AEPD (Spain) - EXP202301323: Difference between revisions
(→Facts) |
(Short summary changed) |
||
(11 intermediate revisions by the same user not shown) | |||
Line 19: | Line 19: | ||
|Original_Source_Language__Code_2= | |Original_Source_Language__Code_2= | ||
|Type= | |Type=Internal Appeal | ||
|Outcome=Rejected | |Outcome=Rejected | ||
|Date_Started=10.08.2021 | |Date_Started=10.08.2021 | ||
Line 28: | Line 28: | ||
|Currency= | |Currency= | ||
|GDPR_Article_1= | |GDPR_Article_1=Article 7(3) GDPR | ||
|GDPR_Article_Link_1= | |GDPR_Article_Link_1=Article 7 GDPR#2 | ||
|GDPR_Article_2= | |GDPR_Article_2=Article 60(8) GDPR | ||
|GDPR_Article_Link_2= | |GDPR_Article_Link_2=Article 60 GDPR#7 | ||
|EU_Law_Name_1= | |EU_Law_Name_1= | ||
Line 38: | Line 38: | ||
|EU_Law_Link_2= | |EU_Law_Link_2= | ||
|National_Law_Name_1= | |National_Law_Name_1= Article 22 LSSI | ||
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 | |National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 | ||
|National_Law_Name_2= | |National_Law_Name_2= | ||
Line 45: | Line 45: | ||
|National_Law_Link_3= | |National_Law_Link_3= | ||
|Party_Name_1=Turner Broadcasting System España | |Party_Name_1=Turner Broadcasting System España, S.L. | ||
|Party_Link_1= | |Party_Link_1= | ||
|Party_Name_2= | |Party_Name_2= | ||
Line 52: | Line 52: | ||
|Party_Link_3= | |Party_Link_3= | ||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name= | ||
|Appeal_To_Status= | |Appeal_To_Status=Not appealed | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=lm | |Initial_Contributor=lm | ||
Line 61: | Line 61: | ||
}} | }} | ||
The DPA dismissed an internal appeal | The Spanish DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish LSSI instead of the GDPR applies and that it would need to verify the data subject's claim which was not possible because the website was deactivated in the meanwhile. | ||
== English Summary == | == English Summary == | ||
Line 70: | Line 70: | ||
The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. After an initial investigation the Austrian DPA forwarded the case to the Spanish DPA (AEPD) in January 2023, considering that a Spanish controller (Turner Broadcasting System España, S.L.) operated the website. | The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. After an initial investigation the Austrian DPA forwarded the case to the Spanish DPA (AEPD) in January 2023, considering that a Spanish controller (Turner Broadcasting System España, S.L.) operated the website. | ||
Through its own investigation of the webpage, the AEPD confirmed that the website the data subject initially visited now redirected to another one. On the redirected page, only technical or necessary cookies were used. As the website only uses necessary cookies, no option to withdraw consent was necessary. Additionally, it noted that the information in the cookie banner and the cookie policy was accurate. Consequently, [https://www.aepd.es/documento/ai-00057-2023.pdf in its decision] the AEPD found no violation of applicable law. | |||
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that it would have been for the Austrian DPA under [[Article 60 GDPR#8|Article 60(8) GDPR]] to adopt and notify the decision (not the AEPD). Second, the data subject argued that the AEPD failed to consider the data subject’s website visit and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner of the redirected website, Google Analytics cookies, which are not strictly necessary, are installed. These cookies can only be installed where valid consent has been obtained – the website, however, offered no permanently visible option to withdraw consent. Revoking consent required multiple steps, including opening the privacy policy in order to find a link within this policy to an English-language portal and sending the controller an email requesting to withdraw consent. According to the data subject this is not an easy way to withdraw consent and violates [[Article 7 GDPR#3|Article 7(3) GDPR]]. | |||
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that the Austrian DPA | |||
=== Holding === | === Holding === | ||
The AEPD dismissed the appeal, concluding that only the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish ePrivacy | The AEPD dismissed the internal appeal, concluding that only the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish LSSI] (the implementation of the ePrivacy directive) is relevant to the case, not the GDPR. | ||
First, the AEPD rejected the data subject’s argument that the | First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. According to the AEPD both the GDPR and the LSSI regulate the same situation. It considers the LSSI a ''lex specialis'' that is to be applied instead of the GDPR since the controller’s headquarters are in Spain and the website used the .es top-level domain. Further, the AEPD hold that it is competent under the LSSI. | ||
The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims, and | The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims. However, it could only be established that the website no longer existed and redirected to a different site. | ||
