AEPD (Spain) - PS/00475/2021: Difference between revisions
(→Facts) |
mNo edit summary |
||
Line 46: | Line 46: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=Carmen Villarroel | |Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Carmen.villarroel Carmen Villarroel] | ||
| | | | ||
}} | }} |
Latest revision as of 14:26, 24 November 2022
AEPD (Spain) - PS/00475/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 22(2) LSSI |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | |
Published: | 04.01.2022 |
Fine: | 20000 EUR |
Parties: | MyHeritage, LTD |
National Case Number/Name: | PS/00475/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined a online genealogy platform €20,000 (reduced to €16,000 because of an early payment) for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.
English Summary
Facts
A Spanish Consumers and Users Organisation lodged a complaint with the Spanish DPA (AEPD) against MyHeritage, LTD, an online genealogy platform that offers a genetic testing service that analyses the user's DNA. The Spanish branch is part of a company based in Israel.
The complainant raised several issues:
- International transfers of personal data outside the EEA to countries without adequate guarantees, as stipulated in Article 46 GDPR.
- Processing of personal data without a clear legal basis, and lack of adequate information given to the data subject.
- Processing of genetic personal data (DNA) that does not seem to comply with any of the exceptions contained in Article 9(2) GDPR.
- Disclosure to other users of the personal data of third parties that are included in the genealogical trees.
- Disclosure of personal data of users among which "DNA Matches" or "Smart Matches" (similarities between their DNA) are established.
- Assignments to third parties for strange purposes (e.g. to protect their rights or the property of other users).
- Doubtful sharing of information with "Genealogy partners".
- Deficiencies in information and consent related to cookies.
- Legitimization of "investigations" based on consent. Doubts about whether they really get consent, what this investigation really consists of, its purposes, as well as the information provided to the data subjects.
- Doubts about the processing of data for commercial purposes (opposition to the sending of advertising communications and what legal basis is used to send these, clarifying whether cookies are their own or third-party cookies, which is not clear in the privacy policy).
- Deficiencies in information about the processing activities.
- The privacy policy does not clearly specify that one should send their genetic material and not that of another. This issue could refer to the security measures to prove that a person is sending you their genetic material and not that of another person.
- Other deficiencies in the matter of information to users from Article 13 GDPR.
- No doors are closed to possible assignments or sales under license of health information or DNA of users who are not Russian, Norwegian and Swedish.
- Processing of minors' data between 13 years and the minimum age that each country establishes to provide consent without needing that of their parents or guardians.
- Other deficiencies in the drafting of the policy (inconsistencies, duplicities, omissions, ambiguities, etc.)
- Issues related to the exercise of rights.
- Doubts about the storage period of data once deleted, and the scope of the deletion.
Hence, the AEPD launched a general investigation.
Holding
According to the AEPD, the controller did not provide all the information required by Article 13 GDPR, since information about the right to portability and to restrict the processing was missing, as well as information about the right to lodge a complaint with the supervisory authority. In this regard, AEPD issued a reprimand to the controller and ordered them to include such information.
The AEPD found no evidence whatsoever of a violation of Article 6 GDPR, nor of Article 8 GDPR. There was also no violation of Article 9 GDPR, since the exception for explicit consent from Article 9(2)(a) GDPR applied.
With regard to international transfers of data, the AEPD concluded that there was no evidence of a violation, since the complainant did not point to any specific risks, and the controller manifested that they were working on new Standard Contractual Clauses (SCCs).
