AEPD (Spain) - EXP202104460: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00...") |
mNo edit summary |
||
Line 61: | Line 61: | ||
}} | }} | ||
The Spanish DPA imposed a €2,000 fine on the entity Preicos Juridicos S.L. who owns the website, https://www.preicojuridicos.com, for violating Article 22(2) of the Spanish | The Spanish DPA imposed a €2,000 fine on the entity Preicos Juridicos S.L. who owns the website, https://www.preicojuridicos.com, for violating Article 22(2) of the Spanish Law of Information Society Services and Electronic Commerce” (LSSI) regarding the Cookie Policy implemented on its website. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
An individual ("Complaining party") failed a complaint with the AEPD indicating that the website owned by Preicos Juridicos (https://www.preicojuridicos.com) violates data protection regulations as well as information society services, with regard to the | An individual ("Complaining party") failed a complaint with the AEPD indicating that the website owned by Preicos Juridicos (https://www.preicojuridicos.com) violates data protection regulations as well as information society services, with regard to the Cookie Policy implemented, since when trying to enter the website and reject all cookies, it was expelled from the website making it impossible for the complaining party to continue browsing it. | ||
The complainant raised the following issues: | The complainant raised the following issues: | ||
* When entering the web for the first time, without accepting cookies or performing any action on the page, non-technical or necessary cookies are used, some whose domain belongs to third parties, and some of them, are first party cookies which are managed by Preicos Juridicos. | |||
on the page, non-technical or necessary cookies are used, some whose domain belongs to third parties, and some of them, are first party cookies which are managed by Preicos Juridicos. | * There is a cookie banner on the main page of the website that provides visitors with the option to 'Accept' or 'Do Not Accept'. However, if the visitor wishes to reject all cookies that are not necessary or technical, by clicking on the 'Do not accept' option, the website expels the visitor from the website. On the contrary, if the visitor chooses to accept all cookies, by clicking on the 'Accept' option, the website allows the visitor to continue browsing and consequently, all cookies are deployed. | ||
* The "Cookies Policy" on the website provides visitors with information about what cookies are, what types of cookies uses the site web, how to manage cookies through the browsers installed on the user's terminal equipment. But there is no information about the cookies used the website, its functionality, whether they are their first party or third-party or the time they will be active. | |||
The AEPD transferred the complaint to Preicos Juridicos, giving them the opportunity to contest the facts. Preicos Juridicos indicated that the complaint was unfounded given that users were able to navigate the site without accepting or rejecting the cookies. The measures Preicos Juridicos adopted on foot of this complaint were: | |||
1. The elimination of cookies from the web and; | |||
The | 2. The elimination of the cookie banner, which made it possible to read the legal documents in the site. Preicos further clarified that no personal data has been stored or is stored through cookies. | ||
Nevertheless, the AEPD initiated an investigation into Preico Juridicos website. | |||
=== Holding === | === Holding === | ||
1. Regarding the "Cookies Policy" of the website www.preicojuridicos.com | '''1. Regarding the "Cookies Policy" of the website www.preicojuridicos.com:''' | ||
* '''On the use of cookies in the terminal equipment without consent:''' Article 22(2) of the LSSI establishes that users must be provided with information clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Necessary cookies are exempt from compliance with Article 22(2) LSSI. In this case, it has been confirmed that cookies that are not necessary or technical have been deployed, particularly cookies whose domain is Google Analytics. | |||
In the case at hand, the AEPD found that the banned presented on the Homepage did not provide visitors with the corresponding information about the use of cookies. | * '''About the information provided in the cookie banner:''' The controller responsible for the website must be clearly identified on the first layer of the cookie banner, if its identity cannot be found in other sections of the page. It must also include a description of the purposes of the cookies that will be used and if they are first or third party cookies. In addition, it must include generic information on the type of data collected. It should also include specifications as to whether user profiles are created as well as information on how accept, configure, and reject the use of cookies. Apart from the generic information about cookies, in the banner there must be a clearly visible link to a second informative layer on the use of the cookies. This same link can be used to lead the user to the control panel of cookie configuration, provided that access to the configuration panel is direct, that is, that the user does not have to navigate inside the second layer to locate it. In the case at hand, the AEPD found that the banned presented on the Homepage did not provide visitors with the corresponding information about the use of cookies. | ||
* '''In terms of consent for using non-necessary cookies:''' | |||
