AEPD (Spain) - EXP202307483: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 61: Line 61:
}}
}}


The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish LSSI applied instead of the GDPR and that the controller had brought its website into compliance.
The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish ePrivacy law applied instead of the GDPR and that the controller had brought its website into compliance.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent. In addition, the data subject noticed that the controller installed cookies on the data subject’s browser before obtaining the data subject’s consent.  
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user to consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent.  


The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.  
The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.  


The AEPD found no violations and issued a resolution archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.  
The AEPD found no violations and issued a decision archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020/2022 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.  


On 11 December 2023, the data subject filed an internal appeal making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to [[Article 60 GDPR|Article 60 GDPR]], the Austrian DPA should been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the processing raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made over a year after the data subject’s incident occurred. Next, the data subject restated its argument that the controller had installed cookies prior to obtaining consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent and withdrawal of consent in the simplest form possible. The AEPD’s cookie guidance should be in conformance with this obligation, not the other way around. Finally, the data subject pointed out that the AEPD maintained contradictory criteria concerning the need to allow the rejection of cookies in the first layer of the cookie banner.
On 11 December 2023, the data subject filed an internal appeal (''recurso de reposición'') making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to [[Article 60 GDPR|Article 60(8) GDPR]], the Austrian DPA should have been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the facts raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made more than two years after the data subject’s website visit occurred. Third, the data subject restated its argument that the controller had installed cookies without obtaining valid consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent in the first layer of the cookie banner. The AEPD’s cookie guidance should be interpreted according to this legal obligation, not the other way around. In addition, nudging users through colors, contrast, design and size was said to be unfair and not transparent. Finally, the data subject pointed out that the AEPD maintained contradictory criteria regarding the rejection of cookies in the first layer of the cookie banner.


=== Holding ===
=== Holding ===
The AEPD dismissed the appeal, concluding that only the Spanish LSSI (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.  
On 22 April 2024 the AEPD dismissed the appeal, concluding that only the Spanish [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 LSSI] (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.  


First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected all of the data subject’s GDPR claims.
First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected the data subject’s argument about the GDPR being applicable.


The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.
The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.


Finally, the AEPD noted that the website was updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the LOPDGDD, Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.
Finally, the AEPD noted that the website was updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 LOPDGDD], Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.


== Comment ==
== Comment ==
Line 88: Line 88:
The decision of the AEPD offers an example of issues that arise in international data protection complaints involving cookie banners.
The decision of the AEPD offers an example of issues that arise in international data protection complaints involving cookie banners.


The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011678&Artikel=&Paragraf=165&Anlage=&Uebergangsrecht= § 165 TKG], which stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) and forwarded it to the Spanish DPA, likely assuming that the case involved cross-border processing and needed to be dealt with according to one stop shop mechanism (see [[Article 56 GDPR]]). In hearing the appeal, however, the AEPD claimed that only [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22 LSSI] (which also stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) is applicable. The AEPD did not directly address the data subject's argument that their data was processed as a result of the cookies installed on their browser before they were prompted with a cookie banner. It did not detail why only the LSSI applies in this case.  
The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011678&Artikel=&Paragraf=165&Anlage=&Uebergangsrecht= § 165 TKG], which stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) and forwarded it to the Spanish DPA, likely assuming that the case involved cross-border processing and needed to be dealt with according to the one stop shop mechanism (see [[Article 56 GDPR]]). During the appeal procedure, however, the AEPD claimed that only [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22 LSSI] (which also stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) is applicable. The AEPD did not directly address the data subject's argument that their data was processed as a result of the cookies installed without valid consent. It did not detail why only the LSSI applies in this case.  


The divergent approaches of the DPAs in this case shows how in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under the ePrivacy Directive, the GDPR or both.
The divergent approaches of the DPAs in this case shows how in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under the ePrivacy Directive, the GDPR or both.


'''II. Statute of Limitations under LSSI'''
'''II. What are the facts of the case and which moment is relevant?'''


