AEPD (Spain) - EXP202301323: Difference between revisions
Revision as of 14:11, 27 March 2024
AEPD - EXP202301323 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 7(3) GDPR; Article 60(8) GDPR; Article 22 LSSI |
Type: | Internal Appeal |
Outcome: | Rejected |
Started: | 10.08.2021 |
Decided: | 15.03.2024 |
Published: | |
Fine: | n/a |
Parties: | Turner Broadcasting System España, S.L. |
National Case Number/Name: | EXP202301323 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA dismissed an internal appeal challenging its decision that it was not necessary for a controller to provide a reject button on its webpage, finding that the question arose under Spain’s ePrivacy Law rather than the GDPR.
English Summary
Facts
In May 2021 a data subject accessed a website that, in their view, did not offer a reject button in the first layer of the cookie banner, used a deceptive link design for certain options in the cookie banner, used colors and contrast to nudge users regarding their options in the cookie banner and did not provide for an option to withdraw consent that would be as easy to use as the option to give consent.
The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. After an initial investigation the Austrian DPA forwarded the case to the Spanish DPA (AEPD) in January 2023, considering that a Spanish controller (Turner Broadcasting System España, S.L.) operated the website.
Through its own investigation of the webpage, the AEPD confirmed that the website the data subject initially visited now redirected to another one. On the redirected page, only technical or necessary cookies were used. As the website only uses necessary cookies, no option to withdraw consent was necessary. Additionally, it noted that the information in the cookie banner and the cookie policy was accurate. Consequently, in its decision the AEPD found no violation of applicable law.
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that it would have been for the Austrian DPA under Article 60(8) GDPR to adopt and notify the decision (not the AEPD). Second, the data subject argued that the AEPD failed to consider the data subject’s website visit and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner of the redirected website, Google Analytics cookies, which are not strictly necessary, are installed. These cookies can only be installed where valid consent has been obtained – the website, however, offered no permanently visible option to withdraw consent. Revoking consent required multiple steps, including opening the privacy policy in order to find a link within this policy to an English-language portal and sending the controller an email requesting to withdraw consent. According to the data subject this is not an easy way to withdraw consent and violates Article 7(3) GDPR.
Holding
The AEPD dismissed the internal appeal, concluding that only the Spanish LSSI (the implementation of the ePrivacy Directive) is relevant to the case, not the GDPR.
First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. According to the AEPD, both the GDPR and the LSSI regulate the same situation. It considers the LSSI a lex specialis that is to be applied instead of the GDPR since the controller’s headquarters are in Spain and the website used the .es top-level domain. Further, the AEPD held that it is competent under the LSSI.
The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims. However, it could only be established that the website no longer existed and redirected to a different site.
Finally, the DPA dismissed the third argument because it was not raised in the initial claim.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: EXP202301323 (AI/00057/2023)
Replacement Appeal No. RR/00111/2024
Examined the appeal for reconsideration filed by A.A.A. through the COMMISSION EUROPEAN INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), against the resolution issued by the Director of the Spanish Agency for the Protection of Data in the procedure AI/00057/2023, for violation of the provisions of the Law 34/2002, of July 11, on Information Society Services and Commerce Electronic (LSSI) and based on the following:
FACTS
FIRST: On 01/25/24, the Director of the Spanish Agency for the Protection of Data issued Resolution to File Actions in procedure AI/00057/2023, open to the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.: B82320227, owner of the website https://www.canaltnt.es, for the alleged violation of article 22 of the LSSI. The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded on the record.
SECOND: As proven facts of the aforementioned procedure, there was evidence of the following:
- When trying to enter the website that is the subject of the claim, https://www.canaltnt.es, it was found that this no longer existed, redirecting the user to a new page website, https://www.warnertv.es whose owner is the entity Discovery Networks SL, with CIF B-86815560, different from the entity initially claimed, (Turner Broadcasting System España, with CIF.: B82320227).