# Consent must be collected for the use of non-necessary cookies. This consent can be obtained by doing click on, “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred. Therefore, the mere user inactivity, scrolling or browsing the website, as valid consent. Similarly, access to a second layer of the information, as well as the necessary navigation so that the user manage their preferences in relation to cookies can be considered as acceptance. | |||
click on, “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred. Therefore, the mere user inactivity, scrolling or browsing the website, as valid consent. Similarly, access to a second layer of the information, as well as the necessary navigation so that the user manage their preferences in relation to cookies can be considered as acceptance. | # The use of "Cookie Walls", which block content and access to the web, forcing the user to accept the use of cookies in order to access the page and continue browsing, it's not permitted. | ||
# If the option offered is to adjust the cookie settings, the link should take the user directly to said settings page. To facilitate the selection, in addition to a granular cookie management system, two more buttons can be implemented in the configuration, one to accept all cookies and another to reject all. If the user saves his choice without having selected any cookies, the website must understand that the user has rejected all cookies. Regarding this second possibility, in no case will the pre-marked boxes be admissible. | |||
# If for the configuration of cookies, the website refers to the configuration of the browser installed on the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. In this case, the person responsible for the website must also offer a mechanism that allows you to reject the use of cookies and/or do it in a granular way, on your own web page. | |||
# The withdrawal of the consent previously given by the user must be possible at any time. To this end, the person responsible for the website must offer a mechanism that makes it possible to withdraw consent easily at any time. | |||
# If through the cookie settings it is not possible to avoid the use of third-party cookies once accepted by the user, information should be provided on how to delete them. For example, that user should delete third-party cookies on their own browser or the system enabled by the third parties for it. | |||
allows you to reject the use of cookies and/or do it in a granular way, on your own web page. | |||
In this case, the AEPD has verified that there is no possibility of rejecting cookies that are not technical or necessary, nor is there any type of control panel where they can be managed granularly or by groups. | In this case, the AEPD has verified that there is no possibility of rejecting cookies that are not technical or necessary, nor is there any type of control panel where they can be managed granularly or by groups. | ||
* '''Regarding the information provided in the Cookie Policy:''' Detailed information on the characteristics of cookies must be provided in the Cookies Policy, including information on the definition and generic function of cookies (what are cookies); about the type of cookies used and its purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, if the information obtained by the cookies is treated only by the owner of the website and/or also by third parties with identification of the latter; the period of conservation of cookies in the terminal equipment; and if applicable, information on data transfers to third countries and profiling that involves automated decision-making. In this case, it has been found that in the "Cookies Policy" of the website there is no information or identify the cookies used by the site, their functionality, if they are own or third party or the time they will be active. | |||
Detailed information on the characteristics of cookies must be provided in the Cookies Policy, including information on the definition and generic function of cookies (what are cookies); about the type of cookies used and its purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, if the information obtained by the cookies is treated only by the owner of the website and/or also by third parties with identification of the latter; the period of conservation of cookies in the terminal equipment; and if applicable, information on data transfers to third countries and profiling that involves automated decision-making. | |||
In | |||
In summary, the deficiencies detected in the verification of the web page www.preicojuridicos.com are: | In summary, the deficiencies detected in the verification of the web page www.preicojuridicos.com are: | ||
* The use of cookies that are not technical or necessary, without the prior consent of users. | |||
* The non-existence of an information banner about cookies on the page website main. | |||
* The impossibility of rejecting cookies that are not technical or necessary or make it granular. | |||
* The lack of information in the "Cookies Policy" about the cookies used the web and the time they will be active. | |||
All the anomalies indicated | All the anomalies indicated infringe article 22(2) of the LSSI. In consequence, the AEPD imposed on the entity Preicos Juridicos, S.L. owner of the website, https://www.preicojuridicos.com, a fine of €2,000, for the violation of article 22.2 LSSI, regarding the Policy implemented on your website. | ||
== Comment == | == Comment == |
Revision as of 23:41, 19 September 2022
AEPD - PS-00030-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 7 GDPR Article 22(2) of the Spanish Law of Information Society Services and Electronic Commerce |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 2000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00030-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | PL |
The Spanish DPA imposed a €2,000 fine on the entity Preicos Juridicos S.L. who owns the website, https://www.preicojuridicos.com, for violating Article 22(2) of the Spanish Law of Information Society Services and Electronic Commerce” (LSSI) regarding the Cookie Policy implemented on its website.