Article 45 LSSI imposes a statute of limitations for infringements and sanctions upon those infringements. Translated into English, it states the following:<blockquote>''The most serious infringements shall be subject to a limitation period of three years, serious infringements shall be subject to a limitation period of two years and minor infringements shall be subject to a limitation period of six months; sanctions imposed for very serious infringements shall be subject to a limitation period of three years, serious infringements shall be subject to a limitation period of two years and minor infringements shall be subject to a limitation period of one year.'' </blockquote>The AEPD focuses on the infringement aspect of the provision, noting that the infringement in this case would be time-barred because three years have elapsed since it was allegedly committed. As a result, it states, it cannot examine the merits of the complaint.  
The AEPD did not investigate the individual situation of the complainant. While the complainant provided evidence to reconstruct each detail of their visit to the website through technical means, the AEPD did not consider such evidence and instead focused on its own experience with the webpage years after the data subject filed the complaint.


The limitation period under the LSSI begins to run on the day that the alleged infringement was committed (see, e.g., [https://www.aepd.es/documento/e-04793-2011.pdf E/04793/2011] pages 3-5). A statute of limitations of an infringement or sanction assessment will typically be suspended when an administrative proceeding of a sanctioning or enforcement nature is initiated. As noted by the Spanish Supreme Court in [https://www.poderjudicial.es/search/openDocument/597f1caa7d499fe0 Decision 97/2002], "''If the Administration has pursued the offence in a timely manner and had sanctioned it, without incurring inactivity for a period exceeding that of a statute of limitations, what happens next, as to the delay in resolving the appeals in administrative headquarters, it does not affect the statute of limitations for the offence but simply to determine whether the Body that authored the original decision acted in accordance with the Legal Order. The delay in the express decision of the appeals will give rise to the fiction of the negative or dismissive silence that allows the judicial challenge of the alleged act, but will not result in a statute of limitations for the infringement when it has not occurred within its own area, i.e. in the sanctioning file that ends and culminates with the decision imposing the sanction''." [translated]
It visited the website over two years after the data subject and, unsurprisingly, found changes to the website. The AEPD assessed the website on basis of these findings. This is unfortunately a common practice among some DPAs. However, DPAs need to take into account the situation of the complainant (see Recital 141 GDPR, [https://www.edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en Internal EDPB Document 02/2021] para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to change a website no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account.


Where there is an appeal for a sanction decision, the limitation period will thus remain suspended throughout the appeal process (barring excessive inactivity delays). But what happens in the case of decisions to archive?
'''III. Current cookie banner of the website'''


In this case, where a sanctioning procedure was not pursued, the AEPD seems to interpret Article 45 LSSI's limitation period to continue running as though proceedings were not initiated to begin with. This is not the first time that the AEPD has interpreted Article 45 LSSI's limitation period to continue running after non-sanctioning proceedings have commenced. In [https://www.aepd.es/documento/ai-00282-2022.pdf EXP202202620], for example, the AEPD archived a timely complaint filed with the AEPD against a French company because there would be insufficient time left in the limitation period to request collaboration from the French DPA. The implications of this are significant. A decision to archive a case is still a decision on the merits -- it determines that there is no violation or corrective measure. This is a decision of consequence that can thus be appealed by the data subject. If the limitation period is not paused, data subjects' complaints that are interpreted to fall under the LSSI and do not incur sanctioning proceedings effectively lose their ability to be appealed within the AEPD, given that it is rare for the AEPD to investigate complaints and issue decisions -- much less appeals -- within two to three years of the complaints being made.
Although the AEPD determined that the cookie banner is now compliant with cookie banner requirements, it in fact continues to use deceptive nudges in prompting users to accept or reject cookies. In the first layer, visitors of the webpage may either consent to all cookies by hitting a button labeled 'Agree and Close,' or they may select a second option to 'Disagree and create an account.' The 'Disagree and create an account' button functions as a 'reject all' button, but this is not clear to users who understandably would think that withholding consent would require them to take further steps of creating an account in order to use the website. This seems to be misleading.
 
