AEPD (Spain) - PS/00141/2020: Difference between revisions

From GDPRhub
mNo edit summary
 
(One intermediate revision by one other user not shown)
Line 57: Line 57:
The complainants complained that illegal recordings of witness statements were recorded by a lawyer in a corruption case. These recordings were used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (hereafter JAVA).  
The complainants complained that illegal recordings of witness statements were recorded by a lawyer in a corruption case. These recordings were used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (hereafter JAVA).  


Additionally, upon accessing the website, several Google Analytics cookies were dropped without any consent from the user. There was also a cookie banner when accessing the website with a link to the privacy policy. Clicking on this linked the user to JAVA's privacy policy where information on cookies was provided. However, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.  
Additionally, upon accessing the website, the Spanish DPA found that several Google Analytics cookies were dropped without any consent from the user. There was also a cookie banner when accessing the website with a link to the privacy policy. Clicking on this linked the user to JAVA's privacy policy where information on cookies was provided. However, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.  


===Dispute===
===Dispute===

Latest revision as of 14:05, 13 December 2023

AEPD - PS/00141/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 22(2) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.11.2020
Published: 02.12.2020
Fine: 8000 EUR
Parties: Asociación de Víctimas por Arbitrariedades Judiciales (JAVA)
National Case Number/Name: PS/00141/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a fine of € 8000 on Asociación de Víctimas por Arbitrariedades Judiciales (JAVA). JAVA infringed Article 6(1)(a) GDPR by publishing illegal recordings on its website and also infringed Article 22(2) LSSI due to its cookie policy.

English Summary

Facts

The complainants complained that illegal recordings of witness statements were recorded by a lawyer in a corruption case. These recordings were used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (hereafter JAVA).

Additionally, upon accessing the website, the Spanish DPA found that several Google Analytics cookies were dropped without any consent from the user. There was also a cookie banner when accessing the website with a link to the privacy policy. Clicking on this linked the user to JAVA's privacy policy where information on cookies was provided. However, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.

Dispute

Is publishing illegal recordings of a witness on a website an infringement of Article 6(1)(a) GDPR?

Is placing cookies without consent when visiting a webpage and not having a "refusal all" button on the cookie banner an infringement of Article 22(2) LSSI?

Holding

The Spanish DPA (AEPD) held that JAVA infringed Article 6(1)(a) by publishing recordings obtained illegally and, therefore, without consent. This infringement lead to the DPA imposing a fine of € 5000 on JAVA.

In relation to the cookie policy, the Spanish DPA held that the wording of the cookie banner "This website uses cookies so that you have the best user experience " lead to confusion as the message lacked clarity. The DPA also held that the fact that visiting the website lead to (unnecessary) Google Analytics cookies being placed without the user's consent was an infringement of Article 22(2) of the Spanish national law on the Information Society and eCommerce (LSSI). Additionally, the DPA held that the absence of a "Refuse all" button in the cookie banner was also a violation of Article 22(2) LSSI. For these violations of LSSI, the Spanish DPA imposed an additional fine of € 3000 on JAVA.

The Spanish DPA therefore imposed a total fine of € 8000 on JAVA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                              1/8









     Procedure No.: PS / 00141/2020
938-051119
               RESOLUTION OF SANCTIONING PROCEDURE


In the sanctioning procedure PS / 00141/2020, instructed by the Spanish Agency for
Data Protection, before the entity, ASSOCIATION OF VICTIMS BY ARBITRARIAT-
DADES JUDICIALES, (JAVA), with CIF .: G16614174, owner of the website: *** URL.1
(hereinafter, "the claimed entity"), for alleged infringement of Regulation (EU)
2016/679, of the European Parliament and of the Council, of 04/27/16, regarding Protection

of Natural Persons with regard to the Processing of Personal Data and the
Free Circulation of this Data (RGPD) and for alleged infringement of Law 34/2002,
of July 11, Services of the Information Society and Electronic Commerce
(LSSI), based on the following:


                                  BACKGROUND

FIRST: On 03/14/19, you have an entry in this Agency, complaint filed
by D. A.A.A., and D. B.B.B. (hereinafter, “the claimants”), where they stated, among
others, the following:


“In the Court of Instruction No. *** COURT.1 of *** LOCALIDAD.1 is being followed
a complex macro cause of corruption. In one of the separate pieces of this
cause, the lawyer in the case, *** DATE.1, made an illegal recording and
clandestine testimony of various witnesses that was used after
riormente to file on August 31, 2017, a complaint against the Judge

and the Prosecutor of the case, which was inadmissible for processing by means of a resolution issued by the
TSJ of *** LOCALIDAD.2 on December 11, 2017.

The signatories of the complaint are advertising the aforementioned on social networks
recordings and have made available to those responsible for the website called

nothing: *** URL.1, of the Association of Victims of Judicial Arbitrariness (JAVA),
part of the recording made, where they use the aforementioned recordings to call them
literally corrupt. It is reported that: The aforementioned website does not collect the books
nks to the legal notice, cookie law and personal data pages; there is no link to one
page where you explain what type of cookies the website uses and information about the
owner of the page as well as contact information and there is no way to find out

unsubscribe from the newsletter.

A screenshot of a web page of *** URL.1 is attached, where there is an article
it with the title “FIRST COMPLAINT. *** DATE.2. ”, Written by the profile“ *** PROFILE.1 ”and
dated February 6, 2019, where, among others, you can read: “… Judge C.C.C. Y

the Prosecutor D.D.D. they put in prison ...
...
Why this effort not to record them? The judge not only refused to record them
when they asked for it in advance, but rather. in view of what
The statements were being as usual, the lawyer reiterated it in person.

na twice. Can you imagine the answer? Here you have it:

Audios refusing to record: ...
...
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8








their testimonies are considered false by the Judge and the Prosecutor, replacing the
legal warning that must be given to all witnesses, in threats and coercion.
Four audios Reading Rights:
….
C.C.C. warns the witness of the obligation to tell the truth, including that he is

false witnesses come and they will not allow it.
 ...
SIX AUDIOS OF ABUSE:
 ...
They pressure the witness to rectify his testimony but they are not successful.
...

The lawyer when leaving the "statements" filed a written complaint before the Court.
do. The same judge and prosecutor denied the conduct that, thanks to the recording,
tipping point in the cause: the malicious practice was no longer a rumor, it was a
reality. Thank you E.E.E. "

SECOND: In view of the facts set forth in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the protection of the powers of investigation
tion granted to the control authorities in article 57.1 of the Regulation (EU)

2016/679 (RGPD). Thus, with dates 04/02/19 and 04/14/19; 09/19/19 and 10/20/19 go
requirements and reiterations of information to the claimed entity, producing the
following results:

    - According to the certificate of the Electronic Notification Service and Elec-
       Trónica Enabled, of the Ministry of Territorial Policy and Public Administration,
       the request sent to the claimed entity on 04/02/19, through the service
       Notice of Notific @, was rejected by the entity on 04/13/19.

    - According to the certificate of the State Postal and Telegraph Society, the requirement
       sent to the claimed entity on 04/14/19, to the address ASOCIACIÓN DE
       VICTIMS BY JUDICIAL ARBITRARITIES (JAVA) *** ADDRESS 1, a
       Through the SICER service, he was picked up at his destination on 05/27/19 at 7:12 PM,

       being the receiver of the same, D. F.F.F. *** NIF.1
    - According to the certificate of the Electronic Notification Service and Elec-
       Trónica Enabled, of the Ministry of Territorial Policy and Public Administration,

       the request sent to the claimed entity on 09/19/19, through the service
       cio de Notific @, was rejected by the entity on 09/30/19.

