Latest revision as of 16:47, 27 April 2022
AEPD (Spain) - PS/00603/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR; Article 13 GDPR; Article 22.2 Spanish Law of Information Society Services (LSSI) |
Type: | Complaint |
Outcome: | Upheld |
Started: | 13.12.2020 |
Decided: | 10.01.2022 |
Published: | 18.04.2022 |
Fine: | 1800 EUR |
Parties: | Lia's Clothes |
National Case Number/Name: | PS/00603/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Cesar Manso-Sayao |
The Spanish DPA issued a fine of €1800 against an online clothes store for processing personal data without data subjects' consent, for failing to have a privacy policy, and for the use of non-essential cookies without providing appropriate information through a cookie banner.
English Summary
Facts
A data subject filed a complaint against Lia's Clothes (an online clothes store) stating that the website did not have an adequate privacy policy or cookie banner.
The Spanish DPA (AEPD) initiated an investigation, and determined that once data subjects were prompted to enter their personal data, there was indeed no information provided related to the protection of personal data, or a link to a privacy policy.
The AEPD also verified that when entering the website, non-essential cookies such as Google Analytics were used, without an adequate banner informing data subjects about their use, the possibility to reject them, or the possibility to consent to them in a differentiated, granular manner.
Holding
The AEPD held that by processing personal data without the data subject’s clear, affirmative, informed and free consent, or any other valid legal basis, the online store had violated Article 6(1) GDPR.
The AEPD also held that the online store had violated its obligation under Article 13 GDPR to provide data subjects information related to the processing of their personal data when collected from them, in particular by not having a privacy policy and not disclosing any details as to who the controller of that personal data would be.
Lastly, the AEPD held that the online store’s use of non-essential cookies without having a cookie banner violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, as well as the possibility to reject non-essential cookies.
Taking into account that the online store was owned by a private individual, the AEPD issued a fine of €1000 for each of the three aforementioned violations, for a total fine of €3000. Because the individual voluntarily paid the fine and expressly accepted their responsibility, the fine was reduced to €1800.
The AEPD also ordered the owner of the store to incorporate an adequate privacy policy and cookie banner in order to comply with GDPR and national data protection provisions.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00603/2021
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On January 10, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against A.A.A. (onwards, the claimed party), through the Agreement that is transcribed:
<< Procedure No.: PS/00603/2021
AGREEMENT TO START A SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency before Mrs. A.A.A., with NIF.: ***NIF.1, owner of the website: https://liasclothes.olistshops.com/, (hereinafter, "the claimed party"), under the claim filed by the entity ZULMAR SANTAMARÍA, S.L., (hereinafter, "the claimant party"), for the alleged violation of data protection regulations, and taking into account the following:
ACTS
FIRST: On 12/13/20, this Agency received a letter of complaint, in which, among others, it indicated the following:
“We denounce the website https://liasclothes.olistshops.com/ for breaching both the RGPD and the LSSI. Specifically, it does not provide information about the Data Controller or your contact information. There is no LEGAL NOTICE with the owner's information. Nor has it published its PRIVACY POLICY or COOKIES POLICY”.
SECOND: On 01/28/21, this Agency sent a letter to the party claimed requesting information regarding the claim filed, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights, (“LOPDGDD”).
THIRD: On 04/26/21, by the Director of the Spanish Agency for Data Protection is dictated agreement of admission to processing of the claim presented, in accordance with article 65 of the LOPDGDD Law, when assessing possible reasonable indications of a violation of the rules in the field of competences of the Spanish Agency for Data Protection.
FOURTH: On 11/03/21, the General Subdirectorate for Data Inspection addressed an informative request to the claimed party, under the powers of investigation granted to the control authorities in article 57.1 of the RGPD. According to a certificate from the State Post and Telegraph Society, the requirement sent to the claimed party, on 11/03/21 through the SICER service, was delivered at destination, on 11/10/21, being the receiver, Mr. B.B.B.. ***NIF.2.
FIFTH: On 12/15/21, this Agency carried out the following checks on the reported website, https://liasclothes.olistshops.com/:
a).- Regarding the processing of personal data:
1. The web works as a "virtual catalog", where the user who wants to make any purchase must enter their personal data, in the "purchase" form, https://liasclothes.olistshops.com/checkout, such as name, address, phone or email. Once all the personal data has been entered, the user must click on the option <<send order>>, there being no acceptance box for the “Privacy Policy” on the form. There is only, at the bottom of the form, the following message:
“After receiving your order, we will contact you to confirm your information and arrange payment. As we do not yet offer payment through the website, we will contact you by WhatsApp, phone or email to organize the delivery and payment of your purchase. Need help? Get in touch: 34685792696 infozapatones@gmail.com”.