'''III. What are the facts of the case and which moment is relevant?'''
 
The AEPD did not investigate the individual situation of the complainant. While the complainant provided evidence to reconstruct each detail of their visit to the website through technical means, the AEPD did not consider such evidence and instead focused on its own experience with the webpage months after the data subject filed the complaint.
 
It visited the website over two years after the data subject and, unsurprisingly, found changes to the website. The AEPD assessed the website on basis of these findings. This is unfortunately a common practice among some DPAs. However, DPAs need to take into account the situation of the complainant (see [[Recital 141 GDPR]], [https://www.edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en Internal EDPB Document 02/2021] para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to deactivate a website (or discontinue a service, etc.), no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account.
 
'''IV. Current cookie banner of the redirected website'''
 
Although the AEPD determined that the cookie banner is now compliant with cookie banner requirements, it in fact continues to use deceptive nudges in prompting users to accept or reject cookies. In the first layer, visitors of the webpage may either consent to all cookies by hitting a button labeled 'Agree and Close,' or they may select a second option to 'Disagree and create an account.' The 'Disagree and create an account' button functions as a 'reject all' button, but this is not clear to users to understandably would think that withholding consent would require them to take further steps of creating an account in order to use the website. The second layer of the cookie banner allows users to 'disagree to all' or 'agree to all.'


== Further Resources ==
== Further Resources ==

Latest revision as of 11:51, 2 May 2024

AEPD - EXP202307483
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
LSSI
Type: Internal Appeal
Outcome: Rejected
Started: 21.08.2021
Decided: 22.04.2024
Published:
Fine: n/a
Parties: Adevinta Spain, S.L.
National Case Number/Name: EXP202307483
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish ePrivacy law applied instead of the GDPR and that the controller had brought its website into compliance.

English Summary

Facts

In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user to consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent.

The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.

The AEPD found no violations and issued a decision archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020/2022 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.

On 11 December 2023, the data subject filed an internal appeal (recurso de reposición) making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to Article 60(8) GDPR, the Austrian DPA should have been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the facts raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made more than two years after the data subject’s website visit occurred. Third, the data subject restated its argument that the controller had installed cookies without obtaining valid consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent in the first layer of the cookie banner. The AEPD’s cookie guidance should be interpreted according to this legal obligation, not the other way around. In addition, nudging users through colors, contrast, design and size was said to be unfair and not transparent. Finally, the data subject pointed out that the AEPD maintained contradictory criteria regarding the rejection of cookies in the first layer of the cookie banner.

Holding

On 22 April 2024 the AEPD dismissed the appeal, concluding that only the Spanish LSSI (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.

First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected the data subject’s argument about the GDPR being applicable.

The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.

Finally, the AEPD noted that the website was updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the LOPDGDD, Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.

Comment

I. Who decides if a case is a GDPR cross-border case? Issues when handling an ePrivacy and GDPR case

The decision of the AEPD offers an example of issues that arise in international data protection complaints involving cookie banners.

The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of § 165 TKG, which stems from Article 5(3) ePrivacy Directive) and forwarded it to the Spanish DPA, likely assuming that the case involved cross-border processing and needed to be dealt with according to the one stop shop mechanism (see Article 56 GDPR). During the appeal procedure, however, the AEPD claimed that only Article 22 LSSI (which also stems from Article 5(3) ePrivacy Directive) is applicable. The AEPD did not directly address the data subject's argument that their data was processed as a result of the cookies installed without valid consent. It did not detail why only the LSSI applies in this case.

The divergent approaches of the DPAs in this case shows how in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under the ePrivacy Directive, the GDPR or both.

II. What are the facts of the case and which moment is relevant?

The AEPD did not investigate the individual situation of the complainant. While the complainant provided evidence to reconstruct each detail of their visit to the website through technical means, the AEPD did not consider such evidence and instead focused on its own experience with the webpage years after the data subject filed the complaint.