English Summary
Facts
An individual ("Complaining party") failed a complaint with the AEPD indicating that the website owned by Preicos Juridicos (https://www.preicojuridicos.com) violates data protection regulations as well as information society services, with regard to the Cookie Policy implemented, since when trying to enter the website and reject all cookies, it was expelled from the website making it impossible for the complaining party to continue browsing it.
The complainant raised the following issues:
- When entering the web for the first time, without accepting cookies or performing any action on the page, non-technical or necessary cookies are used, some whose domain belongs to third parties, and some of them, are first party cookies which are managed by Preicos Juridicos.
- There is a cookie banner on the main page of the website that provides visitors with the option to 'Accept' or 'Do Not Accept'. However, if the visitor wishes to reject all cookies that are not necessary or technical, by clicking on the 'Do not accept' option, the website expels the visitor from the website. On the contrary, if the visitor chooses to accept all cookies, by clicking on the 'Accept' option, the website allows the visitor to continue browsing and consequently, all cookies are deployed.
- The "Cookies Policy" on the website provides visitors with information about what cookies are, what types of cookies uses the site web, how to manage cookies through the browsers installed on the user's terminal equipment. But there is no information about the cookies used the website, its functionality, whether they are their first party or third-party or the time they will be active.
The AEPD transferred the complaint to Preicos Juridicos, giving them the opportunity to contest the facts. Preicos Juridicos indicated that the complaint was unfounded given that users were able to navigate the site without accepting or rejecting the cookies. The measures Preicos Juridicos adopted on foot of this complaint were:
1. The elimination of cookies from the web and;
2. The elimination of the cookie banner, which made it possible to read the legal documents in the site. Preicos further clarified that no personal data has been stored or is stored through cookies.
Nevertheless, the AEPD initiated an investigation into Preico Juridicos website.
Holding
1. Regarding the "Cookies Policy" of the website www.preicojuridicos.com:
- On the use of cookies in the terminal equipment without consent: Article 22(2) of the LSSI establishes that users must be provided with information clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Necessary cookies are exempt from compliance with Article 22(2) LSSI. In this case, it has been confirmed that cookies that are not necessary or technical have been deployed, particularly cookies whose domain is Google Analytics.
- About the information provided in the cookie banner: The controller responsible for the website must be clearly identified on the first layer of the cookie banner, if its identity cannot be found in other sections of the page. It must also include a description of the purposes of the cookies that will be used and if they are first or third party cookies. In addition, it must include generic information on the type of data collected. It should also include specifications as to whether user profiles are created as well as information on how accept, configure, and reject the use of cookies. Apart from the generic information about cookies, in the banner there must be a clearly visible link to a second informative layer on the use of the cookies. This same link can be used to lead the user to the control panel of cookie configuration, provided that access to the configuration panel is direct, that is, that the user does not have to navigate inside the second layer to locate it. In the case at hand, the AEPD found that the banned presented on the Homepage did not provide visitors with the corresponding information about the use of cookies.
- In terms of consent for using non-necessary cookies:
- Consent must be collected for the use of non-necessary cookies. This consent can be obtained by doing click on, “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred. Therefore, the mere user inactivity, scrolling or browsing the website, as valid consent. Similarly, access to a second layer of the information, as well as the necessary navigation so that the user manage their preferences in relation to cookies can be considered as acceptance.
- The use of "Cookie Walls", which block content and access to the web, forcing the user to accept the use of cookies in order to access the page and continue browsing, it's not permitted.
- If the option offered is to adjust the cookie settings, the link should take the user directly to said settings page. To facilitate the selection, in addition to a granular cookie management system, two more buttons can be implemented in the configuration, one to accept all cookies and another to reject all. If the user saves his choice without having selected any cookies, the website must understand that the user has rejected all cookies. Regarding this second possibility, in no case will the pre-marked boxes be admissible.
- If for the configuration of cookies, the website refers to the configuration of the browser installed on the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. In this case, the person responsible for the website must also offer a mechanism that allows you to reject the use of cookies and/or do it in a granular way, on your own web page.
- The withdrawal of the consent previously given by the user must be possible at any time. To this end, the person responsible for the website must offer a mechanism that makes it possible to withdraw consent easily at any time.
- If through the cookie settings it is not possible to avoid the use of third-party cookies once accepted by the user, information should be provided on how to delete them. For example, that user should delete third-party cookies on their own browser or the system enabled by the third parties for it.
