AEPD (Spain) - EXP202316737
Latest revision as of 08:07, 13 November 2024
AEPD - EXP202316737 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Ley 34/2002 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 24.10.2023 |
Decided: | 09.09.2024 |
Published: | |
Fine: | 20,000 EUR |
Parties: | The Nude Project |
National Case Number/Name: | EXP202316737 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Ao |
The DPA fined a clothing retailer €20,000 for failing to demonstrate that the data subject had consented to commercial advertisements when providing their e-mail address in order to receive a digital receipt for a purchase.
Facts
On 24 October 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, a clothing retailer called “Nude project”. The data subject alleged that the controller had infringed Law 34/2002, which is the Spanish national implementation of the EU e-privacy Directive.
On 23 September 2023, the data subject was in one of the controller’s shops and, upon requesting the receipt for a purchased item, was told that receipts could only be provided digitally. They had the option of providing either an e-mail address or a telephone number and were then handed a tablet to enter their e-mail address. The data subject stated that the tablet did not show any option to object to receiving advertising.
Before filing the complaint, the data subject had received three advertisement e-mails from the controller. The e-mails included a passage which offered the option of unsubscribing from the advertising e-mails.
The controller argued that cashiers inform customers that receipts are preferably delivered digitally but that it is possible to get a physical receipt. It further claimed that the tablet does display an option to object to receiving advertising and provided three screenshots as proof. The first screenshot was of the tablet screen showing a box agreeing to advertisement which could be unticked; the second screenshot showed the data subject's account, with a ticked box to receive advertisements via e-mail; and the third showed a confirmation of the data subject having unsubscribed from the e-mail advertisements.
Holding
The AEPD stated that, in order to show that consent was obtained according to the requirements of the GDPR, the controller must keep a record of the actions carried out to obtain the consent of the data subject.
The AEPD highlighted that the controller did not, for example, provide a log demonstrating that the data subject gave consent or a screenshot of the signature of the data subject together with the user ID. Therefore, the controller had submitted no evidence which showed that the data subject had given consent to commercial advertisements as per the requirements of Article 7 GDPR.
The AEPD further stated that the controller's intent constituted an aggravating factor. By leaving customers with no other option but to receive advertising communications via e-mail or text message in order to be provided with a receipt, the controller intentionally breached the provisions of Law 34/2002.
The AEPD sanctioned the controller for a violation of Article 21 of Law 34/2002, classified as minor under Article 38(4)(d) of Law 34/2002, with a fine of €20,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: EXP202316737 (PS/00110/2024)

SANCTIONING PROCEDURE RESOLUTION

From the actions carried out by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On 10/24/23, D. A.A.A. (the complaining party), filed a complaint with the Spanish Data Protection Agency. The complaint is directed against the entity NUDE PROJECT, S.L. with CIF.: B01945328, (the respondent party), for the alleged violation of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).

The complainant states that on 23/09/23 he went to a store of the defendant entity to make a purchase and that, when he requested the corresponding purchase receipt, he was told that it was not possible to deliver it physically, and that he had to provide his email address or telephone number, being forced to provide said data to receive the corresponding purchase receipt. He also states that, when he provided said data on a Tablet in the establishment, at no time did any message or form appear where he could object to receiving advertising. Despite this, he has received up to three advertising emails from the defendant entity in his email, all without having authorized it.

The following documentation is attached to the complaint:

- Dated 23/09/23, 28/09/23 and 01/10/23, a copy of the emails sent from the NUDE PROJECT address <help@nude-project.com> received by the complainant, containing advertising messages and photographs, such as, for example:
o NUDE PROJECT© Thank you for your purchase! Visit Our store. Order summary …
o NUDE PROJECT© NEW IN T-SHIRTS HOODIES BOTTOMS
o By Artists, For Artists…
o So, let's play who's who... you choose. Also, we have some last units of new Playboy garments. Have a look. JACK HAB LOW… or PLAYBOY CARDIGAN PLAYMATE SHIRT PLAYBOY CHINO PANTS SHOP THE LOOK DRAKE… or CHESS KNITTED POLO POOL DENIM PANTS CHAMPAGNE PROBLEMS HAT NAVY SHOP THE LOOK RIHAN NA… or WOMEN RACING JACKET BIG HEART WHITE BABY BUNNY BOWLING BAG WHITE/NAVY SHOP THE LOOK LIL NAS

