AEPD (Spain) - PS/00483/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...") |
(→Facts) |
||
(One intermediate revision by one other user not shown) | |||
Line 51: | Line 51: | ||
}} | }} | ||
The Spanish DPA fined an adult content website €8000 for its unlawful use of cookies and providing insufficient information related to their nature and purposes, as well for having an outdated privacy policy, which was based on data protection laws prior to the entry into force of the GDPR. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Spanish DPA (AEPD) initiated proceedings exercising its investigation powers under [[Article 58 GDPR|Article 58 GDPR]] against Ramona Films S.L. (previously Kalandrakas Films S.L.), owner of https://www.putalocura.com, a website containing adult and pornographic material. | The Spanish DPA (AEPD) initiated proceedings exercising its investigation powers under [[Article 58 GDPR|Article 58 GDPR]] against Ramona Films S.L. (previously Kalandrakas Films S.L.), owner of https://www.putalocura.com, a website containing adult and pornographic material. The investigation was related to the possible processing of personal data and profiling of data subjects below the age of 14. In particular, the AEPD inquired the controller regarding the risk of processing activities that could take place if a minor gained unauthorised access to the website’s contents, a data protection impact assessment related to these risks, the technical and organisational measures implemented to ensure data protection, as well as its privacy policy. | ||
The investigation was related to the possible processing of personal data and profiling of data subjects below the age of 14. In particular, the AEPD inquired the controller regarding | |||
=== Holding === | === Holding === | ||
In its investigation, the AEPD determined that the page contained a warning that the website contained adult material, and to abandon the website in case of being a minor. | In its investigation, the AEPD determined that the page contained a warning that the website contained adult material, and to abandon the website in case of being a minor. | ||
However, the AEPD found that the website did not have a mechanism that permitted the rejection of non-essential cookies, or a second layer to allow the granular acceptance of specific cookies. Additionally, the AEPD also found that when accessing the website, the use of non-essential cookies took place without prior consent, and that there was insufficient information related to the nature of the cookies, and if any of them were third party cookies. The AEPD held that the website’s cookie policy violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which establishes that clear and complete information on the use of cookies and the purposes of the data processing, and that where the use of a cookie entails processing that makes it possible to identify the user, data controllers must provide users with information in compliance with the provisions of the GDPR. | |||
Furthermore, the AEPD found that the website’s privacy policy referred to the previous data protection laws in Spain, which were derogated when the GDPR entered into force. Therefore, the AEPD held that the website did not provide | However, the AEPD found that the website did not have a mechanism that permitted the rejection of non-essential cookies, or a second layer to allow the granular acceptance of specific cookies. Additionally, the AEPD also found that when accessing the website, the use of non-essential cookies took place without prior consent, and that there was insufficient information related to the nature of the cookies, and if any of them were third party cookies. The AEPD held that the website’s cookie policy violated Article 22.2 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Law of Information Society Services (LSSI)], which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, and that where the use of a cookie entails processing that makes it possible to identify the user, data controllers must provide users with information in compliance with the provisions of the GDPR. | ||
Based on these considerations, the AEPD issued a total fine of €10,000 on the controller, €5000 for the violation of Article 22.2 LSSI and €5000 for the violation of [[ | |||
Furthermore, the AEPD found that the website’s privacy policy referred to the previous data protection laws in Spain, which were derogated when the GDPR entered into force. Therefore, the AEPD held that the website did not provide users with adequate data protection information, in violation of [[Article 13 GDPR]]. | |||
Based on these considerations, the AEPD issued a total fine of €10,000 on the controller, €5000 for the violation of Article 22.2 LSSI and €5000 for the violation of [[Article 13 GDPR]]. However, this fine was reduced to €8000 because the controller did not object to the fine and paid it voluntarily within the period established by the AEPD to do so, although the reduction of the fee paid for by the controller did not include an express acceptance of culpability regarding the violations held by the AEPD. The AEPD also ordered the controller to modify its privacy and cookie policy in order to comply with GDPR. | |||
== Comment == | == Comment == |
Latest revision as of 16:19, 20 April 2022
AEPD (Spain) - PS/00483/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 22.2 LSSI |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 11.03.2021 |
Decided: | 03.01.2022 |
Published: | 13.04.2022 |
Fine: | 8000 EUR |
Parties: | Ramona Films, S.L. |
National Case Number/Name: | PS/00483/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Cesar Manso-Sayao |
The Spanish DPA fined an adult content website €8000 for its unlawful use of cookies and providing insufficient information related to their nature and purposes, as well for having an outdated privacy policy, which was based on data protection laws prior to the entry into force of the GDPR.
