AEPD (Spain) - EXP202210347: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 72: Line 72:


=== Holding ===
=== Holding ===
The Spanish DPA initially dismissed the complaint because the Noyb was not considered to be sufficiently accredited to represent the complianant. Noyb filed a written appeal for reconsideration which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Article 5.6 of the LPACAP] (The Common Administrative Procedure of Public Administrations) and analysing the document provided by the claimant where she confers her representation to the organisation noyb (European Center for Digital Rights).
The Spanish DPA initially dismissed the complaint because the Noyb was not considered to be sufficiently accredited to represent the complianant. Noyb filed a written appeal for reconsideration which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Article 5.6 of the LPACAP] (The Common Administrative Procedure of Public Administrations) and analysing the documentation provided by the claimant where she confers her representation to the organisation noyb (European Center for Digital Rights).


The Spanish Data Protection Agency conducted three separate verifications of Massimo Dutti’s website:  
The Spanish Data Protection Agency conducted three separate verifications of Massimo Dutti’s website:  

Revision as of 06:41, 3 October 2023

AEPD - PS-00051-2023
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 22.2 LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 500000 EUR
Parties: n/a
National Case Number/Name: PS-00051-2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: PS-00051-2023 (in ES)
Initial Contributor: sh

The Spanish DPA fined Massimo Dutti S.A €5,000 for putting non-essential cookies on the first layer of a cookie banner and utilising dark patterns to acquire consent. This decision is the first of noyb’s cookie complaints to result in a fine.  

English Summary

Facts

A data subject, represented by Noyb (European Centre for Digital Rights), disputed both the cookies employed by Massimo Dutti S.A. on their website and the dark patterns utilised by Massimo Dutti S.A. to entice users to 'accept all cookies.'

Checking the cookies installed before any interaction with the cookie banner revealed the setting of non-essential cookies. For example, two performance cookies ("AKA_A2" and "RT") which are used by Akamai Technologies, Inc. (a computing platform for the delivery of global Internet content of client companies) to optimise the response time between the visitor and the website. Four cookies were also detected that could not be classified (ITXSESSIONID; MDSESSION; bm_mi; bm_sv) although Massimo Dutti, S.A classified them in s list that appears in the control panel as strictly necessary cookies.

Regarding dark patterns, there were several issues observed with the consent banner in the initial layer. Firstly, it lacked a 'reject all' button for non-essential cookies. Secondly, the 'accept all' button appeared similar to a regular button, while the 'manage cookies' option was presented as a mere link. Moreover, the 'accept all' button had a different color, which was also misleading. Lastly, withdrawing consent was not as straightforward as granting it. Once you had accepted all cookies or a specific group of cookies through the control panel, there was no clear and easy way to later withdraw your consent.

Holding

The Spanish DPA initially dismissed the complaint because the Noyb was not considered to be sufficiently accredited to represent the complianant. Noyb filed a written appeal for reconsideration which was upheld by the Director of the Spanish Data Protection Agency, taking into consideration the provisions of Article 5.6 of the LPACAP (The Common Administrative Procedure of Public Administrations) and analysing the documentation provided by the claimant where she confers her representation to the organisation noyb (European Center for Digital Rights).

The Spanish Data Protection Agency conducted three separate verifications of Massimo Dutti’s website:

1. Verification on 16/03/23:

  • Identified the use of cookies without prior user consent, including performance cookies and others.
  • Found that the initial cookie banner lacked clear and complete information on the purposes of cookie processing.
  • Detected the absence of a mechanism to withdraw consent once given.

2. Verification on 19/04/23:

  • Again observed the use of cookies without prior user consent.
  • Noted improvements in providing access to a cookie management panel but found issues with rejecting previously accepted non-technical cookies.

3. Verification on 06/06/23:

  • Observed that the website had addressed some deficiencies, allowing users to withdraw consent effectively.
  • The website no longer used cookies that were previously consented to, reverting to using only necessary cookies.

Since not enough had improved between the dates of 16/03/23 and 06/06/23, Massimo Dutti S.A. was held to breach Article 22.2 of the LSSI (Law of Information Society Services and Electronic Commerce) and was fined €5,000 by the Spanish DPA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/24








     File No.: EXP202210347 (PS/00051/2023)

               RESOLUTION OF SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following,
                                  BACKGROUND

FIRST: Dated 08/10/22, A.A.A. (hereinafter, the complaining party) filed

claim before the Spanish Data Protection Agency.

The claim was directed against GRUPO MASSIMO DUTTI, S.A. with NIE.:
A78115201, responsible for the website ***URL.1, (hereinafter, the claimed party),
for the alleged violation of data protection regulations: Regulation (EU)

2016/679, of the European Parliament and of the Council, of 04/27/16, relating to Protection
of Natural Persons with regard to the Processing of Personal Data and the
Free Circulation of these Data (RGPD), Organic Law 3/2018, of December 5,
of Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)
and Law 34/2002, of July 11, on Information Society Services and
Electronic Commerce (LSSI).


The facts, according to statements by the complaining party, are related to the
use of cookies and obtaining user consent. On the visit
that the complaining party claims to have created the website on 09/28/21, it presented a
banner in the first layer of consent in which there was no possibility of

“reject all cookies” that were not technical or necessary; Furthermore, the design
of the links was misleading because the button that leads to the option to “manage the
cookies” in the control panel uses a “link” layout – highlighted text or
underlined―, while the “Accept all cookies” button uses a design
typical “button” – square box with text. Besides, the colors and contrast of the

buttons are also misleading as different colors have been used for the
different options that were presented. It is also indicated in the claim that it is not
It is as easy to withdraw consent as it is to give it and once given, clicking on the
option “accept all cookies” or “accept some group of cookies” through the
control panel, it is not possible to remove it if you wish to do so later.


SECOND: On 04/10/22, by the Director of the Spanish Agency for
Data Protection an agreement is issued to inadmissibility for processing because, after the analysis
made on the documents provided and the concurrent circumstances, it is not
considered the representation of the complaining party to be sufficiently accredited


THIRD: On 11/01/22, the claimant presented a written appeal for
replacement that is estimated by the Director of the Spanish Agency for the Protection of
Data on 11/15/22, taking into consideration the provisions of article 5.6 of the
LPACAP and once the document provided by the claimant where
confers its representation to the organization NOYB, (European Center for Digital

Rights).