It visited the website over two years after the data subject and, unsurprisingly, found changes to the website. The AEPD assessed the website on basis of these findings. This is unfortunately a common practice among some DPAs. However, DPAs need to take into account the situation of the complainant (see Recital 141 GDPR, Internal EDPB Document 02/2021 para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to change a website no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account.

III. Current cookie banner of the website

Although the AEPD determined that the cookie banner is now compliant with cookie banner requirements, it in fact continues to use deceptive nudges in prompting users to accept or reject cookies. In the first layer, visitors of the webpage may either consent to all cookies by hitting a button labeled 'Agree and Close,' or they may select a second option to 'Disagree and create an account.' The 'Disagree and create an account' button functions as a 'reject all' button, but this is not clear to users who understandably would think that withholding consent would require them to take further steps of creating an account in order to use the website. This seems to be misleading.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. 

On April 22, 2024, the Director of the Spanish Agency for the Protection of
Data has issued the following resolution signed electronically:
File No.: EXP202307483
RESOLUTION OF REPLACEMENT APPEAL
Examined the appeal for reconsideration filed by Noyb – European Center for
Digital Rights in the name and representation of XXX (hereinafter, the party
appellant), against the resolution issued by the Director of the Spanish Agency of
Data Protection, dated November 8, 2023, and based on the
following:
FACTS
FIRST: On June 1, 2023, it was entered into the Spanish Agency of
Data Protection (hereinafter, AEPD) complaint letter with registration number
registration REGAGE23e00035234524, presented by the appellant, for a
alleged violation of Article 22.2 of Law 34/2002, of July 11, on security services
the information society and electronic commerce (hereinafter, LSSI).
In particular due to the following circumstances:
The claim, filed with the Austrian Data Protection Authority in
dated August 11, 2021, states that the way to obtain consent
for installation of storage devices and data recovery
(cookies) through the banner used on the website https://www.milanuncios.com/, not
would comply with current regulations, mainly due to the following causes:
1. The option to reject the installation of cookies only exists in the second
layer. In this way, accepting the treatment activities is done through
a single click, but at least two are needed to reject said treatment.
2. The button colors are misleading because the "Accept and
close" has more prominent colors than the "Configure" option, which would be
indicating to the user that it is the expected option and the only easy way out of the
banner.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/2/8
3. The contrast of the buttons is misleading since it highlights the option to
accept about the configure, combined with the color style of the buttons.
4. Withdrawing consent is not as easy as giving it. The complaining party
was unable to easily find an option to remove the
consent. Did not find a featured removal banner or other option
similar.
Additionally, it should be noted that, examining the operation of the website, it is
Note that non-excepted cookies are installed before granting consent
for it. Furthermore, when the consent option is pressed through the consent manager,
"disable all", checks that they are not removed from the user's terminal equipment
non-excepted cookies installed when visiting the page or granting the
consent for one or more of the purposes specified in the data manager
consent, so said procedure does not comply with what is established in the
regulations in force.
SECOND: The mechanism prior to the admission for processing of the claims that are
formulated before the AEPD, provided for in article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter, LOPDGDD), consists of transferring them to the delegates of
data protection designated by those responsible or in charge of processing, or
to these when they have not been designated. The fourth additional provision of the
LOPDGDD also allows the aforementioned mechanism to be applied to claims that are
filed for alleged violations of other laws that attribute powers to the
Spanish Data Protection Agency. With the purpose indicated in the aforementioned
article, the claim was transferred to ADEVINTA SPAIN, S.L. (hereinafter, the
claimed party) to proceed with its analysis and provide a response within a period of one
month. On September 21, 2023, the claimed party filed in the Registry
Electronic AEPD response to the transfer action and request for information.
THIRD: On September 1, 2023, in accordance with article 65.5
of the LOPDGDD, the claim presented is admitted for processing.
FOURTH: On November 8, 2023, after analyzing the documentation that