In each of the emails received, there is the following message, in English: Do you no longer want to receive these emails? Unsubscribe. NUDE PROJECT CIPujadas. 81 Barcelona. Barcelona 08005)

SECOND: On 11/22/23, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, (LOPDGDD), this Agency transferred said claim to the respondent party so that it could proceed to analyze it and report, within a period of one month, on what was set forth in the claim letter. The transfer was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), by electronic notification, with access to the content of the notification taking place on 12/01/23 as recorded in the file. No response has been received to this transfer letter.

THIRD: On 01/24/24, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant was admitted for processing.

FOURTH: On 03/12/24, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the entity NUDE PROJECT, S.L., in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged infringement of article 21 of the LSSI, classified as "minor" in art. 38.4.d) of the same regulation. In the opening agreement it was determined that the sanction that could be imposed, taking into account the evidence existing at the time of the opening, would amount to a total of 20,000 euros (twenty thousand euros).

FIFTH: Having been notified of the aforementioned initiation agreement in accordance with the rules established in the LPACAP, the respondent party submitted a written statement of allegations on 03/27/24, in which it states the following:

“First.- First of all, we must indicate that the statement of facts does not reflect the reality of what happened. This party has received advice on privacy, personal data protection and electronic commerce, so it is aware of the obligation provided for in the aforementioned article to obtain the express consent, or that it had been requested by the recipient of the same, to allow the sending of advertising communications by email or equivalent means.

The company that I represent has been able to verify that the complainant effectively made a purchase at the company's store located in La Roca Village on September 23, 2023 at 5:00 p.m. However, this entity must indicate that the consent of its clients was obtained in order to send them commercial communications, and furthermore, there are a series of measures implemented by default to avoid sending communications to those clients who have not requested it or whose consent has not been expressly obtained.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

At the time of payment, the cashier informs you that, in accordance with the commitment to eliminate paper, the ticket is preferably delivered electronically by email. However, it is not true that the option of delivering the physical ticket was not given, nor that a message or form to oppose the receipt of advertising did not appear on the establishment's Tablet.

Attached as DOCUMENT Nº 2 is a screenshot of the Tablet screen in which you can see in the “customer options” section a first tab called “accept advertising”, which as you can see is unchecked by default. At that moment all customers are expressly asked if they wish to accept the sending of advertising before opening said tab, which occurred in this case.

That is, the complainant expressly accepted the sending of advertising, since he was interested in receiving information about other products of the brand that would be subsequently marketed. Attached as DOCUMENT Nº 3 is a screenshot of the final purchase in which you can see the customer's subscription to said advertising by email to be sent to the address ***EMAIL.1

If you look at the screenshot of Document Nº 2 you can draw different conclusions: Firstly, we can see how the box for commercial communications by email has been checked because the user accepted that option during the purchase. Likewise, it can be observed that consent was not given to receive communications via SMS, which can be classified as another means of electronic communication equivalent to emails, according to article 21 of the LSSI. In this regard, and following the instructions of the client, all commercial communications were sent via email, for which the client's consent was obtained. Additionally, it can be observed that it was indicated that the notifications would be received in English.

Nude Project, S.L. never sends advertising to people who have not given their express consent to such delivery by subscribing. Once D. A.A.A. had subscribed, it is true that Nude Project, S.L. sent the emails detailed in the agreement to initiate the sanctioning procedure. However, we must point out that the client was fully aware that he could cancel the subscription since this is stated in each email that is sent.

In fact, the complainant canceled the subscription on December 20, 2023 at 8:57 a.m., simply by clicking on the link he received in the emails under the word "unsubscribe". The proof of said deletion is provided as DOCUMENT NO. 4.

