AEPD (Spain) - PS/00291/2020: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00291/2020 to AEPD (Spain) - PS/00291/2020) |
||
(3 intermediate revisions by one other user not shown) | |||
Line 51: | Line 51: | ||
|}} | |}} | ||
The Spanish DPA | The Spanish DPA issued a warning to an events organiser whose website did not provide clear information on cookies nor allowed users to reject cookies, in violation of the Spanish law implementing the e-Privacy Directive. The DPA issued a warning rather than a fine because the event organiser was a natural and not a legal person. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
A data subject made a complaint to the Spanish DPA because they had submitted anonymous comments via Instagram to an events' | A data subject made a complaint to the Spanish DPA because they had submitted anonymous comments via Instagram to an events' organiser related a the wedding of a cousin that they had attended, to which the events' organiser repsonded forwarding their comments together with identifying data of the data subject to the groom and bride without informing the data subject first. | ||
The Spanish DPA sent requests for information to the controller regarding the complaint of the data subject and did not receive an answer. In the course of the investigation of the complaint, the Spanish DPA checked the website of the events' | The Spanish DPA sent requests for information to the controller regarding the complaint of the data subject and did not receive an answer. In the course of the investigation of the complaint, the Spanish DPA checked the website of the events' organiser, finding that they were using cookies without providing enough information to the users and there was no "reject" button. | ||
=== Holding === | === Holding === | ||
The Spanish DPA held that this was a violation of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Act implementing the e-Privacy Directive] (LSSI), as the website did not inform clearly about the cookies it uses and does not allow the user to reject them all. | The Spanish DPA held that this was a violation of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Act implementing the e-Privacy Directive] (LSSI), as the website did not inform clearly about the cookies it uses and does not allow the user to reject them all. | ||
Line 65: | Line 65: | ||
== Comment == | == Comment == | ||
Surprisingly, the Spanish DPA does not | Surprisingly, the Spanish DPA does not analyse the actual complaint of the data subject which is that the company forwarded her comments and other identifying personal data to the bride and groom (relatives of the data subject) without having properly informing her about it. In my personal view, this would be a violation of Article 13(1)(c) and (e) GDPR. | ||
Furthermore, it is unclear from the decision of the Spanish DPA what is the link the failure of providing appropriate information about cookies in the website of the company and actual complaint that was about forwarding comments and personal data of users of social media to third parties without properly informing the data subjects. | Furthermore, it is unclear from the decision of the Spanish DPA what is the link the failure of providing appropriate information about cookies in the website of the company and actual complaint that was about forwarding comments and personal data of users of social media to third parties without properly informing the data subjects. |
Latest revision as of 14:26, 13 December 2023
AEPD - PS/00291/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 6(1) GDPR Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | PS/00291/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | E Rodriguez Montes |
The Spanish DPA issued a warning to an events organiser whose website did not provide clear information on cookies nor allowed users to reject cookies, in violation of the Spanish law implementing the e-Privacy Directive. The DPA issued a warning rather than a fine because the event organiser was a natural and not a legal person.
English Summary
Facts
A data subject made a complaint to the Spanish DPA because they had submitted anonymous comments via Instagram to an events' organiser related a the wedding of a cousin that they had attended, to which the events' organiser repsonded forwarding their comments together with identifying data of the data subject to the groom and bride without informing the data subject first.
The Spanish DPA sent requests for information to the controller regarding the complaint of the data subject and did not receive an answer. In the course of the investigation of the complaint, the Spanish DPA checked the website of the events' organiser, finding that they were using cookies without providing enough information to the users and there was no "reject" button.
Holding
The Spanish DPA held that this was a violation of the Spanish Act implementing the e-Privacy Directive (LSSI), as the website did not inform clearly about the cookies it uses and does not allow the user to reject them all.
The Spanish DPA decided to issue a written warning instead of a economic fine because the website belonged to a natural person and not a legal person.