In this case, the AEPD has verified that there is no possibility of rejecting cookies that are not technical or necessary, nor is there any type of control panel where they can be managed granularly or by groups.
- Regarding the information provided in the Cookie Policy: Detailed information on the characteristics of cookies must be provided in the Cookies Policy, including information on the definition and generic function of cookies (what are cookies); about the type of cookies used and its purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, if the information obtained by the cookies is treated only by the owner of the website and/or also by third parties with identification of the latter; the period of conservation of cookies in the terminal equipment; and if applicable, information on data transfers to third countries and profiling that involves automated decision-making. In this case, it has been found that in the "Cookies Policy" of the website there is no information or identify the cookies used by the site, their functionality, if they are own or third party or the time they will be active.
In summary, the deficiencies detected in the verification of the web page www.preicojuridicos.com are:
- The use of cookies that are not technical or necessary, without the prior consent of users.
- The non-existence of an information banner about cookies on the page website main.
- The impossibility of rejecting cookies that are not technical or necessary or make it granular.
- The lack of information in the "Cookies Policy" about the cookies used the web and the time they will be active.
All the anomalies indicated infringe article 22(2) of the LSSI. In consequence, the AEPD imposed on the entity Preicos Juridicos, S.L. owner of the website, https://www.preicojuridicos.com, a fine of €2,000, for the violation of article 22.2 LSSI, regarding the Policy implemented on your website.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure No.: PS/00030/2022 (EXP202104460) RESOLUTION SANCTION PROCEDURE Of the actions carried out ex officio by the Spanish Agency for the Protection of Data before the entity PREICO JURÍDICOS, S.L., with CIF: B67071472, owner of the website, https://www.preicojuridicos.com; for the alleged violation of the data protection regulations: Regulation (EU) 2016/679, of the Parliament European and Council, of 04/27/16, regarding the Protection of Natural Persons regarding the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and against the Law 34/2002, of July 11, on Services of the Information Society and Commerce Electronic (LSSI), and attending to the following: BACKGROUND FIRST: Dated 09/26/21 D. A.A.A. (hereinafter, “the complaining party”), files a claim with this Agency indicating that the indicated website Previously, the data protection regulations and the services of the company are not complied with. information society, with regard to the Cookies Policy implemented since when trying to enter the web and reject all cookies, it is expelled from the website making it impossible for you to continue browsing the website. SECOND: On 11/17/21 and 11/29/21, this Agency transferred the claim to the party complained against so that it could respond to it, in accordance with the provisions of article 65.4 of the LOPDGDD Law. attempts to notification resulted in the following: a).- According to a certificate from the Electronic Notifications Service and Address Electronic, the shipment made to the claimed entity, on 10/18/21, through of the electronic notification service "NOTIFIC@", was rejected in destination on 11/28/21. b).- According to a certificate from the State Post and Telegraph Society, the shipment made to the claimed entity, on 11/29/21 through the service of Postal notification from Correos, was delivered at destination on 12/16/21, being the receiver: Mrs. B.B.B.. ***NIF.1. THIRD: On 12/26/21, by the Director of the Spanish Agency for Data Protection, an agreement is issued to admit the processing of the claim presented, in accordance with article 65 of the LPDGDD Law, when assessing possible reasonable indications of a violation of the rules in the field of competences of the Spanish Agency for Data Protection. FOURTH: On 02/17/22, by the Subdirectorate General for Inspection of Data from this AEPD, the following preliminary investigation actions were carried out, in accordance with the provisions of article 67 of the LOPDGDD, regarding the characteristics presented by the Cookies Policy of the website, https://www.preicojuridicos.com/inicio/, verifying the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 1.- When entering the web for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain belongs to third parties, but some of them, are installed associated with the domain of the person in charge of the web: Cookies Domain Type of Cookie ssupp.visits .preicojuridicos.com technical cookie ssupp.vid .preicojuridicos.com technical cookie _pk_id. .preicojuridicos.com analytical cookie _pk_ref. preicojuridicos.com analytical cookie _gid .preicojuridicos.com analytical cookie _gat_gtag_UA_1 .preicojuridicos.com analytical cookie _pk_ses.3.796c .preicojuridicos.com analytical cookie _ga .preicojuridicos.com analytical cookie _fbp .preicojuridicos.com advertising cookie _fr .preicojuridicos.com advertising cookie 2.- There is a banner about cookies on the main page of the website with the following information: The website www.preicojuridicos.com uses its own and third-party cookies to collect information that helps optimize navigation on the website. I don't know will use cookies to collect personal information unless accepted explicit by the user. <<Accept>> <<Not accept>> If you wish to reject all cookies that are not necessary or technical, by clicking in the <<Do not accept>> option, it is verified that the user is expelled from the web. If you choose to accept all cookies, by clicking on the <<Accept>> option, you will check how the web no longer expels the user from it and continues to use the cookies indicated above. 3.