It is therefore surprising that if he did not wish to receive emails, he could have easily cancelled the subscription upon receiving the first one on the same day of purchase, September 23, or the second one a few days later (September 28). We would like to emphasise that from the moment you unsubscribed, Nude Project, S.L. has not sent any other commercial communications.

In short, we consider that Nude Project, S.L. has acted correctly, complying with the mandates of its client, both in sending commercial communications and in unsubscribing; and all of this in strict compliance with the provisions of current legislation.

Second.- In any case and in a subsidiary manner, we understand that the actions of Nude Project, S.L. will be covered by the second section of article 21 of Law 34/2002 on Information Society Services and Electronic Commerce. This law establishes that:

1. The sending of advertising or promotional communications by email or other equivalent means of electronic communication that have not previously been requested or expressly authorised by the recipients of the same is prohibited.

2. The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider has lawfully obtained the recipient's contact details and used them to send commercial communications regarding products or services of its own company that are similar to those that were initially contracted. In any case, the provider must offer the recipient the possibility of opposing the processing of their data for promotional purposes through a simple and free procedure, both at the time of data collection and in each of the commercial communications sent to them.

When the communications have been sent by email, this means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised, and the sending of communications that do not include this address is prohibited.

We have underlined the second section of said article since it establishes that the first section is not applicable (prohibition of sending advertising communications), when the following requirements are met:

- There is a prior contractual relationship.
- The provider had lawfully obtained the client's contact details.
- The provider used said data to send commercial communications regarding products or services of its own company similar to those that were the subject of the contract.

The action of Nude Project, S.L. is covered by the second section of the aforementioned article because:

1) The complainant D. A.A.A. contracted with Nude Project, S.L. the acquisition of a product (varsity sweatshirt) on September 23, 2023.
2) Nude Project, S.L. lawfully obtained the client's data as the client was the one who voluntarily provided it, ordering the sending of the purchase ticket by email.
3) Nude Project, S.L. sent commercial communications to its client, now the complainant, via emails in which information was provided about products similar to the one purchased by Mr. A.A.A..
4) Nude Project, S.L. gave the client the opportunity to unsubscribe in each email it sent, simply by clicking on a link.
5) Nude Project, S.L. did not send a single email to the complainant after he expressed his desire not to receive any more commercial communications.

Third.- The sending of the purchase receipt by email is protected by Royal Decree 1619/2012 of 30 November, which approves the Regulations governing billing obligations.
Specifically, article 8 specifies that invoices may be issued by any means, on paper or in electronic format, while article 9 supports invoices that are issued and received in electronic format.

Fourth.- In terms of sanctions, the Constitutional Court has established as one of the basic pillars for the interpretation of administrative sanctioning law that the basic principles and guarantees present in the field of criminal law are applicable, with certain nuances, in the exercise of any sanctioning power of the Public Administration (for example, in the Constitutional Court's rulings 76/1990, 120/1994, 154/1994, 23/1995, 97/1995, 147/1995, 45/1997 of April 26, among many others).

Article 25.1 of the Constitution establishes that no one may be convicted or sanctioned for actions or omissions that at the time of their occurrence did not constitute a crime, misdemeanor or administrative infraction according to the legislation in force at that time. The Constitutional Court has held that the principle of typicality consists of the need for normative predetermination of the offending conduct and the corresponding sanctions (SSTC 61/1990, 116/1993, 151/1997, 124/2000, 113/2002, 129/2003, 297/2005, 129/2006 etc.).

In the same sense, article 27 of Law 40/2015 on the Legal Regime of the Public Sector defines the principle of typicality in the same terms in that only violations of the legal system provided for as such violations by a Law may constitute administrative infractions.