b).- About the Privacy Policy:
There is no “Privacy Policy”, nor any type of link that redirects the user to a second layer where the user is informed of the necessary aspects about the treatment of their personal information. On the web there is only the following information about the Responsible for the website: “contact: 34685792696 infozapatones@gmail.com”
There is a link to "Legal Notice" located at the bottom of the page, through which the website displays a banner with the following information:
"Legal notice: "Olist Shops" is a provider of content, via "virtual catalog", for use free, being the total responsibility of the advertiser the publication of products and/or services, marketing and delivery, exempting the developers from any responsibility for misuse of the application."
c).- About the Cookies Policy:
1.- When entering the web for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain is Google Analytics: (_ga, _gid, _gat), but that are installed associated with the domain of the web manager.
2.- There is no type of banner that informs about cookies on the main page or first layer of the web.
3.- There is no mechanism that makes it possible to reject cookies that are not technical or necessary. There is also no cookie control panel that enables the management of these, in a granular way or by groups.
4.- There is no "Cookies Policy", or link that redirects the user to the second layer where the user is informed in more detail about cookies.
SIXTH: In view of the facts denounced, in accordance with the evidence that is available, the Data Inspection of this Spanish Agency for the Protection of Data considers that the above does not comply with current regulations, and therefore that the opening of this sanctioning procedure proceeds.
FOUNDATIONS OF LAW
I.- Competition:
- About the "Privacy Policy":
It is competent to initiate and resolve this Sanctioning Procedure, the Director of the Spanish Agency for Data Protection, by virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of these Data (RGPD) and, as established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
Sections 1) and 2) of article 58 of the RGPD list, respectively, the investigative and corrective powers that the supervisory authority may provide to the effect, mentioning in point 1.d), that of: "notifying the person in charge or in charge of the treatment of alleged infringements of these Regulations” and in 2.i), that of: “impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case.".
- About the Cookies Policy:
It is competent to initiate and resolve this Sanctioning Procedure, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of the art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI).
II.- On the non-existence of an acceptance box, which generates a record of the consent in the purchase form.
It has been verified that in the "purchase" form, https://liasclothes.olistshops.com/, once the personal data has been entered, there is no acceptance box of the "Privacy Policy", being able to send personal data directly clicking on the link: <<send order>>, therefore, there is no possibility of giving consent through an affirmative, clear and voluntary act for the treatment of personal data.
In this sense, article 6.1.a) of the RGPD establishes, on the legality of the treatment of personal data, that the treatment of these will only be lawful if at least one of the conditions indicated in point 1 is met, among which is: “a) the interested party gave their consent for the processing of their personal data for one or several specific purposes (...)”.
Consent must be given through an affirmative, informed and free act. Silence, pre-checked boxes or inaction are not considered “having given implicit consent” for the treatment of personal data. Therefore, it is compulsory compliance with the fact that in order to obtain the consent of the users, they are provided with a blank box or similar mechanism where they can give their consent in an affirmative, informed and free manner.
Before providing personal data and giving consent to their processing, it would be desirable that the interested party be recommended to read and understand the privacy policy. Also, it would be considered good practice to remind the user of their choice of permissions and request a confirmation of their consent, in the same way that many times a second confirmation is requested when the user unsubscribes from an online service or advertising communications.
Thus, article 72.1.b) of the LOPDGDD considers it very serious, for the purposes of prescription, “The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation”.
This infraction can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the greater amount, in accordance with article 83.5.b) of the RGPD.
The balance of the circumstances contemplated, with respect to the infraction committed, by violating the provisions of article 6.1 of the RGPD, and considering that the owner of the claimed web page is a natural person, allows setting an initial sanction of 1,000 euros, (one thousand euros), when carrying out an illicit treatment of personal data obtained from the "purchase" form of the web page of its ownership.
Along with this and in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed on the owner of the web page would consist of ordering him to take the necessary measures to adapt it to current regulations, with the inclusion of a mechanism that enables users of this to provide their consent for the treatment of their personal data, in a clear, affirmative and voluntary way.