- If you access the "Cookies Policy" through the existing link in the part bottom of the main page, the web redirects the user to a new page, https://www.preicojuridicos.com/blog/politica-cookies/ where it is provided information to the user about what cookies are, what types of cookies the site uses web, how to manage cookies through the browsers installed on the computer user terminal. But there is no information or the cookies used are identified the website, its functionality, whether they are their own or third-party or the time they will be active. FIFTH: On 02/24/22, the respondent entity files a written response to the request made by this Agency, in which, among others, it indicates what Next: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 “The facts that motivate the claim is that the claimant states that Browsing on the website www.preicojuridicos.com would not be allowed if The installation of cookies has not been previously accepted. In addition, the information contained in the legal texts could not be accessed because the site visitor is expelled from the web if he does not accept the cookies. That the stated incidence is meaningless since without accepting or Reject the installation of cookies if navigation is allowed within the web www.preicojuridicos.com The measures adopted have been: the elimination of cookies from the web and the elimination of the cookie warning banner which makes it possible to read of legal texts. It is stated that they have not been stored or They store personal data through cookies. As for the decision adopted, as stated above, and In order to comply with current legislation, we have proceeded to eliminate of the cookies of the web www.preicojuridicos.com as well as the elimination of the warning banner. SIXTH: On 03/01/22, this Agency carried out the following verifications in, with respect to the characteristics that the Policy of Cookies from the website, https://www.preicojuridicos.com/, checking what Next: 1.- When entering the web for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain belongs to third parties, but some of them, are installed associated with the domain of the person in charge of the web: Cookies Domain CONSENT .google.com / __Secure-ENID .google.com/ DV.google.com/ SOCS.google.com/ NID .google.com / AEC .google.com 2.- There is no type of banner about cookies on the main page of the website. 3.- If you access the "Cookies Policy" through the existing link in the part bottom of the main page, the web redirects the user to a new page, https://www.preicojuridicos.com/blog/politica-cookies/ where it is provided information to the user about what cookies are, what types of cookies the site uses web, how to manage cookies through the browsers installed on the computer user terminal. But there is no information or the cookies used are identified the website, its functionality, whether they are their own or third-party or the time they will be active. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 SEVENTH: On 03/01/22, by the Director of the Spanish Agency for Data Protection, the initiation of the sanctioning procedure by the alleged infringement of article 22.2 LSSI, due to the deficiencies detected in its cookie policy, imposing an initial penalty of 2,000 euros (two thousand euros), based on the provisions of art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Public Administrations (LPACAP). Attempts to notify the agreement to start the sanctioning file obtained as a result: - According to a certificate from the Electronic Notifications Service and Address Electronic, the shipment made to the claimed entity, on 03/01/22, through of the electronic notification service "NOTIFIC@", was rejected in destination on 03/12/22. Although the notification was validly made by electronic means, assuming carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, by way of informative, a copy was sent by mail that was reliably notified in dated 06/15/22, signing the reception: Dª C.C.C.. ***NIF.2. In said notification, recalled its obligation to interact electronically with the Administration, and informed him of the means of access to said notifications, reiterating that, as far as thereafter, you will be notified exclusively by electronic means. EIGHTH: Notification of the initiation of the file to the entity claimed on 06/15/22, to Today's date, there is no record in this Agency of the reception of any type of brief of allegations to the initiation of the file. In this sense, article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP) - provision of which the defendant was informed in the agreement to open the procedure, establishes that, if allegations are not made within the stipulated period on the content of the initiation agreement, when it contains a pronouncement accurate about the imputed responsibility, it may be considered a proposal for resolution. In the present case, the agreement to start the disciplinary proceedings determined the facts in which the imputation was specified, the infraction of the LSSI attributed to the claimed party and the sanction that could be imposed. Therefore, taking into consideration that the respondent party has not made allegations to the agreement of start of the file and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initial agreement is considered in the present case resolution proposal PROVEN FACTS Of the actions carried out in this procedure and of the information and documentation presented by the claimant, the following have been accredited characteristics regarding the Cookies Policy of the website www.preicojuridicos.com C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 First: When entering the web for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain belongs to third parties, but some of them, are installed associated with the domain of the person in charge of the web: Cookies Domain CONSENT .google.com / __Secure-ENID .google.com/ DV.google.com/ SOCS.google.com/ NID .google.com / AEC .google.com There is no type of banner about cookies on the main page of the website, nor no type of control panel where you can manage the use of cookies, for which is impossible to reject this type of cookies. If you access the "Cookies Policy" through the link at the bottom from the main page, the web redirects the user to a new page, https://www.preicojuridicos.com/blog/politica-cookies/ where it is provided information to the user about what cookies are, what types of cookies the site uses web, how to manage cookies through the browsers installed on the computer user terminal. But there is no information or the cookies used are identified the website, its functionality, whether they are their own or third-party or the time they will be active. FOUNDATIONS OF LAW I.