THIRD: On 02/14/24, this Agency has received a written appeal for replacement presented by the appellant, in which it stated the following:
FIRST – Lack of notification by the DSB
1. On January 24, 2024, the AEPD adopted its resolution, which was notified to this part on January 29, 2024. However, according to the article 60(8) GDPR is the supervisory authority to which the claim, i.e. the DSB, who should have adopted and notified the resolution to the person interested in this case.
2. Therefore, the resolution adopted by the AEPD must be considered null of right, as provided in article 47(1)(b) LPACAP.
SECOND – The AEPD did not consider the facts or the petition of the claim
3. The AEPD did not consider the specific circumstances of the visit of the website of this party, set forth in the claim in detail. In fact, it seems that the AEPD decided based on the banner that appeared on the website of the controller during your own visit.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
4. However, the control authority must provide an effective response to the individual situation of the interested party, taking into account the circumstances individuals and the facts about which the claim presented by the interested. This follows from Considering 141 GDPR, from Article 77. RGPD and Article 65(3)(b) of the LOPDGDD.
5. In addition, this party requested in its complaint various measures to be adopted by the AEPD (see First Fact). The formulated petitum determines specifically requested and underlines the need for an evaluation of the individual situation of this part. In particular, the person responsible continues to try the personal data of this party unlawfully.
6. In light of the configuration of the claim ex article 77(1) GDPR that “is conceived as a mechanism capable of effectively protecting the rights and interests of the interested parties” it is beyond any doubt that the AEPD should have responded to what was requested by this party. It directly agrees with the provisions of article 88(2) LPACAP. No However, the AEPD resolution does not provide a concrete response to this petition. part.
7. Therefore, the resolution must be annulled in accordance with art 48(1) LPACAP.
B. MATERIAL ASPECTS
THIRD – The AEPD applies an erroneous criterion
8. As stated above, this party visited the website of the controller and, in addition to not having an equivalent option to reject the use of the cookies in the first layer of the banner (violation type A, C, D, E), checked that there was no easy possibility to withdraw consent awarded (type K violation).
9. On the other hand, in the appealed resolution the AEPD states that during its own visit the person responsible only installed strictly necessary cookies, so no It was not necessary to offer an option to reject cookies, nor an option to withdraw consent.
10. However, upon checking this part again on the website https://www.warnertv.es/, it is observed that after selecting “Accept” in the banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google are installed Analytics. These are cookies that can only be installed in the case of have obtained valid consent (Annex 1).
11. Although the person responsible has implemented two equivalent options in its banner cookie, does not offer a permanently visible option that allows withdrawal of consent. At the bottom of the main page there is only one link to the privacy policy, in which there is a link to the “Portal of request for individual rights” (in English). On this portal you can then send an email to withdraw consent. This does not represent a possibility to “revoke consent easily” and “at any time” moment” as required by article 7(3) GDPR and as provided in the AEPD in relation to the withdrawal of consent.2
12. From the above it follows that the AEPD is based on a verification which turns out to be wrong. The controller uses Google Analytics cookies that do not They are strictly necessary. However, the person responsible still does not offer a simple possibility to withdraw consent once given.
13. From what is stated in this FJ it follows that the criterion adopted in the resolution appealed is contrary to the legal system and must be annulled.
By virtue of what is stated in this writing, and in accordance with the mentioned provisions, this part REQUESTS:
I. That an APPEAL OF REPLACEMENT against the resolution of the Director of the Spanish Agency of Data Protection of January 24, 2024 within the framework of the procedure with file number EXP202301323, and, after admitting it, the investigative actions that are necessary, in accordance with the applicable procedural and material standards.
II. That the nullity be declared of the resolution appealed for the reason stated in the legal basis first and that the continuation of the procedure.
III. That, if full nullity is not declared, the appealed resolution is annulled for the reasons set out in the grounds.
FOUNDATIONS OF LAW
I Competence.
The Director of the Spanish Agency is competent to resolve this appeal. of Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI.
II Response to the allegations
In relation to the statements made by the appellant, it is worth noting the following:
First: The appellant alleges in the section “First, points 1-2”, of the FJ of his writing that the resolution should have been made by the Austrian supervisory authority, in accordance with article 60(8) RGPD and therefore, the resolution adopted by the AEPD must be considered null and void, according to article 47(1)(b) LPACAP.