Finally, the DPA dismissed the third argument because it was not raised in the initial | Finally, the DPA dismissed the third argument because it was not raised in the initial complaint. | ||
== Comment == | == Comment == | ||
'' | '''I. Who decides if a case is a GDPR cross-border case? Issues when handling an ePrivacy and GDPR case''' | ||
The decision of the AEPD is an excellent example of issues of international data protection complaints. | |||
While the Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of § 165 TKG, which stems from Article 5(3) ePrivacy Directive) and forwarded it to the Spanish DPA, probably assuming that the case at hand involved cross-border processing and needs to be dealt with according to one stop shop mechanism (see Article 56 GDPR). The Spanish DPA, however, claims that only Article 22 LSSI (which also stems from Article 5(3) ePrivacy Directive) is applicable. It shows that in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under ePrivacy Directive related legislation, the GDPR of if it falls under both. As far as evident, the Austrian DPA is not even aware of a decision in the current case. | |||
Additionally, in the case at hand the data subject who lodged a complaint in German with the Austrian DPA received a decision in Spanish. Unfortunately, these situations are common and the data subject frequently deprived of a decision from the authority where they lodged the complaint and in the language of this complaint. | |||
While the AEPD claims that only the LSSI is applicable, this seems to be incorrect. The complaint concerned both setting cookies on the device of the complainant and the use of the data by the controller that occurred later on. Already in the initial complaint lodged at the Austrian DPA it was stated that both the GDPR <u>and</u> the relevant ePrivacy legislation apply. The latter one would apply to storing and gaining access to data in the complainant's terminal equipment, the GDPR to any processing of personal data thereafter. Consequently, at least a part of the "GDPR part" of the complaint was not dealt with by the AEPD. Assuming that the GDPR was applicable, a decision within the meaning of Article 60(8) GDPR should have been issued by the Austrian DPA. | |||
This showcases the issues of complaints that concern both ePrivacy Directive legislation and the GDPR. | |||
'''II. What are the facts of the case and which moment is relevant?''' | |||
Furthermore, the AEPD did not investigate the individual situation of the complainant. While the complainant had provided sufficient evidence to reconstruct each detail of their visit to the website through technical means (among others through an HAR-file of the website visit), the AEPD did not consider such evidence. | |||
It visited the website almost three years after the complainant. Unsurprisingly, it found changes to the website and continued to assess the website on basis of these findings. This is, unfortunately, a common practice of different data protection authorities. However, SAs would need to take into account the situation of the complainant (see Recital 141 GDPR, Internal EDPB Document 02/2021 para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to deactivate a website (or discontinue a service, etc.), no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account. | |||
In this regard the AEPD puts forward the argument that it needs to prove an infraction, otherwise the presumption of innocence would operate. This is true for sanctioning procedures. However, establishing if the controller complied with the law or did not and order the deletion of the processed data, in case such data processing was illegal, is not a sanction. The controller would need to comply with the law in any case (with or without intervention of the the authority). To that extent no sanction is imposed and it is not clear how the presumption of innocence would be relevant. Also, the decision of the AEPD was not issued in the course of a sanctioning procedure. | |||
'''III. Current cookie banner of the redirected website''' | |||
Although the AEPD did not proceed with any investigation against the redirected website, the cookie banner of this site now features two equivalent options to accept and reject cookies in the first layer. This could be a reaction to the [https://www.aepd.es/guias/guia-cookies.pdf updated cookie guidelines (version of January 2024) of the Spanish AEPD]. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 15:41, 27 March 2024
AEPD - EXP202301323 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 7(3) GDPR Article 60(8) GDPR Article 22 LSSI |
Type: | Internal Appeal |
Outcome: | Rejected |
Started: | 10.08.2021 |
Decided: | 15.03.2024 |
Published: | |
Fine: | n/a |
Parties: | Turner Broadcasting System España, S.L. |
National Case Number/Name: | EXP202301323 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The Spanish DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish LSSI instead of the GDPR applies and that it would need to verify the data subject's claim which was not possible because the website was deactivated in the meanwhile.