III.- About the "Privacy Policy" of the website:
On the web page in question, personal data of users can be obtained through the "purchase" form. However, it has been found that there is no “Privacy Policy”, nor any type of link that redirects the user to a second layer where the user is informed of the necessary aspects about the processing of their personal data. On the web there is only the following information about the person in charge of the page: “contact: 34685792696 infozapatones@gmail.com”.
Article 13 of the RGPD establishes the information that must be provided to the interested party at the moment of obtaining their personal data:
“1. When personal data relating to him is obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide:
a) the identity and contact details of the person in charge and, where appropriate, of their representative;
b) the contact details of the data protection officer, in his case;
c) the purposes of the treatment to which the personal data is destined and the legal basis of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;
e) the recipients or the categories of recipients of personal data, if any;
f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to adequate or appropriate guarantees and the means to obtain a copy of them or the fact that they have been provided.
2. In addition to the information mentioned in section 1, the person in charge of the treatment will facilitate the interested party, at the moment in which the personal data is obtained, the following information necessary to guarantee fair and transparent data processing:
a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;
b) the existence of the right to request access to data from the data controller related to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to the portability of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;
d) the right to file a claim with a control authority;
e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to enter into a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and expected consequences of said treatment for the interested party”.
For its part, article 72.1.h) of the LOPDGDD considers it very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD”
This infraction can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the greater amount, in accordance with article 83.5.b) of the RGPD.
The balance of the circumstances contemplated, with respect to the infraction committed, by violating the provisions of article 13 of the RGPD, and considering that the owner of the claimed web page is a natural person, allows setting an initial sanction of 1,000 euros, (one thousand euros), for the lack of information on the website of its ownership regarding the treatment of personal data obtained through the purchase form.
Along with this and in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed would consist in ordering him to take the necessary measures on the web page of its ownership to adapt it to current regulations, with the inclusion on the website of its ownership of a "Privacy Policy", adapted to the regulations in force, that is, to the RGPD.
IV.- About the "Cookies Policy" of the website:
a).- Regarding the installation of cookies in the terminal equipment prior to consent:
Article 22.2 of the LSSI establishes that users must be provided with clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR.
Therefore, when the use of a cookie entails a treatment that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by the regulations on the protection of data.
However, it is necessary to point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI those necessary cookies for the intercommunication of the terminals and the network and those that provide a service expressly requested by the user.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies excepted would be the “user input cookies” (those used for filling in forms, or managing a shopping cart); cookies for user authentication or identification (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; session cookies to balance load; user interface customization cookies and some plug-in cookies to exchange social content. These cookies would remain excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be necessary to inform or obtain consent on its use.
On the contrary, it will be necessary to inform and obtain the prior consent of the user before the use of any other type of cookies, both first and third party, session or persistent.
In the verification carried out on the claimed website, it was found that, when entering the main page and without performing any action on it and without accepting cookies, non-necessary cookies were used.
b).- About the existing cookie information banner in the first layer (Homepage):
The banner on cookies of the first layer must include information regarding the identification of the editor responsible for the website, in the event that their identifying data do not appear in other sections of the page or that their identity cannot be evidently inferred from the site itself. It must also include a generic identification of the purposes of the cookies that will be used and whether these are own or also from third parties, without it being necessary to identify them in this first layer. Furthermore, it should include generic information about the type of data to be collected and used in the event that user profiles are created and must include information and the way in which the user can accept, configure and reject the use of cookies, with the warning, where appropriate, that if a certain action is carried out, it will be understood that the user accepts the use of cookies.
