AEPD (Spain) - PS-00393-2022
Latest revision as of 10:51, 10 January 2024
| AEPD - PS-00393-2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR; Article 22.2 LSSI |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 21.12.2021 |
| Decided: | |
| Published: | |
| Fine: | 10,000 EUR |
| Parties: | INFINITY ECOM S.L |
| National Case Number/Name: | PS-00393-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | magdalena04 |
The Spanish Data Protection Agency (AEPD) fined a controller €10,000 for the lack of information provided in its privacy policy, which breached Article 13 GDPR.
English Summary
Facts
On 21 December 2021 a claim against INFINITY ECOM S.L. (the controller) was filed with the Spanish DPA, claiming that the company's privacy and cookie policy was not compliant. The Spanish DPA launched an investigation and confirmed the following facts:
Firstly, the company's Privacy Policy informed data subjects about their rights to access, rectify and erase their data, and to request information about the processing and about the existence of data transfers to third countries. An email address for such requests was also provided. However, the Privacy Policy lacked information identifying the controller and did not inform data subjects about the possibility of lodging a complaint with a supervisory authority.
Secondly, the website set non-necessary performance and targeting cookies without the consent of the data subject. There was no Cookie Policy; only a banner stating that the website uses cookies was displayed. It was therefore not possible to reject the use of non-technical cookies.
Holding
The Spanish DPA held the controller to have infringed Article 13 GDPR and Article 22.2 of the Law of Information Society Services and Electronic Commerce (Ley de Servicios de la Sociedad de la Información y Comercio Electrónico – LSSI).
First, the Spanish DPA found the Privacy Policy to be insufficient and therefore in violation of Article 13 GDPR. The policy did not adequately inform data subjects about the processing of their data, nor did it properly identify the controller.
Second, the Spanish DPA held that the information banner on cookies infringed Article 22.2 of the LSSI. Data subjects had no possibility to reject the non-essential cookies, and insufficient information about their use was provided.
The Spanish DPA imposed a fine of €5,000 for each infringement, resulting in an overall fine of €10,000. The controller was given one month to adapt the website and bring it into compliance.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202201704 (PS/00393/2022)

RESOLUTION OF THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On 12/21/21, Ms. A.A.A. (hereinafter, the complaining party) filed a claim before the Spanish Data Protection Agency. The claim is directed against the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website ***URL.1 (hereinafter, the claimed party), for the alleged violation of the data protection regulations: Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/16, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (RGPD), and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and against Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), and taking into account the following:

The reasons on which the claim was based were the following: "The website has NO Legal Notice or tax information about the business: tax identification, CIF or DNI, which are essential for any website created by a company. The Privacy Policy of the page is not correct and there is no Cookies Policy".

SECOND: On 02/11/22, this Agency transferred the claim to the entity PETCONFORT.SHOP so that it could respond to it, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
This request for information was notified on 02/18/22.

THIRD: On 03/21/22, the Director of the Spanish Data Protection Agency issued an agreement admitting the claim presented for processing, in accordance with article 65 of the LOPDGDD, upon appreciating possible rational indications of a violation of the rules within the field of competences of the Spanish Data Protection Agency.

FOURTH: On 05/09/22, this Agency accessed the website ***URL.1, verifying the following characteristics regarding its "Privacy Policy" and its "Cookies Policy":

a).- About the "Privacy Policy":

If you access the "Privacy Policy" through the link located at the bottom of the main page, you access a new page ***URL.2, which provides information about:

PERSONAL INFORMATION WE COLLECT

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/18

When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products you view, which websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically collected information as "Device Information".

We collect Device Information using the following technologies:
- "Cookies" are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies and how to disable them, visit ***URL.3
- "Log files" track actions that occur on the Site and collect data, including your IP address, browser type, Internet service provider, referring/exit pages and date/time stamps.
- "Web beacons", "tags" and "pixels" are electronic files used to record information about how you browse the Site.
Additionally, when you make a purchase or attempt to make a purchase through the Site, we collect certain information from you, including your name, email address, billing address, shipping address and payment information (including credit card, email address and phone number). We refer to this information as "Order Information". When we talk about "Personal Information" in this Privacy Policy, we are talking about both Device Information and Order Information.

HOW DO WE USE YOUR PERSONAL INFORMATION?

We use the Order Information that we collect generally to fulfill the orders placed through the Site (including processing your payment information, arranging shipping and providing invoices and/or order confirmations). Additionally, we use this Order Information to:
- Communicate with you;
- Review our orders for potential risk or fraud; and
- When in line with the preferences you have shared with us, provide you with information or advertising related to our products or services.

We use the Device Information we collect to help us detect possible risks and fraud (in particular, your IP address) and, more generally, to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to evaluate the success of our marketing and advertising campaigns).

SHARING YOUR PERSONAL INFORMATION

We share your Personal Information with third parties to help us use your Personal Information, as described above. For example, we use Shopify to power our online store - you can read more about how Shopify uses your Personal Information here: ***URL.4. We also use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses your Personal Information here: ***URL.5. You can also opt out of Google Analytics here: ***URL.6.
Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to protect our rights.