English Summary
Facts
The Spanish DPA (AEPD) initiated proceedings exercising its investigation powers under Article 58 GDPR against Ramona Films S.L. (previously Kalandrakas Films S.L.), owner of https://www.putalocura.com, a website containing adult and pornographic material. The investigation was related to the possible processing of personal data and profiling of data subjects below the age of 14. In particular, the AEPD inquired the controller regarding the risk of processing activities that could take place if a minor gained unauthorised access to the website’s contents, a data protection impact assessment related to these risks, the technical and organisational measures implemented to ensure data protection, as well as its privacy policy.
Holding
In its investigation, the AEPD determined that the page contained a warning that the website contained adult material, and to abandon the website in case of being a minor.
However, the AEPD found that the website did not have a mechanism that permitted the rejection of non-essential cookies, or a second layer to allow the granular acceptance of specific cookies. Additionally, the AEPD also found that when accessing the website, the use of non-essential cookies took place without prior consent, and that there was insufficient information related to the nature of the cookies, and if any of them were third party cookies. The AEPD held that the website’s cookie policy violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, and that where the use of a cookie entails processing that makes it possible to identify the user, data controllers must provide users with information in compliance with the provisions of the GDPR.
Furthermore, the AEPD found that the website’s privacy policy referred to the previous data protection laws in Spain, which were derogated when the GDPR entered into force. Therefore, the AEPD held that the website did not provide users with adequate data protection information, in violation of Article 13 GDPR.
Based on these considerations, the AEPD issued a total fine of €10,000 on the controller, €5000 for the violation of Article 22.2 LSSI and €5000 for the violation of Article 13 GDPR. However, this fine was reduced to €8000 because the controller did not object to the fine and paid it voluntarily within the period established by the AEPD to do so, although the reduction of the fee paid for by the controller did not include an express acceptance of culpability regarding the violations held by the AEPD. The AEPD also ordered the controller to modify its privacy and cookie policy in order to comply with GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 File No.: PS/00483/2021 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On January 3, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against RAMONA FILMS, SL (hereinafter, the claimed party), through the Agreement that is transcribed: << Procedure No.: PS/00483/2021 AGREEMENT TO START A SANCTION PROCEDURE Of the actions carried out ex officio by the Spanish Agency for the Protection of Data before the entity, RAMONA FILMS, S.L. with CIF.: B87763405, owner of the page web: https://www.putalocura.com, for the alleged violation of the regulations of data protection: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons in what regarding the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, on Data Protection Personal and Guarantee of Digital Rights (LOPDGDD), and attending to the following: ACTS FIRST: Dated 03/11/21, the Director of the Spanish Agency for Data Protection agreed to open preliminary investigation actions against to the entity, RAMONA FILMS, S.L. (previously, KALANDRAKAS FILMS, SL), taking into account the investigative powers that the supervisory authority may have for this purpose, established in section 1), of article 58 of the RGPD, and in relation to the possible treatment of personal data of minors under fourteen years of age, obtained while browsing the website and their possible profiling. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/18 SECOND: On 03/13/21 and 05/28/21, by this Agency, in relation to stipulated in article 65.4 of the LOPDGDD Law, was sent to the RAMONA entity FILMS, SL, two separate letters requesting information on the following points: The management of the risks associated with the treatment activities in which it could be produce an illegitimate access of a minor to the content they offer; The evaluation of impact related to data protection regarding risk analysis; Measures technical and organizational measures implemented in your entity that suppose access limitation of minors to the content offered; Limitations for minors access such content; Privacy policy and public location thereof; Technical and organizational measures to be taken in your entity in case of eventual verification of improper access by a minor to its contents: Technical measures and organizational measures that reflect the protection of personal data and the processes of verification and evaluation of the effectiveness of the measures and clarification of whether they profiling of the personal data of those who access its contents. According to a certificate from the Electronic Notifications and Electronic Address Service, the request sent to the claimed entity, on 03/13/21, through the service of notifications NOTIFIC@, was received at destination on 03/15/21. According to a certificate from the State Post and Telegraph Society, the request sent to the claimed entity, on 05/28/21, through the SICER service, it was received Appointed at destination on 06/04/21 by D. A.A.A.; ***NIF.1. THIRD: On 09/09/21, this Agency carried out the following checks on the website https://www.putalocura.com: a).- Regarding the processing of personal data: 1.- The website has a contact form, located at the bottom of the page: https://www.putalocura.com/contacto, where you can enter data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/18 personal, such as name and email. Before submitting the form You must accept the <<_ General Conditions of Contract>> and you must mark: “_ Do not be a robot”, after which an automatic confirmation message appears. contact reception. 