The procedure will have a maximum duration of nine months from the date of the
cha of the initiation agreement or, where appropriate, the draft initiation agreement. Elapsed
that period will expire and, consequently, the file of actions; from
in accordance with the provisions of article 64 of the LOPDGDD.


Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.

Mar Spain Martí

Director of the Spanish Agency for Data Protection.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/11


















>>

SECOND: On June 1, 2021, the defendant has proceeded to pay the
sanction in the amount of 1200 euros making use of the two planned reductions

in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process

administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.

                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and

38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                             II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,

the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in

any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/11









3. In both cases, when the sanction is solely of a pecuniary nature, the

competent body to resolve the procedure will apply reductions of, at least,
20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased
regulations.


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00118/2021, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to RADIO POPULAR S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal

administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                  936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection



















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es

@@ Line 57: / Line 57: @@
 Furthermore, non-strictly necessary cookies for the functioning of the website were installed on the user's device before consent was obtained, such as:
-* _cb: analytical cookie that stores the unique identifier for chartbeat tracking (tool for real-time website metrics analysis). (1 year active)
+* _cb: analytical cookie that stores the unique identifier for chartbeat tracking (tool for real-time website metrics analysis) (1 year active)
-* _chartbeat2: analytical cookie used to store statistics on the number of visits per year. (30 days active)
+* _chartbeat2: analytical cookie used to store statistics on the number of visits per year (30 days active)
-* _ga: analytical cookie used to distinguish between users of the website. (2 years active)
+* _ga: analytical cookie used to distinguish between users of the website (2 years active)
-* _cb_svref: analytical cookies used to store the origin of the visitors. (active during session)
+* _cb_svref: analytical cookies used to store the origin of the visitors (active during session)
-* _cb_ls: analytical cookie used for the analysis and control of active users' navigation. (1 year active)
+* _cb_ls: analytical cookie used for the analysis and control of active users' navigation (1 year active)
-* web_gid: analytical cookie used to distinguish users. (actrve 24 hours)
+* web_gid: analytical cookie used to distinguish users (active 24 hours)
 === Holding ===
 The Spanish DPA (AEPD) found that the controller was installing unnecessary cookies before asking for the consent of the user, what violated Article 22(2) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Act on Information Society Services and Electronic Commerce] (implementing the e-Privacy Directive). The controller should have sought the consent of the users before installing such cookies.