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/24








FOURTH: On 03/16/23, this Agency accessed the website
***URL.1, confirming the following characteristics about its “Policy of
Cookies":


       A.- About the cookies detected when accessing the website:

When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
The website has been verified to use the following cookies:


       a.1).- Strictly necessary cookies (4):

       Cookies Domain Description



   _abck ***DOMAIN.1 This cookie is used to detect
                                                 and defend yourself when a client
                                                 try to play a cookie. This
                                                 cookie manages the interaction with
                                                 online bots and take the measurements

                                                 appropriate days.



   bm_sz ***DOMAIN.1 This cookie is set by the provider
                                                 dor Akamai Bot Manager. This
                                                 cookie is used to manage the
                                                 interaction with online bots.
                                                 It also helps in prevention

                                                 of fraud.



   OptanonCon- ***DOMAIN.1 This cookie is set by OneTrust
   feeling to store details about the
                                                 category of cookies on the site and veri-
                                                 determine whether visitors have given or re-
                                                 consent to the use of
                                                 each category.




   ak_bmsc ***DOMAIN.1 Akamai uses this cookie to op-
                                                 optimize site security by dis-
                                                 distinguish between humans and bots.




       a.2).- Performance cookies (2):




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/24









       cookies Domain Description


   AKA_A2 ***DOMAIN.1 Akamai sets this cookie to
                                                improve performance and optimize
                                                the response time between the visit
                                                tant and the website.




   RT ***DOMAIN.1 Akamai sets this cookie to
                                                measure page loading time
                                                or other associated timers
                                                two with the page.



       Note: Akamai Technologies, Inc. is a corporation that provides, among others
       services, of a distributed computing platform for the delivery of
       global Internet content and application delivery. stores the

       server content of a client company on its own servers.
       When a user (client) wants to access that content (usually
       digital media such as Audio, Graphics, Animation, Video), all or
       part is downloaded from an Akamai server instead of the company's
       customer.


The Cookie “AKA_A2” appears on the website ***URL.2 as strictly necessary,
(***URL.3)

The “RT” Cookie, although it appears on the website ***URL.2, has performance but is necessary.
saria to improve the performance of the website, (***URL.4),

According to the entity, these cookies allow us to count visits and sources of circulation
in order to measure and improve the performance of the website. All the information we collect

These cookies are aggregated and therefore anonymous.

       a.3).- Unclassified cookies (4): Cookies that could not be classified but in
       The list of cookies existing in the control panel of the website appears.
       cen indicated by the person responsible for the website as “strictly necessary cookies”.
       sarias.”


 Domain cookie key


   ITXSESSIONID ***DOMAIN.1




   MDSESSION ***DOMAIN.1




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/24









 Domain cookie key


   bm_my ***DOMAIN.1




   bm_sv ***DOMAIN.1





       Note: These cookies that could not be classified appear in the list of
       cookies existing in the control panel of the website as “cookies
       strictly necessary” ***URL.1  <<Cookie settings>> 

       <<Strictly necessary cookies>>  <<information about cookies>>

B.- About the existing information regarding cookies on the home page and about the
management of these:

When you enter the website for the first time, a banner appears on the main page

of information about cookies, with the following message:

“By clicking “Accept all cookies”, you agree to cookies being stored
  on your device to improve site navigation, analyze site usage, and
      collaborate with our marketing studies. <<Cookie Policy>>


          <<Cookie settings>> <<Accept all cookies>>

If you wish to manage the use of cookies through the link <<Settings
cookies>> existing in the information banner, the website displays a control panel

where the different groups of pre-marked cookies appear in the position of
“OFF”:

       “Your privacy: Cookies and other similar technologies are a part
       essential to how our Platform works. The main objective of the
       cookies is to make your browsing experience more comfortable and efficient and

       to improve our services and the Platform itself. Likewise, we use
       cookies to be able to show you advertising that is of interest to you when you visit
       third-party websites and apps. Here you can get all the information about the
       cookies that we use and you can activate and/or deactivate them according to
       with your preferences, except for those Cookies that are strictly necessary

       for the operation of the Platform. Please note that blocking
       Some cookies may affect your experience on the Platform and the
       operation of it. By clicking “Confirm my preferences”,
       will save the cookie selection you have made. If you have not selected
       no option, pressing this button will be equivalent to rejecting all cookies.
       For more information you can visit our Cookies Policy. <<More

       information>>

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/24








       Technical or necessary cookies <<Always active>>

       These cookies are necessary for the Platform to function and cannot be
       deactivate in our systems. They are usually configured to
       respond to actions taken by you to receive services, such as

       adjust your privacy preferences, log in to the site, or cover
       forms. You can set your browser to block or alert the
       presence of these cookies, but some parts of the Platform do not
       they will work.

       Functionality or personalization cookies OFF ON


       These cookies allow the Platform to offer better functionality and
       personalization. They may be established by us or by third parties
       whose services we have added to our pages. If you do not allow these
       cookies some of our services will not work correctly. For

       activate or deactivate cookies use the corresponding button. "Active"
       means that cookies can be used. "Inactive" means that cookies
       they cannot be used.
                                                      <<Cookie information>>

       Analysis cookies OFF ON


       These cookies allow us to count visits and sources of circulation to
       be able to measure and improve the performance of our Platform. They help us to
       know which pages are the most or least popular, and see how many people
       They visit the site. If you do not allow these cookies we will not know when you visited our
       Platform. To activate or deactivate cookies use the button

       correspondent. "Active" means that cookies can be used.
       "Inactive" means that the cookies cannot be used.
                                                      <<Cookie information>>

       Cookies for advertising OFF ON


       These cookies may be throughout the Platform, placed by our
       advertising partners. These third parties may use them to create a profile of your
       interests and show you relevant ads on other sites. If you do not allow these
       cookies, you may receive less targeted advertising. To activate or deactivate the
       cookies uses the corresponding button. "Active" means that cookies are
       they can use. "Inactive" means that the cookies cannot be used.