Well, with respect to this allegation, it must be clarified that Spanish Law governs the “Principle of Regulatory Specialty”, which, in essence, refers to the fact that, There is a special standard (LSSI) and a general standard (RGPD) that regulate a concrete fact, the first prevails over the second. This principle does not mean that, in the event of application of both standards (one general rule and another special one), the first is repealed, but the simultaneous validity of both rules, although the special rule will be applied with preference to the general rule in those cases contemplated in it.
Regarding the case at hand, there is such a coincidence, that is, in the Ordinance Spanish Legal System, two regulations coexist, one of a general nature such as the RGPD and another of a special nature, such as the LSSI that regulates the same facts.
If we look at what Article 1 of the GDPR establishes, its purpose is the following:
1. This Regulation establishes the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free circulation of such data.
2. This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to data protection personal.
3. The free circulation of personal data in the Union may not be restricted or prohibited for reasons related to the protection of natural persons with regard to the processing of personal data.
While the object of the LSSI, established in its article 1, indicates that:
1. The object of this Law is the regulation of the legal regime of the services of the information society and contracting via electronic, regarding the obligations of service providers including those who act as intermediaries in the transmission of content through telecommunications networks, commercial communications via electronic, information before and after the conclusion of contracts electronic devices, the conditions relating to their validity and effectiveness and the regime sanction applicable to service providers of the society of the information.
2. The provisions contained in this Law will be understood without prejudice to the provided in other state or regional regulations outside the regulatory scope coordinated, or that have as their purpose the protection of health and safety public, including the safeguarding of national defense, the interests of the consumer, the tax regime applicable to the services of the society of the information, the protection of personal data and the regulations governing competition defense.
For its part, article 2 of the aforementioned standard (LSSI) establishes that:
1. This Law will apply to the service providers of the society of the information established in Spain and the services provided by them. It will be understood that a service provider is established in Spain when your residence or registered office is in Spanish territory, as long as these coincide with the place where it is actually centralized administrative management and direction of its businesses. In other case, the place where said management or direction is carried out will be taken into account.
Therefore, in application of the “Principle of Regulatory Specialty”, the application of the specific standard, that is, the LSSI, on the general standard, the RGPD, by having the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.: B82320227, its headquarters in Spanish territory, as well as the domain of its website (.es).
Regarding the jurisdiction to hear the case, article 43.1 of the LSSI, establishes the following: (…) Likewise, it will be up to the Human Rights Protection Agency Data on the imposition of sanctions for the commission of infractions classified in the articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…).
and what is established in the articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, While article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures."
And the fourth additional provision of said standard establishes, with respect to the powers attributed to the AEPD by other laws, which: "The provisions of Title VIII and in its development regulations will be applicable to the procedures that the Agency Spanish Data Protection Agency had to process in exercise of its powers that were attributed to it by other laws."
Therefore, since the claimed entity has its registered office in Spanish territory, it is competent to hear the claim, the Spanish Data Protection Agency, based on the provisions of 43.1 of the LSSI, article 63.2 of the LOPDGDD and Fourth additional provision of said rule to the detriment of the control authority Austrian.
Second: The appellant states in the section “Second, points 3-7” of the FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances specific to the visit to the appellant's website, based solely, for the resolution of the file, in the verification that the AEPD itself made of the information banner that appears on the website, without responding to what was requested in the claim, forgetting the requests made by the appellant…”
To respond to this allegation, we must start from the principle that governs all judicial or administrative procedure such as the “Principle of Presumption of Innocence”, which guarantees, in Spanish law, not to suffer a sanction that does not is based on a previous evidentiary activity on which the body competent person can base a reasonable judgment of guilt, and entails, among other demands, that of the Administration proving and, therefore, motivating, not only the facts constituting the infringement, participation in such facts and the circumstances that constitute a graduation criterion, but also guilt that justifies the imposition of sanction (among others, SSTC 76/1990, of April 26; 14/1997, January 28; 209/1999, of November 29 and 33/2000, of November 14 February).
Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the administration that proves guilt because "it is not the interested party who has to prove lack of guilt."
The presumption of innocence, a fundamental right of citizenship according to art 24.2 of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights, It is expressly included in our regulations for the procedures administrative sanctions where among the rights of the interested party in the disciplinary administrative procedure will have the right "To the presumption of not existence of administrative responsibility until the contrary is proven."
And as the STS 04/28/2016 (RC 677/2014) said: "it may mean that the right to the presumption of innocence, which applies without exception in the field of administrative sanctioning procedure, according to the Constitutional Court in ruling 66/2007, of March 27, means that "no sanction can be imposed "any that is not based on a previous lawful evidentiary activity", and implies also the recognition of the right to an administrative sanctioning procedure due or with all the guarantees, that respects the principle of contradiction and in which the alleged perpetrator has the opportunity to defend his own positions, prohibiting the initiation of disciplinary proceedings when it is appreciable unequivocally or manifests the absence of rational indications that it has been committed an infringing conduct, or in which illegality or illegality is absent. culpability"
What the Public Administration cannot is raise administrative responsibility in the facts presented by the complaining party, without first verifying the veracity of the themselves.
In the case at hand, this verification was based on the review of the website object of the claim (https://www.canaltnt.es), where it was verified that it no longer existed, redirecting the user to a new web page belonging to a different owner.
Third: The appellant states in the section “Third.- points 8 to 13” that at check the new website https://www.warnertv.es/, it is observed that after Select “Accept” in the banner and the cookies “_ga” and “_ga_1PMD2PL02L” are installed of Google Analytics, which are not strictly necessary and that there is no possibility of withdrawing consent once given.
First of all, we must mention that the website https://www.warnertv.es, to which which the appellant mentions in her appeal for reconsideration, the website was not the object of initial claim, so its analysis is not appropriate within the scope of this appeal. replacement.
However, having said the above, it is worth remembering that, although this new website (https://www.warnertv.es) comes up due to the fact that when trying to access the web page that was the subject of the initial claim https://www.canaltnt.es, this redirected to the user to the new page.
Now, the appellant states that, on this new web page https://www.warnertv.es observes that, when the user gives consent, the website begins to use two new cookies that are not of a technical nature (“_ga” and “_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that the possibility of withdrawing consent once given by requesting this Agency that the investigative actions that are necessary to be carried out clarify the facts you claim.
Therefore, this is a new fact not mentioned in the initial claim.
The appellant cannot claim that at the appeal stage the facts that he did not express in a previous procedural phase. The LPACAP provides in its article 118 the following procedural rule:
“No account in the resolution of the resources, facts, documents or allegations of the appellant, when, having been able to provide them in the processing of allegations, he does not I've done. Nor may the taking of evidence be requested when the lack of realization in the procedure in which the appealed resolution was issued outside attributable to the interested party.”
This standard contains a rule that is nothing more than the positive concretion for the common administrative sphere of the general principle that the The law does not protect the abuse of rights (article 7.2 of the Civil Code). This principle Its purpose, among others, is to prevent the processing of allegations from being useless and evidence of the application procedures, as would result if the interested parties could choose, at their discretion, the moment at which to present evidence and allegations, since this would be contrary to an elementary procedural order.
All of this, without prejudice to the possibility of submitting a new claim if you consider that such events violate regulations that confer powers on the Spanish Agency of Data Protection.
III Conclusion
Consequently, in the present appeal for reconsideration, the appellant has not provided new facts or legal arguments that allow reconsideration of the validity of the contested resolution.
Considering the aforementioned precepts and others of general application, the Director of the Agency Spanish Data Protection RESOLVES:
FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through THE EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), against the archiving resolution issued by the Director of the Agency Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023,
SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with the art. 77.2 of the GDPR.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative route, it may be filed in the period of two months counting from the day following the notification of this act as provided in article 46.1 of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provided in article 25 and in section 5 of the fourth additional provision of the referred legal text.
Mar España Martí
Director of the Spanish Data Protection Agency.