Comment
Surprisingly, the Spanish DPA does not analyse the actual complaint of the data subject which is that the company forwarded her comments and other identifying personal data to the bride and groom (relatives of the data subject) without having properly informing her about it. In my personal view, this would be a violation of Article 13(1)(c) and (e) GDPR.
Furthermore, it is unclear from the decision of the Spanish DPA what is the link the failure of providing appropriate information about cookies in the website of the company and actual complaint that was about forwarding comments and personal data of users of social media to third parties without properly informing the data subjects.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/4 Procedure No.: PS / 00291/2020 938-0419 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00291/2020, instructed by the Spanish Agency for Data Protection, before Ms. A.A.A. (*** COMPANY.1), with NIF: *** NIF.1, holder of the website, *** URL.1, (hereinafter, "the person claimed"), by virtue of a complaint presented by Ms. B.B.B., (hereinafter, “the claimant”), and having as base the following: BACKGROUND: FIRST: On 10/28/19, you have an entry in this Agency, a complaint filed by the claimant in which it indicated, among others, the following: “I come to report to the Data Protection Agency that my rights on the part of the company *** COMPANY.1, destined for profit to the organization of weddings and events, for disclosing, without my consent, my image, my identity and personal data, as well as my opinion expressed privately on your network social of Instagram (whose justification is attached Doc. No. 1). “I attended as a guest at the wedding organized by the company *** EMPRESA.1, which It has a social network on Instagram and where it privately admits opinions about the event that it organizes, that is, opinions can be expressed that remain reserved between me and said company. Recognizing that my opinions, no were favorable to the wishes of said company, opinions at all times referred to to the organization of the event I attended, and always with the aim of improving so much their appearance as the service they provide for future events, I find that the opinion that I issued privately in the space that they have reserved for it, has been transmitted with my photograph and personal identification via the internet with screenshot (whose justification is attached to Doc. No. 2) included in a intentionally and in bad faith to the bride and groom, that is, to my first cousin sending them and this without my authorization, which has generated a serious family problem difficult to solve, which has led me to file the corresponding complaint for the violation of my rights by the company *** COMPANY.1, I have to to state that this company organizes the events for profit and there is no reflected your CIF on the internet ". SECOND: In view of the facts presented in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (RGPD). Thus, dated 12/11/19 and 02/24/20 they are addressed informative requirements to the claimed person. According to the certificate of the State Postal and Telegraph Society, the requirement sent to the claimed entity, on 12/11/20, through the SICER service, was returned to origin by the postal service with the message "absent" and "not picked up of the mailing list service ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/4 According to the certificate of the State Postal and Telegraph Society, the requirement sent to the claimed person, on 02/24/20, through the SICER service, was collected at destination by A.A.A. (*** COMPANY.1) *** NIF.1, on 03/09/20. THIRD: On 09/20/20, by this Agency, the website is consulted reported, checking the following aspects of the privacy policy and the cookie policy implemented on said page: A) .- Regarding the Privacy Policy: a.1.) .- It has been verified that, on the web page *** URL.1, through the tab <<contact>>, there is the following information: “Call, write or send us signs of smoke, but get in touch that the dates fly ”: Telephone: *** TELEPHONE.1; Email: *** EMAIL.1; Address: *** ADDRESS.1, *** LOCATION.1 © 2020 *** COMPANY.1 - << Legal notice >> a.2.) .- The only way that the website has to collect personal data from the interested persons is through e-mail, so, in principle, the The only data that is provided to the web is the email address of the interested party, in addition to the data that he, of his own accord, provides within the email message sent. However, there are also links to your profile in the social networks, through which the entity can be contacted. a.3.) .- Through the existing link "legal notice", both on the <<contact>> page as in the main page, the web redirects to a page where it is provided information on: the identification data of the owner of the website; the legislation applicable; the identification of the person responsible for the treatment; the legitimation of data treatment; the time of conservation of the data; the possible transfer of data; the rights of the interested party; where to exercise rights; the measurements of safety; treatment based on the consent of the affected party; The duty of confidentiality and the right to complain to the AEPD. B) .