AEPD (Spain) - EXP202307483: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202307483 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/informes-y-resoluciones/resoluciones?f%255B0%255D=ley_tipificacion_gravedad%253AReglamento%2520General%2520de%2520Protecci%25C3%25B3n%2520de%2520Datos |Original_Source_Language_1=Spanish |Original_Source_Languag...") |
mNo edit summary |
||
Line 19: | Line 19: | ||
|Original_Source_Language__Code_2= | |Original_Source_Language__Code_2= | ||
|Type= | |Type=Internal Appeal | ||
|Outcome=Rejected | |Outcome=Rejected | ||
|Date_Started=21.08.2021 | |Date_Started=21.08.2021 | ||
|Date_Decided= | |Date_Decided=22.04.2024 | ||
|Date_Published= | |Date_Published= | ||
|Year= | |Year= | ||
Line 54: | Line 54: | ||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name= | ||
|Appeal_To_Status= | |Appeal_To_Status=Not appealed | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
Line 68: | Line 68: | ||
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent. In addition, the data subject noticed that the controller installed cookies on the data subject’s browser before obtaining the data subject’s consent. | In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent. In addition, the data subject noticed that the controller installed cookies on the data subject’s browser before obtaining the data subject’s consent. | ||
The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023. | The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023. | ||
The AEPD found no violations and issued a resolution archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn. | The AEPD found no violations and issued a resolution archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn. |
Revision as of 16:27, 29 April 2024
AEPD - EXP202307483 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | LSSI |
Type: | Internal Appeal |
Outcome: | Rejected |
Started: | 21.08.2021 |
Decided: | 22.04.2024 |
Published: | |
Fine: | n/a |
Parties: | Adevinta Spain, S.L. |
National Case Number/Name: | EXP202307483 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish LSSI applied instead of the GDPR and that the controller had brought its website into compliance.
English Summary
Facts
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent. In addition, the data subject noticed that the controller installed cookies on the data subject’s browser before obtaining the data subject’s consent.
The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.
The AEPD found no violations and issued a resolution archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.
On 11 December 2023, the data subject filed an internal appeal making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to Article 60 GDPR, the Austrian DPA should been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the processing raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made over a year after the data subject’s incident occurred. Next, the data subject restated its argument that the controller had installed cookies prior to obtaining consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent and withdrawal of consent in the simplest form possible. The AEPD’s cookie guidance should be in conformance with this obligation, not the other way around. Finally, the data subject pointed out that the AEPD maintained contradictory criteria concerning the need to allow the rejection of cookies in the first layer of the cookie banner.
Holding
The AEPD dismissed the appeal, concluding that only the Spanish LSSI (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.
First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected all of the data subject’s GDPR claims.
The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.
Finally, the AEPD noted that the website was updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the LOPDGDD, Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
On April 22, 2024, the Director of the Spanish Agency for the Protection of Data has issued the following resolution signed electronically: File No.: EXP202307483 RESOLUTION OF REPLACEMENT APPEAL Examined the appeal for reconsideration filed by Noyb – European Center for Digital Rights in the name and representation of XXX (hereinafter, the party appellant), against the resolution issued by the Director of the Spanish Agency of Data Protection, dated November 8, 2023, and based on the following: FACTS FIRST: On June 1, 2023, it was entered into the Spanish Agency of Data Protection (hereinafter, AEPD) complaint letter with registration number registration REGAGE23e00035234524, presented by the appellant, for a alleged violation of Article 22.2 of Law 34/2002, of July 11, on security services the information society and electronic commerce (hereinafter, LSSI). In particular due to the following circumstances: The claim, filed with the Austrian Data Protection Authority in dated August 11, 2021, states that the way to obtain consent for installation of storage devices and data recovery (cookies) through the banner used on the website https://www.milanuncios.com/, not would comply with current regulations, mainly due to the following causes: 1. The option to reject the installation of cookies only exists in the second layer. In this way, accepting the treatment activities is done through a single click, but at least two are needed to reject said treatment. 2. The button colors are misleading because the "Accept and close" has more prominent colors than the "Configure" option, which would be indicating to the user that it is the expected option and the only easy way out of the banner. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/2/8 3. The contrast of the buttons is misleading since it highlights the option to accept about the configure, combined with the color style of the buttons. 4. Withdrawing consent is not as easy as giving it. The complaining party was unable to easily find an option to remove the consent. Did not find a featured removal banner or other option similar. Additionally, it should be noted that, examining the operation of the website, it is Note that non-excepted cookies are installed before granting consent for it. Furthermore, when the consent option is pressed through the consent manager, "disable all", checks that they are not removed from the user's terminal equipment non-excepted cookies installed when visiting the page or granting the consent for one or more of the purposes specified in the data manager consent, so said procedure does not comply with what is established in the regulations in force. SECOND: The mechanism prior to the admission for processing of the claims that are formulated before the AEPD, provided for in article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter, LOPDGDD), consists of transferring them to the delegates of data protection designated by those responsible or in charge of processing, or to these when they have not been designated. The fourth additional provision of the LOPDGDD also allows the aforementioned mechanism to be applied to claims that are filed for alleged violations of other laws that attribute powers to the Spanish Data Protection Agency. With the purpose indicated in the aforementioned article, the claim was transferred to ADEVINTA SPAIN, S.L. (hereinafter, the claimed party) to proceed with its analysis and provide a response within a period of one month. On September 21, 2023, the claimed party filed in the Registry Electronic AEPD response to the transfer action and request for information. THIRD: On September 1, 2023, in accordance with article 65.5 of the LOPDGDD, the claim presented is admitted for processing. FOURTH: On November 8, 2023, after analyzing the documentation that appeared in the file, a resolution was issued by the Director of the Spanish Agency of Data Protection, agreeing to file the claim. The resolution was notified to the appellant on November 8, 2023, as recorded accredited in the file. FIFTH: On December 11, 2023, the appellant presents a new written through the Electronic Registry of the AEPD, against the resolution issued to the file EXP202307483, in which he shows his disagreement with the resolution contested and requesting that the processing of the initial claim continue presented. The following apply to the above facts: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/3/8 FOUNDATIONS OF LAW Yo Competence On a preliminary basis, it should be noted that the new document presented by the appellant has not been classified as an appeal for reconsideration. However, the section 2 of article 115 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), establishes that the error or lack of qualification of the appeal by the appellant will not be obstacle to its processing, provided that its true character is deduced, therefore that the document presented will be processed as an appeal for reconsideration. The Director of the Spanish Agency is competent to resolve this appeal. of Data Protection, in accordance with the provisions of article 123 of the LPACAP and article 43 of the LSSI. II Response to the allegations presented In relation to the statements made by the appellant, which reiterate basically those already made in your claim, it should be noted that they have already were analyzed and rejected in the contested resolution, the foundations of which They remain fully in force. After transferring the claim, in accordance with article 65.4 and the provision fourth addition of the LOPDGDD, it was considered that the initiation of a sanctioning procedure as the claim had been attended to and that it was appropriate agree to file the claim made. In this sense, in response to the transfer action, the claimed party accompanied information from which it is inferred that the issues were resolved raised in the claim: The claimed party has stated that it adheres to the Transparency Consent IAB Framework (TCF) with the objective of ensuring transparency and complying with the obligations derived from the LSSI and the RGPD. Consider that the measures adopted linked to the duty to inform and regarding consent, are in line with the criteria of the Guide on the use of cookies 2020 valid until the 11th July 2023, date after the claim filed by NOYB. Note that both the Cookies Policy and the consent manager are accessible to the user through the footer of the page. With respect to obtaining and rejecting consent, you agree to follow the recommendations established by the Guide on the use of cookies 2020, through a button to accept cookies and another to configure that redirects to the panel in which consent can be managed. This panel is accessible from the link in the footer page and from there the consent can be revoked at any time C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/4/8 granted. Additional information is also provided in the Cookies Policy, in which The link to the configuration panel is also provided. Regarding the design, "it has been arranged in the site's own colors and contrasts, and taking into account that the 2020 Cookies Guide did not necessarily provide for the same." However, the entity's willingness to comply with the requirements established by the guides on the use of cookies, having created working groups with the objective of adapting the mechanisms of consent