AEPD (Spain) - PS/00385/2020: Difference between revisions

From GDPRhub
No edit summary
Line 31: Line 31:




|National_Law_Name_1=LSSI Article 22(2)  
|National_Law_Name_1=Article 22(2) LSSI
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758
|National_Law_Name_2=LSSI Article 38(4)(g)
|National_Law_Name_2=Article 38(4)(g) LSSI
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758



Revision as of 08:42, 30 March 2021

AEPD - PS/00385/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 7 GDPR
Article 58(2)(b) GDPR
Article 22(2) LSSI
Article 38(4)(g) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 8000 EUR
Parties: n/a
National Case Number/Name: PS/00385/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that the website of a “paperwork management” company breached Article 7 GDPR by providing users with only a “generic” means for giving consent, and that the website’s cookie policies breached Spanish national law.

English Summary

Facts

10 individuals complained about the Canary Click Consulting website, who claimed to offer processing services for obtaining certain official certificates.

The individuals complained that they had to enter personal data and pay a fee in order to receive official certificates, but only received instructions on obtaining the certificates once they did this. Several complainants also stated that the company gave them no information about the storage or deletion of their data once they asked for a refund.

On their investigation, the AEPD found the following:

  • URL 1’s privacy policy stated that personal data would only be used for “strictly necessary purposes”, but also that marketing was an object of the processing. URL 1 also did not provide an option to reject cookies.
  • URLs 2, 3 and 4 had no cookie banner and no rejection mechanism in their cookie policies. When users sought to delete cookies, the URLs instructed them to “configure the browser on their terminal equipment.”

Dispute

Were URLs 1-4 in breach of the GDPR?

Holding

The AEPD held that Canary Click Consulting breached European and Spanish data protection law.

It held that URL 1 breached Article 7 of the GDPR because the users had to “generically” give their consent to all processing purposes, meaning they could not withdraw consent for specific purposes, such as marketing. For this the AEPD issued Canary Click with a warning and ordered them to bring URL 1 and their privacy policy in line with Article 6(1)(a) GDPR within a month.

The AEPD also held that URLs 1-4 breached Article 22(2) of the Law 34/2002 (LSSI), the Spanish law implementing the e-Privacy Directive. For this, Canary Click was fined €8,000, i.e. €2,000 per URL.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                  1/18








     Procedure Nº: PS / 00385/2020
938-0419
                RESOLUTION OF SANCTIONING PROCEDURE

In the sanctioning procedure PS / 0385/2020, followed by the entity, CANARYCLICK

CONSULTING SL with CIF .: B76323666, (hereinafter, "the claimed entity"), owner
of the web pages: *** URL.1; *** URL.2; *** URL.3 and *** URL.4, under the nine
(9) claims filed against them, for alleged violation of regulations
of data protection and taking into account the following:


                                   BACKGROUND:

FIRST: On 04/30/19, the MINISTRY OF HEALTH, CONSUMPTION AND WELL-
ESTAR SOCIAL, sends this Agency a written complaint against the web *** URL.1, in
stating in it that:


"The portal denounced, from the first moment gives the impression of being a page
official of the European institutions since the logo of the European Parliament appears and
a video from the European Commission which can mislead people to
which is being run as it really is a private company. That at the end of the page
gina in a paragraph of very reduced type informs about the company that owns the website.

That you have to enter personal data (name and surname, ID, phone number
phone, email, social security affiliation number and email address
postal mail) to know the price of said management (69 euros) or consult the letter pe-
queña at the end of the website. That incomplete information is given on the assignment of da-
personal data, since the question arises as to what this company does with the data of the

consumers. That in the privacy section of the website it is not specified with
who the data is shared and for how long the data will be stored
cough".

SECOND: On 11/06/19, claimant No. 2, sends this Agency a written statement of

complaint against the web, *** URL.2, indicating in it that:

“That website uses all kinds of official symbols to mislead the city.
damage and that you provide them with all your personal data (NIE, telephone number, address, name
their parents' names), in order to send official certificates ”.


THIRD: On 11/07/19, the claimant no. 3, sent this Agency a letter of
complaint against the web *** URL.2, indicating in it that:

"On September 3 you receive a receipt of having paid the administrative fees
of the criminal record certificate and a courier says he must be himself

Whoever obtains the requested certificate in person with what the procedure for which he paid
has not occurred. That after filing a complaint the amount is claimed again
collected and the deletion of your data without having received any response ”.

FOURTH: On 06/20/20, claimant No. 4, sends this Agency a written statement of-

Announcement against the web *** URL.4, indicating in it that:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18








“The web offers management services through the web to obtain certificates. It
they actually offer are instructions on how to get those certificates, but
this is discovered once the payment has been made ”.