2.- The following warning message is available in the footer of the website: ”Leave this website if you are a minor: Website with adult content” b).- About the Privacy Policy: 1.- If you access the "Privacy Policy" of the aforementioned website, through the link existing at the bottom of the main page, the web redirects the user to a new page: https://www.putalocura.com/politica-de-privacidad, where provides the following information: "one. In compliance with the provisions of Organic Law 15/1999, of December 13, Protection of Personal Data (hereinafter "LOPD"), Kalandrakas Films S.L.U. (hereinafter KF) informs the user that all character data that you provide us through the web will be incorporated into files, created and maintained under the responsibility of KF, (reviewed in point 3.2) (...)” 2.- If you access the "Legal Notice" page of the aforementioned website, through the link existing at the bottom of the main page, the web redirects the user to a new page: https://www.putalocura.com/aviso-legal, where it is provided information about the Company's data; data from the Mercantile Registry; on intellectual property and on the conditions of use of the web. Regarding access to content, the following is indicated: “Exclusively for adults and of forbidden access for minors and of an erotic and/or pornographic nature and that could hurt your sensibilities. By accessing this website and/or the contents, you expressly accept that you are of legal age (minimum 18 years in Spain) and that you have no legal limitation to access voluntarily to adult content of an erotic and/or pornographic nature, exonerating KF from any responsibility in this regard. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/18 c).- About the Cookies Policy: 1.- When entering the web for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain is Google Analytics: (_ga, _gid, _gat) but that is installed associated with the domain of the web manager. 2.- There is a banner about cookies on the main page of the website, with the following message: “This website uses its own and third-party cookies to offer you a better service. Yes If you continue browsing, we consider that you accept its use. <<Read more>>. <<Accept>> If you choose to accept cookies, using the <<accept>> option you check that the cookies indicated above continue to be used, as well as if the browsing the website itself. 3.- If you choose to access the "Cookies Policy", through the link <<read more> or through the existing link at the bottom of the main page <<Policy of cookies>>, the web redirects to a new page: https://www.putalocura.com/politica- de-cookies, where information is provided about what cookies are and what types of cookies exist. There is no mechanism that enables the rejection of all non-technical cookies or the possibility of granularly managing cookies. FOURTH: In view of the reported facts, in accordance with the evidence that is available, the Data Inspection of this Spanish Agency for the Protection of Data considers the above, does not comply with current regulations, therefore that the opening of this sanctioning procedure proceeds. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/18 FOUNDATIONS OF LAW I.- Competition: - About the "Privacy Policy": It is competent to initiate and resolve this Sanctioning Procedure, the Director of the Spanish Agency for Data Protection, by virtue of the powers that art 58.2 of the RGPD and, as established in arts. 47, 64.2 and 68.1 of the LOPDGDD Law. For its part, sections 1) and 2), of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may provide for this purpose, mentioning in point 1.d), that of: "notify the responsible or in charge of the treatment the presumed infractions of the present Regulation” and in 2.i), that of: “imposing an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this paragraph, depending on the circumstances of each case. - About the Cookies Policy: It is competent to initiate and resolve this Sanctioning Procedure, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of the art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI). II.- About the "Privacy Policy" of the website: It has been verified that on the website: https://www.putalocura.com, you can obtain personal data from users through the "contact" tab, such as the name and email. However, it has been found that the "Privacy Policy" of the website, https://www.putalocura.com/politica-de-privacidad, does not adjust to the information that should be provided according to article 13 of the RGPD, since all of it is referred to and focused on the repealed Organic Law 15/1999, of December 13, on the Protection of Personal data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/18 Well, in accordance with the provisions of article 99 of the RGPD, the entry into force and application of the new RGPD was: "twenty days after its publication in the Official Journal of the European Union (05/25/16)” and would be applicable from May 25 of 2018”. Therefore, as of 05/25/18, the LO was repealed. 15/1999, (LOPD), applying compulsorily, from that date, the current RGPD and from the 07/12/18 the new LOPDGDD. In application of the RGPD, its article 13, establishes the information that must be provide the interested party at the time of obtaining their personal data. This is: “1. When personal data relating to him is obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, in his case; c) the purposes of the treatment to which the personal data is destined and the basis legal treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party; e) the recipients or the categories of recipients of personal data, if any; f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to adequate guarantees or appropriate and the means to obtain a copy of them or the fact that have lent. 2. In addition to the information mentioned in section 1, the person in charge of the treatment will facilitate the interested party, at the moment in which the data is obtained personal, the