to these guidelines. As far as this Agency is concerned and after the analysis carried out within the powers attributed to it, it has been determined that the consent manager is aligned with the recommendations established in the Guide on the use of cookies from June 2022, following one of the examples provided. The Information shown in the first layer is completed with additional information from the control panel accessed through the "Setup" button. Additionally, the panel It is permanently accessible through the footer of the website. This panel has the necessary mechanisms through which you can enable or disable all cookies, or do it manually on a granular basis. I don't know install any storage device if it has not been enabled, since They are disabled by default as indicated in the guide. About the contrast of the buttons, in the Guide on the use of cookies from June 2022, no recommendations were indicated in this regard, although the update of the July 2023 guide adapts its content to the Guidelines of the European Committee of Data protection on dark patterns. With reference to the withdrawal of consent, it is noted that in the footer of the website there is a permanent link to the configuration panel, allowing in at all times the user rejects the use of non-excepted cookies in their browser. Additionally, the Cookies Policy provides additional information on how eliminate them through the configuration of the most common browsers including links to said information. Finally, it is noted that the website does not install cookies not excepted with character prior to obtaining consent and the correctness is verified operation of the mechanism to uninstall them, so that, after having accepted installation, these are deactivated when consent is withdrawn through the configuration panel. In the appeal for reconsideration, he alleges that a procedural violation has occurred, since The Austrian Authority forwarded the claim to the AEPD under article 56 of the REGULATION (EU) 2016/679 of the European Parliament and of the Council, of April 27 of 2016, relating to the protection of natural persons with regard to processing of personal data and the free circulation of these data and by which repeals Directive 95/46/EC (General Data Protection Regulation) (in forward, GDPR). Points out that, in accordance with the single window mechanism and in accordance to article 60 of the GDPR, the Austrian Authority is the one who should have adopted and notified of the resolution. Therefore, it considers that the AEPD was incompetent to carry out C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/5/8 such action is carried out, and, by failing to comply with the procedural regulations, it is null and void. void. Likewise, it considers that the AEPD has limited itself to examining the processing of data made by the claimed party in a generic manner by examining its website, without entering to examine the specific circumstances of the appellant, specifically, the situation during the visit to the appellant's website. Therefore, it would occur a lack of consistency with the initial claim, by resolving in the abstract on the adaptation of the website to the regulations but without responding to the substance of the claim. The appellant also points out that the claimed party processed his personal data when installing cookies without consent, so that the RGPD applies, and this was considered by the Austrian Authority when referring the claim to the AEPD. On the other hand, it also highlights that both the RGPD and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 regarding the treatment of personal data and the protection of privacy in the communications sector electronic communications (Directive on privacy and electronic communications) (in (hereinafter, ePrivacy Directive) also provide that the rejection of the treatment in the “simplest possible” way, and that the regulations cannot be interpreted European Union in accordance with the AEPD Cookies Guide, but the Guide must be interpreted in accordance with the applicable European regulations. Finally, consider that the AEPD has maintained a criterion that is contradictory to regarding the need to allow the rejection of cookies in the first layer. On the applicability of the single window mechanism and the lack of competition, it is It should be noted that, regardless of the criteria of the Austrian Authority, in the In this case it is concluded that the RGPD is not applicable, but rather that we are only We are facing a possible violation of the ePrivacy Directive. This standard is is transposed into the Spanish legal system by the LSSI (among others norms), and, as the appellant itself acknowledges, it does not have a collaboration mechanism such as the RGPD, and must therefore process the claim only by the AEPD, the competent authority that resolved and notified the file that is the subject of this appeal in accordance with the law. Therefore, it is not possible to appreciate non-compliance with the applicable regulations, and this reason for resource. On the other hand, in relation to the examination of the specific infringement object of the initial claim, produced at the time of the visit on January 25, 2021 by the appellant, it is necessary to highlight that, in accordance with article 45 of the LSSI: Very serious infractions will expire after three years, serious ones after two. years and mild ones at six months; sanctions imposed for very serious offenses serious offenses will expire after three years, those imposed for serious offenses after two years and those imposed for minor offenses per year. Therefore, regardless of