    - According to the certificate of the State Postal and Telegraph Society, the requirement
       sent to the claimed entity on 10/20/19, to the address: ASOCIACIÓN DE
       VICTIMS BY JUDICIAL ARBITRARITIES (JAVA) *** ADDRESS 1,
       Through the SICER service, he was picked up at the destination by D. G.G.G. *** NIF.2

THIRD: In view of the facts set forth in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the protection of the powers of investigation
tion granted to the control authorities in art 57.1 of the RGPD. So dated

04/02/19 and 09/19/19, two informative requests are addressed to D. E.E.E., who
According to the complaint, it was the lawyer who made the unauthorized recordings.
    - According to the certificate of the State Correos Society, the request sent to the

       interested 04/02/19, through the SICER service, the 1st delivery was attempted on
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8








        04/04/19 at 08:21, with the result being "Absent". The 2nd delivery attempt is
        made on 04/08/19 at 18:29, being the result of "Absent", being returned
        to origin as it was not collected from the "Post Office" "list" service either.

    - According to the certificate of the State Correos Society, the request sent to the
        interested 09/19/19, through the SICER service, the 1st delivery was attempted on
        09/27/19 at 09:15, with the result being “Absent”. The 2nd delivery attempt is

        performed on 09/30/19 at 18:28, being the result of "Absent", being returned
        to origin as it was not collected from the "Post Office" "list" service either.

FOURTH: On 04/23/20, by the General Subdirectorate of Inspection of
Data, it is verified that the recordings referred by the complainants are published

falls in url: *** URL.2

The following aspects regarding the privacy policy are also checked
and the cookie policy of the web.

a) .- Regarding the information included in the "Legal Notice" of the website *** URL.3, do

reference to: the owner of the website; contacting the owner; information about the
Intellectual property and information on links to other sites or pages
Web.

b) .- On the information included in the "Privacy Policy" of the website

*** URL.4, refers to: the person responsible for the treatment; the treatment of data
cough: the principles used; the purposes of the treatment; Legitimation; the Desti-
natarios; provenance; the terms of conservation; the legitimacy of the treatment;
the rights of the interested parties; on the transfer of data to third parties and on
security measures.


The section referring to the origin of the data states: “As a general rule, the
Personal data is always collected directly from the interested party, however, in de-
exceptions, the data may be collected through third parties.
nas, entities or services other than the interested party. In this sense, this extreme
will be transferred to the interested party through the informed consent clauses

contained in the different ways of collecting information and within a reasonable period
zoneable, once the data has been obtained, and at the latest within a month. "

c) .- About the "Cookies Policy" of the reported website:
1º.- When entering the web *** URL.1 and, without accepting cookies or taking any action,

On the web, the following persistent cookies are loaded in the browser:
    to. _ga, with performance purpose according to *** URL. 5. According to said website this cookie
        is associated with Google Analytics.

    b. _gat, with performance purpose according to *** URL. 5. According to said website this cookie
        is associated with Google Analytics.

    c. _gid, with performance purpose according to *** URL. 5. According to said website this cookie
        is associated with Google Analytics.

2º.- When entering the web, the following first layer notice about the existence of
cookie company:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8








“This website uses cookies so that you have the best user experience. Yes
continue browsing you are giving your consent for the acceptance of cookies and
          the acceptance of our cookie policy, click the link to

                          << more information >> - <<accept>>

Through the link "cookies policy", you are redirected to the page *** URL.6, where

provides information on: what are cookies; its main functions; the you-
types of cookies that exist; own and third-party cookies used by the website
and how to manage cookie settings through browsers.

FIFTH: On 06/07/20, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against the claimed entity, for infringement
of articles 6.1) of the RGPD, punishable in accordance with the provisions of art. 83 of the
aforementioned rule, regarding the processing of personal data without consent
of the claimants and by article 22.2) of the LSSI, punishable in accordance with the provisions

put in the art. 39) and 40) of the aforementioned Law, regarding the Cookies Policy of the
reported website.

SIXTH: On 06/19/20, the initiation of the file was notified to the complaining entity.
Madame, who has not submitted to this Agency, any writing or allegation, within the

the period granted for this purpose.