                                                      <<Cookie information>>

       Social network cookies OFF  ON


       These cookies are set by a number of social media services
       that we have added to the site to allow you to share our content with
       your friends and networks. They are able to track your browser
       through other sites and create a profile of your interests. This may modify the
       content and messages you find on other web pages you visit. But

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/24








       If you allow these cookies, you will not be able to view or use these sharing tools.
       To activate or deactivate cookies, use the corresponding button. "Active"
       means that cookies can be used. "Inactive" means that cookies
       they cannot be used.
                                                      <<Cookie information>>


       <<Confirm my preferences>> <<Reject all>> <<Allow all>>

If you choose <<Confirm my preferences>> without having modified any of the
boxes from the “OFF” position to the “ON” position, or by clicking on the option
<<Reject all>> with the intention of rejecting cookies that are not technical or

necessary in both cases, it is checked how the website continues to use cookies
detected at the beginning, that is:

 Cookies detected as Necessary Cookies according to Unclassified Cookies that
 technical or necessary. the “Cookies Policy” of the GRUPO entity

                             Akamai Technologies, Inc. MASSIMO DUTTI
                                                          states that they are
                                                          necessary in its “Policy
                                                          of Cookies”
 _abck AKA_A2 ITXSESSIONID
 bm_sz RT MDSESSION

 OptanonConsent bm_mi
 ak_bmsc bm_sv


C).- About the possibility of withdrawing consent to the use of cookies once

borrowed.

Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
own and third parties:


 Cookie Provider Cookie Provider
 MUID Bing.com ttp Tiktok.com
 ts Creativecdn.com U Creativecdn.com

 CONSEND Google.com NID Google.com
 SOCS Google.com AEC Google.com
 CLID Clarity.com _pinterest_ct_ua ct.pinterest.com

 _ga Google.com 1P_JAR Google.com
 _gid Google.com

However, it is found that there is no mechanism or access to the control panel.
control that allows you to later withdraw the consent given and reject these

cookies that had previously been accepted.

D.- About the information provided in the “Cookies Policy:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/24








If you access the “Cookies Policy”, through the link in the banner
about cookies of the first layer or through the link at the bottom of
the main page, the website redirects the user to a new page ***URL.5, where

informs about what cookies are; the different types of cookies that exist and are
informs about the type of cookies used on the website and their purpose. I also know
informs how to update the browser of the terminal equipment to manage the
cookies.

If you want to know the list of cookies that the website says it uses, you must access

through the existing links in the control panel (<<Information of the
cookies>>), where the list of cookies used by the website and their purpose appear.

SIXTH: On 03/22/23, by the Directorate of the Spanish Agency for
Data Protection, a sanctioning procedure is initiated against the claimed entity,

appreciate reasonable indications of violation of the provisions of art. 22.2 of the LSSI,
for the irregularities detected on its website regarding the “Policy of
Cookies”, that is, due to the absence of sufficient information in the first layer about
of the purposes of the installation of cookies, with an initial penalty of 5,000
euros and due to the impossibility of managing the cookies used once the
consent, with an initial penalty of 5,000 euros.


SEVENTH: On 04/18/23, the complaining entity presents a written statement of allegations to
the initiation of the file in which, among others, it indicates:

       First.- In relation to the first of the alleged violations of the article

       22.2 of the LSSI File No.: EXP202210347 (PS/00051/2023)Allegations
       to the Startup Agreement attributed to my client “due to the absence of information
       enough in the first layer about the purposes of installing the
       cookies", it should be noted that in the initial Agreement this assumption
       Non-compliance is described in detail as follows:


       “The second of the banners reproduced (and the one that has been proven to be
       established at the time of approval of this initiation agreement) is considered
       that does not provide “clear and complete” information about the purposes of the
       treatment.


       On the contrary, it simply states that cookies will be used “to
       improve site navigation, analyze site use and collaborate with
       our studies for marketing.”

       It is considered that such a generic reference lacks sufficient specificity

       of the purposes of use and would thereby violate the aforementioned article 22 of the
       Law 34/2002, of July 11, on Information Society Services and
       electronic commerce”.

       That is, as can be deduced from the literal wording of the Initiation Agreement, the text that

       It was published on 09/23/2022, it did meet the requirement of including
       sufficient information in the first layer about the purposes of the
       installation of cookies, while the text that was published
       On 03/16/2023 it did not meet this requirement.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/24









       Faced with this conclusion included in the Initiation Agreement as a reason for
       attribute a breach of the aforementioned Article 22.2 LSSI to my client, it must be

       demonstrate the total equivalence in terms of information on
       purposes of the installation of cookies among the texts published on
       09/23/2022 and 03/16/2023, as explained in the following table:

        Text published on 09/23/2022 Text published on 03/16/2023


        “…analytical purposes…” “…to improve site navigation,
                                                 analyze its use…”


        “...to show you related advertising“...collaborate with our studies to
        with your preferences from your marketing…”
        Browsing habits and your profile…”



       Therefore, given this total equivalence in terms of information on purposes
       of the installation of cookies between the texts published on 09/23/2022 and
       03/16/2023, any breach of the Article must be flatly denied

       22.2 LSSI that is intended to be based on the absence of sufficient information
       in the first layer about the purposes of the installation of cookies.

       In any case, even when it is considered that the text that was
       published on 03/16/2023 in the first layer complies with the Regulations, it has been
       recovered and the one to which it is made is currently published

       reference in the Initiation Agreement as published on 09/23/2022.

       It should be noted that the return to the wording that was
       published on 09/23/2022, has no cause, to any extent, in the avoidance or
       rectification of a breach. Rather, what is intended is a

       improvement on the basis of the means of compliance that already existed, that is, that
       to which the Initiation Agreement refers as published on 03/16/2023.

       In fact, the publication of the text that was shown on 03/16/2023 occurred
       due to a human error that resulted in said text being published instead of the

       which was published on 09/23/2022.