- Regarding the Cookies Policy: b.1.- When accessing the main page of the web, *** URL.1, (first layer), there is a banner at the bottom of it, with the following message: “This website uses cookies, you can see the cookie policy here. If you continue By browsing you are accepting it ”<<ACCEPT>> b.2.) .- If the "cookie policy" is accessed through the link in the banner, the web redirects to a page where information is provided about: what are cookies and what types of cookies this website uses. - To disable cookies, the page provides the following information: "You can allow, block or delete the cookies installed on your computer by configuring the browser options installed on your computer. Most web browsers offer the possibility of allow, block or delete cookies installed on your computer. Then, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/4 You can access the settings of the most frequent web browsers to accept, install or deactivate cookies (…) ”. FOURTH: Notified of the initiation of the file, on 10/20/20, to date, no It is clear that any response has been given to the initiation of the file, within the period granted for this, for the appropriate legal purposes by the claimed entity. Of the actions carried out in this procedure, of the information and documents documentation presented by the parties, the following have been accredited: PROVEN FACTS 1.- It has been verified that, on the website *** URL.1, personal data can be collected sonals of the interested persons through the emails sent to the claimed person. 2.- Through the link << legal notice >> the web redirects to a page where it is provided- provides information on: the identification data of the owner of the website; the legisla- applicable tion; the identification of the person responsible for the treatment; the legitimation of the tra- data storage; the time of conservation of the data; the possible transfer of data; the rights of the interested party; where to exercise rights; security measures; the treatment based on the consent of the affected party; the duty of confidentiality and the right to claim before the AEPD. 3.- Regarding the Cookies Policy: 3.1.- When accessing the main page of the web, *** URL.1, (first layer), there is a banner at the bottom of it, with the following message: “This website uses cookies, you can see here the << cookie policy >>. If I continue when browsing you are accepting it " <<ACCEPT>> 3.2.- If the "cookie policy" is accessed, through the link in the banner, the web redirects to a page where information is provided on: what are the cookies and what types of cookies this website uses. To manage cookies, the page refers to the user when configuring the browser installed on their terminal equipment: FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph second, from the LSSI. II The joint assessment of the documentary evidence in the procedure brings to knowledge of the AEPD a vision of the denounced action that has been reflected It gives in the facts declared proven above related. In relation to the "Cookies Policy" of the website denounced, it is verified that, the information provided in the banner of the first layer is little clarifying the purpose of the cookies that are used. There is also no mechanism that allows rejecting all cookies. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/4 The exposed facts suppose, on the part of the claimed, the commission of the infraction of article 22.2 of the LSSI. This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and recovery devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2. ”, which may be sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI. In accordance with these criteria, and considering that the person responsible for the website is a natural person, it is considered appropriate to impose a penalty of warning, for the infringement of article 22.2 of the LSSI, regarding the cookie policy carried out in the website of your ownership. Therefore, in accordance with the foregoing, by the Director of the Agency Spanish Data Protection, RESOLVES APPEAR: to Dª. A.A.A. (*** COMPANY.1), with NIF: *** NIF.1, owner of the website, *** URL.1, for the violation of article 22.2 of the LSSI, with regard to the policy of cookies of the web page of its ownership. REQUIRE: to Dª. A.A.A. (*** COMPANY.1), so that, within a month, counting from the notification of this resolution, modify the website of your ownership, res- pect of the cookie policy, adapting the information provided in the banner on cookies of the first layer and including a mechanism that allows to reject all you give the cookies. NOTIFY: this resolution to Ms. A.A.A. (*** COMPANY.1). In accordance with the provisions of article 50 of the LOPDPGDD, this Re- solution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the The interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months from the day following the notification tion of this act, as provided in article 46.1 of the aforementioned Law. Mar Spain Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es