FIFTH: On 07/07/20, claimant No. 5 sends this Agency a written statement of-
Announcement against the web *** URL.3, indicating in it that:

“They have charged him for managing a registration. That at the moment he realized
that it was not an official page and sent an email to make the cancellation. That to

The next day they told him that he could not cancel or make the return that had been
past the period. They have not sent any paper. The only thing they have sent you
It is a document where it says what you have to bring and where to present it. That they have not
performed no management. That on the web it says that they carry out the steps to
that you do not have to leave home. That they have replied to emails saying that already

They have given him what he paid, which is the file that says where he has to present the
papers that she has to look for ”.

SIXTH: On 07/07/20, claimant No. 6 sends this Agency a written statement of-
Announcement against the web *** URL.4, indicating in it that:


"On this website they are dedicated to collecting user data with the excuse of managing them
official certificates and charging for it. Who proceeded to ask them to destroy their
data (ID, dates of birth, telephone numbers, email) and they return the money. That
They promise to return the money, but they do not refer to destroying the data ”.


SEVENTH: On 07/22/20, claimant No. 7, sends this Agency a letter of
complaint against the web *** URL.4, indicating in it that:

"He made an order on their website to obtain the environmental label of Madrid and they have not
answered or received nothing. That this company has scammed you and wants you to remove

They have all your data. That no one in the company can be contacted ”.

EIGHTH: On 08/16/20, claimant No. 8, sent this Agency a written statement of-
Announcement against the web *** URL.4, indicating in it that:

"He requested the processing of the European health card without knowing that said page was

a fraud and thinking it was an official body. That they did not carry out the procedure and
they do not return the money to him ”.

NINTH: On 09/18/20, claimant No. 9, sends this Agency a letter of
complaint against the web *** URL.4, indicating in it that:


"The web is supplanting the Ministry of Justice in terms of the dispatch service
of various certificates. That the person in charge is named XXXXXXXXX. That the content
do of the web simulates that of the Ministry. That they do not provide the service. Who requested the cance-
disclosure of your personal data without obtaining a response ”.


TENTH: In view of the facts presented in the claims and the information
provided in the documents presented, both by the claimants and by the entity
claimed, this Agency carried out, on 10/30/20, the following verifications-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/18








on the privacy policy and the cookie policy on the web pages denounced
ciated:


A) .- Regarding the web page *** URL.1, the following aspects were verified:

a) .- On the home page of this website, through the link << request a European health card-
ropea >>, the web redirects to a form where personal data can be collected
of users such as name, ID, telephone, email, affiliation number gives the security
corporate identity, domicile, etc.


b) .- On said page there is a banner, at the bottom of it with the following
information text:

“*** URL.1 does not sell any product directly, it is a consistent service

to facilitate the user in obtaining the services offered on the web. Pro-
final pipeline is the document or documents that are requested through this website, which
They can also be obtained by the user directly by going to the organizations
nisms of the corresponding state, autonomous or local administration and in a manner
free or in some cases paying a public rate or price. Administrations
public institutions offer citizens different ways of relating to it, presenting

cial, postal, telematic (with or without digital certificate, through username and password)
ña or by phone). The user can choose any of them, but for this he must
have the necessary knowledge, free time to move if you want
do it in person, do the management at the required time if you want to do it by phone
phone and appropriate tools (such as computer equipment equipped with

do with the applications and necessary configuration). You can also use the services
cios of an administrative management professional. *** URL.1 is a private entity and
independent of any body, limiting itself to acting as facilitator of management
administrative purposes, such as administrative agency. We specify the expenses of
management for the service offered on this website: European Health Card (€ 59 tax

included). *** URL.1 carries out all the procedures by qualified experts, administrative managers
collegiate tratives. XXXXXXXXX is a trademark of certified procedures on-
line, all previous and subsequent communications will be made from the domain
*** DOMAIN.1- According to article 1 of the current Organic Statute of the Profession of
Administrative Manager: "Administrative managers are professionals who, without prejudice to
cio of the power to act by means of representation that to the interested parties or

In accordance with article 24 of the Law of Administrative Procedure, they dedicate themselves
monthly and with such character of professionalism and perception of fees to promote,
request and carry out all kinds of procedures that do not require the application of the technique
reserved to the legal profession, relating to those matters that in the interest of the
natural or legal laws, and at their request, are followed before any organ of the

Public Administration, informing its clients of the status and vicissitudes of the procedure
ment by which they are developed ". More information here: *** ADDRESS.1

c) .- Through the link, << Legal Notice >>, existing at the bottom of the page
main, the web redirects to a new page: *** URL.5, which provides information,

on the identification data of the owner of the same.

d) .- Through the link << Privacy Policy >>, existing at the bottom of the
main page, the web redirects to a new page, whose address is: *** URL.6, which

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/18








provides information about, the personal data that is collected; on
how this personal data is obtained; about the purpose of data processing;
on the legal basis for the processing of personal data; on the terms or criteria

data retention rivers; Automated decisions and the elaboration of
profiles; the recipients; on the exercise of users' rights over the
processing of personal data and the possibility of contacting the
AEPD;

e) .- The "Cookies Policy" of the web, has the following characteristics:


.- When entering the home page of the web, *** URL.1 (first layer) and, without accepting
cookies or perform any action on the web, it has been verified that they are used
non-necessary cookies: XXXXXXXXX


.- There is a banner at the bottom of it with the following information:

    "This Website uses its own and third-party cookies, in order to access and use your
    information for the purposes indicated below. To accept its use
    you can click the button I accept all cookies. If you do not agree
    With some of these, you will be able to customize your options through this panel. No-

    us and the companies that collaborate with us, we will use your information obtained
    nested through cookies. To know the collaborating companies that incorporate
    For your cookies on our website, you can access through the view button
    our partners. You can configure your preferences and / or revoke cookies by se-
    stopped for each of the mentioned partners. Additional information: access

    to our Cookies Policy ”.