       The text change now made, with the incorporation of the one to which
       referenced in the Initiation Agreement as published on 09/23/2022, it is
       You can see in the screenshot below:


               We use our own and third-party cookies for analytical and
               to show you advertising related to your preferences from
               your browsing habits and your profile. You can configure or reject the
               cookies by clicking on “Cookie Settings”. You can too
               accept all cookies by pressing the “Accept all cookies” button.

               For more information you can visit our. <<Cookie Policy>>

               <<Cookie settings>> <<Accept all cookies>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/24









       Second.- In relation to the second of the alleged violations of the article
       22.2 of the LSSI attributed to my client “due to the impossibility of managing the

       cookies used once the initial consent has been given”, it should be noted
       that such infringement is flatly denied, while the user has always
       willing and has the permanent possibility of managing cookies once
       Once the initial consent has been given through an access link to the
       “Cookie settings” where you can reject cookies with a simple
       click.


       Specifically, once the user accepts cookies on the home page or
       home of the Website and select the market (geographical) and catalog (women /
       man) that you want to access, you always have it available in the horizontal menu
       located in the footer of the website the “Cookie Settings” link

       (shot 1 below) with which you can access the console where you can
       reject cookies simply by clicking on the “Reject all” button
       (shot 2 below) or accept them again if you had rejected them
       previously (capture 3), through the corresponding buttons.

       Even though this possibility of accessing the “Cookie Settings” has

       present and easily accessible to the user at all times (with
       which, as has been said, non-compliance must be ruled out.
       reference to the Initiation Agreement), the
       access “Cookie Settings”, as described below.


       It must be made clear that this multiplication, reiteration or redundancy
       has no cause, to any extent, in the avoidance or cure of a
       breach. What is intended is the reinforcement of compliance, through
       of facilitating access to the “Cookie Settings”, which is nothing more than
       a facilitation or improvement on the basis of the means of compliance already

       existed.

       Specifically, in addition to the access link to the “Cookie Settings”,
       which has always been in the horizontal menu of the footer of the Website:

               - This same link has been included as the last of the links in the

               vertical menu located on the left side of the footer, just
               below the horizontal menu, as seen in the following screenshot, and
               where is the link to the Cookie Information or the Cookie Policy
               Privacy.


               - This same link has been included on the initial or home page of the Site
               website, just below the buttons to choose if you want to go to the catalog
               of a woman or a man, as seen in the following screenshot.

       For all of the above, through these Allegations, I come to REQUEST

       that this document is considered presented and the previous ones formulated
       Allegations in the Reference File, and prior to the appropriate procedures,
       In due course, a Resolution is issued deeming the non-existence of infringement


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/24








       any attributable to MASSIMO DUTTI in relation to the events described and the
       indicated regulations, proceeding to file the actions.


EIGHTH: On 04/19/23, this Agency accessed, once again, the
website ***URL.1, stating the following characteristics about its “Policy
of Cookies”:

       A.- About the cookies detected when accessing the website:


When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the web page in question and using the cookie detection tool of the
Google Chrome browser (<right mouse button> inspections application
cookies) it has been verified that the following cookies are used:


 Cookies detected as Necessary Cookies according to Unclassified Cookies that
 technical or necessary. the “Cookies Policy” of the GRUPO entity
                              Akamai Technologies, Inc. MASSIMO DUTTI
                                                           states that they are

                                                           necessary in its “Policy
                                                           of Cookies”

 _abck AKA_A2 ITXSESSIONID
 bm_sz RT MDSESSION

 OptanonConsent bm_mi
 ak_bmsc bm_sv




B.- About the existing information regarding cookies on the home page and about the
management of these:

When you enter the website for the first time, a banner appears on the main page
of information about cookies, with the following message:


      We use our own and third-party cookies for analytical purposes and to show you
  advertising related to your preferences based on your browsing habits and your profile.
    You can configure or reject cookies by clicking on “Cookie settings”.
   You can also accept all cookies by clicking the “Accept all cookies” button.
          For more information you can visit our. <<Cookie Policy>>

          <<Cookie settings>> <<Accept all cookies>>


If you wish to manage the use of cookies through the link <<Settings
cookies>> existing in the information banner, the website displays a control panel
where the different groups of pre-marked cookies appear in the position of

“OFF”:

       Technical or necessary cookies <<Always active>>


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/24









       Functionality or personalization cookies OFF ON

                                                     <<Cookie information>>

       Analysis cookies OFF ON


                                                     <<Cookie information>>

       Cookies for advertising OFF ON

                                                     <<Cookie information>>


       Social network cookies OFF  ON

                                                     <<Cookie information>>

       <<Confirm my preferences>> <<Reject all>> <<Allow all>>


If you choose <<Confirm my preferences>> without having modified any of the
boxes from the “OFF” position to the “ON” position, or by clicking on the option
<<Reject all>> with the intention of rejecting cookies that are not technical or
necessary in both cases, it is checked how the website continues to use the same
cookies detected at the beginning.


C).- About the possibility of withdrawing consent to the use of cookies once
borrowed.

Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties:


MUID .clarity.ms /__Secure-1PAPISID .google.es /
APISID .google.es /__Secure-3PSID .google.es /
SSID A .google.es /__Secure-1PSID .google.es /
__Secure-3PAPISID .google.com /SAPISID .google.com /
SSID .google.com /HSID A .google.com /

SID .google.es /__Secure-1PSID .google.com /
SIDCC .google.com /SID .google.com /
__Secure-3PSID .google.com /__Secure-3PAPISID .google.es /
MUID 3 .bing.com /__Secure-1PSIDCC .google.com /
APISID .google.com /__Secure-3PSIDCC .google.com /
SAPISID .google.es /__Secure-1PAPISID .google.com /

ANONCHK .c.clarity.ms /CLID .clarity.ms /
NID .google.es /SEARCH_E .google.com /
MR .c.clarity.ms /ts .creativecdn.com/
_RwBf .bing.com /ACLUSR .bing.com /
ACL .bing.com /OIDR .bing.com /
SM .c.clarity.ms /BFB .bing.com /

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/24








BFBUSR .bing.com /SRCHUSR .bing.com /
SRCHD .bing.com /_ttp .tiktok.com /
1P_JAR .google.com /AID .google.com /
tt_viewer .teads.tv /AEC .google.com /
CONSENT .google.com /SOCS .google.com /

NID .google.com /OTZ .google.com /
u .creativecdn.com /OID .bing.com /
OIDI .bing.com /_pinterest_ct_ua .ct.pinterest.com
MR .c.bing.com /SRCHHPGUSR .bing.com /
SRCHUID .bing.com /SRM_B .c.bing.com /


There is a link to the control panel at the bottom of the website
<<cookie configuration>> that allows the user to manage the groups of
cookies through the control panel. It is observed that now, (after accepting
all cookies) groups are pre-checked “ON”.