In the present case, disciplinary proceedings are initiated and a sanction is proposed against Nude Project, S.L. for having allegedly infringed article 38.4.d) of Law 34/2002 on Information Society Services and Electronic Commerce, which classifies as a minor infraction “the sending of commercial communications by email or other equivalent means of electronic communication, when said sending does not comply with the requirements established in article 21 and does not constitute a serious infraction”

Given that, as we have seen, the actions of Nude Project, S.L. is protected by the second section of article 21, the imposition of a sanction would constitute a violation of the principle of typicality that governs all administrative sanctioning procedures.

In the rulings of the National Court (5 February 2019 EDJ 2019/543106, 25 March 2016 EDJ 2016/66100, 4 FEBRUARY 2010 EDJ 2010/12007, 23 May 2007 EDJ 2007/76092) of which we are aware of and which have been handed down in similar cases, sanctions are only upheld in cases where the affected parties received emails after expressly stating their opposition to receiving them.

In the present case, the situation is completely different. The complainant not only gave his express authorization to receive commercial communications, but could have replied to the first communication received indicating that he did not wish to receive any more. This could be done in several ways:

- Clicking in the indicated place in the email "unsubscribe".
- Replying to the email received
- Sending a message to customer service. In the "about us" section of the website www.nude-project.com there is a direct form to send any questions or considerations. There is also a direct email to send it, specifically, help@nude-project.com
- Indicating it personally in any of the company's physical stores.

We are therefore not in the cases regulated in the Sentences in which the sanction imposed by the AEPD has been validated.

Fifth.- We also oppose the grading of the sanction that appears in the agreement initiating the sanctioning procedure, which applies the aggravating circumstance of the existence of intent, when in our opinion it is not applicable, and also without taking into consideration the rest of the circumstances provided for in article 40 of Law 34/2002 on Information Society Services and Electronic Commerce.

The existence of intent is justified in that commercial communications were sent after obtaining the client's email address in order to send the purchase receipt and there being no possibility of rejecting the sending of commercial communications when the email is provided. The application of this circumstance is absolutely erroneous since as has been proven:

1) The client expressly allowed the sending of commercial communications, modifying at that time the corresponding tab of the application; given that he was expressly interested in receiving commercial communications.
2) Once the purchase receipt was received, the customer was perfectly able to cancel his subscription, just as he was able to do when he received the other two communications.
3) The complainant himself deleted his subscription on December 20, 2023.

The National Court's ruling of June 21, 2023 (EDJ 2023/606757) considers the application of this aggravating circumstance of intentionality to be correct in the case where a commercial email is sent after the user expressly expressed his opposition, but not in the case at hand.

But what is more, the truth is that none of the other circumstances of article 40 apply to the actions of Nude Project, S.L., specifically:

o Period of time during which the infringement is supposedly committed, which according to the complaint itself is only 8 days.
o Recidivism: Non-existent in this case since Nude Project, S.L. has not been sanctioned for an infringement of the same nature.
o Nature and amount of the damages caused. No damages have been caused in this case.
o Benefits obtained from the infringement: Nude Project, S.L. has not obtained any benefits given that the customer did not purchase any items after his purchase on September 23.
o The turnover is non-existent.

That is to say, in this case, the sanction imposed should have taken into account all of these circumstances, so a fine of 20,000 euros when the range is between 1 and 30,000 euros seems clearly excessive.

This incorrect application represents the violation of another constitutional right, such as the principle of proportionality, which has been established as an instrument of control over discretionary administrative decisions. It is included in articles 103.1 and 106 of the Spanish Constitution and in article 29 of Law 40/2015 on the Legal Regime of the Public Sector. In this last article it is determined that the appropriateness and necessity of the sanction to be imposed and its adaptation to the seriousness of the act constituting the infringement must be observed on the basis of four criteria: a) Degree of guilt or intentionality b) Continuity or persistence of the conduct c) Damages caused d) Recidivism.

Given all the above, we understand that the hypothetical sanction should be in any case within the lower quarter of the amount proposed in the Standard.

Sixth.- As a continuation of the previous argument, we invoke the application of article 39 ter of Law 24/2002 in the sense that we understand that there is sufficient data so that, even in the case that the infringement could be understood to have been committed, the archiving of the sanctioning procedure is agreed and in its place a warning with the adoption of corrective measures determined by the competent body.