                                 PROVEN FACTS

1.- It is verified that the recordings referred to by the complainants are published

in url: *** URL.2
2.- It is found that on the reported web page, *** URL.1, without accepting cookies or
perform any action on the web, cookies do not need to be loaded in the browser

arias. In addition, there is NOT, in the second layer of the cookie policy, any mecha-
nism that allows the rejection of all cookies.


                            FOUNDATIONS OF LAW

                                             I
                                      Competition:


Regarding the processing of personal data, it is competent to resolve
this procedure the Director of the Spanish Agency for Data Protection, of
in accordance with the provisions of art. 58.2 of the RGPD in art. 47 of LOPDGDD.

Regarding the Cookies Policy, it is competent to resolve this procedure.

the Director of the Spanish Agency for Data Protection, in accordance with
with the provisions of art. 43.1 of the LSSI.


                                             II


In the present case, the complainants denounce that those responsible for the page
web *** URL.1 have used this medium to “call them corrupt”, publishing in the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8








web your personal data without your consent, verified that it is recorded and published
each in url: *** URL.2


Therefore, as has been proven, an illegal recording of the proceedings was made
judicial agencies of the testimony of various witnesses that were later used
without the express consent of the interested parties, therefore, its obtaining was obtained
without the legal basis that would protect it, as it would be, article 6.1.a) of the RGPD when it is-
establishes that “the treatment will be lawful if the interested party gave their consent for the treatment
handling of your personal data ”, since even its use was additionally inadmissible.

Mitigated for processing in a complaint by the Superior Court of Justice of the Balearic Islands.

These facts are constitutive of an infraction, attributable to the defendant, for vulnerability
tion of article 6.1.a) of the RGPD, which indicates that the treatment will be lawful if “the interest
sado gave his consent to the processing of his personal data for one or

various specific purposes ”.

For its part, article 72.1.b) of the LOPDGDD considers a very serious infringement
See, for the purposes of prescription: "The processing of personal data without the concurrence of the
One of the conditions of legality of the treatment established in article 6 of the
RGPD ”.


This offense can be sanctioned with a fine of a maximum of € 20,000,000 or,
for a company, of an amount equivalent to a maximum of 4% of the volume
total annual global business menu for the previous financial year, opting for the
higher amount, in accordance with article 83.5.b) of the RGPD.


In accordance with the indicated precepts, in order to set the amount of the penalty to
impose in the present case, it is considered that the sanction to be imposed should be adjusted
in accordance with the following criteria established in article 83.2 of the RGPD:


    - The nature, severity and duration of the offense, taking into account the nature
        nature, scope or purpose of the treatment operation in question, as well as
        such as the number of interested parties affected and the level of damages
        who have suffered, (section a).

    - The intentionality or negligence in the infraction. In the present case we are

        before the intentionality in the use of the personal data of the claims
        mantes without their express consent, (section b).

    - The categories of personal data affected by the infringement,
        The data processed in this case are of a marked personal nature and therefore

        person identifiers (section g).

    - Any other aggravating factor applicable to the circumstances of the case. In this
        In this case, an attempt was made, up to 5 occasions, to collect information from the
        madame and / or those in charge, there being no type of response or

        gación in this Agency, to the requirements made, (section k).




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8








The balance of the circumstances contemplated in article 83.2 of the RGPD, with respect to
Regarding the offense committed by violating the provisions of its article 6.1) it allows setting
a penalty of 5,000 euros. (five thousand euros).


                                              IV
Regarding the Cookies Policy of the reported website *** URL.1, it is agreed
test that, in the first Layer, (initial page), without accepting cookies or performing any
na action on it, cookies are installed in the browser, not necessary: _ga;
_gat, and _gid, associated with Google Analytics.