However, if you wish to reject the use of cookies by clicking on the option
<<reject all>> or moving the cursor from the “ON” position to the
“OFF” of the different groups of cookies, and clicking on <<confirm my
preferences>>, it is observed that the website continues to use third-party cookies
installed when they were accepted at the beginning, making it impossible for the user, if desired
change your mind, now deny consent once given.


D.- About the information provided in the “Cookies Policy:

If you access the “Cookies Policy”, through the link in the banner
about cookies of the first layer or through the link at the bottom of
The main page, the website displays a document:


***URL.6

where information is provided on what cookies are; the different types of cookies that
They exist and information is provided on the type of cookies used on the website and their purpose.
It also provides information on how to update the terminal equipment's browser to

manage cookies.

If you want to know the list of cookies that the website says it uses, you must access
through the existing links in the control panel (<<Information of the
cookies>>), where the list of cookies used by the website and their purpose appear.


NINTH: On 04/24/23, a proposed resolution was formulated in the sense of
that the Director of the AEPD sanction the claimed party, for violation of
as established in article 22.2 of the LSSI, since consent cannot be withdrawn, a
once provided, in the use of cookies that are not technical or necessary, with a
sanction of 5,000 euros (five thousand euros) and considering that the message that was

provides in the information banner about cookies: “We use our own cookies and
from third parties for analytical purposes and to show you advertising related to your
preferences based on your browsing habits and your profile. You can configure or
reject cookies by clicking on “Cookie Settings”. You can too
accept all cookies by pressing the “Accept all cookies” button. For more

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 13/24








information you can visit our”, is equivalent in terms of information about
purposes of the installation of cookies with that published on 09/23/22, does not contradict
with the provisions of article 22.2 of the LSSI.


TENTH: On 05/17/23, the claimed entity presented allegations to the
proposed resolution, where he stated, among others, the following:

       First.- In relation to the violation of article 22.2 of the LSSI attributed to me
       principal due to “the impossibility of rejecting the cookies used once

       initial consent has been given, even if there is a permanent link to the
       control panel”, it should be noted that in the Proposed Resolution this
       alleged breach is described in detail as follows:

               “It has been proven that there is a mechanism or access to the control panel

               permanent control at the bottom of the page <<settings
               cookies>> that allows access to the control panel for the management of
               the cookies. However, if you wish to reject the use of cookies
               by clicking on the <<reject all>> option or by moving the course
               from the “ON” position to the “OFF” position and clicking on <<confirm
               my preferences>>, it is observed that the website continues to use cookies

               from third parties installed when they were initially accepted.”

       The operation described in the Proposed Resolution (“…if desired
       reject the use of cookies by clicking on the option <<reject all>>
       or moving the course from the “ON” position to the “OFF” position and

       By clicking on <<confirm my preferences>>, you can see that the website is still
       using third-party cookies installed when they were accepted at
       beginning.”), is not complete to the extent that, as explained below,
       below, although the rejected cookies were still visible to the
       user, in no case were they used since they were blocked (it is spoken in

       passed due to the novelty that is explained in the Second Allegation).

       In this sense, clarify that the user could reject the cookies used
       once the initial consent has been given through the control panel, in
       so much that:


               - Tools were used to review the acceptance of cookies in
               execution time.
               - All cookies were reviewed just before use to ensure
               verify that the user had accepted the category in which they were
               incorporates the cookie.

               - In the event that the user has rejected cookies during the
               navigation, they were still in the browser's cookie system,
               but in no case were they used, since their use was blocked through
               of Javascript code.
               - This operation applied to both first-party and first-party cookies,

               as well as third-party cookies, with the exception of cookies strictly
               necessary.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/24








       In section “2. Cookie blocking model” of the document
       “Cookie system” which is incorporated as Annex I, is described and exemplified
       this model used until now on the Site and consisting of blocking the use

       of cookies rejected by the user through Javascript code.

       It should be noted that the operational novelty that follows this model and that
       stated in the Second Allegation, has been implemented as an improvement to
       the accreditation of compliance with the Regulations, since in no case
       We understand that the blocking model just described can

       considered a breach thereof.

       Before well, the cookie blocking model was considered to be a
       model fully in accordance with the applicable Regulations and, specifically, complied with the
       Article 22.2 of the LSSI on which the sanction to me is intended to be based

       principal.
       That is, it has evolved from a cookie blocking system
       rejected that already complied with the Regulations, towards a model of elimination /
       expiration of rejected cookies (explained in the Second Claim) that
       improves the accreditation of compliance with Article 22.2 of the LSSI.


       Second.- Therefore, within the process of continuous improvement in accreditation
       compliance and out of concern for the user, my client has
       implemented a technological solution so that cookies rejected
       are deleted/expired from the cookie storage system of the
       browser.


       This technological improvement solution is applied (i) to own or third-party cookies.
       first part, and (ii) on third party cookies, in the latter case always
       that there are no technical limitations that prevent the elimination of cookies.


       Specifically, in section “3. “Cookie deletion/expiration model”
       document “Cookie System” that is incorporated as Annex I, is explicit and
       details that a model has been implemented by which they are eliminated / expire from the
       browser all cookies that have not been accepted by the user.

       Specifically, if a user rejects cookies, none of the cookies that are

       integrated through Google Tag Manager will be used. Therefore,
       None of the cookies indicated in the following list will be used:
       (…).