The AEPD also disregarded all the other allegations, finding no violations whatsoever, except in relation to cookies. Regarding cookies, the AEPD found that the website placed unnecessary own and third-party cookies before asking for consent. Additionally, the information offered in the banner was insufficient, and the cookies policy did not identify the cookies the web used. According to the AEPD, such facts constituted a violation of Article 22(2) LSSI, (the Spanish law implementing the e-Privacy Directive), and fined the controller €20,000, that were reduced to €16,000 because of an early payment.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/30 File No.: PS / 00475/2021 RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT VOLUNTARY Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On October 1, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning procedure to MYHERITAGE, LTD (hereinafter, the claimed party), through the Agreement that is transcribed: << File No.: PS / 00475/2021 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following: FACTS FIRST: The ORGANIZATION OF CONSUMERS AND USERS (hereinafter, the complaining party) on July 1, 2020 filed a claim with the Agency Spanish Data Protection. The claim is directed against MY HERITAGE, LTD (hereinafter, the claimed party). The reasons on which you base the claim are the following. The Organization of Consumers and Users (OCU) indicates a series of possible breaches of data protection regulations by the person responsible for the web portal https://www.myheritage.es/, in which they are offered to Spanish residents Genealogical services, including DNA analysis and comparisons: - International transfers of personal data outside the EEA to countries without guarantee C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/30 adequate fees, as stipulated in art. 46 GDPR. - Processing of personal data without a clear legitimation basis, and lack of information- adequate treatment to the affected person. -Treatment of personal data of a genetic nature (DNA) that does not seem to comply none of the premises contained in art. 9.2 GDPR. - Disclosure to other users of the personal data of third parties that are included in family trees. - Disclosure of personal data of users among which are established "Coinciden- DNA Matches "or" Smart Matches "(similarities between your DNA). - Assignments to third parties for strange purposes (eg to protect their rights or property) other users) - Doubtful sharing of information with "Genealogy partners" - Deficiencies in information and consent to "cookies" - Legitimation of "investigations" based on consent. Doubts about whether to really understand, what this research really consists of, and the purposes of the itself, as well as the information provided to the owners of the data. - Doubts about the processing of data for commercial purposes (opposition to the sending of co- advertising communications, and what basis of legitimacy is used for shipments, clarification rando if they are own or of third parties - in the policy it is not clear). - Deficiencies in information about the treatments carried out: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/30 - The privacy policy does not clearly specify that one should send their ma- genetic material and not that of another. This question could refer to that of security measures. to prove that a person is sending you their genetic material and not that of another person. - Other deficiencies in the matter of information to users (art. 13 RGPD) - Do not close doors to possible assignments or sales under license of information from health or DNA of users other than Russian, Norwegian and Swedish. - Treatment of data of minors between 13 years and the minimum age that each country is- table to accept the consent of a staff without needing that of their parents or tutors. - Other deficiencies in the drafting of the policy (inconsistencies, duplications, omission- nes, ambiguities, etc.) - Issues related to the exercise of rights: - Doubts about the conservation of data once deleted, and the scope of the deletion nation. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. No response has been received to this letter, although there has been no record of his reply. reception by the claimed party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/30 THIRD: On November 30, 2020, the Director of the Spanish Agency of Data Protection agreed to admit to processing the claim presented by the party claimant. FOURTH: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the investigation authorities in article 57.1 of Regulation (EU) 2016/679 (General Regulation of Protec- tion of Data, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: - On 05/24/2021 DIGITAL VALLADOLID, S.L. sends this Agency the following you information and statements: That the owner of the domain myheritage.es is A.A.A .. - Dated 08/24/2021 MYHERITAGE LTD. sends this Agency the following information mation and representations of its unofficial translation from English: (…) - On 07/22/2020 it is verified that in the privacy policy of myherita- ge.es consists of: 1. In the section “WHAT PERSONAL INFORMATION IS COLLECTED FROM YOU OR ABOUT YOU?": “2) Information about your family and third parties: You can also enter other information personal training about yourself and others while creating your tree. genealogical bowl or study of your family on the Website, for example, names, relationships tions, dates and places of birth and death, contact information such as a email address and photos. If you decide to invite a family member or other person to view or edit your family tree, we will ask for the email address and name of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/30 said person. Before issuing the invitation, you will need to ensure that you have the consent of this person to transmit their data to MyHeritage. When creating a family tree, you decide which relatives to add to the family tree. tree, whether it adds deceased, living, or both, and what information it provides about they. To add living relatives to the family tree, you will need to obtain their consent. prior mentoring. Before adding living minor relatives to the family tree, you must obtain the consent of your parent or guardian. " 2. In the section "WHAT DO WE USE YOUR PERSONAL INFORMATION FOR?" consists of: "[...] iv) For internal company uses: In order to improve the Service and develop new products and services, we may use your personal information to perform internal data analysis, to study the use made of the Website, to diagnose problems and ensure the security of the Service, to identify trends usage patterns and to determine the effectiveness of promotional campaigns. For For example, we can examine how much time visitors spend on each page of the Si- tio Web and how they navigate through it. We