appeared in the file, a resolution was issued by the Director of the Spanish Agency
of Data Protection, agreeing to file the claim. The resolution was
notified to the appellant on November 8, 2023, as recorded
accredited in the file.
FIFTH: On December 11, 2023, the appellant presents a new
written through the Electronic Registry of the AEPD, against the resolution issued to the
file EXP202307483, in which he shows his disagreement with the resolution
contested and requesting that the processing of the initial claim continue
presented.
The following apply to the above facts:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/3/8
FOUNDATIONS OF LAW
Yo
Competence
On a preliminary basis, it should be noted that the new document presented by the
appellant has not been classified as an appeal for reconsideration. However, the section
2 of article 115 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), establishes that the
error or lack of qualification of the appeal by the appellant will not be
obstacle to its processing, provided that its true character is deduced, therefore
that the document presented will be processed as an appeal for reconsideration.
The Director of the Spanish Agency is competent to resolve this appeal.
of Data Protection, in accordance with the provisions of article 123 of the
LPACAP and article 43 of the LSSI.
II
Response to the allegations presented
In relation to the statements made by the appellant, which reiterate
basically those already made in your claim, it should be noted that they have already
were analyzed and rejected in the contested resolution, the foundations of which
They remain fully in force.
After transferring the claim, in accordance with article 65.4 and the provision
fourth addition of the LOPDGDD, it was considered that the initiation of a
sanctioning procedure as the claim had been attended to and that it was appropriate
agree to file the claim made.
In this sense, in response to the transfer action, the claimed party
accompanied information from which it is inferred that the issues were resolved
raised in the claim:
The claimed party has stated that it adheres to the Transparency Consent
IAB Framework (TCF) with the objective of ensuring transparency and complying with
the obligations derived from the LSSI and the RGPD. Consider that the measures
adopted linked to the duty to inform and regarding consent, are in
line with the criteria of the Guide on the use of cookies 2020 valid until the 11th
July 2023, date after the claim filed by NOYB.
Note that both the Cookies Policy and the consent manager are
accessible to the user through the footer of the page.
With respect to obtaining and rejecting consent, you agree to follow the
recommendations established by the Guide on the use of cookies 2020, through
a button to accept cookies and another to configure that redirects to the panel in which
consent can be managed. This panel is accessible from the link in the footer
page and from there the consent can be revoked at any time
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/4/8
granted. Additional information is also provided in the Cookies Policy, in which
The link to the configuration panel is also provided.
Regarding the design, "it has been arranged in the site's own colors and contrasts,
and taking into account that the 2020 Cookies Guide did not necessarily provide for
the same." However, the entity's willingness to
comply with the requirements established by the guides on the use of cookies, having
created working groups with the objective of adapting the mechanisms of
consent to these guidelines.
As far as this Agency is concerned and after the analysis carried out within the
powers attributed to it, it has been determined that the consent manager
is aligned with the recommendations established in the Guide on the use of
cookies from June 2022, following one of the examples provided. The
Information shown in the first layer is completed with additional information from the
control panel accessed through the "Setup" button. Additionally, the panel
It is permanently accessible through the footer of the website. This
panel has the necessary mechanisms through which you can enable or
disable all cookies, or do it manually on a granular basis. I don't know
install any storage device if it has not been enabled, since
They are disabled by default as indicated in the guide.
About the contrast of the buttons, in the Guide on the use of cookies from June
2022, no recommendations were indicated in this regard, although the update of the
July 2023 guide adapts its content to the Guidelines of the European Committee of
Data protection on dark patterns.
With reference to the withdrawal of consent, it is noted that in the footer
of the website there is a permanent link to the configuration panel, allowing in
at all times the user rejects the use of non-excepted cookies in their browser.
Additionally, the Cookies Policy provides additional information on how
eliminate them through the configuration of the most common browsers including
links to said information.