       Third.- Additionally, and also within the same improvement process

       continues in the accreditation of compliance and for the concern for the
       user, my client has implemented a change in the Cookies Policy
       (accessible from the cookies banner or from the footer of the Site).

       The change in the Cookies Policy is aimed at improving the information and

       transparency in the event that the management or configuration system of the
       cookies do not allow cookies to be deleted once accepted by the user, for
       which provides information on the tools provided by the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/24








       browsers, warning that if the user accepts third-party cookies and
       later you want to delete them, you can do so from your own browser.


       The information in this sense has been incorporated in the second paragraphs,
       third and fourth of point “4. How can I manage the use of Cookies in
       this Platform?” of the Cookies Policy.

       For all of the above, through these Allegations, I come to REQUEST
       that this document is considered presented and the previous ones formulated

       Allegations in the Reference File, and prior to the appropriate procedures,
       Resolution is issued estimating the non-existence of any infringement
       attributable to MASSIMO DUTTI in relation to the events described and the
       indicated regulations, proceeding to file the actions.


ELEVENTH: On 06/06/23, this Agency accesses,
new, to the website ***URL.1, verifying the following characteristics about the
its “Cookies Policy”:

A.- About the cookies detected when accessing the website:


When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the web page in question and using the cookie detection tool of the
Google Chrome browser (<right mouse button> inspections application
cookies) it has been verified that the following cookies are used:


 Cookies detected as Necessary Cookies according to Unclassified Cookies that
 technical or necessary. the “Cookies Policy” of the GRUPO entity
                              Akamai Technologies, Inc. MASSIMO DUTTI
                                                           states that they are

                                                           necessary in its “Policy
                                                           of Cookies”

 _abck AKA_A2 ITXSESSIONID
 bm_sz RT MDSESSION

 OptanonConsent bm_mi
 ak_bmsc bm_sv


B.- About the existing information regarding cookies on the home page and about the

management of these:

When you enter the website for the first time, a banner appears on the main page
of information about cookies, with the following message:


      We use our own and third-party cookies for analytical purposes and to show you
  advertising related to your preferences based on your browsing habits and your profile.
    You can configure or reject cookies by clicking on “Cookie settings”.
   You can also accept all cookies by clicking the “Accept all cookies” button.
          For more information you can visit our. <<Cookie Policy>>

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/24









          <<Cookie settings>> <<Accept all cookies>>


If you wish to manage the use of cookies through the link <<Settings
cookies>> existing in the information banner, the website displays a control panel
where the different groups of pre-marked cookies appear in the position of
“OFF”:



       Technical or necessary cookies <<Always active>>

       Functionality or personalization cookies OFF ON

                                                     <<Cookie information>>


       Analysis cookies OFF ON

                                                     <<Cookie information>>

       Cookies for advertising OFF ON


                                                     <<Cookie information>>

       Social network cookies OFF  ON

                                                     <<Cookie information>>


       <<Confirm my preferences>> <<Reject all>> <<Allow all>>

If you choose <<Confirm my preferences>> without having modified any of the
boxes from the “OFF” position to the “ON” position, or by clicking on the option
<<Reject all>> with the intention of rejecting cookies that are not technical or

necessary in both cases, it is checked how the website continues to use the same
cookies detected at the beginning.

C).- About the possibility of withdrawing consent to the use of cookies once
borrowed.


Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties:

MUID .clarity.ms /__Secure-1PAPISID .google.es /

APISID .google.es /__Secure-3PSID .google.es /
SSID A .google.es /__Secure-1PSID .google.es /
__Secure-3PAPISID .google.com /SAPISID .google.com /
SSID .google.com /HSID A .google.com /
SID .google.es /__Secure-1PSID .google.com /
SIDCC .google.com /SID .google.com /

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/24








__Secure-3PSID .google.com /__Secure-3PAPISID .google.es /
MUID 3 .bing.com /__Secure-1PSIDCC .google.com /
APISID .google.com /__Secure-3PSIDCC .google.com /
SAPISID .google.es /__Secure-1PAPISID .google.com /
ANONCHK .c.clarity.ms /CLID .clarity.ms /
NID .google.es /SEARCH_E .google.com /

MR .c.clarity.ms /ts .creativecdn.com/
_RwBf .bing.com /ACLUSR .bing.com /
ACL .bing.com /OIDR .bing.com /
SM .c.clarity.ms /BFB .bing.com /
BFBUSR .bing.com /SRCHUSR .bing.com /
SRCHD .bing.com /_ttp .tiktok.com /
1P_JAR .google.com /AID .google.com /

tt_viewer .teads.tv /AEC .google.com /
CONSENT .google.com /SOCS .google.com /
NID .google.com /OTZ .google.com /
u .creativecdn.com /OID .bing.com /
OIDI .bing.com /_pinterest_ct_ua .ct.pinterest.com
MR .c.bing.com /SRCHHPGUSR .bing.com /

SRCHUID .bing.com /SRM_B .c.bing.com /

There is a link to the control panel at the bottom of the website
<<cookie configuration>> that allows the user to manage the groups of
cookies through the control panel. It is observed that now, (after accepting
all cookies) groups are pre-checked “ON”.


If you wish to reject the use of cookies by clicking on the option <<reject
all>> or moving the cursor from the “ON” position to the “OFF” position of the
different groups of cookies, and clicking on <<confirm my preferences>>,
Note that the website NO longer uses the cookies that were consented, using only
the technical or necessary cookies detected at the beginning.


D.- About the information provided in the “Cookies Policy:

If you access the “Cookies Policy”, through the link in the banner
about cookies of the first layer or through the link at the bottom of
The main page, the website displays a document:


***URL.7

where information is provided on what cookies are; the different types of cookies that
They exist and information is provided on the type of cookies used on the website and their purpose.
It also provides information on how to update the terminal equipment's browser to
manage cookies.


If you want to know the list of cookies that the website says it uses, you must access
through the existing links in the control panel (<<Information of the
cookies>>), where the list of cookies used by the website and their purpose appear.