    The user allows the use of cookies for the following purposes:

    Storage and access to information <<Reject>> <<Accept>>

    Measurement <<Reject>> <<OK>>
    Personalization <<Reject>> <<Accept>>
    Personalization <<Reject>> <<Accept>>
    Selection, submission, content report <<Reject>> <<Accept>>

                 << REJECT ALL >> << ACCEPT ALL >>


.- If any of the <<reject>> buttons of any group of cookies or
you want to reject all cookies, there is no evidence of any reaction on the part
of the web page, appearing a new banner with the message: “Attention: the use of
this website is limited by the acceptance of cookies used to improve the

quality of service to our users. The non-acceptance of these supposes the disqualification
tion of this website ”. << Accept Cookies and Continue Browsing >>

.- From here on, it is not allowed to continue browsing if all cookies are not accepted,
therefore, it is mandatory to accept all cookies if you want to continue browsing no

allowing the option of rejecting them, without groups or all at once. Once accepted
All cookies, the web allows you to browse the page,



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/18








.- Through the link, << Cookies-Policy >>, existing at the bottom of the page.
main page, the web redirects to a new page, *** URL.7, where information is provided
training on applicable legislation; what are cookies; or the types of cookies

existing, but no information is provided about the cookies used by the page
web, nor the time they remain active in the terminal equipment. There is also no
mechanism that allows rejecting all cookies in this second layer. On
how the elimination of cookies can be managed, the page refers the user to
configure the browser installed on your terminal equipment.


B) .- Regarding the web page *** URL.2

a) .- On the home page, through the link, << obtain your documentation of crimes
criminal online >> or through the link, << obtain your documentation of sexual crimes-
them online >>, the web redirects to a form where personal data of the

users such as name, DNI, number. phone, email, no. of affiliation to the se-
social security or domicile.

b) .- On said page there is a banner, at the bottom, with the following text:

“Www.registrocivilpenales.com does not sell any product directly, rather it is a

service consisting of facilitating the user in obtaining the services offered
cen on the web. The final product is the document or documents that are requested by
through this website, which can also be obtained by the user directly
going to the corresponding state, regional or local administration bodies.
clients and free of charge or in some cases by paying a public fee or price.

co. Public administrations offer citizens different forms of rela-
contact her (in person, by post, telematics, ...). The user can choose any-
you want them, but for this you must have the necessary knowledge, the
free time to move and do the management at the required time and the tools
adequate tools (digital certificate or electronic signature, computer equipment equipped

with the applications and necessary configuration,…). You can also use the services
cios of an administrative management professional. XXXXXXXXX is a private entity
independent of any official body, limiting itself to acting as facilitators.
dor of administrative procedures as administrative agency. We specify the
management expenses for the service offered on this website: Criminal Offenses Documentation
(€ 49 taxes included) Documentation Of Sexual Crimes (€ 49 taxes)

cough included) being able to select the type of shipment desired. civilpenales.com
carries out all the procedures by qualified experts, collegiate administrative managers.
Registrocivilpenal.com is a trademark of Registrocivilpenal.com, all
Previous and subsequent communications will be made from the domain Registrocivilpe-
nal.com According to article 1 of the current Organic Statute of the Management Profession

Administrative: "Administrative Managers are professionals who, without prejudice to the
power to act through representation conferred on the interested parties by the article
Article 24 of the Administrative Procedure Law, are engaged in a habitual way and with
such character of professionalism and perception of fees to be promoted, requested and carried out
perform all kinds of procedures that do not require the application of the reserved legal technique.

gives to the legal profession, related to those matters that are in the interest of natural persons or
legal, and at their request, are followed before any body of the Public Administration
public, informing their clients of the status and vicissitudes of the procedure by which
are developed ”More information here: XXXXXXXXX.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/18









c) .- Through the link << Legal Notice >>, existing at the bottom of the page
main page, you are redirected to a new page, *** URL.8, which provides information about

Read the Identifying data of the owner of the same.

d) .- Through the link, << Privacy Policy >>, existing at the bottom of the
main page, the web redirects to the page *** URL.9, where information is provided
information on the person responsible for the page; the terms or criteria of conservation of the
data, automated decisions and profiling, recipients; the no

international data transfer, user rights and the possibility of
file a claim with the AEPD.

e) .- The "Cookies Policy" of the web, has the following characteristics:


.- When entering the web and, without accepting cookies or taking any action on the web,
Cookies are loaded in the browser: _ga, _gid, associated with Google Analytics.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.


.- If there is a link, << Cookies Policy >>, at the bottom of the main page-
pal, which redirects to the page, *** URL.10, where information is provided about, what
are cookies or what types of cookies does this website use (own: asp.net_Ses-
sionID and Google Analytics: _ga, _gat, _gid);


.- Regarding the consent to use cookies, the web refers to the configuration of the navigation-
gator installed in terminal equipment

C) .- Regarding the web page, *** URL.3


a) .- On the initial page of *** URL.3 through the "certificates" tab you can access
to various links, whose objective is to obtain official certificates such as birth certificates,
death, marriage, working life, criminal, etc. In each one, a formula is displayed
river where it is possible to obtain personal data of users such as the name
bre, the DNI, the telephone number, the email or the address.


b) .- On said main page there is a banner, at the bottom of it with the
following text:

“*** URL.3 does not sell any product directly, it is a consistent service
to facilitate the user in obtaining the services offered on the web. Pro-

final pipeline is the document or documents that are requested through this website, which
They can also be obtained by the user directly by going to the organizations
nisms of the corresponding state, autonomous or local administration and in a manner
free or in some cases paying a public rate or price. Administrations
public institutions offer citizens different ways of relating to it (present-

cial, by post, telematics, ...). The user can choose any of them, but to
This must have the necessary knowledge, free time to move-
and do the management on the required schedule and with the appropriate tools (certifi-
digital data or electronic signature, computer equipment equipped with the applications and

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/18








necessary configuration,…). You can also use the services of a professional
of administrative management. *** URL.3 is a private entity independent of any-
any official body limiting itself to acting as facilitator of administrative

You go as an administrative agency. We specify the management costs for each
service offered on the web: European Health Card (€ 59 including taxes), Certi-
Certificate of Labor Life (€ 29 plus taxes), Certificate of Criminal Offenses (tax
included), Birth Certificate (€ 30 taxes included), Birth Certificate
trimony (€ 40 taxes included), Registration Certificate (€ 29 taxes
included), Certificate of Last Wills (€ 40 taxes included), Certificate of

Death (€ 40 including taxes). Additionally, in some documents, the
user will be able to select the number of certificates they wish to obtain, they will be able to select
cing if you want to apostille the documentation, legalize in Maec or Perform a translation
Sworn statement. Each of these additional services has a management cost due-
mind specified on the web at the time prior to hiring. At the cost of management

tion, shipping costs must be added based on the selected rate and the
corresponding taxes *** URL.3 carries out all the procedures by qualified experts,
collegiate administrative managers. According to article 1 of the current Organic Statute
of the Administrative Manager Profession: “Administrative Managers are professionals
nal that, without prejudice to the power to act through representation that the
interested parties confers article 24 of the Administrative Procedure Law, it is dedicated to

can regularly and with such a character of professionalism and collection of fees
to promote, request and carry out all kinds of procedures that do not require the application of
the legal technique reserved for the legal profession, relating to those matters that are in the interest of
of natural or legal persons, and at their request, are followed before any body
of the Public Administration, informing its clients of the status and vicissitudes of the

procedure by which they are developed "More information here: *** ADDRESS.1"

c) .- Through the link, << Legal Notice >>, existing at the bottom of the page
main, the web redirects to a new page, *** URL.11, which provides information,
about the owner this: CANARYCLICK CONSULTING SL, B76323666 and domiciled at

*** ADDRESS. 2.

d) .- Through the link, << Privacy Policy >>, existing at the bottom of the
main page, the web redirects to a new page whose address is: *** URL.12, which
provides information about the identification of the person responsible for the page; the pla-
zos or criteria for data conservation; automated and elaborate decisions

tion of profiles, the purposes of the treatment, the legal basis; the recipients of the
data; the non-international transfer of data; the rights of users and the
ability to file a claim with the AEPD.

e) .- On the "Cookies Policy", when entering the home page of the website (first

mere layer), the following aspects are checked:

.- When entering the web and, without accepting cookies or taking any action on the web,
use non-necessary cookies: XXXXXXXXX.


.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/18








.- If there is, on the contrary, a link to the << Cookies Policy >>, at the bottom
of the main page that redirects to the page, *** URL.13, where information is provided
information about what cookies are or what types of cookies this website uses and why

how long they are used, (own: asp.net_SessionID and Google Analytics: _ga, _gat,
_gid).

.- On how to block, revoke or eliminate the cookies used, the page refers to the
browser configuration installed on the terminal equipment.


D) .- Regarding the web page, *** URL.4

a) .- On the home page of the web, through the tabs << request online >>, you ac-
gives to various links to obtain official certificates of birth, death,
tion, marriage, working life, criminal…. In each of these links, a

form, where personal data of the users are collected, such as the name, the
DNI, telephone number, email, social security affiliation number, etc.

b) .- On said page there is a banner, at the bottom of it with the following
text:


"This website belongs to a Private Company belonging to an Admi-
nistrative that helps the user in obtaining the services offered in the
itself, without the need to travel in most cases and facilitating
price and procedures to obtain it


Request information through *** URL.4 does not require any software installed
additional for access to any of the services offered on this website
*** URL.4 does not sell any product directly, it is a consistent service
to facilitate the user in obtaining the services offered.


The final product is the document or documents that are requested through this website,
that can also be obtained by the user directly by going to the
corresponding state, regional or local administration bodies and in the form of
ma free or in some cases paying a public rate or price.

Public administrations offer citizens different ways of relating to

be with her (in person, by post, telematics, ...). User can choose any
of them, but for this you must have the necessary knowledge, the time
free to move and do the management at the required time and tools
adequate (digital certificate or electronic signature, computer equipment equipped with the
applications and necessary configuration,…). You can also use the services of

an administrative management professional. *** URL.4 is a private and independent entity
pending of any official body limiting itself to acting as facilitator of
administrative tasks such as administrative agency.

We specify the management costs for each service offered on the web: Card

European Healthcare (€ 59 taxes included), Work Life Certificate (€ 29 plus tax)
positions), Certificate of Criminal Offenses (taxes included), Certificate of Birth
payment (€ 30 taxes included), Marriage Certificate (€ 40 taxes included),
Registration Certificate (€ 29 taxes included), Certificate of Last Voices

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/18








Councils (€ 89 taxes included), Death Certificate (€ 40 taxes included)
two). Additionally, in some documents, the user may select the number
of certificates you want to obtain, you can select if you want to apostille the

tion, legalize in Maec or Make a sworn translation. Each of these services
additional services have a management cost duly specified on the web at the time
ment prior to hiring. To the management cost, the expenses of
shipping based on the selected rate and the corresponding taxes *** URL.4
carries out all the procedures by qualified experts, collegiate administrative managers.
According to article 1 of the current Organic Statute of the Profession of Administrative Manager

trative: “The Administrative Managers are professionals who, without prejudice to the
tad to act through representation conferred on the interested parties by article 24
of the Administrative Procedure Law, are engaged in a habitual way and with such quality
character of professionalism and perception of fees to promote, request and carry out
all kinds of procedures that do not require the application of the legal technique reserved for

the legal profession, related to those matters that in the interest of natural or legal persons
cases, and at their request, are followed before any organ of the Public Administration,
informing their clients of the status and vicissitudes of the procedure by which they
sarrollan ”More information here: *** ADDRESS.1.

c) .- Through the link, << Legal Notice >>, existing at the bottom of the page

main, the web redirects to a new page, *** URL.14, which provides information,
About the owner of the page: *** ADDRESS. 1.

d) .- Through the link << Privacy Policy >>, existing at the bottom of the
main page, the web redirects to a new page whose address is: *** URL.15,

that provides information about the purposes of the processing of personal data
final, the legal basis of the treatment; about consent; the purposes; the ne-
gativa; on the terms or criteria for data retention; self-decisions
nuances and profiling, recipients, non-international transfer,
nal of the data, the rights of the users and the possibility of filing a claim

before the AEPD.

e) .- On the "Cookies Policy", when entering the home page of the website (first
mere layer), the following aspects are checked

.- When entering the web and, without accepting cookies or taking any action on the web,

check that they use non-necessary cookies: MUID, _uetsid,

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.


.- If there is, on the contrary, a link to the << Cookies Policy >>, at the bottom
of the main page that redirects to the page, *** URL.16, where information is provided
information about: what are cookies or what types of cookies does the website use:
pias (asp.net_SessionID) and third parties (Google Analytics: _ga, _gat, _gid).


.- Regarding the management of cookies, the web refers to the configuration of the browser ins-
felled in terminal equipment.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/18








ELEVENTH: In view of the events denounced, the Director of the Spanish Agency
that of Data Protection, dated 11/03/20, agreed to initiate a sanctioning procedure.
dor to the claimed entity, by virtue of the powers established, for non-compliance

of what is stipulated in the articles:

.- Warning, for the violation of article 7) of the RGPD, regarding the collection of the
consent of the clients for the treatment of their personal data when di-
This treatment is for purposes other than the execution of the contract.


.- 8,000 euros (eight thousand euros), for the violation of article 22.2) of the LSSI, regarding
of the "Cookies Policy" on the web pages of its ownership, *** URL.1; *** URL.2;
*** URL.3 and *** URL.4

TWELFTH: The initiation agreement has been notified to the claimed person, it has not been received

in this Agency, no brief of allegations at the initiation of the file, in the
riodo granted for this purpose.
                                  PROVEN FACTS

A) .- On the consent given by the users of the website *** URL.1:
        In the "Privacy Policy" of the reported website, *** URL.6, it is indicated that:

        “The personal data that is collected is strictly necessary.
        years for (…) as necessary for sending newsletters
        and own commercial offers ”. Also, in the section that informs about the
        purpose of the treatment it is indicated that: “We will treat your personal data
        nal provided through our web forms for “(…) the sending of co-

        commercial communications relating to the goods or services that make up
        our activity, and / or news or bulletins related to our sector ”.
B) .- About the "Cookies Policy" of the complaint web pages:

        - Regarding the web, *** URL.1:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- Although there is the option to reject all cookies on the initial page or even
the option to manage cookies in a granular way, if the user performs this action
It is not known that the web executes it because the same banner appears again with the option
tion, << Accept Cookies and Continue Browsing >> and does not allow to continue browsing if not

All cookies are accepted, so everything indicates that the option to reject
cookies or manage them in a granular way is not activated.

.- In the second layer (Cookies Policy), information is provided on the legislation
applicable ratio; what are cookies; or the types of cookies that exist, but are not
provides information on the cookies used by the website, or the time that
remain active. On how you can manage the elimination of cookies, the
page refers the user to configure the browser installed on their terminal equipment.

    - Regarding the web, *** URL.2:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/18








.- There is a link to the "Cookies Policy", where information is provided on,
what cookies are or what types of cookies this website uses, but there is no
mechanism that allows rejecting all cookies on this page. On how to

can manage the elimination of cookies, the page refers the user to configure
the browser installed on your terminal equipment.
    - Regarding the web, *** URL.3:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.

.- There is a link to the "Cookies Policy", where information is provided on,
what cookies are or what types of cookies this website uses, but there is no
mechanism that allows rejecting all cookies on this page. On how to

can manage the elimination of cookies, the page refers the user to configure
the browser installed on your terminal equipment.

    - Regarding the web, *** URL.4:
.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.

.- There is a link to the "Cookies Policy", where information is provided on,
what cookies are or what types of cookies this website uses, but there is no

mechanism that allows rejecting all cookies on this page. On how to
can manage the elimination of cookies, the page refers the user to configure
the browser installed on your terminal equipment.

                             FOUNDATIONS OF LAW
                                              I

                                       Competence:

    - About the Privacy Policy and consent:

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679, of the Parliament

Council and European Council, of 04/27/16, regarding the Protection of Natural Persons
Regarding the Processing of Personal Data and the Free Circulation of es-
The Data (RGPD) recognizes each Control Authority and, as established in the
arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD), the Director of the

Spanish Data Protection Agency is competent to resolve this procedure.
I lie.

    - About the Cookies Policy:

In accordance with the provisions of art. 43.1, second paragraph, of the Law

34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (LSSI), is competent to resolve this Penalty Procedure, the
Director of the Spanish Agency for Data Protection.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/18









                                              II
A) .- On the consent given by the users of the website, *** URL.1:


As indicated on the website, the purpose for which the data is processed is for management
to obtain the European Health Card or proceed with its renewal.

However, in its Privacy Policy, *** URL.6, it is indicated, among others, that: "
personal data that is collected is strictly necessary for the

sending newsletters and own commercial offers (…) ”. Later, it
continues to indicate: “(…) we will treat your personal data provided through
our web forms for sending commercial communications related to the
goods or services that make up our activity, and / or related news or bulletins
two with our sector (…) ”.


Article 6.1.b) of the RGPD, establishes that the processing of personal data will be
lawful if necessary for the performance of a contract in which the interested party is a party
tea. In this case, the processing of personal data by the person responsible
It will be lawful as long as the purpose for which they are used is related to obtaining
tion of the European Health Insurance Card.


For any other data processing, the person in charge must do so in a manner
lawful, in accordance with the provisions of article 6.1 of the RGPD, that is: “a) the interested party
gave your consent for the processing of your personal data for one or more
specific purposes; b) the treatment is necessary for the execution of a contract in the

that the interested party is part of or for the application at the request of this of measures
pre-contractual; c) the treatment is necessary for the fulfillment of a
legal obligation applicable to the person responsible for the treatment; d) treatment is necessary
to protect vital interests of the interested party or of another natural person; e) treatment
is necessary for the fulfillment of a mission carried out in the public interest or in the

exercise of public powers conferred on the data controller; f) the
treatment is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that such interests are not
the interests or fundamental rights and freedoms of the interested party prevail
that require the protection of personal data, in particular when the interested party
be a child.


If the controller chooses to base the lawfulness of the treatment on consent, (6.1.a),
It will only be lawful if the interested party gave their consent for the processing of their data
personal for each of the different purposes. It is not valid, therefore, to mark the
chair of acceptance of the privacy policy, consenting to it, in a generic way

ca, all the purposes of data processing.

For its part, article 7 of the RGPD indicates, regarding consent, that:

"one. When the treatment is based on the consent of the interested party, the person in charge

must be able to demonstrate that he consented to the processing of his personal data
endings. 2. If the consent of the interested party is given in the context of a declaration
written that also refers to other matters, the request for consent is
sit in such a way that it is clearly distinguishable from other matters, intelligently

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/18








gible and easily accessible and using clear and simple language. It will not be binding nin-
A part of the declaration that constitutes an infringement of these Regulations. 3. the
interested party will have the right to withdraw their consent at any time. The withdrawal

The consent given will not affect the legality of the treatment based on the consent.
prior to withdrawal. Before giving consent, the interested party will be informed
made of it. It will be as easy to withdraw consent as it is to give it. 4. When evaluating whether the
consent has been freely given, it shall be taken into account to the greatest possible extent
the fact whether, among other things, the performance of a contract, including the provision of
of a service, is subject to consent to the processing of personal data that

they are not necessary for the execution of said contract ”.

Likewise, article 6.2 of the LOPDGDD indicates, on the treatment based on the
feeling, that: “2. When it is intended to base the treatment of the data on the
sentiment of the affected person, for a plurality of purposes, it will be necessary to

specific and unequivocal way that said consent is granted for all of them.

Therefore, the known facts constitute an infringement, attributable to the claim.
mado, for violation of art. 7 of the aforementioned RGPD, when collecting the
users' sentiment, through a generic action for all purposes of the trade.
treatment of personal data.


For its part, article 72.1.c) of the LOPDGDD, considers very serious, for the purposes of
prescription, "Failure to comply with the requirements of article 7 of the RGPD".

This offense can be sanctioned with a fine of a maximum of € 20,000,000 or,

for a company, an amount equivalent to a maximum of 4% of the volume
total annual global business menu for the previous financial year, opting for the
higher amount, in accordance with article 83.5.b) of the RGPD.

However, Article 58.2) of the RGPD provides that: “Each supervisory authority dis-

will put all of the following corrective powers indicated below: b) san-
ting any person in charge or in charge of the treatment with warning when the
processing operations have infringed the provisions of this Regulation;
(…); i) impose an administrative fine in accordance with article 83, in addition or instead
of the measures mentioned in this section, according to the circumstances of
each particular case, therefore, the corresponding sanction would be a warning

proceedings, without prejudice to what results from the instruction of this file, since
In this case, it has not been verified that the claimed entity has sent
communications unrelated to the end of the contract.

In accordance with these criteria, it is considered appropriate to impose a sanction on the claimed person

of "warning", for the violation of article 7 of the RGPD, on the website of your
ownership *** URL.1.

                                              II
B) .- About the "Cookies Policy" of the complaint web pages:

        - Regarding the web, *** URL.1:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/18








.- Although there is the option to reject all cookies on the initial page or even
the option to manage cookies in a granular way, if the user performs this action
It is not known that the web executes it because the same banner appears again with the option

tion, << Accept Cookies and Continue Browsing >> and does not allow to continue browsing if not
All cookies are accepted, so everything indicates that the option to reject
cookies or manage them in a granular way is not activated.

.- In the second layer (Cookies Policy), information is provided on the legislation
applicable ratio; what are cookies; or the types of cookies that exist, but are not
provides information on the cookies used by the website, or the time that
remain active. On how you can manage the elimination of cookies, the
page refers the user to configure the browser installed on their terminal equipment.

    - Regarding the web, *** URL.2:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.

.- There is a link to the "Cookies Policy", where information is provided on,
what cookies are or what types of cookies this website uses, but there is no
mechanism that allows rejecting all cookies on this page. On how to
can manage the elimination of cookies, the page refers the user to configure
the browser installed on your terminal equipment.

    - Regarding the web, *** URL.3:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.

.- There is a link to the "Cookies Policy", where information is provided on,
what cookies are or what types of cookies this website uses, but there is no
mechanism that allows rejecting all cookies on this page. On how to
can manage the elimination of cookies, the page refers the user to configure

the browser installed on your terminal equipment.
    - Regarding the web, *** URL.4:

.- When accessing the main page of the web, it has been possible to verify that they are used
cookies not necessary, without taking any previous action.

.- There is NO banner on the main page of the web that informs about the use of
zation of cookies.

.- There is a link to the "Cookies Policy", where information is provided on,
what cookies are or what types of cookies this website uses, but there is no
mechanism that allows rejecting all cookies on this page. On how to

can manage the elimination of cookies, the page refers the user to configure
the browser installed on your terminal equipment.

The facts presented could suppose on the part of the claimed entity the commission
of the violation of article 22.2 of the LSSI, according to which:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/18









“Service providers may use storage and retrieval devices
ration of data in terminal equipment of recipients, provided that the same

We have given their consent after information has been provided to them
clear and complete on its use, in particular, on the purposes of the treatment of
the data, in accordance with the provisions of Organic Law 15/1999, of December 13,
protection of personal data.

When technically possible and effective, the consent of the recipient to

accept the data processing may be facilitated by using the parameters
from the browser or other applications.

The foregoing will not prevent possible storage or access of a technical nature to only
in order to carry out the transmission of a communication over a communication network

electronic devices or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the recipient.
River".

This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and recovery devices

when the information had not been provided or the consent of the recipient had not been obtained.
natario of the service in the terms required by article 22.2. ”, which may be sanctioned
nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.

After the evidence obtained in the preliminary investigation phase, and without prejudice to

Whatever results from the instruction, it is considered that the sanction should be
ner in accordance with the following aggravating criteria, established in art. 40 of the
LSSI:

    - The existence of intentionality, an expression that must be interpreted as equi-

        value to degree of guilt according to the Judgment of the Hearing
        National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to
        the entity denounced the determination of a system for obtaining consent
        informed service that conforms to the mandate of the LSSI.

    - Period of time during which the offense has been committed, as it is the first

        mere claim of April 2019, (section b).

Based on these criteria, it is deemed appropriate to impose on the claimed entity
a penalty of:


    - 2,000 euros (two thousand euros), for the violation of article 22.2 of the LSSI, res-
        pect of the cookie policy carried out on the website *** URL.1, of its title
        larity.

    - 2,000 euros (two thousand euros), for the violation of article 22.2 of the LSSI, res-

        pect of the cookie policy carried out on the website *** URL.2, of its title
        larity



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/18








    - 2,000 euros (two thousand euros), for the violation of article 22.2 of the LSSI, res-
        pect of the cookies policy carried out on the website *** URL.3 of its title
        larity,


    - 2,000 euros (two thousand euros), for the violation of article 22.2 of the LSSI, res-
        pect of the cookie policy carried out on the website *** URL.4 of its title
        larity,

Therefore, the total sanction to be imposed, for infractions in the cookie policy in

the four web pages owned, would be 8,000 euros (eight thousand euros).

In view of the above, the following is issued:

                                        RESOLVES:


FIRST: IMPOSE the entity, CANARYCLICK CONSULTING SL with CIF .:
B76323666, owner of the web pages: *** URL.1; *** URL.2; *** URL.3 and *** URL.4:

    - A sanction of “warning”, for the infraction of article 7 of the RGPD, res-
        pect of the web page of its ownership *** URL.1, when collecting the

        consent of the users, through a generic action, for all
        purposes of the processing of personal data.

    - A penalty of 8,000 euros (eight thousand euros) for violation of article 22.2) of
        the LSSI, regarding the "Cookies Policy" on the owner's web pages.

        dad.

SECOND: REQUIRE: the entity CANARYCLICK CONSULTING SL., So that,
within a period of one month, counting from the notification of this resolution, adapt the page
website of its ownership, *** URL.1 as stipulated in article 6 of the RGPD and additionally

cuar, where appropriate, the cookie policies of its web pages as stipulated in the norm
valid policy of the LSSI.

THIRD: NOTIFY this resolution to the entity CANARYCLICK CONSUL-
TING SL and the claimant on the result of the claim.


Warn the sanctioned person that the sanction imposed must be effective once it is
executive this resolution, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad-
Public Ministries (LPACAP), within the voluntary payment period indicated in article
68 of the General Collection Regulation, approved by Royal Decree 939/2005,

of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-
Upon entering the restricted account No. ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A. or otherwise, it will be collected in the executive period.


Received the notification and once executive, if the date of execution is found
between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-
luntario will be until the 20th day of the following or immediately subsequent business month, and if


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/18








between the 16th and the last day of each month, both inclusive, the payment term

It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of December 30-
of fiscal, administrative and social order measures, this Resolution is

will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection Agency on the publication of its Resolutions.


Against this resolution, which puts an end to administrative proceedings, and in accordance with
established in articles 112 and 123 of the LPACAP, the interested parties may interpose
ner, optionally, appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly administrative contentious appeal before the

Contentious-administrative Chamber of the National Court, in accordance with the provisions
set out in article 25 and in section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
or two months from the day following the notification of this act, according to

the provisions of article 46.1 of the aforementioned legal text.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party

do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other records provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
trative within two months from the day following notification of this

resolution, would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection.












                                            ANNEX I
Claimants are identified by a number. This Annex provides personal data - name, surname and
NIF- of each claimant and the reference of the file opened by the AEPD to each of the claims
presented:



Claimant 1.- E / 06959/2019 M. OF HEALTH, CONSUMPTION AND SOCIAL WELFARE,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/18











Complainant 2.- E / 11744/2019 A.A.A. - *** NIE.1

Claimant 3.- E / 11798/2019 B.B.B. - *** NIF.1
Claimant 4.- E / 05495/2020 C.C.C. - *** NIF.2
Claimant 5.- E / 06303/2020 D.D.D. - *** NIF.3
Claimant 6.- E / 06305/2020 E.E.E. - *** NIF.4
Claimant 7.- E / 07018/2020 F.F.F. - *** NIF. 5
Claimant 8.- E / 07821/2020 G.G.G. - *** NIF.6

Claimant 9.- E / 07825/2020 H.H.H. - *** NIF.7









































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es