following information necessary to guarantee data processing fair and transparent: a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period; b) the existence of the right to request access to data from the data controller related to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to the portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a control authority; e) if the communication of personal data is a requirement C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/18 legal or contractual, or a necessary requirement to enter into a contract, and if the The interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of decisions you automate, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and expected consequences of said treatment for the interested party”. Therefore, in accordance with the evidence obtained and without prejudice to what result of the investigation, the exposed facts could suppose the violation, for part of the entity that owns the web page in question, of article 13 of the RGPD. Regarding this, article 72.1.h) of the LOPDGDD, considers it very serious, for of prescription, “the omission of the duty to inform the affected party about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD” This infraction can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the of greater amount, in accordance with article 83.5.b) of the RGPD. In accordance with the precepts indicated, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction to be imposed in the present case, it is considered appropriate to graduate the sanction in accordance with the following aggravating criteria established in article 83.2 of the RGPD: - The duration of the infringement, taking into account that current regulations, this is, the RGPD, is mandatory since 05/25/18, and that from that Date the LOPD was repealed, by which the website is still governed in question, (section a). The balance of the circumstances contemplated in article 83.2 of the RGPD, with regarding the infraction committed, by violating the provisions of article 13 of the RGPD, makes it possible to set an initial penalty of 5,000 euros (five thousand euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/18 On the other hand, and in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed on the person responsible for the website in question would consist of order you to take the necessary measures to adapt the privacy policy to what is stipulated in the current regulations, that is, the RGPD and the LOPDGDD. III.- About the "Cookies Policy" of the website: a).- Regarding the installation of cookies in the terminal equipment prior to consent: Article 22.2 of the LSSI establishes that users must be provided with information clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie entails a treatment that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by the regulations on the protection of data. However, it is necessary to point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI those necessary cookies for the intercommunication of the terminals and the network and those that provide a service expressly requested by the user. In this sense, the GT29, in its Opinion 4/201210, interpreted that among the cookies excepted would be the user input Cookies” (those used to filling in forms, or managing a shopping cart); cookies from user authentication or identification (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a site Web); media player session cookies; session cookies to balance load; user interface customization cookies and some of plugin (plug-in) to exchange social content. These cookies would remain excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be necessary to inform or obtain consent on its use. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/18 On the contrary, it will be necessary to inform and obtain the prior consent of the user. before the use of any other type of cookies, both first and third party, session or persistent. In the verification carried out on the web page in question, it was found that, when entering its main page and without performing any type of action on it, use unnecessary cookies without the prior consent of the user. b).- About the existing cookie information banner in the first layer (Homepage): The banner on cookies of the first layer must include information regarding the identification of the editor responsible for the website, in the event that their identifying data tives do not appear in other sections of the page or that their identity cannot be disclosed. obvious attachment to the site itself. You must also include an ID generic of the purposes of the cookies that will be used and if these are own or also from third parties, without it being necessary to identify them in this first layer. Ade- Furthermore, it should include generic information about the type of data to be collected and used in the event that user profiles are created and must include informa- tion and the way in which the user can accept, configure and reject the use of cookies, with the warning, where appropriate, that if a certain action is carried out, It will be understood that the user accepts the use of cookies. Apart from the generic information about cookies, in this banner there must be an en- clearly visible link directed to a second informative layer on the use of the cookies. This same link can be used to take the user to the configuration panel. guration of cookies, as long as the access to the configuration panel is direct, this is, that the user does not have to navigate inside the second layer to locate it. In the case at hand, in the cookie information banner on the first layer of the denounced web, with the message: “This website uses its own and third-party cookies to offer you a better service. Yes If you continue browsing, we consider that you accept its use. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/18 The purposes for which the cookies will be used are not identified and if they are own or third parties. c).