- Competition: It is competent to initiate and resolve this Sanctioning Procedure, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of the art. 43.1, second paragraph, of the LSSI Law. II.- About the "Cookies Policy" of the website www.preicojuridicos.com a).- On the use of cookies in the terminal equipment prior to consent: Article 22.2 of the LSSI establishes that users must be provided with information clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. So, when the use of a cookie entails a treatment that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by the regulations on the protection of data. However, it is necessary to point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI those necessary cookies C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 for the intercommunication of the terminals and the network and those that provide a service expressly requested by the user. In this sense, the GT29, in its Opinion 4/201210, interpreted that among the cookies excepted would be the user input Cookies” (those used to filling in forms, or managing a shopping cart); cookies from user authentication or identification (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a site Web); media player session cookies; session cookies to balance load; user interface customization cookies and some of plugin (plug-in) to exchange social content. These cookies would remain excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be necessary to inform or obtain consent on its use. On the contrary, it will be necessary to inform and obtain the prior consent of the user. before the use of any other type of cookies, both first and third party, session or persistent that are not technical or necessary. In our case, when entering the web for the first time, without accepting cookies or performing no action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain is Google Analytics. b).- About the existing cookie information banner in the first layer (Homepage): The banner on cookies of the first layer must include information regarding the identification of the editor responsible for the website, in the event that your data identifiers do not appear in other sections of the page or that their identity cannot obvious detachment from the site itself. It must also include a Generic identification of the purposes of the cookies that will be used and if they are own or also third parties, without it being necessary to identify them in this first layer. In addition, it must include generic information on the type of data to be collected. collect and use in case user profiles are created and must include information and the way in which the user can accept, configure and reject the use of cookies, with the warning, where appropriate, that if a certain action, it will be understood that the user accepts the use of cookies. Apart from the generic information about cookies, in this banner there must be a clearly visible link to a second informative layer on the use of the cookies. This same link can be used to lead the user to the control panel. cookie configuration, provided that access to the configuration panel is direct, that is, that the user does not have to navigate inside the second layer to locate it. In the case at hand, it has been found that there is no type of banner of information about cookies on the main page of the web. b).- Regarding consent to the use of unnecessary cookies: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 For the use of non-excepted cookies, it will be necessary to obtain the consent expressly stated by the user. This consent can be obtained by doing click on, “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred. Therefore, the mere user inactivity, scrolling or browsing the website, will not be considered effects, a clear affirmative action in any circumstance and will not imply the provision of consent itself. Similarly, access to the second layer if the information is presented in layers, as well as the necessary navigation to that the user manage their preferences in relation to cookies in the panel of control, nor is it considered an active behavior from which the acceptance of cookies. The existence of "Cookie Walls" is not allowed either, that is, windows pop-ups that block the content and access to the web, forcing the user to accept the use of cookies to be able to access the page and continue browsing. If the option is to go to a second layer or cookie control panel, the link it should take the user directly to that configuration panel. To facilitate se- lesson, the panel can be implemented, in addition to a granular management system of cookies, two more buttons, one to accept all cookies and another to reject- all of them If the user saves his choice without having selected any cookie, You will understand that you have rejected all cookies. Regarding this second possibility, In no case are the pre-marked boxes in favor of accepting cookies admissible. If for the configuration of cookies, the web refers to the browser configuration installed in the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. Therefore, if the publisher opts for this option, it must also offer, and in any case, a mechanism that allows you to reject the use of cookies and/or do it in a granular way, on your own page. web page On the other hand, the withdrawal of the consent previously given by the user de- It should be able to be done at any time. To this end, the publisher must offer a mechanism that makes it possible to withdraw consent easily at any time. unto This facility will be considered to exist, for example, when the user has access to so simple and permanent to the cookie management or configuration system. If the editor's cookie management or configuration system does not allow to avoid the use of third-party cookies once accepted by the user, information will be provided training on the tools provided by the browser and third parties, de- being aware that, if the user accepts third-party cookies and later wishes to delete them, you must do it from your own browser or the system enabled by the third parties for it. In our case, it has been found that there is no possibility of rejecting cookies that are not technical or necessary nor is there any type of control panel where they can be managed granularly or by groups. c).