will only use this information to improve the Website. We use your IP address to provide you with the Website and our Service, as well as as well as to diagnose problems in our servers. Your IP address is also used to gather broad demographic information, such as the geographic distribution of our members. When you visit the Service for the first time, we will use your address IP address to offer you the Service in the language that we consider most appropriate for the geographic region in which it originates. […] " 3. In the section “WILL MYHERITAGE DISCLOSE YOUR PERSONAL INFORMATION TO THIRDS?" consists of: “The personal information that you provide us will never be sold or transferred under license. cence. We will never sell or license DNA or health information to third parties without your express informed consent. We will never sell or give up Licensed DNA or health information belonging to users from Russia, No- begs or Sweden under any circumstances (even if they give an informed consent) mado express). […] " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/30 4. In the section "DATA CONSERVATION" it appears: "[...] In some cases, when you or we remove your content, you may per- copies of such information are conspicuously kept in other places to the extent that such copy has been shared with others or otherwise distributed according to your privacy settings or has been copied or stored by others users. For example, other users may have copied part of your tree nealogical in your own family tree. […] " 5. In the section “HOW CAN YOU ELIMINATE INFORMATION ABOUT YOU OR YOUR FAMILY OR CAN YOU LET US KNOW? " consists of: "[...] In case of controversies or problems with other types of personal information present on the Website about you, contact us at the primary address vacy@myheritage.com. If you are a registered member of the Website and send us a request regarding information that you entered on the Website, we will ask you to communicate with us from the same email address as used to register on the Website. If not, we may need to verify your identity before considering your request. If you need additional help, you can write an email to the primary address vacy@myheritage.com to ask us to help you remove any information tion you want, and our staff will promptly address your request unless, upon examination, it is deemed illegitimate. […] " - On 05/24/2021 it is verified that the myheritage.es cookie policy The sections consist of: to. What are cookies and why does MYHERITAGE use them? b. What are the different types of cookies? c. How to manage your cookie preferences? d. How to manage cookies through your browser settings? C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/30 and. How to disable interest-based advertising? F. Will this cookie policy be modified? - On 07/22/2020 it is verified that in the terms and conditions of myherita- ge.es consists of: 1. In the “DNA Services” section: "[...] Furthermore, you declare that any DNA sample you provide, as well as any information you transfer or upload that relates an individual to your Test Results DNA, refers either to your DNA or, solely with respect to the use of the Services DNA genealogy data, to the DNA of a person of whom you are the guardian or of the that you have obtained legal authorization to provide us with your DNA. […] " - On 08/30/2021 it is verified that in the privacy policy of myherita- ge.es consists of: 1. In the section “WILL MYHERITAGE DISCLOSE YOUR PERSONAL INFORMATION TO THIRDS?" consists of: "WE WILL NEVER SELL OR GRANT LICENSES WITH RESPECT TO THE PERSONAL INFORMATION PROVIDED BY YOU, INCLUDING INFORMATION GENETIC MATION AND HEALTH INFORMATION, TO THIRD PARTIES, INCLUDING INSURANCE COMPANIES, GOVERNMENT AGENCIES, OTHERS COMPANIES OR EMPLOYERS. " FOUNDATIONS OF LAW C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/30 I Competence - About the "Privacy Policy", "Treatment" and "Transfers": It is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection, by virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, Relating to the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of this Data (RGPD) recognizes each Au- Control and, as established in arts. 47, 64.2 and 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), Sections 1) and 2) of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may provide to the effect, mentioning in point 1.d), that of: “notify the person in charge or commission of the treatment of the alleged infringements of this Regulation ”and in 2.i), that of: “Impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case." Article 3.2 of the RGPD establishes territorial jurisdiction, noting the following: 2. This Regulation applies to the processing of personal data of interested parties. residing in the Union by a person in charge or manager not established in the Union, when the treatment activities are related to: a) the offer of goods or services to said interested parties in the Union, independently if they are required to pay, or b) the control of their behavior, insofar as it takes place in the Union. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/30 - About the Cookies Policy: It is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of the art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI), is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection. Article 4 of the LSSI establishes territorial jurisdiction for providers established in a State not belonging to the European Union or Space European Economic, noting the following: "To providers established in countries that are not members of the European Union or of the European Economic Area, the provisions of articles 7.2 and 11.2. The providers that direct their services specifically to the Spanish territory will be subject, in addition, to the obligations provided for in this Law, provided that this does not contravene the provisions of international treaties or conventions that are applicable. " II Upon receipt of the broad and generic complaint presented by the complaining party, mante, preliminary investigation actions were initiated consisting of requesting information mation to the claimed party located in Israel. To not have data of any claimant, The research carried out is generic and it has not been possible to address more specific questions. chalk. For a better understanding of the result of these actions, they are included in different the denounced facts separated. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/30 Regarding deficiencies in the information provided to users whose data is object of treatment. Article 5 of the RGPD regarding the principles that must govern data processing personal mention among them that of transparency. Section 1 of the precept provides ne: "The personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party ("Legality, loyalty and transparency") " Manifestation of the principle of transparency is the obligation incumbent on the data controllers to inform, in the terms of article 13 of the RGPD, to the owner of personal data when they are obtained directly from the interested party: "one. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, their re presenter; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the legal basis- treatment statement; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimacy of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in Their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to guarantees appropriate or appropriate and the means to obtain a copy of these or the fact of that have been borrowed. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/30 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the moment in which the personal data is obtained sonal, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation- tion of their treatment, or to oppose the treatment, as well as the right to portability data quality; c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the feeling prior to withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and are informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences views of said treatment for the interested party. 3. When the person responsible for the treatment plans the subsequent treatment of data personal coughs for a purpose other than that for which they were collected, will provide to the interested party, prior to said subsequent treatment, information about that other purpose and any additional relevant information pursuant to section 2. 4. The provisions of sections 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information. " In this sense, Recital 60 of the RGPD says that “The principles of treatment loyal and transparent require that the interested party be informed of the existence of the tion of treatment and its purposes. The data controller must provide the interested party sado as much additional information is necessary to guarantee a treatment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/30 fair and transparent, taking into account the specific circumstances and context in that personal data is processed. The interested party must also be informed of the existence tenance of profiling and the consequences of such elaboration. Yes the personal data is obtained from the interested parties, they must also be informed of if they are obliged to facilitate them and of the consequences if they do not. " The information collected in the privacy policy, which has been updated and expanded- da, does not respond to all the requirements contained in article 13 of the RGPD. It is found that there is no information on the possibility of exercising the right of portability and the right to limit treatment. Likewise, the right of the intellectuals is not indicated. rested from filing a claim with the supervisory authority. The form used violates article 13 of the RGPD conduct that is subsumable in article 83.5 of the RGPD which provides: “Violations of the provisions The following will be sanctioned in accordance with section 2, with administrative fines of EUR 20,000,000 maximum or, in the case of a company, of an equal amount equivalent to a maximum of 4% of the total global annual turnover for the financial year above, opting for the one with the highest amount: (...) b) The rights of the interested parties in accordance with articles 12 to 22; " For the mere purposes of prescription, article 74.1.a) of the LOPDGDD considers as slight “a) Failure to comply with the principle of transparency of information or the right to information of the affected person for not providing all the information required by the Articles 13 and 14 of Regulation (EU) 2016/679. ”. The statute of limitations for the light fractions provided for in Organic Law 3/2018 is one year. Article 58.2 of the RGPD establishes: “Each supervisory authority shall have all the following corrective powers listed below: to) (..) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/30 b) direct a warning to any data controller or processor when If the processing operations have infringed the provisions of this Regulation- ment; c) ... d) order the person in charge or in charge of treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time; (...) i) impose an administrative fine in accordance with article 83, in addition or instead of of the measures mentioned in this section, according to the circumstances of each particular case ”. In the present case, taking into account the special circumstances that concur and conform to Recital 148 of the RGPD, according to which when there is a minor infringement instead of the fine, the warning sanction may be imposed, in this phase of the procedure, and without prejudice to the result of the investigation, it is estimated that for the infringement of article 13 of the RGPD, it is necessary to impose the sanction of warning to; taking into account that the privacy policy is very complete, although they have omitted two pieces of information: the possibility of exercising the right of portability and treatment, and the right to file a claim with the authority of control. Likewise, in the event that the resolution goes in the same direction as this agreement, It would be appropriate to impose the corrective measure described in article 58.2.d) RGPD and order tell the respondent to prepare a data collection form that offers to the affected all the information that is obliged to provide under article 13 of the GDPR. III Regarding the treatment of user data Article 6 of the RGPD, “Legality of the treatment”, specifies in section 1 the assumptions coughs in which the processing of third party data is considered lawful: "one. The treatment will only be lawful if it meets at least one of the following conditions. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/30 nes: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or of another Physical person. e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary to satisfy the legitimate interests pursued by the person responsible for the treatment or by a third party, provided that on said interests interests or fundamental rights and freedoms of the interest do not prevail. that require the protection of personal data, in particular when the interested party sado be a boy. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out zado by public authorities in the exercise of their functions. two. (…)" Article 4 of the RGPD, “Definitions”, section 2, offers a legal concept of “treatment ment ":" any operation or set of operations carried out on personal data data or set of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of enabling access, collation, interconnection, limitation, suppression sion or destruction ”. The investigated entity legitimizes the processing of your data in the consent of the in- interested party, in which the treatment is necessary to execute a contract entered into with the user, and that the treatment is necessary to comply with a legal obligation per- relevant. Although the legal basis of section c) of article 6.1 of the RGPD refers to the existence of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/30 of “a legal obligation”, and the AEPD's Legal Office indicates that the sentiment do of the expression "legal obligation" contained in article 6.1.c) of the RGPD is equivalent, in the Spanish regulation of data protection, to the obligation established in a law in a formal sense, to a norm with the force of law. The investigated entity can legitimize mar the treatment of personal data in the first two sections of the article 6.1 of the RGPD. In relation to the possible disclosure of personal information, they state that as part of the periodic reviews they carry out to their privacy policy to ensure ensure that the information they provide accurately reflects the way they treat personal data, have reviewed this policy and have specified the cases of communication disclosure of data to third parties “if required by law or during a judicial process, or for prevent fraud and cybercrime. " In the present case, according to the data available at this time of agreement to initiate the sanctioning procedure, no evidence has been found that prove a breach of the provisions of article 6 of the RGPD. Data processing of children under 13 years of age Article 7 of the LOPDGDD establishes the following: "one. The processing of personal data of a minor only It may be based on your consent when you are over fourteen years of age. Exceptions are those cases in which the law requires the assistance of the owners of the homeland. power or guardianship for the celebration of the act or legal business in which context is Obtain consent for the treatment. "two. The treatment of the data of minors under fourteen years of age, based on the Consent, will only be lawful if it consists of that of the holder of parental authority or guardianship, with the scope determined by the holders of parental authority or guardianship. " The investigated entity indicates that data of children under 14 years of age are not processed. For People over 14 years of age and up to 18 years do treat them and in all C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/30 cases have collected parental consent. In the present case, according to the evidence available at this time According to the initiation of the sanctioning procedure, it is considered that the treatment of data of the claimed website, does not contradict the provisions of article 7 of the LOPDGDD in relation to art. 8 of the GDPR. IV Regarding the treatment of special categories of user data These categories of data are regulated in article 9 of the RGPD, which de- The following ends in its first two sections: "one. The processing of personal data that reveals the origin is prohibited ethnic or racial beliefs, political opinions, religious or philosophical convictions, or union membership, and the treatment of genetic data, biometric data aimed at identifying unequivocally identify a natural person, data related to health or data related to you to the sexual life or sexual orientations of a natural person. 2. Section 1 shall not apply when one of the circumstances occurs. following: a) the interested party gave their explicit consent for the treatment of said personal data for one or more of the specified purposes, except when the Right- the Union or the Member States establishes that the aforementioned prohibition in section 1 it cannot be lifted by the interested party; b) the treatment is necessary for the fulfillment of obligations and the exercise cio of specific rights of the person responsible for the treatment or of the interested party in the scope of labor law and social security and protection, insofar as this is Authorized by Union law of the Member States or a collective agreement in accordance with the law of the Member States that establishes adequate guarantees respect for the fundamental rights and interests of the interested party; c) the treatment is necessary to protect vital interests of the interested party or of another natural person, in the event that the interested party is not qualified, physical or C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/30 legally, to give your consent; d) the treatment is carried out, within the scope of its legitimate activities and with the due guarantees, by a foundation, an association or any other body non-profit, whose purpose is political, philosophical, religious or union, always that the treatment refers exclusively to current or former members of the organizations or persons who maintain regular contact with them in relation to with their purposes and provided that personal data is not communicated outside of them without the consent of the interested parties; e) the treatment refers to personal data that the interested party has made ma- not publicly; f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function; g) the treatment is necessary for reasons of an essential public interest, on the basis of Union or Member State law, which must be proportionate nal to the objective pursued, to respect essentially the right to data protection and establish adequate and specific measures to protect the interests and rights fundamentals of the interested party; h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity, medical diagnosis, provision of assistance health or social care or treatment, or management of health care systems and services health and social assistance, on the basis of Union or State law members or by virtue of a contract with a healthcare professional and without prejudice to the conditions and guarantees referred to in section 3; i) the treatment is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to the health, or to guarantee high levels of quality and safety of care health and medicines or health products, on the basis of the Right to the Union or the Member States to establish appropriate and specific measures to protect the rights and freedoms of the interested party, in particular professional secrecy sional; j) the treatment is necessary for archival purposes in the public interest, purposes of scientific or historical research or statistical purposes, in accordance with article 89 (1) on the basis of Union or Member State law, which must be proportional to the objective pursued, respect essentially the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party. " On the other hand, with regard to the treatment of special categories of city data, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/30 Spanish danos, article 9.1 of the LOPDGDD is applicable, which indicates the following tea: "one. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid discriminatory situations, the consent of the affected person alone will not be enough to lift the prohibition of the processing of data whose main purpose is to identify your ideology, union affiliation, religion, sexual orientation, racial or racial beliefs or origin ethnic. The provisions of the preceding paragraph will not prevent the processing of said data under the other assumptions contemplated in article 9.2 of the Regulation (EU) 2016/679, when applicable. " The claimed entity provides a DNA KIT service to users who want to use it. In the Register of treatment activities they differentiate the purpose of carrying out the Family tree for the DNA KIT service. Regarding the purpose, the claimed entity indicates the following: "The main purpose is the provision of our DNA services. This means dispatching the DNA kit to the user / reci- pient following a purchase, to perform genetic analysis and to present the DNA results, which include Ethnicity Estimates and optionally also DNA Matches ”, that is, the fi- main purpose is genetic testing and obtaining results; optionally with the results they can get matches between users. It is a specific service that has the main purpose of obtaining the map genetic of the subject. Well, in the privacy policy and in the answer to the request for information carried out by this Agency, the investigated entity indicates that the processing of «data special category "or" sensitive personal data "is only allowed when there is a relevant exemption. Special category data includes genetic information, which they treat as part of the DNA Services, as well as any information about your ethnicity or information from the Questionnaire Health. In such cases, special category data or personal data sensitive, the prohibition of their treatment is lifted by virtue of the consent explicit and informed of the user. The details of the data processing C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/30 DNA and information that can be shared with third parties, it consists detailed in the Acts section. In the present case, according to the data available at this time of agreement to initiate the sanctioning procedure, no evidence has been found that prove a breach of what is stipulated in article 9 of the RGPD. V Treatment of user data for commercial purposes The complaint raises questions about the processing of data for commercial purposes and if possible the opposition to the sending of advertising communications. The sending of advertising emails is regulated in article 21 of the LSSI, which establishes: "one. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same. 2. The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider had obtained lawfully the recipient's contact details and will use them to send communications commercial related to products or services of your own company that are similar to those that were initially contracted with the client. Throughout In this case, the provider must offer the recipient the possibility of opposing the processing of your data for promotional purposes using a simple procedure and free, both at the time of data collection and at each of the commercial communications that you direct. When the communications had been sent by email, said means must necessarily consist of the inclusion of an email address or other valid email address where this right can be exercised, the sending of communications that do not include said address. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/30 In relation to commercial communications, the claimed entity indicates that it is They see about products or services that are identical or similar to those that users used or acquired. Users can choose not to receive further communications to through the "unsubscribe" link present at the bottom of the communications or modifying your preferences. SAW Deficiencies in the use and information of cookies This Agency has been able to verify that, when entering the initial page of the web, (first layer), without taking any action on it and without rejecting cookies, The website uses non-necessary cookies, both its own and those of third parties. Also, in the initial page the banner does not report well; the cookie policy does not identify the cookies they use. The exposed facts could suppose on the part of the claimed entity the commission of the violation of article 22.2 of the LSSI, according to which: “Service providers may use storage and retrieval devices ration of data in terminal equipment of recipients, provided that the same We have given their consent after information has been provided to them clear and complete on its use, in particular, on the purposes of the treatment of the data, in accordance with the provisions of Organic Law 15/1999, of December 13, protection of personal data. When technically possible and effective, the consent of the recipient to accept the data processing may be facilitated by using the parameters from the browser or other applications. The foregoing will not prevent possible storage or access of a technical nature to only in order to carry out the transmission of a communication over a communication network electronic devices or, insofar as is strictly necessary, for the provision of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 21/30 an information society service expressly requested by the recipient. River". This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which considers as such: "Use data storage and recovery devices when the information had not been provided or the consent of the recipient had not been obtained. natario of the service in the terms required by article 22.2. ”, which may be sanctioned nothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI. After the evidence obtained in the preliminary investigation phase, and without prejudice to Whatever results from the instruction, it is considered that the sanction should be ner in accordance with the following aggravating criteria, established in art. 40 of the LSSI: - The existence of intentionality, an expression that must be interpreted as equi- value to degree of guilt according to the Judgment of the Hearing National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the entity denounced the determination of a system for obtaining consent informed service that conforms to the mandate of the LSSI. - Period of time during which the offense has been committed (section b). Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 20,000 euros (twenty thousand euros), for the violation of article 22.2 of the LSSI, regarding the cookie policy made on the myheritage.es website. VII Legitimation of "research" based on consent MYHERITAGE has reported that users from Spain have been excluded two of the research project carried out with broad purposes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 22/30 Data retention The information provided by the entity in its privacy policy is as follows: We will retain your personal information only for as long as necessary to Comply with the purposes for which it was collected and with the applicable legislation. This means means that we will store your personal information for as long as necessary. river to provide our services, unless we have a legal basis for keep it for a longer period of time (for example, once your subscription ends tion, we may still have a legitimate interest in using your contact details to offer you our service commercially). We also keep the information personal information we need to complete pending tasks and to exercise our legal rights and assert our claims, as well as determine nothing personal information that we must keep for a specified period of time ceptive (in the latter case, our treatment of such information is limited). Yes you accept the DNA Informed Consent Agreement, we may retain the information provided pursuant to it for as long as it deems- We are necessary for the research purposes contained therein. In some cases, when you or we remove your content, you may per- copies of such information are conspicuously kept in other places to the extent that such copy has been shared with others or otherwise distributed according to your privacy settings or has been copied or stored by others users. For example, other users may have copied part of your tree nealogical in your own family tree. The information removed and deleted may da is kept in backup copies for a limited time for internal use from our company, but it will not be available to you or other users. The first paragraph of the information complies with the provisions of article 17 of the RGPD regarding the deletion of data. If the interested party opposes receiving publicity, no They may keep any data for that purpose. The second paragraph warns of the possibility that, if the user himself has left his genealogical tree publicly, blica, can be copied or saved by third parties. Therefore, they inform about the criteria used for the conservation of the data; he has- referring to the possibility that if the user has made his / her family tree public logical, it can be copied and kept by third parties outside the claimed entity. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 23/30 International data transfers Article 45 of the RGPD establishes the following: "one. A transfer of personal data may be made to a third country or international organization when the Commission has decided that the third country, a territory or one or more specific sectors of that third country, or the international organization national authorities guarantee an adequate level of protection. Said transfer cia will not require any specific authorization. 2. When evaluating the adequacy of the level of protection, the Commission shall take into account ta, in particular, the following elements: a) the rule of law, respect for the human rights and fundamental freedoms, relevant legislation, both general and general as well as sectoral, including that relating to public security, defense, nationality and criminal legislation, and the access of public authorities to data personal, as well as the application of said legislation, the norms of protection of data, professional standards, and security measures, including social standards, On subsequent transfers of personal data to another third country or international organization observed in that country or international organization, jurisprudence, as well as as the recognition of the interested parties whose personal data is being transferred due to effective and enforceable rights and administrative remedies and legal actions cials that are effective; b) the existence and effective operation of one or more independent control authorities in the third country or to which a international organization, with the responsibility of guaranteeing and enforcing the data protection rules, including adequate enforcement powers, to assist and advise interested parties in the exercise of their rights, and to cooperate with the supervisory authorities of the Union and of the Member States, and c) the international promises made by the third country or international organization of in question, or other obligations derived from agreements or instruments legally binding, as well as their participation in multilateral or regional systems, in particular in relation to the protection of personal data. 3. The Commission, after having assessed the adequacy of the level of protection, may will decide, by means of an implementing act, that a third country, a territory or one or several specific sectors of a third country, or an international organization guaranteeing C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 24/30 provide an adequate level of protection in accordance with the provisions of section 2 of the Sente article. The execution act will establish a periodic review mechanism, at the least every four years, taking into account all relevant events in the third country or in the international organization. The act of execution will specify its territorial and sectoral scope of application, and, where appropriate, will determine the authority or control authorities referred to in paragraph 2, letter b) of this article. The The implementing act shall be adopted in accordance with the examination procedure referred to re Article 93, paragraph 2. 4. The Commission will continuously monitor events in the country. third parties and international organizations that may affect the effective application of tion of the decisions taken pursuant to paragraph 3 of this article and of decisions taken on the basis of Article 25 (6) of the Directive 95/46 / EC. 5. When the information available, in particular after the review to which it refers referred to in paragraph 3 of this article, show that a third country, a territory or a specific sector of that third country, or an international organization no longer guarantees an adequate level of protection pursuant to paragraph 2 of this article, the Commission sion, through acts of execution, will repeal, modify or suspend, to the extent necessary and without retroactive effect, the decision referred to in section 3 of the present I article. Said implementing acts shall be adopted in accordance with the procedure examination referred to in article 93, paragraph 2. For imperative reasons of urgency duly justified agency, the Commission will adopt acts of immediate execution- enforceable in accordance with the procedure referred to in article 93, section 3. 6. The Commission shall enter into consultations with the third country or international organization. nal with a view to remedying the situation that gave rise to the decision taken in accordance with section 5. 