In this regard, we indicate that this entity, having obtained the recommendations of our advisors on personal data protection, has decided to carry out the following actions, aimed at avoiding a repeat of an incident such as the one that is the subject of notification: The aforementioned advisors are requested to provide information on the legal considerations regarding consent in electronic communications.

The written statement of allegations is accompanied by the following documentation:

- DOCUMENT No. 1 – Screenshot showing the option to receive advertising unchecked by default.
- DOCUMENT No. 2 – Screenshot of the claimant's account, where it is indicated that electronic communications can be sent because they have given their consent, their contact email, and the option to send communications by SMS unchecked.
- DOCUMENT No. 3 – First communication with the option to unsubscribe.
- DOCUMENT No. 4 – Withdrawal of consent to receive commercial communications by the complainant.
- DOCUMENT No. 5.- Report with considerations on consent in commercial communications.
- DOCUMENT No. 6.- Screenshot of registration in the system.
- DOCUMENT No. 7 – Screenshot with the system check carried out on 03/21/24.

SIXTH: On 07/30/24, a resolution proposal was made in the sense that the Director of the AEPD would sanction the respondent party for violation of the provisions of article 21 of the LSSI, classified as "minor" in art. 38.4.d) of the same regulation with a penalty of 20,000 euros (twenty thousand euros).

In FD II of the resolution proposal, the objections were answered at the initiation of the file:

First: The complainant states in his complaint that on 09/23/23, when making a purchase in one of the establishments of the entity being claimed, he was told that it was not possible to deliver the physical purchase ticket and that he had to provide his email address or telephone number.
He also points out that, when providing said data on a Tablet of the establishment, at no time did any message or form appear through which he could object to receiving advertising, having received up to three advertising emails from the entity in his email without having authorized it. To corroborate the above, a copy of the three advertising emails received on 23/09/23, 28/09/23 and 01/10/23 is attached.

For its part, the respondent party states in its written allegations to the initiation of the file that it is true that the claimant made a purchase in one of its stores on 23/09/23 but that at the time of making the payment, the cashier informed him that in accordance with the commitment to eliminate paper, the ticket is preferably delivered electronically by email, there being also the option of delivering the physical ticket.

That the claimant agreed to receive the ticket by email and that when giving it, he was expressly asked if he wished to accept the sending of advertising before opening said tab, which occurred in this case and is attached to the capture of the screen of the Tablet where the option to receive advertising is shown unchecked by default; the screenshot of the claimant's account, where the list of purchases made appears, on the one hand, the only one dated 09/23/23 and on the other hand, the email address: ***EMAIL.1; and a copy of the screen for withdrawing consent to receive commercial communications where the following information appears: Email Unsubscribe: ***EMAIL.1 Unsubscribe Date Dec 20, 2023 at 8:57 pm.

Now, regarding the consent that the user gives to the person responsible for the processing of his/her data so that, for example, as in the present case, he/she can send him/her commercial communications, Directive 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/16 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of such Data (RGPD) establishes, points 105 to 108, the following:

105. Recital 42 establishes that: “When the processing is carried out with the consent of the interested party, the controller must be able to demonstrate that the latter has given his/her consent to the processing operation.”

106. Controllers are free to develop methods to comply with this provision that are tailored to their daily operations. At the same time, the obligation to demonstrate that a controller has obtained valid consent should not in itself lead to excessive additional data processing. This means that controllers should have sufficient data to show a link to the processing (to show that consent was obtained), but should not collect further information.

107. It is up to the controller to demonstrate that it has obtained valid consent from the data subject. The GDPR does not prescribe how this should be done exactly. However, the controller must be able to demonstrate that in a specific case a data subject has given consent. The obligation to demonstrate consent will exist for the duration of the data processing activity in question. After the end of that activity, proof of consent should not be kept longer than is strictly necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).