                               PROVEN FACTS.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/24









Of the actions carried out in this procedure, it has been accredited
the following facts:


First: In the verification carried out by this Agency on 03/16/23 on the page
***URL.1 website has verified the following characteristics in its “Cookies Policy”:

a).- About the use of non-necessary cookies without the prior consent of
user it was verified that, upon entering the main page and without performing any action

about them, nor accept the cookies, it has been found that they were used
cookies, including two performance cookies (“AKA_A2” and “RT”)
that although they appear with the domain “***DOMAIN.1” they are used by Akamai
Technologies, Inc. (computing platform for global content delivery
of Internet of client companies) to optimize the response time between the

visitor and the website. According to the entity Akamai Technologies, Inc. of a (platform
that stores the content of the server of a client company (Massimo Dutti) on its
own servers) these cookies are necessary because they allow us to count visits and
circulation sources in order to improve the performance of the website. According to them,
All the information collected by these cookies is aggregated and, therefore, is
anonymous.


Four cookies have also been detected that could not be classified
(ITXSESSIONID; MDSESSION; bm_mi; bm_sv) although the person responsible for the page
website (GRUPO MASSIMO DUTTI, S.A) classifies them in the list that appears in the
control panel as strictly necessary cookies.


When consent is given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties MUID; ts; CONSEND; SOCS; CLID; _ga; _gid; ttp; or; NID; AEC;

_pinterest_ct_ua and 1P_JAR. Therefore, it can be considered that the website does not use
cookies that are not technical or necessary until the user provides the
consent to it.

b).- On the cookie information banner existing in the first layer,
considered that it did not provide “clear and complete” information on the purposes of the

treatment, since it was limited to stating that cookies would be used “to improve
site navigation, analyze its use and collaborate with our studies
for marketing”,

c).- Regarding the withdrawal of consent once given, it was found that it did not exist

no mechanism or access to the permanent control panel that would later allow
having given consent to withdraw it.

Second: In the verification carried out by this Agency on 04/19/23 on the page
website ***URL.1, the following characteristics were verified in its “Cookies Policy”:


a).- About the use of non-necessary cookies without the prior consent of
user it was verified that, upon entering the main page and without performing any action
about them, nor accept the cookies, it has been found that they were used

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/24








cookies, including two performance cookies (“AKA_A2” and “RT”)
that although they appear with the domain “***DOMAIN.1” they are used by Akamai
Technologies, Inc. (computing platform for global content delivery

of Internet of client companies) to optimize the response time between the
visitor and the website. According to the entity Akamai Technologies, Inc. of a (platform
that stores the content of the server of a client company (Massimo Dutti) on its
own servers) these cookies are necessary because they allow us to count visits and
circulation sources in order to improve the performance of the website. According to them,
All the information collected by these cookies is aggregated and, therefore, is

anonymous.

Four cookies have also been detected that could not be classified
(ITXSESSIONID; MDSESSION; bm_mi; bm_sv) although the person responsible for the page
website (GRUPO MASSIMO DUTTI, S.A) classifies them in the list that appears in the

control panel as strictly necessary cookies.

When consent is given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control <<Accept all>>, it is verified that the following cookies are installed
third parties, whose providers are: Google, Bing.com; Clarity.ms; .teads.tv and

creativecdn.com.

b).- On the cookie information banner existing in the first layer,
You can read the following message:


       We use our own and third-party cookies for analytical purposes and to
       show you advertising related to your preferences based on your browsing habits
       navigation and your profile. You can configure or reject cookies by clicking
       in “Cookie settings”. You can also accept all cookies
       by clicking the “Accept all cookies” button. For more information you can

       visit our

c).- Regarding the withdrawal of consent once given, it was found that now
there is mechanism or access to the permanent control panel at the bottom of the
<<cookie settings>> page that allows access to the control panel for the
cookie management.


However, if you wish to reject the use of cookies by clicking on the option
<<reject all>> or moving the cursor from the “ON” position to the
“OFF” and clicking on <<confirm my preferences>>, you can see that the website is still
using third-party cookies installed when initially accepted.


Third: In the verification carried out by this Agency on 06/06/23 on the page
website ***URL.1, it was verified, regarding the deficiencies detected in the
cookies that, once consent has been given for the use of cookies through
of the existing option in the initial banner or through consent given in the

control panel <<Accept all>>, if you wish to withdraw the consent given,
There is a link to the control panel at the bottom of the web page
<<cookie configuration>> that allows the user to manage the groups of
cookies through the control panel. It is observed that now, (after accepting

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/24








all cookies) the groups are pre-marked in the “ON” option and if desired
reject the use of cookies by clicking on the option <<reject all>> or
moving the course from the “ON” position to the “OFF” position of the different

groups of cookies, and clicking on <<confirm my preferences>>, it is observed that the
website NO longer uses the cookies that were consented to at the beginning, reusing
only the technical or necessary cookies detected at the beginning.

                            FOUNDATIONS OF LAW


                                           YO.-
                                      Competence:

The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection, in accordance with the provisions of art. 43.1,

second paragraph, of Law 34/2002, of July 11, on Society Services
of Information and Electronic Commerce (LSSI),

                                           II.-
    About the cookie information banner existing in the first layer (page
                                        major):


In its transparency guidelines, WG29 recommends the use of declarations
or privacy notices by levels, that is, they contain the information in layers, of
so that the user is permitted to go to those aspects of the statement or notice that
are of greater interest to him, thus avoiding information fatigue, and this without prejudice to

that all the information is available in a single place or in a
complete document that can be easily accessed if the interested party wishes
consult it in its entirety.

This system may consist of displaying the essential information in a first layer,

when the page or application is accessed, and complete it in a second layer
through a page that offers more detailed and specific information
about cookies.

The first layer cookie banner must include a generic identification
of the purposes of the cookies that will be used, without it being necessary to identify them.


In the case at hand, this Agency has verified the existence of two banners
successive ones, whose existence and content have been incorporated into the file:

First of all, dated 09/23/22, the informative text of the banner was as follows:


       “We use our own and third-party cookies for analytical purposes and to
       show you advertising related to your preferences based on your browsing habits
       navigation and your profile. You can configure or reject cookies by clicking
       in “Cookie settings”. You can also accept all cookies

       by clicking the “Accept all cookies” button. For more information you can
       visit our Cookies Policy. Cookies policy.