English Summary
Facts
In May 2021 a data subject accessed a website that, in their view, did not offer a reject button in the first layer of the cookie banner, used a deceptive link design for certain options in the cookie banner, used colors and contrast to nudge users regarding their options in the cookie banner and did not provide for an option to withdraw consent that would be as easy to use as the option to give consent.
The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. After an initial investigation the Austrian DPA forwarded the case to the Spanish DPA (AEPD) in January 2023, considering that a Spanish controller (Turner Broadcasting System España, S.L.) operated the website.
Through its own investigation of the webpage, the AEPD confirmed that the website the data subject initially visited now redirected to another one. On the redirected page, only technical or necessary cookies were used. As the website only uses necessary cookies, no option to withdraw consent was necessary. Additionally, it noted that the information in the cookie banner and the cookie policy was accurate. Consequently, in its decision the AEPD found no violation of applicable law.
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that it would have been for the Austrian DPA under Article 60(8) GDPR to adopt and notify the decision (not the AEPD). Second, the data subject argued that the AEPD failed to consider the data subject’s website visit and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner of the redirected website, Google Analytics cookies, which are not strictly necessary, are installed. These cookies can only be installed where valid consent has been obtained – the website, however, offered no permanently visible option to withdraw consent. Revoking consent required multiple steps, including opening the privacy policy in order to find a link within this policy to an English-language portal and sending the controller an email requesting to withdraw consent. According to the data subject this is not an easy way to withdraw consent and violates Article 7(3) GDPR.
Holding
The AEPD dismissed the internal appeal, concluding that only the Spanish LSSI (the implementation of the ePrivacy directive) is relevant to the case, not the GDPR.
First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. According to the AEPD both the GDPR and the LSSI regulate the same situation. It considers the LSSI a lex specialis that is to be applied instead of the GDPR since the controller’s headquarters are in Spain and the website used the .es top-level domain. Further, the AEPD hold that it is competent under the LSSI.
The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims. However, it could only be established that the website no longer existed and redirected to a different site.
Finally, the DPA dismissed the third argument because it was not raised in the initial complaint.
Comment
I. Who decides if a case is a GDPR cross-border case? Issues when handling an ePrivacy and GDPR case
The decision of the AEPD is an excellent example of issues of international data protection complaints.
While the Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of § 165 TKG, which stems from Article 5(3) ePrivacy Directive) and forwarded it to the Spanish DPA, probably assuming that the case at hand involved cross-border processing and needs to be dealt with according to one stop shop mechanism (see Article 56 GDPR). The Spanish DPA, however, claims that only Article 22 LSSI (which also stems from Article 5(3) ePrivacy Directive) is applicable. It shows that in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under ePrivacy Directive related legislation, the GDPR of if it falls under both. As far as evident, the Austrian DPA is not even aware of a decision in the current case.
Additionally, in the case at hand the data subject who lodged a complaint in German with the Austrian DPA received a decision in Spanish. Unfortunately, these situations are common and the data subject frequently deprived of a decision from the authority where they lodged the complaint and in the language of this complaint.