The banner about cookies that is displayed when accessing the main page provides
information that is not very concise or intelligible. By using the expression: “This website uses
cookies so that you have the best user experience ”, lead to confusion to
the message is unclear and in the second layer there is no mechanism that

allow the rejection of all cookies, in order to make it just as simple
give consent, as indicated on the initial page.
These facts are constitutive of an infraction, attributable to the defendant, for vulnerability

tion of the article of article 22.2 of the LSSI, according to which:
“Service providers may use storage and retrieval devices

ration of data in terminal equipment of recipients, provided that the same
We have given their consent after information has been provided to them
clear and complete on its use, in particular, on the purposes of the treatment of
the data, in accordance with the provisions of Organic Law 15/1999, of December 13,
protection of personal data.

When technically possible and effective, the consent of the recipient to
accept the data processing may be facilitated by using the parameters
from the browser or other applications.

The foregoing will not prevent possible storage or access of a technical nature to only
in order to carry out the transmission of a communication over a communication network

electronic or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the recipient
River".

This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information had not been provided or the consent of the recipient was obtained.
natario of the service in the terms required by article 22.2. ”, which may be sanctioned
nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.

After the evidence obtained in the preliminary investigations phase, it is considered that
the sanction to be imposed should be graduated according to the following criteria that

established by art. 40 of the LSSI:
    - The existence of intentionality, an expression that must be interpreted as equi-

        value to degree of guilt according to the Judgment of the Hearing
        National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to
        the entity denounced the determination of a system for obtaining consent
        informed service that conforms to the mandate of the LSSI.

    - Period of time during which the offense has been committed, since it is the
        claim March 2019, (section b).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8








Based on these criteria, it is deemed appropriate to impose on the claimed entity
a penalty of 3,000 euros (three thousand euros), for the violation of article 22.2 of the
LSSI.


Therefore, in accordance with the foregoing, by the Director of the Spanish Agency
Data Protection Policy,


                                       RESOLVES


IMPOSE: to the entity, ASSOCIATION OF VICTIMS BY ARBITRARITIES COURT

DICIALES, (JAVA), with CIF .: G16614174, owner of the website: *** URL.1, dos san-
tions, regarding the processing of personal data without consent and regarding
its cookie policy on its website, consisting of:

    - 5,000 euros (five thousand euros), for the violation of article 6.1) of the RGPD, res-
        The processing of personal data without the consent of the complainants.
        blankets.

    - 3,000 euros (three thousand euros), for the violation of article 22.2) of the LSSI, res-
        pect of its Cookies Policy.

REQUEST: to the entity, ASSOCIATION OF VICTIMS BY ARBITRARITIES JU-
DICIALES (JAVA), so that, within a month from this act of notification,
proceed to take the necessary measures to modify the banner about cookies of the
first layer and include in the second layer, a mechanism that allows rejecting all
the cookies.


NOTIFY: this resolution to the entity, ASSOCIATION OF VICTIMS BY
JUDICIAL ARBITRARITIES (JAVA), and to the claimant regarding the result of the
clamor.

Warn the sanctioned person that the sanction imposed must be effective once
this resolution is enforceable, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad-

Public Ministries (LPACAP), within the voluntary payment period indicated in article
68 of the General Collection Regulation, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-
when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK,
S.A. or otherwise, it will be collected in the executive period.

Notification received and once executive, if the execution date is found
between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-

luntario will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of December 30-
of fiscal, administrative and social order measures, this Resolution is
will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection Agency on the publication of its Resolutions.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8








Against this resolution, which puts an end to administrative proceedings, and in accordance with
established in articles 112 and 123 of the LPACAP, the interested parties may interpose

ner, optionally, appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly administrative contentious appeal before the
Contentious-administrative chamber of the National Court, in accordance with the provisions

set out in article 25 and section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
two months from the day following notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being

In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other registers provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency had no knowledge of the filing of the contentious-administrative appeal
trative within a period of two months from the day following notification of this
resolution, would terminate the precautionary suspension.


Mar Spain Martí

Director of the Spanish Agency for Data Protection.






























C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es