AEPD (Spain) - PS/00268/2020: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00268/2020 to AEPD (Spain) - PS/00268/2020) |
Latest revision as of 14:23, 13 December 2023
AEPD - PS/00268/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 22(2)of the Law on services of the information society and electronic commerce. |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.01.2021 |
Published: | 16.02.2021 |
Fine: | 2000 EUR |
Parties: | The Washpoint SL |
National Case Number/Name: | PS/00268/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed a €2000 fine on The Washpoint SL for failing to provide a Privacy Policy on their website (Article 13 GDPR) and for the absence of a reject button on the second layer of their Cookie Policy (Article 22(2) LSSI).
English Summary
Facts
The claimant filed a complaint against The Washpoint SL on the basis that the company's website did not have a Privacy Notice nor a Cookie Notice.
The Spanish DPA (AEPD) when to verify the claims and highlighted that it was proven that, with regards to the Privacy Policy, there was no link to any document or page outlining this. There is therefore no information provided on processing of the users' personal data.
With regards to the Cookie Policy, the Spanish DPA also confirmed that there was no mechanism to reject cookies in the second layer of the Cookie Policy. There was only information available on how the user can configure browser settings in their terminal equipment.
Dispute
Does the lack of a Privacy Policy lead to a violation of Article 13 GDPR?
Does the absence of a reject button in the second layer of the cookie policy lead to a violation of Article 22(2) LSSI?
Holding
In relation to the Privacy Policy, the Spanish DPA (AEPD) held that there was a possibility for The Washpoint SL to collect information concerning the users' personal data. However, due to the lack of a link to any Privacy Policy or information on the processing of the users' personal data, the DPA held that there was a violation of Article 13 GDPR.
In relation to the missing reject button from the second layer of the Cookie Policy, the Spanish DPA held that this constituted a violation of Article 22(2) of the Spanish Law on services of the information society and electronic commerce (LSSI).
The DPA considered that the lack of a information or a privacy policy in breach of Article 13 GDPR should be sanctioned with a fine of €1000. Additionally, the DPA held that the violation of Article 22(2) LSSI due to the lack of a reject button in the cookie banner should be sanctioned with a fine of €1000 as well. Therefore, the overall fine imposed on The Washpoint SL amounted to €2000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure No.: PS / 00268/2020 938-0419 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00268/2020, instructed by the Spanish Agency for Data Protection to the entity, THE WASHPOINT S.L. with CIF .: B67354894, owner of the website, http://thewashpoint.com/, (hereinafter, “the entity claims- da ”), by virtue of a complaint filed by D.A.A.A., (hereinafter,“ the claimant ”), and based on the following, BACKGROUND FIRST: On 01/02/20, you have an entry in this Agency, a complaint filed by the claimant in which it indicated, among others, the following: "The website http://thewashpoint.com lacks a Legal Notice and Privacy Policy. dad. It also does not have a cookie notice. Despite this, he uses a form to rec- ger personal data ”. SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the SG of Data Inspection proceeded to carry out actions tions for its clarification, in accordance with article 65.4 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights chos digital (LOPDGDD). Thus, on 02/07/20 and 02/18/20, he addressed two es- Information request credits to the claimed entity. According to the certificate of the Electronic Notifications and Electronic Address Service Enabled, the request sent to the claimed entity on 02/07/20, through the NOTIFIC @ service, was automatically rejected at the destination address, on 02/18/20. According to a certificate from the State Postal and Telegraph Society, the request to send to the claimed association on 02/18/20, through the SICER service, it was returned to origin with the annotation of "absent". THIRD: On 09/08/20, by this Agency, the website is consulted reported, verifying the following aspects of the privacy policy and the cookie policy implemented on said page: A) Regarding the Privacy Policy: It has been verified that, on the reported website, http://thewashpoint.com (https://thewashpoint.com/es/franchise-lavanderias-autoservicio/), there is NO link that redirects to the "privacy policy". It only exists, in the << contact tab to >> the following information: ADDRESS: THE WASHPOINT S.L.U. C.I.F .: B67354894; Calle dels Sentmenat 12; Sabadell, 08203 Barcelona Spain. PHONE +34 693 00 88 71 E-MAIL: hola@thewashpoint.com In addition, it is found that on said page it is required to provide the name, location, the email and telephone number of the clients who wish to contact said entity dad. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 B) Regarding the Cookies Policy: b.1.- When accessing the main page of the web, http://thewashpoint.com, (first layer), it is verified that, at the bottom of it, there is a banner with the following following information: “We use our own and third party cookies to improve our services and show you advertising related to your preferences by analyzing your browsing habits vegation ”. << Cookies policy >> - <<Ok>> b.2.- If you access the "cookie policy" page, through the corresponding link tooth, informs, among others, about: what are cookies and what types of cookies are used za this web page. Regarding the management of cookies, the website refers the user to configure the navigation. gator used in your terminal equipment. FOURTH: In view of the facts denounced from the verifications carried out by this Agency, the Director of the Spanish Agency for Data Protection, dated 09/25/20, agreed to initiate a sanctioning procedure against the claimed person, in under the established powers, for failing to comply with the provisions of article 22.2 of the LSSI, regarding the cookie policy of its website. FIFTH: Notified the initiation of the file on 10/09/20, to date, no It is clear that any response has been given to the initiation of the file within the period granted for this, for the appropriate legal purposes by the claimed entity. Of the actions carried out in this procedure, of the information and documents documentation presented by the parties, the following have been accredited: PROVEN FACTS 1º.