AEPD (Spain) - PS/00024/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 57: Line 57:
===Dispute===
===Dispute===


Does the installation of such cookies before obtaining consent constitute a violation of Article 22(2) LSSI, the Spanish Law implementing the e-Privacy Directive?
Does the installation of such cookies before obtaining consent constitute a violation of Article 22(2) [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 LSSI], the Spanish Law implementing the e-Privacy Directive?
===Holding===
===Holding===
The AEPD concluded that the installation of third-party non-necessary cookies before obtaining consent from the user constitutes a violation of the cookies regulation.
The AEPD concluded that the installation of third-party non-necessary cookies before obtaining consent from the user constitutes a violation of the cookies regulation.

Revision as of 14:39, 6 April 2021

AEPD - PS/00024/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 22(2) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 29.03.2021
Fine: 5000 EUR
Parties: ABANCA CORPORACIÓN BANCARIA, S.A.
National Case Number/Name: PS/00024/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined €5,000 (reduced to €3,000) Abanca Corporación Bancaria for using unnecessary cookies on their website before obtaining the consent of the user.

English Summary

Facts

The AEPD received a complaint regarding the installation of cookies by Abanca without consent. According to it, third-party cookies, namely Google and Weborama cookies, were installed even before the cookie banner appeared.

Dispute

Does the installation of such cookies before obtaining consent constitute a violation of Article 22(2) LSSI, the Spanish Law implementing the e-Privacy Directive?

Holding

The AEPD concluded that the installation of third-party non-necessary cookies before obtaining consent from the user constitutes a violation of the cookies regulation.

The AEPD imposed a fine on Abanca of €5,000, that was subsequently reduced to €3,000 due to the acknowledgement of responsibility and the early payment. Additionally, they ordered Abanca to implement the adequate modifications on their websites so they will not use cookies before obtaining consent from the user.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                            1/17










     Procedure No.: PS / 00024/2021


RESOLUTION R / 00230/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY

In the sanctioning procedure PS / 00024/2021, instructed by the Spanish Agency for

Data Protection to ABANCA CORPORACIÓN BANCARIA, S.A., after the complaint
submitted by A.A.A., and based on the following,

                                 BACKGROUND

FIRST: On March 5, 2021, the Director of the Spanish Agency for

Data Protection agreed to initiate a sanctioning procedure against ABANCA
CORPORACIÓN BANCARIA, S.A. (hereinafter, the claimed), through the Agreement
which is transcribed:

<<

Procedure No.: PS / 00024/2021
935-240719
           AGREEMENT TO START THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Agency for Data Protection before
the entity, ABANCA CORPORACIÓN BANCARIA, S.A. with CIF .: A70302039, holder of
the website, *** URL.1, (hereinafter, “the claimed entity”), by virtue of the

claim submitted by D.A.A.A. (hereinafter, "the claimant"), for
alleged violation of data protection regulations, and taking into account the
following:
                                     FACTS


FIRST: On 08/21/20, the claimant sent this Agency a written statement of
claim, indicating, among others, the following:

"When accessing the web, it generates a series of cookies, before even being accepted in the
banner that appears for this purpose, among them are third-party cookies
like "Youtube", "Google" and even "*** URL.2". In this sense, it should be noted that

any user does not have the "real" option not to be tracked by third parties since the
web loads them at the same time as the warning ”.

SECOND: In view of the facts presented in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded

to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of the Regulation
(EU) 2016/679 (RGPD). Thus, dated 10/20/20, an informative request is addressed to
the claimed entity.


THIRD: On 11/20/20, the claimed entity submitted a written reply
upon request, in which it indicated, among others, the following:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/17








“The claimant states that on the web *** URL.1, it would not be obtaining the
User consent for the installation of cookies not strictly necessary
since these appear installed by default, not giving the option to oppose their

installation.

However, and in order to clarify the facts that could have motivated the
claim to which this request for information refers, has been made
a review and analysis of the operation of the consent management system
of cookies that the Entity has implemented on its website. On the occasion of this work

review and analysis, it has been verified that the operation of the aforementioned
management of cookie consents conforms to the provisions of current regulations
and, in particular, to the provisions of Regulation (EU) 2016/679 of the European Parliament
and of the Council, of April 27, 2016, regarding the protection of natural persons
with regard to the processing of personal data and the free circulation of these

data and repealing Directive 95/46 / CE (hereinafter, “General Regulation
of data protection "or" RGPD "); in Law 34/2002, of July 11, on services of
the information society and electronic commerce (hereinafter, "LSSI"); on the
Organic Law 3/2018, of December 5, on Data Protection and Guarantee of
Digital Rights (hereinafter, "LOPDGDD"); as well as in the Guides on the Use of
Cookies published by the AEPD (hereinafter, "the Guide" or "Cookie Guide").


In relation to the operation of the cookies that ABANCA has implemented in
the Website, it must be based on the fact that, prior to obtaining the
consent from the affected party, they are only downloaded to the device at
through which the user connects to the Web, those cookies that have been

cataloged as "technical" or strictly necessary by ABANCA allowing,
in addition, the management of consents through a configuration panel
clearly visible, either from the first layer of information (that is, through the
cookie banner that appears when the user connects to the Website).


In this sense, see Annex I attached to this writing, where the content of the
banner or "Cookie Notice"), either from the second layer (Cookies Policy.
In this sense, see Annex II attached to this document, where reference is made to the
location of the Cookies Policy on the Website). For these purposes, it is not idle
Remember that, as this Agency has been maintaining in section 2.1.2 of
the Cookie Guide published in July 2020, cookies classified as

"Technical" are exempt from compliance with the obligations of article 22.2 of the
LSSI provided that they are used to provide the service requested by the user. In
In this sense, as identified in the Cookies Policy of the Website, the
"Technical" cookies are those that allow browsing the Web, being
necessary and essential for it to work properly. The description

Detailed information on "technical" cookies is included in the "Configuration of
cookies ”, accessible at the bottom of the banner, in which it is determined that: These
Cookies are necessary for the Website to function correctly, so it is not
can be disabled in our systems. They are only configured in response to
actions you take when requesting services, such as setting your preferences for

privacy, login or fill out forms. You can configure your browser
to block or alert about these cookies, but some areas of the Website do not
they will work.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/17








These cookies do not store any personally identifiable information.
Likewise, the user of the Website is informed that technical cookies are not
they can deactivate from our systems, including a label of "Always active"

in the "Cookie Settings" console. This statement is reinforced by what
provided in the section "Your privacy" (see, in this regard, Annex III and Annex IV
attached to this writing), included within the privacy preference center
-also within the "Cookie Settings" console -, which indicates what
next: Pressing the "Save configuration" button will save the selection of
cookies you have made. If you have not activated any option, press this button

will be equivalent to rejecting all cookies, except for technical ones.

With the aim of offering the user clear, complete and transparent information about
the use of technical cookies used by the Web, after the descriptive text of the
A list of the cookies that comprise this category is provided.

by clicking on "Cookies used". Accessing this tab shows a list
comprehensive list of cookies in which the Web user can view all the
information about each cookie and, in particular, the name of the cookie, host,
duration, type, category and description (see, for these purposes, Annex V attached).

In relation to the other types of cookies used by the Website (this

is; analysis cookies, personalization cookies and advertising cookies), in the
"Cookie Configuration" console offers a description of each group of
cookies and their purposes (see in this sense, Annex VI attached to this document), as well
as an enumeration of the cookies used in each of the
corresponding groups establishing, consequently, the same structure that

for technical cookies. In addition, a more succinct definition of
each group of cookies.

Unlike technical or strictly necessary cookies, the operation of
the cookies included in any of the three groups of cookies identified in the

The previous paragraph responds to the preferences of the user of the Website. In this way,
it is in the interest of this party to show that, in accordance with the guidelines
of this Agency, there are no pre-marked boxes and the aforementioned cookies are not
downloaded until there is a clear affirmative action by the user of the Site
Web; action consisting of expressly marking the box (es) corresponding to
each group of cookies and saving the settings made according to their

preferences.

Additionally, although the Web user consents at a certain time
the download of any types of cookies mentioned, you are also offered the
possibility of eliminating them from the device through which you connect to the Website (at

except for the aforementioned technical cookies to which we have referred above).
And this because it allows, permanently to the user of the Web access to the
configuration system through the Cookies Policy, in the section "What
Are there types of cookies and which ones do we use? ”, in which an access button is incorporated
Directly to the cookie configuration panel.


In the aforementioned section, the Web user is again informed that, if they save the
cookie settings without having taken any action or activated any option,
will be equivalent to rejecting all cookies (with the exception of technical cookies that,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/17








as we say, they are always active by default). Finally, also in
the sections "How to view cookies?" and "How to delete cookies?",
included in the Cookies Policy, Web users are informed that they can

search and view the cookies installed on your device, as well as the possibility
to delete and block the cookies stored through the settings and
browser settings they have installed.

In conclusion, of all the above, and for justification purposes, it is incorporated, as
Annex VII attached to this document, evidence of the exclusive download of cookies

techniques prior to obtaining consent, as well as the
operation of the other cookies on the Website depending on the selection
made by the user of the Web according to their preferences.

In July 2019, the Cookies Policy was updated, incorporating the

forecasts that, based on the provisions of current regulations, resulted
necessary, that is to say: ● Identification of the person in charge of the Web; ● Purposes of the
cookies, identifying between the use of own and third party cookies; ● Definition
of cookies; ● Cookies used by the Website; ● Identification of who uses
cookies, in particular, from third parties; ● How to view cookies
downloaded in the browser, as well as the way in which the users of the Website

they can eliminate them; ● Actions that the user of the Web could exercise: accept the
cookies or manage your preferences to accept only some typologies or, by the
otherwise, reject them all.

Subsequently, and on the occasion of the publication by the Agency of the Cookie Guide

In November 2019, the aforementioned Cookie Policy was
again subject to review and update by this part. To comply with
the new guidelines contained in the aforementioned Guide, with special attention to
reinforce the duty of information to users of the Web, among other issues of
less relevance, the following was incorporated into the Cookies Policy: i) indication of the term of

conservation of data associated with the configuration of cookies accepted by
the user of the Website; and, ii) a direct link to the ABANCA Privacy Policy
so that users can obtain detailed information about their privacy.
Finally, on the occasion of the recent publication by the Agency of the update
of the Cookie Guide in July 2020, we have carried out a new analysis and
Review of the Web Cookies Policy. As a result of the aforementioned analysis, it was agreed

a line of action aimed at updating said Cookies Policy to: ●
Inform of the possible update of the Cookies Policy due to requirements
legislative, instructions to the Control Authority or variation of the operation of
cookies used by the Website; ● Incorporate a brief description of the types
of existing cookies; ● Strengthen the information addressed to Web users

in relation to the way of managing your consents, as well as informing of the
possibility of visualizing the different types of cookies through the panel
"Cookie settings"; ● Inform web users that if they save the
cookie configuration without having selected any box, said action
It will be equivalent to rejecting all cookies on the Website; and ● Reinforce, for the purposes of

transparency and clarity, the information provided to users of the Web in relation to
with the use of third-party cookies and, in particular, on the possibility of carrying out
international data transfers by them.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/17








In view of the foregoing, it can be concluded that, both the Cookies Policy in force in the
Web at the time of the claim that concerns us, such as the current one
Cookies Policy (accessible at *** URL.3) conform to the provisions of the regulations

valid. In particular, on the occasion of this latest revision, the user of
the Web, in a concise, transparent and intelligible way, the following information and
functionalities: a) Identification of the person in charge of the Web. b) Definition and function
generic cookies. c) Typology of cookies used on the Website. d)
Direct access button to the consent management console for the
cookie download. e) Identification of who uses cookies. In this section

specify the third parties that provide services to ABANCA, incorporating information
about the purposes of the cookies used by them, the possibility of making
international data transfers and links to information are also included
specific offered by each of the third parties about their cookies. f) Form of
view the cookies installed in the browser and the possibility of restricting them,

block or delete them. g) Period of conservation of the data generated by the
use of cookies. h) How to accept, deny or revoke consent in
regarding the use of cookies. i) Referral to the Privacy Policy (through
a direct and easily accessible link) in relation to the other information
required in article 13 of the RGPD.


These supporting documents include, as Annex VIII attached to this document, the
Cookies Policy in force on the Website at present.

ABANCA has been carrying out different actions to adapt to the regulations
in force in relation to the management of cookies on the Web and, in particular, the Guide

on the Use of Cookies by the AEPD published in November 2019 and
updated in July of this year 2020. Thus things, and in order to give
compliance with the obligation imposed in article 22.2 LSSI, consisting of the
necessary to obtain the prior, express and informed consent of the user of the
website so that cookies can be used, it was implemented in the

Website a consent management platform that allows the Entity
carry out the necessary developments and configurations so that the management of cookies from
The Web complies with the requirements established by the regulations and, especially, allows
users to manage in an easy and accessible way their preferences in relation to
the use of cookies at any time. As reported in the banner on the
home page of the Web, users can configure or reject cookies from

according to your preferences simply by “clicking” on the “Settings” button
Cookies ”. Carrying out this action displays a configuration panel in the
that the user can view the different types of cookies used by the
Website and activate or deactivate its download according to your preferences (to this
panel can also be accessed through the Cookies Policy by pressing the button

of "Cookie Settings" included in the section "What types of cookies are there and
which ones do we use? ”). In this way, it is guaranteed that the downloading of the cookies that
require the prior consent of the user of the Web is not installed on your
terminal until its acceptance, specifically, through the
cookie management console.


The decision taken regarding this claim As set out in
the FIRST section of this document, on the occasion of the notification received,
has carried out a review and analysis of the consent management system of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/17








cookies that the Entity has implemented on its website, concluding that the aforementioned
system conforms to the provisions of current regulations. Due to the above, I do not know
has considered it necessary to adopt any decision and / or take actions

additional information regarding the claim filed with this Agency whenever
The Cookies Policy approved by this Entity has been and is in accordance with the regulations
that is applicable at all times, in addition to complying with the guidelines and
requirements set forth in the different Cookies Guide published by the AEPD. By
All the above, I REQUEST that, considering this writing presented in time and
form, together with the accompanying documents, the

information request (Ref. E / 08020/2020) made to ABANCA, without prejudice
to remain at the disposal of the AEPD to provide documentation and / or information
complementary that this Agency may deem appropriate "

FOURTH: On 01/20/21, by the Director of the Spanish Agency for

Data Protection an agreement is issued for the admission of processing of the complaint
submitted by the claimant, in accordance with article 65 of the Organic Law
3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (LPDGDD), considering that the answer given by the person
claimed to this Agency in relation to the claimed facts does not prove its
submission to current legislation.


FIFTH: On the part of this Agency, on 02/28/21, checks are carried out
on the Cookies Policy on the website, *** URL.1 checking the
following features:
1.- When entering the initial page of the web, (first layer), without taking any action

on it and without rejecting cookies, it is verified that the following are used
Non-necessary third-party cookies:




    - IDE.- (*** URL.2). that allows Google to serve ads based on the
        visits that users make on their sites or on other Internet sites.




    - NID.- (*** URL.4), which allows showing Google ads in the services of
        Google to users who are not logged in.




    - 1P_JAR.- (*** URL.4), Cookie that transfers data to Google to make the
        more attractive advertising.




    - CONSENT.- (*** URL.4), Cookie acceptance function





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/17








    - AFFICHE_W.- (*** URL.5). contains the identifier of the terminal equipment to be
        installs during the first visit to one of the Weborama network sites.




2.- On the initial page, (first layer), a banner is displayed with the following

information about cookies:



  “ABANCA uses its own and third-party cookies both to improve your experience of

    user to show you commercial content tailored to your interests
 by analyzing your browsing habits. The only personal information that
We will collect your IP data associated with the configuration you make of the

  cookies. You can configure or reject cookies according to your preferences
                 by clicking on the "Cookie Settings" button.


      For more information, please, access our << cookie policy >>



                << Cookie Settings >> << Accept Cookies >>




3.- If you choose to access the << cookie settings >>, through the link

corresponding, the web redirects the user to a configuration panel where it appears
The next message:




"The web pages you visit can store or retrieve information from your
browser, mainly in the form of cookies. This information can be about you,
your preferences or your device and is mainly used to make the page

web works as expected. Generally, this information does not identify you
direct way, but it can give you a more personalized web experience. All
Cookies on this Website are disabled by default, except for cookies

techniques that, as we indicate in the corresponding section, are necessary and not
can be deactivated from our systems. You can configure your preferences in

relation with cookies by "clicking" on the different headings of each
category, as well as obtain more information about each category of cookies. Keep in
Note that, in case you do not activate some types of cookies, your experience of use

the Website may be affected and also the services that we can offer you.

By pressing the "Save configuration" button, the selection of cookies that

you have done. If you have not activated any option, pressing this button will be equivalent to
reject all cookies, except technical ones. << More information >>

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/17










Then a granular configuration panel appears where the web allows

manage cookies by groups, pre-marked in the "off" option:



    - Techniques  "always active"

    - Analysis  Off  ON


    - Personalization  Off  ON

    - Advertising  Off  ON




    - << Allow All >> << Save Configuration >>



If you choose to "save configuration" which, according to the message, is equivalent to "reject

all cookies ”, the website removes the initial banner and allows you to continue browsing the
page.




4.- On the "Cookies Policy" page, accessible through the link indicated in
the banner, or through the link at the bottom of the main page, the
web redirects to a new page *** URL.3, where information about

what cookies are and what they are used for; what information a cookie stores; what type
of cookies exist; The link to the configuration console of the
cookies; identifies third parties that use cookies through the web (Google

Analytics; Adobe Analytic and Adobe Target).



In order to view the cookies used by the website, it refers to the

information provided on the control panel.



    - On how to manage the use of cookies directly through the site

        web, it informs that:



We show information about our Cookies Policy the first time you access

to the Website. Given this information, you can perform the following actions:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/17










Accept cookies. You can accept the use of cookies, which will allow you to use

all the functionalities of the Website without restrictions. In this case, you will not
view this notice when accessing any page of the Website.




Modify the cookie settings. You can get more information about
what are cookies, what are the cookies used by the Website, know the

ABANCA Cookies Policy and modify the cookie settings to
adapt it to your preferences.




At any time you can manage your consents related to the
different types of cookies used by the Website by accessing the console
configuration, permanently available in the section What cookies

do we use? of this Cookies Policy.



SIXTH: In view of the facts denounced, in accordance with the evidence of

that is available, the Data Inspection of this Spanish Agency for the Protection of
Data considers the above, does not comply with current regulations, therefore

that the opening of this sanctioning procedure proceeds.


                            FOUNDATIONS OF LAW

                                             I

It is competent to initiate and resolve this Penalty Procedure, the Director of
the Spanish Agency for Data Protection, in accordance with the provisions of the
art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the
Information Society and Electronic Commerce (LSSI), is competent to initiate
and resolve this Penalty Procedure, the Director of the Spanish Agency for

Data Protection.
                                             II
In the present case, the claimant indicates that, when accessing the website *** URL.1, it
generates a series of cookies, before even being accepted in the banner that appears

For this purpose, among them are third-party cookies that are not necessary.

Information requested from the complainant on these aspects, it indicated, among others,
that, “(…) they are only downloaded to the device through which the user is
connects to the Web, those cookies that have been classified as "technical" or strictly

necessary by ABANCA allowing, in addition, the management of consents
through a clearly visible configuration panel, either from the first layer of
information (that is, through the cookie banner that appears when the user
connects to the Website) (…) ”.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/17









    - On the use of unnecessary cookies without the prior consent of the
        Username:


Technical cookies are those that allow the user to navigate through
a web page, platform or application and the use of the different options or
services that exist in it, including those that the publisher uses to allow the
management and operation of the website and enable its functions and services, such as, for
example, control traffic and data communication, identify the session, access

restricted access parts, remember the elements that make up an order, carry out
the process of purchasing an order, managing the payment, controlling fraud linked to
the security of the service, make the request for registration or participation in a
event, count visits for the purposes of billing licenses of the software with which
the service (website, platform or application) works, use security elements

while browsing, store content for broadcasting videos or sound,
enable dynamic content (for example, loading animation of a text or image)
or share content through social networks.

Also belong to this category, due to their technical nature, those cookies that
allow the management, in the most efficient way possible, of the advertising spaces that,

as one more element of design or "layout" of the service offered to the user, the
publisher has included in a web page, application or platform based on criteria
such as edited content, without the collection of information from users for purposes
different, such as personalizing that advertising content or other content.


Technical cookies will be exempt from compliance with the obligations
established in article 22.2 of the LSSI when they allow the service to be provided
requested by the user, as in the case of the cookies listed in the
previous paragraphs. However, if these cookies are also used for purposes
not exempt, they will be subject to said obligations.


In the present case, when entering the initial page of the indicated website, without performing
no action on it and without rejecting cookies, it is verified that
use non-necessary third-party cookies, such as:

    - “IDE”, whose domain is “*** URL.2” and that allows Google to publish ads

        based on the visits users make to their sites or other sites
        from Internet;
    - “NID”, whose domain is “*** URL.4”, which allows showing Google ads
        in Google services to users who are not logged in;
    - “1P_JAR”, whose domain belongs to “*** URL.4”, which transfers data to Google

        to make advertising more attractive to the user based on their
        preferences; or
    - "AFFICHE_W"; whose domain is "*** URL.5", which contains the identifier of the
        terminal equipment and is installed on the terminal equipment during the first visit to
        one of the Weborama web sites.

    - CONSENT.- (*** URL.4), Cookie acceptance function.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/17








In the cookie control panel "Cookie Settings", the web provides
information and identifies the cookies you use. In this case, about technical cookies

cas, the web informs that it uses the following:

"These cookies are necessary for the Website to function properly so
that cannot be deactivated in our systems. They are only configured in response to
the actions you take when requesting services, such as setting your preferences

privacy, log in or fill out forms. You can configure your browser
to block or alert about these cookies, but some areas of the Website do not
they will work. These cookies do not store any identifying information.
personal".


a) .- First Party Cookies:



    - ASP.NET_SessionId; JSESSIONID; OptanonAlertBoxClosed; ___XXXXX;

        ___XXXXX; entity; _dc_gtm_UA-xxxxxxxx; LSESSIONID; PHPSESSID;
        OptanonConsent; ___XXXXX; AB1Cookie; ABCookie; ___XXXXX;




b) .- Necessary cookies whose domain is "*** URL.1":



    - Remkt




c) .- Necessary cookies whose domain is "*** URL.6":




    - PHPSESSID; inbenta-iaf-jsonp



d) .- Necessary cookies whose domain is "*** URL.7":




    - LSESSIONID; ___XXXXX; ___XXXXX.




e) .- Necessary cookies whose domain is "cookielaw.org":



    - __cfduid

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/17










Regarding the advertising cookies used, the website indicates that it uses, among others, the following:
following:


"These cookies can include both standard advertising cookies and cookies
behavioral advertising. The first are those that allow the management
effective advertising space based on criteria such as edited content or
how often the ads are shown. The second are those
established through our Website by our advertising partners. Are
Cookies store information about your behavior on the Website obtained from

through the continuous observation of your browsing habits, which allows
develop a specific profile to show you personalized advertising based on
these. If you do not allow the use of these cookies, you will see less targeted advertising.

You can know the information of third-party advertising cookies by accessing
our Cookies Policy by “clicking” on “More information”.


a) .- Advertising cookie whose domain belongs to "*** URL.5":

Name AFFICHE_W
Guest *** URL.5
Duration 93 days

Type 3rd Party
Category Advertising Cookies
Description This domain is owned be Weborama, a France based online
                      advertising business (which translated into Spanish: “This domain
                      is owned by Weborama, an online advertising company

                      based in France ”).

b) .- Advertising cookies whose domain belongs to "*** URL.2":

IDE name
Guest *** URL.2

Duration 1 year
Type 3rd Party
Category Advertising cookies
Description This domain is owned by Doubleclick (Google). The main
                      business activity is: Doubleclick is Googles real time bidding
                      advertising exchange (which translated into Spanish: “This domain

                      is owned by Doubleclick (Google). The main activity
                      commercial is: Doubleclick is the advertising exchange of offers
                      in real time from Google ”.

It should be noted that the website does not identify in any of the groups of cookies that it uses.
za, the cookies detected when accessing the initial page, whose domain belongs to

"Goolge.com" and which are: NID, 1P_JAR and CONSENT.

Therefore, in the present case, the cookies detected when entering the initial page of
the web, without taking any action on it and without rejecting cookies, (IDE,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/17








NID, 1P_JAR and AFFICHE_W in addition to verifying that they are not necessary cookies,
are identified by the website itself as advertising, IDE and AFFICHE_W or,
They are not even identified by the web, as in the case of the

cookies: NID, 1P_JAR and CONSENT, whose domain belongs to “*** URL.4”.

                                              III
The facts presented could suppose on the part of the claimed entity the commission
of the violation of article 22.2 of the LSSI, according to which:


“Service providers may use storage and retrieval devices
ration of data in terminal equipment of recipients, provided that the same
We have given their consent after information has been provided to them
clear and complete on its use, in particular, on the purposes of the treatment of
the data, in accordance with the provisions of Organic Law 15/1999, of December 13,

protection of personal data.

When technically possible and effective, the consent of the recipient to
accept the data processing may be facilitated by using the parameters
from the browser or other applications.


The foregoing will not prevent possible storage or access of a technical nature to only
in order to carry out the transmission of a communication over a communication network
electronic devices or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the recipient.
River".


This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information had not been provided or the consent of the recipient had not been obtained.
natario of the service in the terms required by article 22.2. ”, which may be sanctioned

nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.

After the evidence obtained in the preliminary investigation phase, and without prejudice to
Whatever results from the instruction, it is considered that the sanction should be
ner in accordance with the following aggravating criteria, established in art. 40 of the
LSSI:


    - The existence of intentionality, an expression that must be interpreted as equi-
        value to degree of guilt according to the Judgment of the Hearing
        National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to
        the entity denounced the determination of a system for obtaining consent

        informed service that conforms to the mandate of the LSSI.

    - Period of time during which the offense has been committed, as it is the first
        mere claim of August 2020, (section b).


Based on these criteria, it is deemed appropriate to impose on the claimed entity
a penalty of 5,000 euros (five thousand euros), for the violation of article 22.2 of the
LSSI, regarding the cookie policy made on the website *** URL.1.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/17








In accordance with the foregoing, by the Director of the Spanish Agency for Pro-
Data protection,
                                     HE REMEMBERS:


START: SANCTIONING PROCEDURE against the entity ABANCA CORPORACIÓN
BANCARIA, S.A. with CIF .: A70302039, owner of the website, *** URL.1 for the infringement
tion of article 22.2) of the LSSI, punishable in accordance with the provisions of art. 39) and
40) of the aforementioned Law, regarding the "Cookies Policy" of the website of its title-
rity.


APPOINT: as Instructor to D. B.B.B., and Secretary, where appropriate, to Ms. C.C.C., indicated
Whereas any of them may be challenged, as the case may be, in accordance with the provisions
cited in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (LRJSP).


INCORPORATE: to the sanctioning file, for evidentiary purposes, the inter-
put by the claimant and its documentation, the documents obtained and generated
by the Subdirectorate General for Data Inspection during the investigation phase.
nes, all of them part of the present administrative file.


WHAT: for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations, the sanction that
that could correspond would be 5,000 euros (five thousand euros), for the infraction of the article
Assumption 22.2) of the LSSI, regarding the "Cookies Policy" on the website of its holder.
larity, without prejudice to what results from the instruction of this file.


WHAT: in accordance with article 58.2 of the RGPD, the corrective measure that could
be imposed on the entity ABANCA CORPORACIÓN BANCARIA, S.A. would consist of OR-
TELL HIM to take the necessary measures on the website of his ownership
to adapt it, in such a way as to prevent the use of unnecessary cookies

before obtaining the user's consent.

NOTIFY: this agreement to initiate the sanctioning file to the entity
ABANCA CORPORACIÓN BANCARIA, granting a hearing period of ten
business days to make the allegations and present the evidence that it considers
convenient.


If within the stipulated period it does not make allegations to this initiation agreement, the same
It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).


In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the
zo granted for the formulation of allegations to the present initiation agreement; which
will entail a reduction of 20% of the penalty to be imposed in the

present procedure, equivalent in this case to 1,000 euros. With the application of
this reduction, the sanction would be established at 4,000 euros, resolving the
yield with the imposition of this sanction.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/17








In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will give a reduction of 20% of the amount of this, equivalent in this case to 1,000
euros. With the application of this reduction, the penalty would be set at 4,600
euros and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. In
In this case, if both reductions should be applied, the amount of the penalty would be

established at 3,000 euros (three thousand euros).

In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or resource in the administrative way.
trative against the sanction.


If you choose to proceed to the voluntary payment of any of the amounts indicated
previously, you must make it effective by entering account number ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of
Data in Banco CAIXABANK, S.A., indicating in the concept the reference number

cia of the procedure that appears in the heading of this document and the cause
reduction of the amount to which it is accepted.

Likewise, you must send proof of admission to the Subdirectorate General of Ins-
pection to continue with the procedure in accordance with the amount entered.

gives.

The procedure will have a maximum duration of nine months from the date of the
cha of the initiation agreement or, where appropriate, the draft initiation agreement. Elapsed
that period will expire and, consequently, the file of actions; from

in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.


Mar Spain Martí
Director of the Spanish Agency for Data Protection.








>>


SECOND: On March 23, 2021, the defendant has proceeded to pay the
penalty in the amount of 3,000 euros making use of the two planned reductions

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/17








in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.

                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and

38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                             II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,

the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,

except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,

20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.


The percentage of reduction foreseen in this section may be increased
regulations.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/17









In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00024/2021, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to ABANCA CORPORACIÓN
BANCARIA, S.A ..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.


                                                                                  936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection
































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es