108. For example, the controller must keep a record of the declarations of consent received, so that it can demonstrate how and when consent was obtained, and the information that was provided to the data subject at the time must also be demonstrated. The controller must also be able to demonstrate that the data subject was informed and that the controller's workflow met all relevant criteria for valid consent. The logic underlying this obligation in the GDPR is that controllers must be accountable for obtaining valid consent from data subjects and for the consent mechanisms they have adopted. For example, in an online context, a controller could retain information about the session in which consent was expressed, together with documentation about the consent workflow when that session took place, and a copy of the information that was presented at that time to the data subject. It would not be sufficient to refer only to a correct configuration of the website in question.

The GDPR establishes that consent must be “free, specific, informed and unequivocal”. In addition, the interested party must be given control over it and be given the possibility of accepting or rejecting the terms under which it is given.

Article 7 of the GDPR establishes that, when the treatment is carried out based on consent, this must be verifiable and the controller must be able to demonstrate that the interested party gave it in a valid manner.

The GDPR does not establish a specific mechanism on how the controller must be able to prove that it has obtained valid consent, having freedom to implement the form of obtaining and recording that best suits the processes of the organization but, at least, must be able to prove who gave the consent, when, how and for what, as well as the information that was provided at the time of obtaining it.
This obligation remains in force as long as the processing of personal data continues to be carried out under the initial conditions in which the data was collected and must be verifiable in the event of an audit or inspection. It is therefore of interest to implement tools that offer guarantees to the various parties involved in the consent process and allow them to manage the processing of personal data that is being carried out. Therefore, to assess whether consent is granted in a valid manner, the data controller must keep a log of the actions carried out to obtain consent. In the present case, the entity being complained about only presents a capture of the screen of a Tablet where the option to receive advertising is displayed unchecked by default; the screenshot of the claimant's account, where on the one hand the list of purchases made appears and on the other hand, the claimant's email address and the screenshot of a screen of the Tablet where the withdrawal of consent to receive commercial communications appears but does not provide, for example, a history of the "log" that can demonstrate that the interested party gave consent to receive commercial communications in a valid manner, or a screen where the signature of the interested party appears together with the ID number, thus complying with what is established in the current regulations, regarding the obligation of those responsible for the treatment to demonstrate that they have obtained consent in a valid manner. In short, on the one hand, the claimant, in his complaint, states that he has received commercial communications from the defendant without prior authorization, thereby breaching the provisions of article 21 of the LSSI, and on the other, from the documentation presented by the defendant in its allegations at the initiation of the file, there is no evidence that the interested party gave valid consent to receive commercial communications, as established in article 7 of the GDPR. 
Second: Regarding the grading of the sanction in which the aggravating circumstance of the existence of intentionality is applied, stating that it is not applicable, since, according to the defendant, the client expressly allowed the sending of commercial communications, and once the purchase receipt was received, the client could perfectly cancel his subscription, just as he could do when he received the other two communications and did so on 09/20/23. State that, with regard to the fact that the complainant expressly allowed the sending of commercial communications, as set out in the previous section, in relation to the point, in this case, there is no evidence that the complainant clearly expressed consent to receive commercial communications as established in article 7 of the RGPD and in relation to the fact that the complainant was able to unsubscribe easily and directly, both when receiving the purchase receipt and through the emails received, indicate that this file is not dealing with the possibility of opposition to the processing of personal data for promotional purposes as established in section 2 of article 21 of the LSSI, but rather the fact that before being able to exercise his right to oppose receiving advertising, the complainant received advertising emails without him having requested them or expressly permitted them, article 21.1 LSSI, so, in the case at hand, the application of the burden of intent is considered correct, in the sense that these events could and should have been avoided, observing and complying with a rule that imposed a duty of care. The claimant continues by stating that “(…) the sanction imposed should have taken into account all of these circumstances, so a sanction of 20,000 euros when the range is between 1 and 30,000 euros seems excessive (…), thereby violating the principle of proportionality (…)”.