Dated 03/16/23, the banner text was as follows:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/24









       “By clicking “Accept all cookies”, you agree that cookies are
       saved to your device to improve site navigation, analyze usage

       of the same, and collaborate with our marketing studies. <<Policy
       Cookies>>”

Sanctioning procedure initiated when considering that this second banner did not
provided “clear and complete” information about the purposes of the treatment, the
claimed entity stated that both wordings provided a total

equivalence in terms of information on the generic purposes that must be
provide in the initial banner, comparing both texts:

       Text published on 09/23/2022 Text published on 03/16/2023


 “…analytical purposes…” “…to improve site navigation,
                                            analyze its use…”


 “...to show you related advertising “...collaborate with our studies to
 with your preferences based on your marketing habits…”
 navigation and your profile…”



Providing complete information about the purposes of the cookies used in the
“Cookie policy” of the website,

***URL.7


Therefore, based on the evidence available, it is considered that the banner
of generic information about cookies included on the main page of the website in
issue, dated 03/16/23, does not contradict the provisions of article 22.2 of the
LSSI, by including a generic identification of the purposes of the cookies that are

they will use.

                                           III-1
   About the withdrawal of consent for the use of cookies once given.


Users must be able to withdraw the consent previously granted in
any moment. To this end, the publisher must ensure that it provides information to
users in their cookie policy on how they can withdraw consent and
delete cookies.

The user must be able to revoke consent easily. The system that

offer to withdraw consent should be as easy as that used when
presto. This facility will be considered to exist, for example, when the user has
simple and permanent access to the cookie management or configuration system.

In the present case, in the verification carried out by this Agency of the website

in question, on 03/16/23 that, once consent was given for the use of the
cookies that were not technical or necessary, through the existing option in the
initial banner or through consent given in the control panel <<Accept
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/24








all>>, it was found that third-party cookies were installed, whose suppliers
were. Google, Bing.com; Clarity.ms; .teads.tv and creativecdn.com.


However, it was found that there was no mechanism or access to the control panel.
control that would later allow the consent given to be withdrawn and reject these
cookies that had previously been accepted.

This sanctioning procedure has been initiated, and in view of the allegations presented
by the claimed party, a check of the website was carried out again with

date 04/19/23, in which it was detected that the website had been modified
including a mechanism or permanent control panel access at the bottom
from the <<cookie settings>> page that allowed access to the control panel
for cookie management. However, if you wanted to reject the use of
non-technical or necessary cookies allowed in advance, by clicking on the option

<<reject all>> or moving the cursor from the “ON” position to the
“OFF” and clicking on <<confirm my preferences>>, it was observed that the website
was still using the third-party cookies installed when they were initially accepted.

After the allegations regarding the proposed resolution, a third
verification of the website in question dated 06/06/23, in which it was detected,

by this Agency that, once consent has been given for the use of the
cookies that are not technical or necessary, if you wish to withdraw consent
provided, the website NO longer uses the cookies that were consented, using again
only the technical or necessary cookies detected at the beginning, disappearing
third party cookies.


In this sense, although it is noted that the person responsible for the website has modified the
cookie policy adapting it to current regulations, that does not make it disappear
the non-compliance that has been proven, since this Agency carried out the first
checking the website on 03/16/23.

                                          III-2
                Typification and qualification of the administrative offense

The deficiencies detected in the cookie policy, since the verification carried out
on 04/19/23 until the last one, dated 06/06/23 on the website in question, regarding the
impossibility of rejecting non-technical or necessary third-party cookies, once

given the initial consent, constitutes a violation of the provisions of the
article 22.2 of the LSSI, as it establishes that:

       “Service providers may use storage devices and
       data recovery on recipients' terminal equipment, provided

       that they have given their consent after they have been
       provided clear and complete information on its use, in particular on
       the purposes of data processing, in accordance with the provisions of the Law
       Organic 15/1999, protection of personal data.


       Where technically possible and effective, the consent of the recipient
       to accept the processing of the data may be facilitated through the use of the
       appropriate settings of the browser or other applications.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/24








       The above will not prevent possible storage or access of a technical nature
       for the sole purpose of carrying out the transmission of a communication over a network of
       electronic communications or, to the extent strictly necessary

       necessary, for the provision of an information society service
       expressly requested by the recipient.”

                                         III-3.
                                       Sanction


This Infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned

LSSI.

Considering the factors exposed, the value reached by the fine, for the
violation of article 22.2, is 5,000 euros (five thousand euros).

Therefore, in accordance with the applicable legislation and evaluated the criteria of

graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency,

                                     RESOLVES:


FIRST: IMPOSE THE MASSIMO DUTTI GROUP, S.A. with NIE.: A78115201,
responsible for the website ***URL.1, for a violation of article 22.2 of the LSSI,
classified as “mild” in article 38.4 g), a fine of 5,000 euros (five thousand
euros).


SECOND: NOTIFY this resolution to GRUPO MASSIMO DUTTI, S.A.

Warn the sanctioned person that he must make the sanction imposed effective once the
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period

established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN No.: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:

CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A..

Otherwise, it will be collected during the executive period. Received the
notification and once executive, if the date of execution is between the days

1 and 15 of each month, both inclusive, the deadline to make the voluntary payment will be
until the 20th of the following or immediately following business month, and if it is between
on the 16th and last day of each month, both inclusive, the payment period will be until the 5th
of the second following or immediately following business month. In accordance with what

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/24








established in article 50 of the LOPDGDD, this Resolution will be made public
once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to

count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the

day following the notification of this act, as provided for in article 46.1 of the
referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be provisionally suspended administratively
If the interested party expresses his intention to file a contentious appeal.
administrative.


If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/],
or through any of the other registries provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also transfer the documentation to the Agency
that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious appeal.
administrative within a period of two months from the day following notification of the
This resolution would end the precautionary suspension.


Sea Spain Martí
Director of the Spanish Data Protection Agency

























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es