While the AEPD claims that only the LSSI is applicable, this seems to be incorrect. The complaint concerned both setting cookies on the device of the complainant and the use of the data by the controller that occurred later on. Already in the initial complaint lodged at the Austrian DPA it was stated that both the GDPR and the relevant ePrivacy legislation apply. The latter one would apply to storing and gaining access to data in the complainant's terminal equipment, the GDPR to any processing of personal data thereafter. Consequently, at least a part of the "GDPR part" of the complaint was not dealt with by the AEPD. Assuming that the GDPR was applicable, a decision within the meaning of Article 60(8) GDPR should have been issued by the Austrian DPA.
This showcases the issues of complaints that concern both ePrivacy Directive legislation and the GDPR.
II. What are the facts of the case and which moment is relevant?
Furthermore, the AEPD did not investigate the individual situation of the complainant. While the complainant had provided sufficient evidence to reconstruct each detail of their visit to the website through technical means (among others through an HAR-file of the website visit), the AEPD did not consider such evidence.
It visited the website almost three years after the complainant. Unsurprisingly, it found changes to the website and continued to assess the website on basis of these findings. This is, unfortunately, a common practice of different data protection authorities. However, SAs would need to take into account the situation of the complainant (see Recital 141 GDPR, Internal EDPB Document 02/2021 para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to deactivate a website (or discontinue a service, etc.), no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account.
In this regard the AEPD puts forward the argument that it needs to prove an infraction, otherwise the presumption of innocence would operate. This is true for sanctioning procedures. However, establishing if the controller complied with the law or did not and order the deletion of the processed data, in case such data processing was illegal, is not a sanction. The controller would need to comply with the law in any case (with or without intervention of the the authority). To that extent no sanction is imposed and it is not clear how the presumption of innocence would be relevant. Also, the decision of the AEPD was not issued in the course of a sanctioning procedure.
III. Current cookie banner of the redirected website
Although the AEPD did not proceed with any investigation against the redirected website, the cookie banner of this site now features two equivalent options to accept and reject cookies in the first layer. This could be a reaction to the updated cookie guidelines (version of January 2024) of the Spanish AEPD.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 Procedure No.: EXP202301323 (AI/00057/2023) Replacement Appeal No. RR/00111/2024 Examined the appeal for reconsideration filed by A.A.A. through the COMMISSION EUROPEAN INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), against the resolution issued by the Director of the Spanish Agency for the Protection of Data in the procedure AI/00057/2023, for violation of the provisions of the Law 34/2002, of July 11, on Information Society Services and Commerce Electronic (LSSI) and based on the following: FACTS FIRST: On 01/25/24, the Director of the Spanish Agency for the Protection of Data issued Resolution to File Actions in procedure AI/00057/2023, open to the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.: B82320227, owner of the website https://www.canaltnt.es, for the alleged violation of article 22 of the LSSI. The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded on the record. SECOND: As proven facts of the aforementioned procedure, there was evidence of the following: - When trying to enter the website that is the subject of the claim, https://www.canaltnt.es, It was found that this no longer existed, redirecting the user to a new page website, https://www.warnertv.es whose owner is the entity Discovery Networks SL, with CIF B-86815560, different from the entity initially claimed, (Turner Broadcasting System España, with CIF.: B82320227). THIRD: On 02/14/24, this Agency has received a written appeal for replacement presented by the appellant, in which it stated the following: FIRST – Lack of notification by the DSB 1. On January 24, 2024, the AEPD adopted its resolution, which was notified to this part on January 29, 2024. However, according to the article 60(8) GDPR is the supervisory authority to which the claim, i.e. the DSB, who should have adopted and notified the resolution to the person interested in this case. 2. Therefore, the resolution adopted by the AEPD must be considered null of right, as provided in article 47(1)(b) LPACAP. SECOND – The AEPD did not consider the facts or the petition of the claim 3. The AEPD did not consider the specific circumstances of the visit of the website of this party, set forth in the claim in detail. In fact, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/8 It seems that the AEPD decided based on the banner that appeared on the website of the controller during your own visit. 