Regarding the latter, let us remember that the infringement charged is classified as “minor” in art. 38.4.d) of the LSSI and that article 39.1.c) establishes that said infringements may be sanctioned with a fine of up to 30,000 euros and to graduate said sanction, article 40 LSSI, establishes that said graduation will be taken into account in the following criteria: a) The existence of intentionality. b) Period of time during which the infringement has been committed. c) Recidivism by committing infringements of the same nature, when this has been declared by a final resolution. d) The nature and amount of the damages caused. e) The benefits obtained by the infringement. f) Volume of turnover affected by the infringement committed. g) Adherence to a code of conduct or a system of advertising self-regulation applicable to the infringement committed, which complies with the provisions of article 18 or the eighth final provision and which has been favourably reported by the competent body or bodies. Furthermore, article 29.3 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (RJSP), establishes that, “(…) in the imposition of sanctions by Public Administrations, the appropriateness and necessity of the sanction to be imposed and its adequacy to the seriousness of the fact constituting the infringement must be observed (…)”. In our case, it is considered that it is appropriate to graduate the sanction to be imposed according to the existence of intent (section a), as has been set out above and therefore, it is considered that the amount of the sanction complies with the proportionality criteria of article 29 of the LRJSP and 40 of the LSSI, without the initially proposed sanction reaching the maximum of the range established for this type of infraction.
The notification of the aforementioned resolution proposal was carried out in accordance with the rules established in the LPACAP, by electronic notification, with access to the content of the notification taking place on 01/08/24 as recorded in the file. No response has been received to this written resolution proposal. In view of all the actions taken, the Spanish Data Protection Agency in this procedure considers the following proven facts: PROVEN FACTS First: It has been established that on 23/09/23 the claimant made a purchase in the store of the defendant located in La Roca Village. Second: It is known that the claimant received, in the email ***EMAIL.1 on the days 23/09/23, 28/09/23 and 01/10/23, three emails sent from the address NUDE PROJECT <help@nude—project.com> containing advertising messages and photographs in English, such as: - NUDE PROJECT© Thank you for your purchase! ¡Visit Our store. Order summary … - NUDE PROJECT© NEW IN T-SHIRTS HOODIES BOTTOMS - By Artists, For Artists… - So, let's play who's who... you choose. Also, we have some last units of new Playboy garments. Have a look. JACK HAB LOW… - PLAYBOY CARDIGAN PLAYMATE SHIRT PLAYBOY CHINO PANTS SHOP THE LOOK DRAKE… - CHESS KNITTED POLO POOL DENIM PANTS CHAMPAGNE PROBLEMS HAT NAVY SHOP THE LOOK RIHAN NA… - WOMEN RACING JACKET BIG HEART WHITE BABY BUNNY BOWLING BAG WHITE/NAVY SHOP THE LOOK LIL NAS - Screenshot of the Tablet showing the option to receive advertising unchecked by default. - Screenshot of the claimant's account, where the list of purchases made appears, the only one dated 09/23/23, and on the other hand, the email address: ***EMAIL.1 with the annotation "notifications will be made in English". It can be seen that the option "subscribed email" is checked and the option to send communications by SMS is unchecked. There is no signature of the claimant's authorization. 
- Copy of the screen for withdrawing consent to receive commercial communications where the following information appears, in English: Email Unsubscribed: ***EMAIL.1 Subscription details Status Unsubscribed or Method Email Link Date Dec 20, 2023, at 8:57 pm UTC. (Unsubscribe Email: ***EMAIL.1 Subscription details Status: Unsubscribe Date Dec 20, 2023)
LEGAL BASIS
I Competence.
In accordance with the provisions of article 43.1 of the LSSI and the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures." The fourth additional provision "Procedure in relation to the powers conferred on the Spanish Data Protection Agency by other laws" establishes that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Data Protection Agency must process in the exercise of the powers attributed to it by other laws."
II Prohibition of unsolicited or expressly authorized commercial communications
The LSSI prohibits unsolicited or expressly authorized commercial communications, based on a concept of commercial communication that is classified as an information society service and is defined in its Annex as: “f) Commercial communication”: any form of communication aimed at promoting, directly or indirectly, the image or the goods or services of a company, organization or person who carries out a commercial, industrial, artisanal or professional activity.