whether there may have been an infringement that occurred On the aforementioned date, said infraction would be currently prescribed, not being C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/6/8 possible for the AEPD to examine the substance of the matter at present, since the On January 25, 2024, three years would have passed since its commission. Finally, on the adequacy of the website of the complained party to the regulations currently in effect, as discussed in the archival resolution and has now been reiterated, the claimed party has adapted, after the visit object of the initial claim, its website, so that it currently complies with the requirements indicated for a cookie banner. Article 65.6 of the LOPDGDD provides: “After admission for processing, if the person responsible or person in charge of the treatment demonstrate that they have adopted measures for the compliance with applicable regulations, the Spanish Data Protection Agency may resolve the file of the claim, when in the specific case there are circumstances that advise the adoption of other more moderate solutions or alternatives to corrective action, provided that no actions have been initiated prior investigation or any of the procedures regulated in this law organic”. Likewise, the fourth additional provision of the LOPDGDD provides that “What provided in Title VIII and in its development regulations will apply to the procedures that the Spanish Data Protection Agency had to process in the exercise of the powers attributed to it by other laws.” In it In this case, after the transfer of the claim, the claimed party has adopted measures for compliance with regulations. Therefore, the file resolution It is in accordance with the law, and the present appeal must be dismissed. III Conclusion In short, in view of the transfer actions carried out by the AEPD, it has been verified that the claim has been addressed by the claimed party. In this regard, it should be noted that, although the documentation presented deduces a possible initial discordance between the action or inaction of the party claimed and the provisions of the applicable regulations, the processing of the claim in accordance with the provisions of article 65.4 and the fourth additional provision of the LOPDGDD, has led to the solution of the issues raised, without the need to clarify administrative responsibilities within the framework of a procedure sanctioner. In this sense, it is worth mentioning the exceptional nature of the procedure sanctioning, from which it follows that - whenever possible - the choice must be made prevalence of alternative mechanisms in the event that they are protected by the current regulations, as occurs in the case subject to this appeal for replacement. In summary, the principles applicable to the procedure must be brought up sanctioner. The AEPD exercises the sanctioning power ex officio. Therefore, it is exclusive competence of the AEPD to assess whether there are administrative responsibilities that must be purged in a sanctioning procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/7/8 elements that justify said initiation of the sanctioning activity, circumstances that do not occur in the present case, as indicated in the appealed resolution and in the present appeal for reconsideration. Therefore, given that, in the present appeal for reconsideration, no new facts, documents or legal arguments that allow reconsideration of the validity of the contested resolution, it is appropriate to agree to reject it. IV Untimely resolution Due to reasons of operation of the administrative body, therefore not attributable to the appellant, to date the mandatory statement of this Agency regarding this appeal. In accordance with the provisions of article 24 of the LPACAP, the meaning of silence administrative in the procedures for challenging acts and provisions is dismissive. However, and despite the time that has passed, the Administration is obliged to dictate express resolution and to notify it in all procedures regardless of their form of initiation, as provided in article 21.1 of the aforementioned LPACAP. In cases of rejection due to administrative silence, the resolution expresses After the expiration of the term, it will be adopted by the Administration without binding any to the meaning of silence, as provided in article 24.3 of the same law. Therefore, it is appropriate to issue the resolution that finalizes the appeal procedure. reinstatement filed. Considering the aforementioned precepts and others of general application, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: DISMISS the appeal for reconsideration filed by XXX against the resolution of this Agency issued on November 8, 2023, by the that it is agreed to file the claim referred to ADEVINTA SPAIN, S.L. SECOND: NOTIFY this resolution to the appellant. Against this resolution, which puts an end to the administrative route, it may be filed in the period of two months counting from the day following the notification of this act as provided in article 46.1 of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provided in article 25 and in section 5 of the fourth additional provision of the referred Law. 1179-260324 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/ CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024 Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/8/8 What is notified for appropriate purposes in accordance with art. 40 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (BOE 2-10) and as established in art. 29.2, section b) of the Real Decree 389/2021, of June 1, approving the Agency Statute Spanish Data Protection