- Regarding the “Privacy Policy” of the website http://thewashpoint.com, it has been verified that, in the same there is the possibility of collecting information on the personal data of the users but there is no link that redirects to the “policy privacy policy ”or area where it is provided, the information that, according to the current regulation on data protection is mandatory to offer the user in the time to collect your personal data 2º.- Regarding the “Cookies Policy”, of the website, http://thewashpoint.com, it has been verified that, in the second layer (cookie policy), there is no mechanism that makes it possible to reject cookies, referring the user to configure the browser used on your terminal equipment if you want to manage the use of the same more. FOUNDATIONS OF LAW I C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph second, from the LSSI. II The joint assessment of the documentary evidence in the procedure brings to the conclusion knowledge of the AEPD a vision of the denounced action that has been reflected It gives in the facts declared proven above related. Of the actions carried out, in relation to the "Privacy Policy" and the "Cookies Policy", of the claimed website, http://thewashpoint.com, has been verified the following aspects: Regarding the "Privacy Policy", it has been verified that there is the possibility of collecting information about users' personal data, but not There is no link that redirects to the "privacy policy" or area where it is provided. ne, the information that, according to current legislation on data protection It is mandatory to offer the user at the time of collecting their personal data. In this sense, article 13 of the RGPD establishes the information that must be provided cite the interested party at the time of collection of their personal data. Information which should appear in the "privacy policy" of the website. Therefore, the known facts could constitute an infringement, attributable to the claimed, for violation of article 13 of the RGPD. For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD ”. This offense can be sanctioned with a fine of a maximum of € 20,000,000 or, for a company, of an amount equivalent to a maximum of 4% of the volume total annual global business menu for the previous financial year, opting for the higher amount, in accordance with article 83.5.b) of the RGPD. In accordance with the indicated precepts, in order to set the amount of the penalty to impose in the present case, it is considered that the sanction to be imposed should be adjusted in accordance with the following aggravating criteria established in art. 83.2 of GDPR: - The category of personal data affected by the infringement, (section g). - Due to the way in which this AEPD has learned of the infringement, through through the complaint filed by an individual, (section h). The balance of the circumstances contemplated in article 83.2 of the RGPD, with respect to Regarding the offense committed by violating the provisions of its article 13, it allows setting a penalty of 1,000 euros, (one thousand euros), regarding the non-existence of a “policy of emptiness ”, on the website denounced. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 III Regarding the "Cookies Policy" of the website, it has been verified that, in the second layer (cookie policy), there is no mechanism that makes it possible to reject set cookies, referring the user to configure the browser used on their computer terminal if you want to manage the use of them. The exposed facts suppose on the part of the claimed entity, the commission of a violation of article 22.2 of the LSSI. This offense is classified as "minor" in the Article 38.4 g), of the aforementioned Law, which considers as such: “Use al- data storage and recovery when the information has not been provided or obtained the consent of the recipient of the service in the terms required by Article 22.2. ”, which may be sanctioned with a fine of up to € 30,000, according to with article 39 of the aforementioned LSSI. Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 1,000 euros (one thousand euros), for the violation of article 22.2 of the LSSI, Regarding the cookie policy carried out on the website of its ownership. Thus, it is considered appropriate to impose on the claimed entity, a total sanction of 2,000 euros (two thousand euros) = 1,000 euros for violation of article 13 of the RGPD and 1,000 euros for violation of article 22.2 of the LSSI. Therefore, in accordance with the foregoing, by the Director of the Spanish Agency Data Protection Policy, RESOLVES IMPOSE: to the entity, THE WASHPOINT S.L. with CIF .: B67354894, holder of the pa- gina web, http://thewashpoint.com/, two sanctions, regarding the privacy policy and regarding the cookie policy on the website of its ownership, consisting of: - 1,000 euros (one thousand euros), for the violation of article 13) of the RGPD, regarding the privacy policy of its website. - 1,000 euros (one thousand euros), for the violation of article 22.2) of the LSSI, regarding of its Cookies Policy. REQUEST: to the entity, THE WASHPOINT S.L., so that, within a month From this act of notification, proceed to take the necessary measures to: - Adapt the privacy policy of the website of its ownership to the stipulations side in article 13 of the RGPD. - The necessary information about cookies is incorporated into the website and it has been- bilite a mechanism that allows you to reject all cookies. NOTIFY: this resolution to the entity THE WASHPOINT S.L. Warn the sanctioned person that the sanction imposed must be effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad- Public Ministries (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, me- when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK, S.A. or otherwise, it will be collected in the executive period. Notification received and once executive, if the execution date is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 82 of Law 62/2003, of December 30- of fiscal, administrative and social order measures, this Resolution is will be made public, once it has been notified to the interested parties. The publication is made- It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection Agency on the publication of its Resolutions. Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may interpose ner, optionally, appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly administrative contentious appeal before the Contentious-administrative chamber of the National Court, in accordance with the provisions set out in article 25 and section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the two months from the day following notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency had no knowledge of the filing of the contentious-administrative appeal trative within a period of two months from the day following notification of this resolution, would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es