Therefore, the concept of commercial communication, according to the previous definition, includes all forms of communication intended to promote, directly or indirectly, goods, services or the image of a company, organization or person with a commercial, industrial, artisanal or professional activity. On the other hand, the LSSI in its Annex a) defines “Information Society Service” as “any service normally provided for a fee, at a distance, by electronic means and at the individual request of the recipient, which also includes services not remunerated by their recipients, to the extent that they constitute an economic activity for the service provider”. According to section d) of the aforementioned Annex, the recipient is the “natural or legal person who uses, whether or not for professional reasons, an information society service”.
III Classification of the infringement committed by sending commercial communications without having been requested or expressly authorized.
The fact that the respondent sends advertising emails to the complainant that had not previously been requested or expressly authorized constitutes a violation of the provisions of article 21 of the LSSI, as it establishes the following: “1. The sending of advertising or promotional communications by email or other equivalent means of electronic communication that have not previously been requested or expressly authorized by the recipients of these is prohibited. 2. The provisions of the previous section will not apply when there is a prior contractual relationship, provided that the provider has lawfully obtained the recipient's contact details and used them to send commercial communications regarding products or services of its own company that are similar to those that were initially the subject of the contract with the client.
In any case, the provider must offer the recipient the possibility of opposing the processing of their data for promotional purposes through a simple and free procedure, both at the time of data collection and in each of the commercial communications sent to them. When the communications have been sent by email, this means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised, and the sending of communications that do not include this address is prohibited.”
IV Sanction
The aforementioned infringement is classified as “minor” in art. 38.4.d) of said regulation, which qualifies as such, “The sending of commercial communications by email or other equivalent means of electronic communication when said sendings do not comply with the requirements established in article 21 and do not constitute a serious infringement.” According to the provisions of article 39.1.c) of the LSSI, minor infringements may be sanctioned with a fine of up to €30,000, while article 40 of the LSSI establishes the criteria for grading the amount of the sanctions: “The amount of the fines imposed will be graded according to the following criteria: a) The existence of intent. b) Period of time during which the infringement has been committed. c) Recidivism in the commission of infringements of the same nature, when this has been declared by a final resolution. d) The nature and amount of the damages caused. e) The profits obtained from the infringement. f) Volume of turnover affected by the infringement committed. g) Adherence to a code of conduct or a system of advertising self-regulation applicable to the infringement committed, which complies with the provisions of article 18 or the eighth final provision and which has been favourably reported by the competent body or bodies.”
Based on the evidence obtained, it is considered that the sanction to be imposed should be graded in accordance with the aggravating criteria established in art. 40 LSSI: - The existence of intentionality (section a), since, if the customer wishes to receive the purchase ticket, he must provide the email address or telephone number where it will be sent, but he will also receive commercial communications by said means, even if he does not wish to, since there is no possibility of rejecting the sending of commercial communications when the email or telephone number is provided. According to these criteria, it is considered appropriate to propose a fine of 20,000 euros (twenty thousand euros), for the violation of article 21.1 of the LSSI. In accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO IMPOSE on the entity NUDE PROJECT, S.L. with CIF: B01945328, for the infringement of article 21 of the LSSI, classified as “minor” in art. 38.4.d), a fine of 20,000 euros (twenty thousand euros). SECOND: TO NOTIFY this resolution to the entity NUDE PROJECT, S.L. THIRD: To warn the sanctioned party that the sanction imposed must be made effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, within the voluntary payment period indicated in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it in the restricted account No. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. or otherwise, it will be collected in the enforcement period. 
Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure (article 48.6 of the LOPDGDD), and in accordance with the provisions of articles 112 and 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, interested parties may optionally file an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned legal text. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The documentation proving the effective filing of the administrative appeal must also be transferred to the Agency. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will consider the precautionary suspension to be terminated. Mar España Martí Director of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es