Finally, it is noted that the website does not install cookies not excepted with
character prior to obtaining consent and the correctness is verified
operation of the mechanism to uninstall them, so that, after having accepted
installation, these are deactivated when consent is withdrawn through the
configuration panel.
In the appeal for reconsideration, he alleges that a procedural violation has occurred, since
The Austrian Authority forwarded the claim to the AEPD under article 56 of the
REGULATION (EU) 2016/679 of the European Parliament and of the Council, of April 27
of 2016, relating to the protection of natural persons with regard to
processing of personal data and the free circulation of these data and by which
repeals Directive 95/46/EC (General Data Protection Regulation) (in
forward, GDPR). Points out that, in accordance with the single window mechanism and in accordance
to article 60 of the GDPR, the Austrian Authority is the one who should have adopted and
notified of the resolution. Therefore, it considers that the AEPD was incompetent to carry out
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/5/8
such action is carried out, and, by failing to comply with the procedural regulations, it is null and void.
void.
Likewise, it considers that the AEPD has limited itself to examining the processing of data
made by the claimed party in a generic manner by examining its website, without entering
to examine the specific circumstances of the appellant, specifically, the
situation during the visit to the appellant's website. Therefore, it would occur
a lack of consistency with the initial claim, by resolving in the abstract on the
adaptation of the website to the regulations but without responding to the substance of the
claim.
The appellant also points out that the claimed party processed his personal data
when installing cookies without consent, so that the RGPD applies,
and this was considered by the Austrian Authority when referring the claim to the AEPD.
On the other hand, it also highlights that both the RGPD and Directive 2002/58/EC of the
European Parliament and of the Council of 12 July 2002 regarding the treatment of
personal data and the protection of privacy in the communications sector
electronic communications (Directive on privacy and electronic communications) (in
(hereinafter, ePrivacy Directive) also provide that the rejection of the
treatment in the “simplest possible” way, and that the regulations cannot be interpreted
European Union in accordance with the AEPD Cookies Guide, but the Guide must
be interpreted in accordance with the applicable European regulations.
Finally, consider that the AEPD has maintained a criterion that is contradictory to
regarding the need to allow the rejection of cookies in the first layer.
On the applicability of the single window mechanism and the lack of competition, it is
It should be noted that, regardless of the criteria of the Austrian Authority, in the
In this case it is concluded that the RGPD is not applicable, but rather that we are only
We are facing a possible violation of the ePrivacy Directive. This standard is
is transposed into the Spanish legal system by the LSSI (among others
norms), and, as the appellant itself acknowledges, it does not have a
collaboration mechanism such as the RGPD, and must therefore process the
claim only by the AEPD, the competent authority that resolved and notified
the file that is the subject of this appeal in accordance with the law. Therefore, it is not possible to appreciate
non-compliance with the applicable regulations, and this reason for
resource.
On the other hand, in relation to the examination of the specific infringement object of the
initial claim, produced at the time of the visit on January 25, 2021 by
the appellant, it is necessary to highlight that, in accordance with article 45 of the LSSI:
Very serious infractions will expire after three years, serious ones after two.
years and mild ones at six months; sanctions imposed for very serious offenses
serious offenses will expire after three years, those imposed for serious offenses after two
years and those imposed for minor offenses per year.
Therefore, regardless of whether there may have been an infringement that occurred
On the aforementioned date, said infraction would be currently prescribed, not being
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/6/8
possible for the AEPD to examine the substance of the matter at present, since the
On January 25, 2024, three years would have passed since its commission.
Finally, on the adequacy of the website of the complained party to the regulations
currently in effect, as discussed in the archival resolution and has now been
reiterated, the claimed party has adapted, after the visit object of the
initial claim, its website, so that it currently complies with the
requirements indicated for a cookie banner.
Article 65.6 of the LOPDGDD provides: “After admission for processing, if the person responsible
or person in charge of the treatment demonstrate that they have adopted measures for the
compliance with applicable regulations, the Spanish Data Protection Agency