Apart from the generic information about cookies, in this banner there must be a clearly visible link directed to a second informative layer on the use of cookies. This same link can be used to take the user to the cookie configuration panel, as long as the access to the configuration panel is direct, that is, that the user does not have to navigate inside the second layer to locate it.
In the case at hand, it has been found that there is no type of banner that informs about cookies on the main page or first layer of the web.
c).- Regarding consent to the use of unnecessary cookies:
For the use of non-excepted cookies, it will be necessary to obtain the consent expressly stated by the user. This consent can be obtained by clicking on “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred.
Therefore, mere user inactivity, scrolling or browsing the website will not be considered, for these purposes, a clear affirmative action in any circumstance and will not imply the provision of consent itself. Similarly, access to the second layer if the information is presented in layers, as well as the navigation necessary for the user to manage their preferences in relation to cookies in the control panel, is not considered an active behavior from which the acceptance of cookies can be derived.
The existence of "Cookie Walls" is not allowed either, that is, pop-up windows that block the content and access to the web, forcing the user to accept the use of cookies to be able to access the page and continue browsing.
If the option is to go to a second layer or cookie control panel, the link should take the user directly to that configuration panel. To facilitate selection, the panel can implement, in addition to a granular management system of cookies, two more buttons, one to accept all cookies and another to reject all of them. If the user saves his choice without having selected any cookie, it will be understood that he has rejected all cookies. Regarding this second possibility, in no case are pre-marked boxes in favor of accepting cookies admissible.
If for the configuration of cookies, the web refers to the browser configuration installed in the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. Therefore, if the publisher opts for this option, it must also offer, and in any case, a mechanism that allows the user to reject the use of cookies and/or do it in a granular way, on its own web page.
On the other hand, the withdrawal of the consent previously given by the user should be able to be done at any time. To this end, the publisher must offer a mechanism that makes it possible to withdraw consent easily at any time. This facility will be considered to exist, for example, when the user has simple and permanent access to the cookie management or configuration system.
If the editor's cookie management or configuration system does not allow to avoid the use of third-party cookies once accepted by the user, information will be provided on the tools provided by the browser and third parties, being aware that, if the user accepts third-party cookies and later wishes to delete them, they must do it from their own browser or the system enabled by the third parties for it.
In the present case, it has been verified that there is no mechanism that makes it possible to reject cookies that are not technical or necessary. Nor is there any control panel that would allow the management of cookies in a granular way or by groups.
d).- On the information provided in the second layer (Policy of Cookies):
More detailed information about the characteristics of cookies should be provided in the Cookies Policy, including information about the definition and general function of cookies (what are cookies); about the type of cookies used and its purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, if the information obtained by the cookies is treated only by the publisher and/or also by third parties with identification of the latter; the period of conservation of the cookies in the terminal equipment; and if it is the case, information on data transfers to third countries and the elaboration of profiles that imply automated decision making.
In the case at hand, it has been found that there is no "Cookies Policy", or link that redirects the user to the second layer where the user is informed about the necessary characteristics of cookies.
V- Violation of the Cookies Policy The known facts could constitute an infraction, attributable to the responsible for the web, for violation of article 22.2 of the LSSI, since it establishes what: “Service providers may use storage devices and recovery of data in terminal equipment of the recipients, provided that they have given their consent after they have been provided clear and complete information on its use, in particular, on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data. Where technically possible and effective, the recipient's consent to Accepting the processing of the data may be facilitated through the use of the parameters from the browser or other applications. The foregoing will not prevent the possible storage or access of a technical nature to the sole purpose of effecting the transmission of a communication over a communications network electronic or, to the extent that is strictly necessary, for the provision of a service of the information society expressly requested by the addressee". This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/18 After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the investigation, it is considered appropriate to graduate the sanction to impose in accordance with the following aggravating criteria, established by art. 
40 of the LSSI:

- The existence of intentionality, an expression that must be interpreted as equivalent to a degree of culpability according to the Judgment of the National High Court of 11/12/07 handed down in Appeal no. 351/2006, it being the responsibility of the denounced entity to determine a system for obtaining informed consent that complies with the mandate of the LSSI.

In accordance with these criteria, it is considered appropriate to impose an initial sanction of 1,000 euros (one thousand euros), for the infringement of article 22.2 of the LSSI, regarding the cookie policy of the website in question.

Along with this, the corrective measure that could be imposed would consist of ordering that the necessary measures be taken on the website under her ownership to adapt it to current regulations, with the inclusion of a mechanism that makes it impossible to use non-necessary cookies before the user gives consent; a mechanism that makes it possible to reject all cookies or to do so granularly through a control panel; a homepage banner with information about cookies; and a "Cookies Policy" with more detailed information in a second layer.

VI- Initial total sanction:

In accordance with the criteria set out in the previous points, the total initial sanction to be imposed would be 3,000 euros (three thousand euros): 1,000 euros (one thousand euros) for the infraction of article 6.1 of the RGPD; 1,000 euros (one thousand euros), for the infringement of article 13 of the RGPD and 1,000 euros (one thousand euros), for the infringement of article 22.2 of the LSSI.

Therefore, in accordance with the foregoing, by the Director of the Spanish Data Protection Agency, IT IS AGREED:

TO INITIATE: SANCTIONING PROCEEDINGS against Ms. A.A.A.
with NIF.: ***NIF.1, holder of the website: https://liasclothes.olistshops.com/, for the following infractions:

- Violation of article 6.1 of the RGPD, due to the illicit use of data obtained from the “purchase” form on the website under her ownership, without the user having the possibility of giving their consent.
- Violation of article 13 of the RGPD, due to the non-existence of a “Privacy Policy” on the website.
- Violation of article 22.2 of the LSSI, regarding irregularities detected in the "Cookies Policy" of the website.

APPOINT: Mr. R.R.R. as Instructor, and Ms. S.S.S. as Secretary, if applicable, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

INCORPORATE: into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, and the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase, all of them part of this administrative file.

THAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:

- 1,000 euros (one thousand euros), for the infringement of article 6.1 of the RGPD, without prejudice to what results from the investigation of this file.
- 1,000 euros (one thousand euros), for the infringement of article 13 of the RGPD, without prejudice to what results from the investigation of this file.
- 1,000 euros (one thousand euros), for the infringement of article 22.2 of the LSSI, without prejudice to what results from the investigation of this file.

NOTIFY: this agreement to initiate sanctioning proceedings to Ms. A.A.A.
granting her a hearing period of ten business days to formulate allegations and submit the evidence she deems appropriate.

If no allegations to this initial agreement are made within the stipulated period, the agreement may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, you may acknowledge your responsibility within the period granted for the formulation of allegations to this initial agreement, which will entail a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to 600 euros. With the application of this reduction, the sanction would be set at 2,400 euros, and the procedure would be resolved with the imposition of this sanction.

Similarly, you may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed sanction, which will entail a reduction of 20% of its amount, equivalent in this case to 600 euros. With the application of this reduction, the sanction would be set at 2,400 euros, and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that applies for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made known within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 1,800 euros (one thousand eight hundred euros).
In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

If you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by depositing it in account Nº ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection at Banco CAIXABANK, S.A., indicating in the payment description the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount of which you avail yourself.

Likewise, you must send proof of payment to the General Subdirectorate of Inspection in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. Once this period has elapsed, the procedure will expire and, consequently, the proceedings will be closed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Agency for Data Protection. >>

SECOND: On February 4, 2022, the claimed party proceeded to pay the sanction in the amount of 1800 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.
THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.

FOUNDATIONS OF LAW

I

In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, on services of the information society and electronic commerce (hereinafter LSSI), the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

Finally, the fourth additional provision "Procedure in relation to the competences attributed to the Spanish Data Protection Agency by other laws" establishes that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Agency for Data Protection has to process in the exercise of the powers attributed to it by other laws."

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following:

"1.
Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second has been justified, the voluntary payment by the alleged perpetrator, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by regulation."

According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00603/2021, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to A.A.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

936-240122
Mar España Martí
Director of the Spanish Data Protection Agency