4. However, the control authority must provide an effective response to the individual situation of the interested party, taking into account the circumstances individuals and the facts about which the claim presented by the interested. This follows from Considering 141 GDPR, from Article 77. RGPD and Article 65(3)(b) of the LOPDGDD. 5. In addition, this party requested in its complaint various measures to be adopted by the AEPD (see First Fact). The formulated petitum determines specifically requested and underlines the need for an evaluation of the individual situation of this part. In particular, the person responsible continues to try the personal data of this party unlawfully. 6. In light of the configuration of the claim ex article 77(1) GDPR that “is conceived as a mechanism capable of effectively protecting the rights and interests of the interested parties” it is beyond any doubt that the AEPD should have responded to what was requested by this party. It directly agrees with the provisions of article 88(2) LPACAP. No However, the AEPD resolution does not provide a concrete response to this petition. part. 7. Therefore, the resolution must be annulled in accordance with art 48(1) LPACAP. B. MATERIAL ASPECTS THIRD – The AEPD applies an erroneous criterion 8. As stated above, this party visited the website of the controller and, in addition to not having an equivalent option to reject the use of the cookies in the first layer of the banner (violation type A, C, D, E), checked that there was no easy possibility to withdraw consent awarded (type K violation). 9. On the other hand, in the appealed resolution the AEPD states that during its own visit the person responsible only installed strictly necessary cookies, so no It was not necessary to offer an option to reject cookies, nor an option to withdraw consent. 10. However, upon checking this part again on the website https://www.warnertv.es/, it is observed that after selecting “Accept” in the banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google are installed Analytics. These are cookies that can only be installed in the case of have obtained valid consent (Annex 1). 11. Although the person responsible has implemented two equivalent options in its banner cookie, does not offer a permanently visible option that allows withdrawal of consent. At the bottom of the main page there is only one link C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/8 to the privacy policy, in which there is a link to the “Portal of request for individual rights” (in English). On this portal you can then send an email to withdraw consent. This does not represent a possibility to “revoke consent easily” and “at any time” moment” as required by article 7(3) GDPR and as provided in the AEPD in relation to the withdrawal of consent.2 12. From the above it follows that the AEPD is based on a verification which turns out to be wrong. The controller uses Google Analytics cookies that do not They are strictly necessary. However, the person responsible still does not offer a simple possibility to withdraw consent once given. 13. From what is stated in this FJ it follows that the criterion adopted in the resolution appealed is contrary to the legal system and must be annulled. By virtue of what is stated in this writing, and in accordance with the mentioned provisions, this part REQUESTS: I. That an APPEAL OF REPLACEMENT against the resolution of the Director of the Spanish Agency of Data Protection of January 24, 2024 within the framework of the procedure with file number EXP202301323, and, after admitting it, the investigative actions that are necessary, in accordance with the applicable procedural and material standards. II. That the nullity be declared of the resolution appealed for the reason stated in the legal basis first and that the continuation of the procedure. III. That, if full nullity is not declared, the appealed resolution is annulled for the reasons set out in the grounds. FOUNDATIONS OF LAW Yo Competence. The Director of the Spanish Agency is competent to resolve this appeal. of Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI. II Response to the allegations In relation to the statements made by the appellant, it is worth noting the following: First: The appellant alleges in the section “First, points 1-2”, of the FJ of his writing that the resolution should have been made by the Austrian supervisory authority, in accordance with article 60(8) RGPD and therefore, the resolution adopted by the AEPD must be considered null and void, according to article 47(1)(b) LPACAP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/8 Well, with respect to this allegation, it must be clarified that Spanish Law governs the “Principle of Regulatory Specialty”, which, in essence, refers to the fact that, There is a special standard (LSSI) and a general standard (RGPD) that regulate a concrete fact, the first prevails over the second. This principle does not mean that, in the event of application of both standards (one general rule and another special one), the first is repealed, but the simultaneous validity of both rules, although the special rule will be applied with preference to the general rule in those cases contemplated in it. Regarding the case at hand, there is such a coincidence, that is, in the Ordinance Spanish Legal System, two regulations coexist, one of a general nature such as the RGPD and another of a special nature, such as the LSSI that regulates the same facts. If we look at what Article 1 of the GDPR establishes, its purpose is the following: 1.This Regulation establishes the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free circulation of such data. 2.This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to data protection personal. 