7. Any decision in accordance with paragraph 5 of this article is entered into will tend without prejudice to the transfers of personal data to the third country, to a territory or one or more specific sectors of that third country, or the international organization national in question by virtue of articles 46 to 49. 8. The Commission shall publish in the Official Journal of the European Union and on its page C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 25/30 on the web a list of third countries, territories and specific sectors in a third country, and international organizations with respect to which it has decided to guarantees, or no longer, an adequate level of protection. 9. Decisions taken by the Commission pursuant to article 25, paragraph 6 of Directive 95/46 / EC will remain in force until they are amended, replaced removed or repealed by a decision of the Commission adopted in accordance with the sections 3 or 5 of this article. " Article 46 establishes the possibility of transmitting personal data to a third country or international organization if it had offered adequate guarantees and on condition of that the interested parties have enforceable rights and effective legal actions. The ar- The following article regulates the binding corporate rules and article 49 establishes the exceptions in which personal data may be transferred in the event of certain circumstances specific circumstances. Given that the complaint raises doubts about the legality of the transfers, without specifying exact risks, when requesting information about these transfers, MYHERITAGE indicates that after the Schrems II ruling they are reviewing the clauses contractual standard following the recommendations of the EDPB. According to the data of those available at this time, there is no evidence to prove the in- compliance with regard to international transfers. Therefore, in accordance with the foregoing, by the Director of the Spanish Agency Data Protection Policy, HE REMEMBERS: FIRST: INITIATE SANCTIONING PROCEDURE to MYHERITAGE, LTD, with NIF 513410662, for the alleged violation of article 13 of the RGPD typified in the ar- Article 83.5.b) of the same Regulation, and direct a warning for this infraction. SECOND: INITIATE SANCTIONING PROCEDURE for MYHERITAGE, LTD, with NIF 513410662, for the alleged violation of article 22.2) of the LSSI, punishable C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 26/30 in accordance with the provisions of art. 39) and 40) of the aforementioned Law, regarding the “Policy of Cookies ”of the web page of its ownership, sanctioning with a fine of 20,000 euros. THIRD: For the purposes of article 64.2.b) LPACAP, the claim could be ORDERED in accordance with the provisions of article 58.2 d) of the RGPD that, within the period of ten business days from the date on which the resolution so agreed is executive, proceed, on the one hand, to adapt the data collection form of those who request their services according to the provisions of article 13 of the RGPD. FOURTH: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sec- tor Public (LRJSP). FIFTH: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim action filed by the complaining party and its documentation, as well as the documents data obtained and generated by the General Sub-Directorate of Data Inspection in the actions prior to the start of this sanctioning procedure. SIXTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, the san- tion that may correspond would be APPEARANCE and € 20,000 (twenty thousand euros) ros). SEVENTH: NOTIFY this agreement to MYHERITAGE, LTD, with NIF 513410662, granting him a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations, you must provide your NIF and the procedure number that appears in the heading of this document If, within the stipulated period, no allegations are made to this initiation agreement, the same C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 27/30 It may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the term granted for the formulation of allegations to the Sentence initiation agreement; which will entail a reduction of 20% of the blood tion to be imposed in the present procedure. With the application of this re- duction, the penalty would be set at € 16,000 (sixteen thousand euros), resolving- the procedure being imposed with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will reduce the amount of 20%. With the application of this reduction, the blood tion would be set at € 16,000 (sixteen thousand euros), and its payment will involve the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. In In this case, if both reductions should be applied, the amount of the penalty would be established at € 12,000 (twelve thousand euros). In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or resource in the administration trative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by entering account no. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Protection Agency tion of Data in the banking entity CAIXABANK, S.A., indicating in the concept the procedure reference number at the top of this document. cument and the cause of reduction of the amount to which it avails itself. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 28/30 Likewise, you must send proof of admission to the Subdirectorate General of Ins- to continue with the procedure according to the amount entered. gives. The procedure will have a maximum duration of nine months from the date of the cha of the initiation agreement or, where appropriate, the draft initiation agreement. Elapsed after this period, its expiration will occur and, consequently, the file of proceedings; In accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPA- CAP, there is no administrative appeal against this act. 935-160721 Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On November 2, 2021, the claimed party has proceeded to payment of the sanction in the amount of 16,000 euros making use of one of the two reductions provided for in the Inception Agreement transcribed above. Therefore, it has not The acknowledgment of responsibility has been accredited. THIRD: The payment made entails the waiver of any action or recourse in progress against the sanction, in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 29/30 of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses classified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The reduction percentage provided for in this section may be increased Regulatory. " In accordance with the aforementioned, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00475/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to MYHERITAGE, LTD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 30/30 administrative litigation before the Contentious-administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 937-160721 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es