- On the information provided in the second layer (Policy of Cookies): C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 More detailed information about cookies should be provided in the Cookies Policy. characteristics of cookies, including information about, the definition and general function cookie information (what are cookies); about the type of cookies used and its purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, if the information obtained by the cookies is treated only by the publisher and/or also by third parties with identification of the latter; the period- do of conservation of the cookies in the terminal equipment; and if it is the case, information on data transfers to third countries and the elaboration of profiles that im- Apply automated decision making. In our case, it has been found that in the "Cookies Policy" of the website there is no information or identify the cookies used by the site, their functionality, if they are own or third party or the time they will be active. III.- Qualification and sanction that corresponds with respect to the infraction committed with respect to to the Cookies Policy: The deficiencies detected in the verification of the web page www.preicojuridicos.com are: - The use of cookies that are not technical or necessary, without the prior consent of users. - The non-existence of an information banner about cookies on the page website main. - The impossibility of rejecting cookies that are not technical or necessary or make it granular. - The lack of information in the "Cookies Policy" about the cookies used the web and the time they will be active. All the anomalies indicated, with respect to the cookie policy suppose, for part of the claimed, the commission of the infraction of article 22.2 of the LSSI: “Service providers may use storage devices and recovery of data in terminal equipment of the recipients, on condition that they have given their consent after they have been provided clear and complete information on its use, in particular, on the purposes of data processing, in accordance with the provisions of the Law Organic 15/1999, of December 13, on the protection of personal data staff. Where technically possible and effective, the recipient's consent to accept the treatment of the data may be facilitated through the use of the appropriate parameters of the browser or other applications. The foregoing will not prevent the possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over a network of electronic communications or, to the extent strictly necessary, for the provision of a service of the information society expressly requested by the recipient. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI. In accordance with the criteria indicated above, it is considered appropriate to impose a sanction of 2,000 euros, (two thousand euros) to the claimed party, for the infraction of the article 22.2 of the LSSI, regarding the Cookies Policy made on your page Web. In view of the foregoing, the following is issued: RESOLVES: FIRST: IMPOSE the entity PREICO JURÍDICOS, S.L., with CIF: B67071472, owner of the website, https://www.preicojuridicos.com, a fine of 2,000 euros (two thousand euros), for the infringement of article 22.2 LSSI, regarding the Policy implemented on your website. SECOND: NOTIFY this resolution to the entity PREICO JURÍDICOS, S.L., and report the result to the complaining party. Warn the sanctioned party that the sanction imposed must be made effective once it is enforce this resolution, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Ad- Public Administrations (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, me- upon deposit in the restricted account Nº ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection at CAIXABANK Bank, S.A. or otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment will be until the 20th day of the following month or immediately after, and if is between the 16th and last day of each month, both inclusive, the term of the payment It will be valid until the 5th of the second following month or immediately after. In accordance with the provisions of article 82 of Law 62/2003, of December 30, bre, of fiscal, administrative and social order measures, this Resolution is will make public, once it has been notified to the interested parties. The publication is made will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection on the publication of its Resolutions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 Against this resolution, which puts an end to the administrative procedure, and in accordance with the established in articles 112 and 123 of the LPACAP, the interested parties may interpose have, optionally, an appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly contentious-administrative appeal before the Contentious-administrative Chamber of the National High Court, in accordance with the provisions placed in article 25 and in section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the interested party do states its intention to file a contentious-administrative appeal. If it is- In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal tive within two months from the day following the notification of this resolution, would end the precautionary suspension. Sea Spain Marti Director of the Spanish Agency for Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es