3.The free circulation of personal data in the Union may not be restricted or prohibited for reasons related to the protection of natural persons with regard to the processing of personal data. While the object of the LSSI, established in its article 1, indicates that: 1. The object of this Law is the regulation of the legal regime of the services of the information society and contracting via electronic, regarding the obligations of service providers including those who act as intermediaries in the transmission of content through telecommunications networks, commercial communications via electronic, information before and after the conclusion of contracts electronic devices, the conditions relating to their validity and effectiveness and the regime sanction applicable to service providers of the society of the information. 2. The provisions contained in this Law will be understood without prejudice to the provided in other state or regional regulations outside the regulatory scope coordinated, or that have as their purpose the protection of health and safety public, including the safeguarding of national defense, the interests of the consumer, the tax regime applicable to the services of the society of the information, the protection of personal data and the regulations governing competition defense. For its part, article 2 of the aforementioned standard (LSSI) establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/8 1. This Law will apply to the service providers of the society of the information established in Spain and the services provided by them. It will be understood that a service provider is established in Spain when your residence or registered office is in Spanish territory, as long as these coincide with the place where it is actually centralized administrative management and direction of its businesses. In other case, the place where said management or direction is carried out will be taken into account. Therefore, in application of the “Principle of Regulatory Specialty”, the application of the specific standard, that is, the LSSI, on the general standard, the RGPD, by having the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.: B82320227, its headquarters in Spanish territory, as well as the domain of its website (.es). Regarding the jurisdiction to hear the case, article 43.1 of the LSSI, establishes the following: (…) Likewise, it will be up to the Human Rights Protection Agency Data on the imposition of sanctions for the commission of infractions classified in the articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…). and what is established in the articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, While article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." And the fourth additional provision of said standard establishes, with respect to the powers attributed to the AEPD by other laws, which: "The provisions of Title VIII and in its development regulations will be applicable to the procedures that the Agency Spanish Data Protection Agency had to process in exercise of its powers that were attributed to it by other laws." Therefore, since the claimed entity has its registered office in Spanish territory, it is competent to hear the claim, the Spanish Data Protection Agency, based on the provisions of 43.1 of the LSSI, article 63.2 of the LOPDGDD and Fourth additional provision of said rule to the detriment of the control authority Austrian Second: The appellant states in the section “Second, points 3-7” of the FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances specific to the visit to the appellant's website, based solely, for the resolution of the file, in the verification that the AEPD itself made of the information banner that appears on the website, without responding to what was requested in the claim, forgetting the requests made by the appellant…” To respond to this allegation, we must start from the principle that governs all judicial or administrative procedure such as the “Principle of Presumption of Innocence”, which guarantees, in Spanish law, not to suffer a sanction that does not is based on a previous evidentiary activity on which the body competent person can base a reasonable judgment of guilt, and entails, among C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/8 other demands, that of the Administration proving and, therefore, motivating, not only the facts constituting the infringement, participation in such facts and the circumstances that constitute a graduation criterion, but also guilt that justifies the imposition of sanction (among others, SSTC 76/1990, of April 26; 14/1997, January 28; 209/1999, of November 29 and 33/2000, of November 14 February). Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the administration that proves guilt because "it is not the interested party who has to prove lack of guilt." The presumption of innocence, a fundamental right of citizenship according to art 24.2 of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights, It is expressly included in our regulations for the procedures administrative sanctions where among the rights of the interested party in the disciplinary administrative procedure will have the right "To the presumption of not existence of administrative responsibility until the contrary is proven." And as the STS 04/28/2016 (RC 677/2014) said: "it may mean that the right to the presumption of innocence, which applies without exception in the field of administrative sanctioning procedure, according to the Constitutional Court in ruling 66/2007, of March 27, means that "no sanction can be imposed "any that is not based on a previous lawful evidentiary activity", and implies also the recognition of the right to an administrative sanctioning procedure due or with all the guarantees, that respects the principle of contradiction and in which the alleged perpetrator has the opportunity to defend his own positions, prohibiting the initiation of disciplinary proceedings when it is appreciable unequivocally or manifests the absence of rational indications that it has been committed an infringing conduct, or in which illegality or illegality is absent. culpability" What the Public Administration cannot is raise administrative responsibility in the facts presented by the complaining party, without first verifying the veracity of the themselves. In the case at hand, this verification was based on the review of the website object of the claim (https://www.canaltnt.es), where it was verified that it no longer existed, redirecting the user to a new web page belonging to a different owner. Third: The appellant states in the section “Third.- points 8 to 13” that at check the new website https://www.warnertv.es/, it is observed that after Select “Accept” in the banner and the cookies “_ga” and “_ga_1PMD2PL02L” are installed of Google Analytics, which are not strictly necessary and that there is no possibility of withdrawing consent once given. First of all, we must mention that the website https://www.warnertv.es, to which which the appellant mentions in her appeal for reconsideration, the website was not the object of initial claim, so its analysis is not appropriate within the scope of this appeal. replacement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/8 However, having said the above, it is worth remembering that, although this new website (https://www.warnertv.es) comes up due to the fact that when trying to access the web page that was the subject of the initial claim https://www.canaltnt.es, this redirected to the user to the new page. Now, the appellant states that, on this new web page https://www.warnertv.es observes that, when the user gives consent, the website begins to use two new cookies that are not of a technical nature (“_ga” and “_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that the possibility of withdrawing consent once given by requesting this Agency that the investigative actions that are necessary to be carried out clarify the facts you claim. Therefore, this is a new fact not mentioned in the initial claim. The The appellant cannot claim that at the appeal stage the facts that he did not express in a previous procedural phase. The LPACAP provides in its article 118 the following procedural rule: “No account in the resolution of the resources, facts, documents or allegations of the appellant, when, having been able to provide them in the processing of allegations, he does not I've done. Nor may the taking of evidence be requested when the lack of realization in the procedure in which the appealed resolution was issued outside attributable to the interested party.” This standard contains a rule that is nothing more than the positive concretion for the common administrative sphere of the general principle that the The law does not protect the abuse of rights (article 7.2 of the Civil Code). This principle Its purpose, among others, is to prevent the processing of allegations from being useless and evidence of the application procedures, as would result if the interested parties could choose, at their discretion, the moment at which to present evidence and allegations, since this would be contrary to an elementary procedural order. All of this, without prejudice to the possibility of submitting a new claim if you consider that such events violate regulations that confer powers on the Spanish Agency of Data Protection. III Conclusion Consequently, in the present appeal for reconsideration, the appellant has not provided new facts or legal arguments that allow reconsideration of the validity of the contested resolution. Considering the aforementioned precepts and others of general application, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through THE EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI- Austria), against the archiving resolution issued by the Director of the Agency Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/8 SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with the art. 77.2 of the GDPR. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative route, it may be filed in the period of two months counting from the day following the notification of this act as provided in article 46.1 of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provided in article 25 and in section 5 of the fourth additional provision of the referred legal text. Sea Spain Martí Director of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es