may resolve the file of the claim, when in the specific case there are
circumstances that advise the adoption of other more moderate solutions or
alternatives to corrective action, provided that no actions have been initiated
prior investigation or any of the procedures regulated in this law
organic”. Likewise, the fourth additional provision of the LOPDGDD provides that “What
provided in Title VIII and in its development regulations will apply to the
procedures that the Spanish Data Protection Agency had to process
in the exercise of the powers attributed to it by other laws.” In it
In this case, after the transfer of the claim, the claimed party has adopted
measures for compliance with regulations. Therefore, the file resolution
It is in accordance with the law, and the present appeal must be dismissed.
III
Conclusion
In short, in view of the transfer actions carried out by the AEPD, it has been
verified that the claim has been addressed by the claimed party.
In this regard, it should be noted that, although the documentation presented
deduces a possible initial discordance between the action or inaction of the party
claimed and the provisions of the applicable regulations, the processing of the claim
in accordance with the provisions of article 65.4 and the fourth additional provision of the
LOPDGDD, has led to the solution of the issues raised, without the need
to clarify administrative responsibilities within the framework of a procedure
sanctioner.
In this sense, it is worth mentioning the exceptional nature of the procedure
sanctioning, from which it follows that - whenever possible - the choice must be made
prevalence of alternative mechanisms in the event that they are protected by the
current regulations, as occurs in the case subject to this appeal for
replacement.
In summary, the principles applicable to the procedure must be brought up
sanctioner. The AEPD exercises the sanctioning power ex officio. Therefore, it is
exclusive competence of the AEPD to assess whether there are administrative responsibilities
that must be purged in a sanctioning procedure and, consequently, the
decision on its opening, there being no obligation to initiate a procedure before
any request made by a third party. Such a decision must be based on the existence of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/7/8
elements that justify said initiation of the sanctioning activity, circumstances that
do not occur in the present case, as indicated in the appealed resolution and in the
present appeal for reconsideration.
Therefore, given that, in the present appeal for reconsideration, no new
facts, documents or legal arguments that allow reconsideration of the validity of the
contested resolution, it is appropriate to agree to reject it.
IV
Untimely resolution
Due to reasons of operation of the administrative body, therefore not attributable
to the appellant, to date the mandatory
statement of this Agency regarding this appeal.
In accordance with the provisions of article 24 of the LPACAP, the meaning of silence
administrative in the procedures for challenging acts and provisions is
dismissive.
However, and despite the time that has passed, the Administration is obliged to dictate
express resolution and to notify it in all procedures regardless of their
form of initiation, as provided in article 21.1 of the aforementioned LPACAP.
In cases of rejection due to administrative silence, the resolution expresses
After the expiration of the term, it will be adopted by the Administration without binding
any to the meaning of silence, as provided in article 24.3 of the same law.
Therefore, it is appropriate to issue the resolution that finalizes the appeal procedure.
reinstatement filed.
Considering the aforementioned precepts and others of general application, the Director of the Agency
Spanish Data Protection RESOLVES:
FIRST: DISMISS the appeal for reconsideration filed by XXX
against the resolution of this Agency issued on November 8, 2023, by the
that it is agreed to file the claim referred to ADEVINTA SPAIN, S.L.
SECOND: NOTIFY this resolution to the appellant.
Against this resolution, which puts an end to the administrative route, it may be filed in the
period of two months counting from the day following the notification of this act
as provided in article 46.1 of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, contentious-administrative appeal before the
Contentious-administrative Chamber of the National Court, in accordance with the
provided in article 25 and in section 5 of the fourth additional provision of the
referred Law.
1179-260324
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/8/8
What is notified for appropriate purposes in accordance with art. 40 of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public (BOE 2-10) and as established in art. 29.2, section b) of the Real
Decree 389/2021, of June 1, approving the Agency Statute
Spanish Data Protection
Retrieved from "https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202307483&oldid=41138"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki