AEPD (Spain) - PS/00483/2021: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...") |
No edit summary |
||
| Line 51: | Line 51: | ||
}} | }} | ||
The Spanish DPA fined an adult content website €8000 for its unlawful use of cookies and providing insufficient information related to their nature and purposes, as well for having an outdated privacy policy, which was based on data protection laws prior to the entry into force of the GDPR. | |||
== English Summary == | == English Summary == | ||
| Line 62: | Line 62: | ||
=== Holding === | === Holding === | ||
In its investigation, the AEPD determined that the page contained a warning that the website contained adult material, and to abandon the website in case of being a minor. | In its investigation, the AEPD determined that the page contained a warning that the website contained adult material, and to abandon the website in case of being a minor. | ||
However, the AEPD found that the website did not have a mechanism that permitted the rejection of non-essential cookies, or a second layer to allow the granular acceptance of specific cookies. Additionally, the AEPD also found that when accessing the website, the use of non-essential cookies took place without prior consent, and that there was insufficient information related to the nature of the cookies, and if any of them were third party cookies. The AEPD held that the website’s cookie policy violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which establishes that clear and complete information on the use of cookies and the purposes of the data processing, and that where the use of a cookie entails processing that makes it possible to identify the user, data controllers must provide users with information in compliance with the provisions of the GDPR. | |||
Furthermore, the AEPD found that the website’s privacy policy referred to the previous data protection laws in Spain, which were derogated when the GDPR entered into force. Therefore, the AEPD held that the website did not provide | However, the AEPD found that the website did not have a mechanism that permitted the rejection of non-essential cookies, or a second layer to allow the granular acceptance of specific cookies. Additionally, the AEPD also found that when accessing the website, the use of non-essential cookies took place without prior consent, and that there was insufficient information related to the nature of the cookies, and if any of them were third party cookies. The AEPD held that the website’s cookie policy violated Article 22.2 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Law of Information Society Services (LSSI)], which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, and that where the use of a cookie entails processing that makes it possible to identify the user, data controllers must provide users with information in compliance with the provisions of the GDPR. | ||
Based on these considerations, the AEPD issued a total fine of €10,000 on the controller, €5000 for the violation of Article 22.2 LSSI and €5000 for the violation of [[ | |||
Furthermore, the AEPD found that the website’s privacy policy referred to the previous data protection laws in Spain, which were derogated when the GDPR entered into force. Therefore, the AEPD held that the website did not provide users with adequate data protection information, in violation of [[Article 13 GDPR]]. | |||
Based on these considerations, the AEPD issued a total fine of €10,000 on the controller, €5000 for the violation of Article 22.2 LSSI and €5000 for the violation of [[Article 13 GDPR]]. However, this fine was reduced to €8000 because the controller did not object to the fine and paid it voluntarily within the period established by the AEPD to do so, although the reduction of the fee paid for by the controller did not include an express acceptance of culpability regarding the violations held by the AEPD. The AEPD also ordered the controller to modify its privacy and cookie policy in order to comply with GDPR. | |||
== Comment == | == Comment == | ||
Revision as of 21:03, 19 April 2022
| AEPD (Spain) - PS/00483/2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR Article 22.2 LSSI |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 11.03.2021 |
| Decided: | 03.01.2022 |
| Published: | 13.04.2022 |
| Fine: | 8000 EUR |
| Parties: | Ramona Films, S.L. |
| National Case Number/Name: | PS/00483/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Cesar Manso-Sayao |
The Spanish DPA fined an adult content website €8000 for its unlawful use of cookies and providing insufficient information related to their nature and purposes, as well for having an outdated privacy policy, which was based on data protection laws prior to the entry into force of the GDPR.
English Summary
Facts
The Spanish DPA (AEPD) initiated proceedings exercising its investigation powers under Article 58 GDPR against Ramona Films S.L. (previously Kalandrakas Films S.L.), owner of https://www.putalocura.com, a website containing adult and pornographic material.
The investigation was related to the possible processing of personal data and profiling of data subjects below the age of 14. In particular, the AEPD inquired the controller regarding the risk management of processing activities that could take place if a minor gained unauthorised access to the website’s contents, a data protection impact assessment related to these risks, the technical and organisational measures implemented to ensure data protection, as well as its privacy policy.
Holding
In its investigation, the AEPD determined that the page contained a warning that the website contained adult material, and to abandon the website in case of being a minor.
However, the AEPD found that the website did not have a mechanism that permitted the rejection of non-essential cookies, or a second layer to allow the granular acceptance of specific cookies. Additionally, the AEPD also found that when accessing the website, the use of non-essential cookies took place without prior consent, and that there was insufficient information related to the nature of the cookies, and if any of them were third party cookies. The AEPD held that the website’s cookie policy violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, and that where the use of a cookie entails processing that makes it possible to identify the user, data controllers must provide users with information in compliance with the provisions of the GDPR.
Furthermore, the AEPD found that the website’s privacy policy referred to the previous data protection laws in Spain, which were derogated when the GDPR entered into force. Therefore, the AEPD held that the website did not provide users with adequate data protection information, in violation of Article 13 GDPR.
Based on these considerations, the AEPD issued a total fine of €10,000 on the controller, €5000 for the violation of Article 22.2 LSSI and €5000 for the violation of Article 13 GDPR. However, this fine was reduced to €8000 because the controller did not object to the fine and paid it voluntarily within the period established by the AEPD to do so, although the reduction of the fee paid for by the controller did not include an express acceptance of culpability regarding the violations held by the AEPD. The AEPD also ordered the controller to modify its privacy and cookie policy in order to comply with GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18
File No.: PS/00483/2021
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On January 3, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against RAMONA FILMS,
SL (hereinafter, the claimed party), through the Agreement that is transcribed:
<<
Procedure No.: PS/00483/2021
AGREEMENT TO START A SANCTION PROCEDURE
Of the actions carried out ex officio by the Spanish Agency for the Protection of
Data before the entity, RAMONA FILMS, S.L. with CIF.: B87763405, owner of the page
web: https://www.putalocura.com, for the alleged violation of the regulations of
data protection: Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 04/27/16, regarding the Protection of Natural Persons in what
regarding the Processing of Personal Data and the Free Circulation of these Data
(RGPD) and Organic Law 3/2018, of December 5, on Data Protection
Personal and Guarantee of Digital Rights (LOPDGDD), and attending to the
following:
ACTS
FIRST: Dated 03/11/21, the Director of the Spanish Agency for
Data Protection agreed to open preliminary investigation actions against
to the entity, RAMONA FILMS, S.L. (previously, KALANDRAKAS FILMS, SL),
taking into account the investigative powers that the supervisory authority may have
for this purpose, established in section 1), of article 58 of the RGPD, and in relation to the
possible treatment of personal data of minors under fourteen years of age, obtained
while browsing the website and their possible profiling.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/18
SECOND: On 03/13/21 and 05/28/21, by this Agency, in relation to
stipulated in article 65.4 of the LOPDGDD Law, was sent to the RAMONA entity
FILMS, SL, two separate letters requesting information on the following points: The
management of the risks associated with the treatment activities in which it could be
produce an illegitimate access of a minor to the content they offer; The evaluation
of impact related to data protection regarding risk analysis; Measures
technical and organizational measures implemented in your entity that suppose access limitation
of minors to the content offered; Limitations for minors
access such content; Privacy policy and public location thereof;
Technical and organizational measures to be taken in your entity in case of eventual verification
of improper access by a minor to its contents: Technical measures and
organizational measures that reflect the protection of personal data and the processes of
verification and evaluation of the effectiveness of the measures and clarification of whether they
profiling of the personal data of those who access its contents.
According to a certificate from the Electronic Notifications and Electronic Address Service, the
request sent to the claimed entity, on 03/13/21, through the service of
notifications NOTIFIC@, was received at destination on 03/15/21.
According to a certificate from the State Post and Telegraph Society, the request sent
to the claimed entity, on 05/28/21, through the SICER service, it was received
Appointed at destination on 06/04/21 by D. A.A.A.; ***NIF.1.
THIRD: On 09/09/21, this Agency carried out the following
checks on the website https://www.putalocura.com:
a).- Regarding the processing of personal data:
1.- The website has a contact form, located at the bottom of
the page: https://www.putalocura.com/contacto, where you can enter data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/18
personal, such as name and email. Before submitting the form
You must accept the <<_ General Conditions of Contract>> and you must mark: “_
Do not be a robot”, after which an automatic confirmation message appears.
contact reception.
2.- The following warning message is available in the footer of the website:
”Leave this website if you are a minor: Website with adult content”
b).- About the Privacy Policy:
1.- If you access the "Privacy Policy" of the aforementioned website, through the link
existing at the bottom of the main page, the web redirects the user to a
new page: https://www.putalocura.com/politica-de-privacidad, where
provides the following information:
"one. In compliance with the provisions of Organic Law 15/1999, of December 13,
Protection of Personal Data (hereinafter "LOPD"), Kalandrakas
Films S.L.U. (hereinafter KF) informs the user that all character data
that you provide us through the web will be incorporated into files,
created and maintained under the responsibility of KF, (reviewed in point 3.2) (...)”
2.- If you access the "Legal Notice" page of the aforementioned website, through the link
existing at the bottom of the main page, the web redirects the user to a
new page: https://www.putalocura.com/aviso-legal, where it is provided
information about the Company's data; data from the Mercantile Registry; on
intellectual property and on the conditions of use of the web.
Regarding access to content, the following is indicated: “Exclusively for adults and
of forbidden access for minors and of an erotic and/or pornographic nature and
that could hurt your sensibilities. By accessing this website and/or the
contents, you expressly accept that you are of legal age (minimum 18 years in
Spain) and that you have no legal limitation to access voluntarily to
adult content of an erotic and/or pornographic nature, exonerating KF from
any responsibility in this regard.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/18
c).- About the Cookies Policy:
1.- When entering the web for the first time, without accepting cookies or performing any action
on the page, it has been verified that cookies are used that are not technical or
necessary, whose domain is Google Analytics: (_ga, _gid, _gat) but that is
installed associated with the domain of the web manager.
2.- There is a banner about cookies on the main page of the website, with the following
message:
“This website uses its own and third-party cookies to offer you a better service. Yes
If you continue browsing, we consider that you accept its use. <<Read more>>.
<<Accept>>
If you choose to accept cookies, using the <<accept>> option you check
that the cookies indicated above continue to be used, as well as if the
browsing the website itself.
3.- If you choose to access the "Cookies Policy", through the link <<read more> or
through the existing link at the bottom of the main page <<Policy of
cookies>>, the web redirects to a new page: https://www.putalocura.com/politica-
de-cookies, where information is provided about what cookies are and what types
of cookies exist.
There is no mechanism that enables the rejection of all non-technical cookies
or the possibility of granularly managing cookies.
FOURTH: In view of the reported facts, in accordance with the evidence
that is available, the Data Inspection of this Spanish Agency for the Protection of
Data considers the above, does not comply with current regulations, therefore
that the opening of this sanctioning procedure proceeds.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/18
FOUNDATIONS OF LAW
I.- Competition:
- About the "Privacy Policy":
It is competent to initiate and resolve this Sanctioning Procedure, the Director of
the Spanish Agency for Data Protection, by virtue of the powers that art 58.2
of the RGPD and, as established in arts. 47, 64.2 and 68.1 of the LOPDGDD Law.
For its part, sections 1) and 2), of article 58 of the RGPD, list,
respectively, the investigative and corrective powers that the supervisory authority
may provide for this purpose, mentioning in point 1.d), that of: "notify the
responsible or in charge of the treatment the presumed infractions of the present
Regulation” and in 2.i), that of: “imposing an administrative fine in accordance with
Article 83, in addition to or instead of the measures mentioned in this paragraph,
depending on the circumstances of each case.
- About the Cookies Policy:
It is competent to initiate and resolve this Sanctioning Procedure, the Director of
the Spanish Agency for Data Protection, in accordance with the provisions of the
art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the
Information Society and Electronic Commerce (LSSI).
II.- About the "Privacy Policy" of the website:
It has been verified that on the website: https://www.putalocura.com, you can
obtain personal data from users through the "contact" tab, such as the
name and email.
However, it has been found that the "Privacy Policy" of the website,
https://www.putalocura.com/politica-de-privacidad, does not adjust to the information that
should be provided according to article 13 of the RGPD, since all of it is referred to and
focused on the repealed Organic Law 15/1999, of December 13, on the Protection of
Personal data.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/18
Well, in accordance with the provisions of article 99 of the RGPD, the entry into
force and application of the new RGPD was: "twenty days after its publication in the
Official Journal of the European Union (05/25/16)” and would be applicable from May 25
of 2018”. Therefore, as of 05/25/18, the LO was repealed. 15/1999, (LOPD),
applying compulsorily, from that date, the current RGPD and from the
07/12/18 the new LOPDGDD.
In application of the RGPD, its article 13, establishes the information that must be
provide the interested party at the time of obtaining their personal data. This is:
“1. When personal data relating to him is obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide: a)
the identity and contact details of the person in charge and, where appropriate, of their
representative; b) the contact details of the data protection officer, in his
case; c) the purposes of the treatment to which the personal data is destined and the basis
legal treatment; d) when the treatment is based on article 6, paragraph 1,
letter f), the legitimate interests of the person in charge or of a third party; e) the recipients or
the categories of recipients of personal data, if any; f) where appropriate, the
intention of the controller to transfer personal data to a third country or
international organization and the existence or absence of an adequacy decision
of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or
Article 49, paragraph 1, second paragraph, reference to adequate guarantees or
appropriate and the means to obtain a copy of them or the fact that
have lent.
2. In addition to the information mentioned in section 1, the person in charge of the
treatment will facilitate the interested party, at the moment in which the data is obtained
personal, the following information necessary to guarantee data processing
fair and transparent: a) the period during which the personal data will be kept or,
when this is not possible, the criteria used to determine this period; b) the
existence of the right to request access to data from the data controller
related to the interested party, and its rectification or deletion, or the limitation of its
treatment, or to oppose the treatment, as well as the right to the portability of the
data; c) when the treatment is based on article 6, paragraph 1, letter a), or the
Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in
any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal; d) the right to file a claim with
a control authority; e) if the communication of personal data is a requirement
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/18
legal or contractual, or a necessary requirement to enter into a contract, and if the
The interested party is obliged to provide personal data and is informed of the
possible consequences of not providing such data; f) the existence of decisions
you automate, including profiling, referred to in article 22,
paragraphs 1 and 4, and, at least in such cases, significant information about the logic
applied, as well as the importance and expected consequences of said treatment
for the interested party”.
Therefore, in accordance with the evidence obtained and without prejudice to what
result of the investigation, the exposed facts could suppose the violation, for
part of the entity that owns the web page in question, of article 13 of the RGPD.
Regarding this, article 72.1.h) of the LOPDGDD, considers it very serious, for
of prescription, “the omission of the duty to inform the affected party about the treatment
of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD”
This infraction can be sanctioned with a maximum fine of €20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for the
of greater amount, in accordance with article 83.5.b) of the RGPD.
In accordance with the precepts indicated, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction to be imposed in
the present case, it is considered appropriate to graduate the sanction in accordance with the
following aggravating criteria established in article 83.2 of the RGPD:
- The duration of the infringement, taking into account that current regulations, this
is, the RGPD, is mandatory since 05/25/18, and that from that
Date the LOPD was repealed, by which the website is still governed
in question, (section a).
The balance of the circumstances contemplated in article 83.2 of the RGPD, with
regarding the infraction committed, by violating the provisions of article 13 of the
RGPD, makes it possible to set an initial penalty of 5,000 euros (five thousand euros).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 8/18
On the other hand, and in accordance with article 58.2 of the RGPD, the corrective measure
that could be imposed on the person responsible for the website in question would consist of
order you to take the necessary measures to adapt the privacy policy to
what is stipulated in the current regulations, that is, the RGPD and the LOPDGDD.
III.- About the "Cookies Policy" of the website:
a).- Regarding the installation of cookies in the terminal equipment prior to
consent:
Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, on the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR. Therefore,
when the use of a cookie entails a treatment that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.
However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of the terminals and the network and those that provide a service
expressly requested by the user.
In this sense, the GT29, in its Opinion 4/201210, interpreted that among the cookies
excepted would be the user input Cookies” (those used to
filling in forms, or managing a shopping cart); cookies from
user authentication or identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
plugin (plug-in) to exchange social content. These cookies would remain
excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be
necessary to inform or obtain consent on its use.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 9/18
On the contrary, it will be necessary to inform and obtain the prior consent of the user.
before the use of any other type of cookies, both first and
third party, session or persistent.
In the verification carried out on the web page in question, it was found that, when
entering its main page and without performing any type of action on it,
use unnecessary cookies without the prior consent of the user.
b).- About the existing cookie information banner in the first layer
(Homepage):
The banner on cookies of the first layer must include information regarding the
identification of the editor responsible for the website, in the event that their identifying data
tives do not appear in other sections of the page or that their identity cannot be disclosed.
obvious attachment to the site itself. You must also include an ID
generic of the purposes of the cookies that will be used and if these are own or
also from third parties, without it being necessary to identify them in this first layer. Ade-
Furthermore, it should include generic information about the type of data to be collected
and used in the event that user profiles are created and must include informa-
tion and the way in which the user can accept, configure and reject the use of
cookies, with the warning, where appropriate, that if a certain action is carried out,
It will be understood that the user accepts the use of cookies.
Apart from the generic information about cookies, in this banner there must be an en-
clearly visible link directed to a second informative layer on the use of the
cookies. This same link can be used to take the user to the configuration panel.
guration of cookies, as long as the access to the configuration panel is direct, this
is, that the user does not have to navigate inside the second layer to locate it.
In the case at hand, in the cookie information banner on the
first layer of the denounced web, with the message:
“This website uses its own and third-party cookies to offer you a better service. Yes
If you continue browsing, we consider that you accept its use.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 10/18
The purposes for which the cookies will be used are not identified and if they are
own or third parties.
c).- Regarding consent to the use of unnecessary cookies:
For the use of non-excepted cookies, it will be necessary to obtain the consent
expressly stated by the user. This consent can be obtained by doing
click on, “accept” or inferring it from an unequivocal action performed by the user that
denotes that consent has unequivocally occurred. Therefore, the mere
user inactivity, scrolling or browsing the website, will not be considered
effects, a clear affirmative action in any circumstance and will not imply the
provision of consent itself. Similarly, access to the second
layer if the information is presented in layers, as well as the necessary navigation to
that the user manage their preferences in relation to cookies in the panel of
control, nor is it considered an active behavior from which the
acceptance of cookies.
The existence of "Cookie Walls" is not allowed either, that is, windows
pop-ups that block the content and access to the web, forcing the user to
accept the use of cookies to be able to access the page and continue browsing.
If the option is to go to a second layer or cookie control panel, the link
it should take the user directly to that configuration panel. To facilitate se-
lesson, the panel can be implemented, in addition to a granular management system
of cookies, two more buttons, one to accept all cookies and another to reject-
all of them If the user saves his choice without having selected any cookie,
You will understand that you have rejected all cookies. Regarding this second possibility,
In no case are the pre-marked boxes in favor of accepting cookies admissible.
If for the configuration of cookies, the web refers to the browser configuration
installed in the terminal equipment, this option could be considered complementary
to obtain consent, but not as the only mechanism. Therefore, if the publisher
opts for this option, it must also offer, and in any case, a mechanism that
allows you to reject the use of cookies and/or do it in a granular way, on your own page.
web page
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 11/18
On the other hand, the withdrawal of the consent previously given by the user de-
It should be able to be done at any time. To this end, the publisher must offer a
mechanism that makes it possible to withdraw consent easily at any time.
unto This facility will be considered to exist, for example, when the user has access to
so simple and permanent to the cookie management or configuration system.
If the editor's cookie management or configuration system does not allow to avoid the
use of third-party cookies once accepted by the user, information will be provided
training on the tools provided by the browser and third parties, de-
being aware that, if the user accepts third-party cookies and later wishes to
delete them, you must do it from your own browser or the system enabled by the
third parties for it.
In the case at hand, in the banner of the first layer there is no option to re-
Chase all cookies nor is there the option to redirect the user to a panel
control so you can manage cookies in a granular way.
There is also no mechanism to reject all non-technical cookies.
cases or failing that, that can be managed granularly in the second
layer (Cookie Policy).
d).- On the information provided in the second layer (Policy of
Cookies):
More detailed information about cookies should be provided in the Cookies Policy.
characteristics of cookies, including information about, the definition and general function
cookie information (what are cookies); about the type of cookies used and
its purpose (what types of cookies are used on the website); the identification of
who uses the cookies, that is, if the information obtained by the cookies is treated
only by the publisher and/or also by third parties with identification of the latter; the period-
do of conservation of the cookies in the terminal equipment; and if it is the case, information
on data transfers to third countries and the elaboration of profiles that im-
Apply automated decision making.
In the case at hand, the information about cookies that is provided in the
second layer of the web, it has been detected that the identification of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 12/18
the cookies that are used, if they are their own or from third parties, nor the time they are
will be active in the terminal equipment.
IV- Violation of the Cookies Policy
The deficiencies detected in the "Cookies Policy" of the website in question,
could suppose on the part of the claimed entity, the commission of the infraction of the
Article 22.2 of the LSSI, since it establishes that:
“Service providers may use storage devices and
recovery of data in terminal equipment of the recipients, provided that
they have given their consent after they have been provided
clear and complete information on its use, in particular, on the purposes of the
data processing, in accordance with the provisions of Organic Law 15/1999, of 13
December, on the protection of personal data.
Where technically possible and effective, the recipient's consent to
Accepting the processing of the data may be facilitated through the use of the parameters
from the browser or other applications.
The foregoing will not prevent the possible storage or access of a technical nature to the sole
purpose of effecting the transmission of a communication over a communications network
electronic or, to the extent that is strictly necessary, for the provision of
a service of the information society expressly requested by the
addressee".
This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and retrieval devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 13/18
After the evidence obtained in the preliminary investigation phase, and without prejudice to
whatever results from the investigation, it is considered appropriate to graduate the sanction to
impose in accordance with the following aggravating criteria, established by art. 40 of
the LSSI:
- The existence of intentionality, an expression that must be interpreted as
equivalent to a degree of guilt according to the Judgment of the
National High Court of 11/12/07 relapse in Appeal no. 351/2006,
corresponding to the denounced entity the determination of a system of
Obtaining informed consent that is in accordance with the mandate of the LSSI.
In accordance with these criteria, it is considered appropriate to impose an initial sanction of
5,000 euros, (two thousand euros), for the infringement of article 22.2 of the LSSI, regarding
the cookie policy made on the website in question.
On the other hand, and in accordance with article 58.2 of the RGPD, the corrective measure
that could be imposed on the entity responsible for the website would consist of order-
order him to take the necessary measures on the web page of his ownership to
adapt it to current regulations, including a mechanism that makes it impossible to use
tion of non-necessary cookies before the user gives his consent for it;
including a mechanism that makes it possible to reject all cookies or to do so
ma granular through a control panel and extend the information provided in the
banner of the main page and in the "Cookies Policy" adapting it to the regulations
in force, indicated in section III of the Legal Basis.
V-Initial total sanction:
In accordance with the criteria set out in the previous points, the initial total sanction to be
impose would be 10,000 euros (ten thousand euros): 5,000 euros (five thousand euros), for the
infringement of article 13 of the RGPD and 5,000 euros (five thousand euros), for the infringement
of article 22.2 of the LSSI.
Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 14/18
START: SANCTION PROCEDURE against the entity, RAMONA FILMS, S.L. with
CIF.: B87763405, owner of the website: https://www.putalocura.com, for the
following offenses:
- Violation of article 13 of the RGPD, when collecting personal data of the
users of the web pages of its ownership without having adapted it to the
current regulations on data protection.
- Violation of article 22.2 of the LSSI, regarding irregularities
detected in the "Cookies Policy" of the website.
APPOINT: R.R.R. as Instructor, and Secretary, if applicable, S.S.S., indicating
that any of them may be challenged, where appropriate, in accordance with the provisions of
Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP).
INCORPORATE: to the disciplinary file, for evidentiary purposes, the international claim
put by the claimant and their documentation, the documents obtained and generated
by the Subdirectorate General for Data Inspection during the investigation phase.
nes, all of them part of this administrative file.
WHAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, of the
Common Administrative Procedure of the Public Administrations, the sanction that
could correspond would be:
- 5,000 euros (five thousand euros), for the infringement of article 13 of the RGPD, without
prejudice to what results from the investigation of this file.
- 5,000 euros (five thousand euros) for the infringement of article 22.2 of the LSSI, without
prejudice to what results from the investigation of this file.
NOTIFY: this agreement to initiate sanctioning proceedings to the entity,
RAMONA FILMS, S.L., granting a hearing period of ten business days to
to formulate the allegations and present the evidence it deems appropriate.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 15/18
If within the stipulated period it does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the
sanction to be imposed was a fine, it may recognize its responsibility within the
zo granted for the formulation of allegations to this initial agreement; what
will be accompanied by a reduction of 20% of the sanction to be imposed in the
present procedure, equivalent in this case to 2,000 euros. With the application of
this reduction, the sanction would be established at 8,000 euros, resolving the problem
ceding with the imposition of this sanction.
Similarly, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which supposes
There will be a reduction of 20% of the amount of this, equivalent in this case to 2,000
euros. With the application of this reduction, the penalty would be established at 8,000
euros and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
arguments at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if it were appropriate to apply both reductions, the amount of the penalty would be
set at 6,000 euros (six thousand euros).
In any case, the effectiveness of any of the two reductions mentioned will be
conditioned to the withdrawal or waiver of any action or resource in the administrative process.
deal against the sanction.
If you choose to proceed to the voluntary payment of any of the amounts indicated
above, you must make it effective by depositing it in account Nº ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of
Data in Banco CAIXABANK, S.A., indicating in the item the reference number
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 16/18
ence of the procedure that appears in the heading of this document and the cause
of reduction of the amount to which it avails itself.
Likewise, you must send proof of income to the General Subdirectorate of Ins-
request to continue with the procedure in accordance with the amount entered.
gives.
The procedure will have a maximum duration of nine months from the date of
page of the start-up agreement or, where appropriate, of the draft start-up agreement. elapse-
do this period will produce its expiration and, consequently, the filing of actions;
in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPA-
CAP, against this act there is no administrative appeal.
Sea Spain Marti
Director of the Spanish Agency for Data Protection.
>>
SECOND: On February 22, 2022, the claimed party has proceeded to pay
of the penalty in the amount of 8,000 euros using one of the two
reductions provided for in the Start Agreement transcribed above. Therefore, it has not
acknowledgment of responsibility has been confirmed.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 17/18
THIRD: The payment made entails the waiver of any action or resource in via
against the sanction, in relation to the facts referred to in the
Home Agreement.
FOUNDATIONS OF LAW
I
In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, of
services of the information society and electronic commerce (hereinafter
LSSI), the powers that article 58.2 of Regulation (EU) 2016/679 (Regulation
General Data Protection, hereinafter RGPD), grants each authority of
control and according to the provisions of articles 47 and 48.1 of Organic Law 3/2018, of
December 5, Protection of Personal Data and guarantee of rights
(hereinafter, LOPDGDD), is competent to initiate and resolve this
procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
Finally, the fourth additional provision "Procedure in relation to the
competences attributed to the Spanish Data Protection Agency by other
laws" establishes that: "The provisions of Title VIII and its implementing regulations
will apply to the procedures that the Spanish Agency for the Protection of
Data would have to be processed in the exercise of the powers attributed to it by
other laws."
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter LPACAP), under the rubric
"Termination in sanctioning procedures" provides the following:
"one. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 18/18
3. In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.
The reduction percentage provided for in this section may be increased
regulations."
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00483/2021, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to RAMONA FILMS, S.L..
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
937-240122
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