- Regarding consent to the use of unnecessary cookies: For the use of non-excepted cookies, it will be necessary to obtain the consent expressly stated by the user. This consent can be obtained by doing click on, “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred. Therefore, the mere user inactivity, scrolling or browsing the website, will not be considered effects, a clear affirmative action in any circumstance and will not imply the provision of consent itself. Similarly, access to the second layer if the information is presented in layers, as well as the necessary navigation to that the user manage their preferences in relation to cookies in the panel of control, nor is it considered an active behavior from which the acceptance of cookies. The existence of "Cookie Walls" is not allowed either, that is, windows pop-ups that block the content and access to the web, forcing the user to accept the use of cookies to be able to access the page and continue browsing. If the option is to go to a second layer or cookie control panel, the link it should take the user directly to that configuration panel. To facilitate se- lesson, the panel can be implemented, in addition to a granular management system of cookies, two more buttons, one to accept all cookies and another to reject- all of them If the user saves his choice without having selected any cookie, You will understand that you have rejected all cookies. Regarding this second possibility, In no case are the pre-marked boxes in favor of accepting cookies admissible. If for the configuration of cookies, the web refers to the browser configuration installed in the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. Therefore, if the publisher opts for this option, it must also offer, and in any case, a mechanism that allows you to reject the use of cookies and/or do it in a granular way, on your own page. web page C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/18 On the other hand, the withdrawal of the consent previously given by the user de- It should be able to be done at any time. To this end, the publisher must offer a mechanism that makes it possible to withdraw consent easily at any time. unto This facility will be considered to exist, for example, when the user has access to so simple and permanent to the cookie management or configuration system. If the editor's cookie management or configuration system does not allow to avoid the use of third-party cookies once accepted by the user, information will be provided training on the tools provided by the browser and third parties, de- being aware that, if the user accepts third-party cookies and later wishes to delete them, you must do it from your own browser or the system enabled by the third parties for it. In the case at hand, in the banner of the first layer there is no option to re- Chase all cookies nor is there the option to redirect the user to a panel control so you can manage cookies in a granular way. There is also no mechanism to reject all non-technical cookies. cases or failing that, that can be managed granularly in the second layer (Cookie Policy). d).- On the information provided in the second layer (Policy of Cookies): More detailed information about cookies should be provided in the Cookies Policy. characteristics of cookies, including information about, the definition and general function cookie information (what are cookies); about the type of cookies used and its purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, if the information obtained by the cookies is treated only by the publisher and/or also by third parties with identification of the latter; the period- do of conservation of the cookies in the terminal equipment; and if it is the case, information on data transfers to third countries and the elaboration of profiles that im- Apply automated decision making. In the case at hand, the information about cookies that is provided in the second layer of the web, it has been detected that the identification of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/18 the cookies that are used, if they are their own or from third parties, nor the time they are will be active in the terminal equipment. IV- Violation of the Cookies Policy The deficiencies detected in the "Cookies Policy" of the website in question, could suppose on the part of the claimed entity, the commission of the infraction of the Article 22.2 of the LSSI, since it establishes that: “Service providers may use storage devices and recovery of data in terminal equipment of the recipients, provided that they have given their consent after they have been provided clear and complete information on its use, in particular, on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data. Where technically possible and effective, the recipient's consent to Accepting the processing of the data may be facilitated through the use of the parameters from the browser or other applications. The foregoing will not prevent the possible storage or access of a technical nature to the sole purpose of effecting the transmission of a communication over a communications network electronic or, to the extent that is strictly necessary, for the provision of a service of the information society expressly requested by the addressee". This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/18 After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the investigation, it is considered appropriate to graduate the sanction to impose in accordance with the following aggravating criteria, established by art. 40 of the LSSI: - The existence of intentionality, an expression that must be interpreted as equivalent to a degree of guilt according to the Judgment of the National High Court of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the denounced entity the determination of a system of Obtaining informed consent that is in accordance with the mandate of the LSSI. In accordance with these criteria, it is considered appropriate to impose an initial sanction of 5,000 euros, (two thousand euros), for the infringement of article 22.2 of the LSSI, regarding the cookie policy made on the website in question. On the other hand, and in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed on the entity responsible for the website would consist of order- order him to take the necessary measures on the web page of his ownership to adapt it to current regulations, including a mechanism that makes it impossible to use tion of non-necessary cookies before the user gives his consent for it; including a mechanism that makes it possible to reject all cookies or to do so ma granular through a control panel and extend the information provided in the banner of the main page and in the "Cookies Policy" adapting it to the regulations in force, indicated in section III of the Legal Basis. V-Initial total sanction: In accordance with the criteria set out in the previous points, the initial total sanction to be impose would be 10,000 euros (ten thousand euros): 5,000 euros (five thousand euros), for the infringement of article 13 of the RGPD and 5,000 euros (five thousand euros), for the infringement of article 22.2 of the LSSI. Therefore, in accordance with the foregoing, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 14/18 START: SANCTION PROCEDURE against the entity, RAMONA FILMS, S.L. with CIF.: B87763405, owner of the website: https://www.putalocura.com, for the following offenses: - Violation of article 13 of the RGPD, when collecting personal data of the users of the web pages of its ownership without having adapted it to the current regulations on data protection. - Violation of article 22.2 of the LSSI, regarding irregularities detected in the "Cookies Policy" of the website. APPOINT: R.R.R. as Instructor, and Secretary, if applicable, S.S.S., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). INCORPORATE: to the disciplinary file, for evidentiary purposes, the international claim put by the claimant and their documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase. nes, all of them part of this administrative file. WHAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, the sanction that could correspond would be: - 5,000 euros (five thousand euros), for the infringement of article 13 of the RGPD, without prejudice to what results from the investigation of this file. - 5,000 euros (five thousand euros) for the infringement of article 22.2 of the LSSI, without prejudice to what results from the investigation of this file. NOTIFY: this agreement to initiate sanctioning proceedings to the entity, RAMONA FILMS, S.L., granting a hearing period of ten business days to to formulate the allegations and present the evidence it deems appropriate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 15/18 If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed was a fine, it may recognize its responsibility within the zo granted for the formulation of allegations to this initial agreement; what will be accompanied by a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to 2,000 euros. With the application of this reduction, the sanction would be established at 8,000 euros, resolving the problem ceding with the imposition of this sanction. Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which supposes There will be a reduction of 20% of the amount of this, equivalent in this case to 2,000 euros. With the application of this reduction, the penalty would be established at 8,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 6,000 euros (six thousand euros). In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the withdrawal or waiver of any action or resource in the administrative process. deal against the sanction. If you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by depositing it in account Nº ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of Data in Banco CAIXABANK, S.A., indicating in the item the reference number C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 16/18 ence of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it avails itself. Likewise, you must send proof of income to the General Subdirectorate of Ins- request to continue with the procedure in accordance with the amount entered. gives. The procedure will have a maximum duration of nine months from the date of page of the start-up agreement or, where appropriate, of the draft start-up agreement. elapse- do this period will produce its expiration and, consequently, the filing of actions; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPA- CAP, against this act there is no administrative appeal. Sea Spain Marti Director of the Spanish Agency for Data Protection. >> SECOND: On February 22, 2022, the claimed party has proceeded to pay of the penalty in the amount of 8,000 euros using one of the two reductions provided for in the Start Agreement transcribed above. Therefore, it has not acknowledgment of responsibility has been confirmed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 17/18 THIRD: The payment made entails the waiver of any action or resource in via against the sanction, in relation to the facts referred to in the Home Agreement. FOUNDATIONS OF LAW I In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, of services of the information society and electronic commerce (hereinafter LSSI), the powers that article 58.2 of Regulation (EU) 2016/679 (Regulation General Data Protection, hereinafter RGPD), grants each authority of control and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” Finally, the fourth additional provision "Procedure in relation to the competences attributed to the Spanish Data Protection Agency by other laws" establishes that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Agency for the Protection of Data would have to be processed in the exercise of the powers attributed to it by other laws." II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "one. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 18/18 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00483/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to RAMONA FILMS, S.L.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 937-240122 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es