BEHAVIORAL ADVERTISING

As described above, we use your Personal Information to provide you with targeted advertisements or marketing communications that we believe may be of interest to you. To learn more about how targeted advertising works, you can visit the Network Advertising Initiative ("NAI") educational page at ***URL.7. You can opt out of targeted advertising by using the links below:
- Facebook: ***URL.8
- Google: ***URL.9
- Bing: ***URL.10

Additionally, you may opt out of some of these services by visiting the Digital Advertising Alliance opt-out portal at: ***URL.11.

DO NOT TRACK

Please note that we do not alter our Site's data collection and use practices when we see a Do Not Track signal from your browser.

YOUR RIGHTS

If you are a European resident, you have the right to access the personal information we hold about you and to request that your personal information be corrected, updated or deleted. If you wish to exercise this right, please contact us via the contact information below. Additionally, if you are a European resident, we note that we are processing your information in order to fulfill contracts we may have with you (for example, if you place an order through the Site), or otherwise to pursue our legitimate business interests mentioned above. Additionally, please note that your information will be transferred outside Europe, including to Canada and the United States.

DATA RETENTION

When you place an order through the Site, we will maintain your Order Information for our records unless and until you ask us to delete this information.

CHANGES

We may update this privacy policy from time to time to reflect, for example, changes in our practices or for other operational, legal or regulatory reasons.
MINORS

The Site is not intended for persons under 18 years of age.

CONTACT US

For more information about our privacy practices, if you have questions or would like to file a complaint, please contact us by email at ***EMAIL.1

If you access the contact form, <<contact>>, located at the bottom of the main page, the website redirects the user to a new page ***URL.12 where the following information exists: "You can contact us by email: ***EMAIL.1. Or you can contact us using the form that appears at the bottom."

b).- About the Cookies Policy:

1.- When entering the website for the first time, once the browsing history and cookies of the terminal equipment have been cleared, without accepting new cookies or performing any action on the website, it has been verified that cookies are used that are not technical or necessary, with the following characteristics:

A).- Performance cookies (8)

| Cookie | Domain | Description |
|---|---|---|
| _landing_page | ***DOMAIN.1 | Used to track, report and analyze landing pages. |
| shopify_sa_t | ***DOMAIN.1 | Associated with the Shopify analytics suite, about marketing and referrals. |
| _shopify_y | ***DOMAIN.1 | Associated with the Shopify analytics suite. |
| _shopify_s | ***DOMAIN.1 | Associated with the Shopify analytics suite. |
| _shopify_sa_p | ***DOMAIN.1 | Associated with the Shopify analytics suite, about marketing and referrals. |
| _y | ***DOMAIN.1 | Associated with the Shopify analytics suite. |
| _s | ***DOMAIN.1 | Associated with the Shopify analytics suite. |
| __kla_id | ***DOMAIN.1 | Tracks when someone clicks through a Klaviyo email to your website. |

B).- Targeting cookies (5)

| Cookie | Domain | Description |
|---|---|---|
| _pin_unauth | ***DOMAIN.1 | Registers a unique ID that identifies and recognizes the user. It is used for targeted advertising. |
| test_cookie | ***DOMAIN.2 | Set by DoubleClick (which is owned by Google) to determine if the website visitor's browser accepts cookies. |
| IDEMore | ***DOMAIN.2 | Set by DoubleClick and carries information about how the end user uses the website and any advertising that the end user has seen before visiting said website. |
| _gcl_au | ***DOMAIN.1 | Used by Google AdSense to experiment with the efficiency of advertising on websites that use their services. |
| _fbp | ***DOMAIN.1 | Used by Meta to offer a series of advertising products, such as real-time offers from external advertisers. |

2.- There is an information banner about cookies on the main page with the following message: "This website uses cookies to ensure you get the best experience on our website." <<More>> <<Okay>>

If you click on the <<More>> link, the website displays the "Privacy Policy" page ***URL.13 indicated above.

There is no "Cookie Policy". The only information about cookies provided by the website is located on the "Privacy Policy" page: "(…) We collect device information using the following technologies: - "Cookies" are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies and how to disable them, visit ***URL.14 (…)".

There is no mechanism that makes it possible to reject cookies or to manage them granularly through a control panel.
FIFTH: On 05/11/22, SHOPIFY INTERNATIONAL LIMITED (the platform where the web page in question is hosted) was required to provide information about the identification and contact data of the owner of the petconfort.shop domain as of 17 December 2021, by virtue of the investigative powers granted to the control authorities in article 58.1 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/16, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD.

SIXTH: On 05/25/22, the entity SHOPIFY INTERNATIONAL LIMITED sent this Agency information about the ownership of the website in question, providing the contact information of the owner and indicating that said page is associated with the phone number ***PHONE.1.

SEVENTH: On 06/06/22, the entity VODAFONE ESPAÑA SAU was requested to provide information on the identification and contact data of the owner of the telephone number ***PHONE.1, as of December 17, 2021.

EIGHTH: On 06/29/22, the company VODAFONE ESPAÑA SAU sent a written response to the request made by this Agency in which it states: "After making the relevant queries in my internal systems, this Agency is informed that, during the requested period, the telephone line ***PHONE.1 is registered in the name of INFINTY E COME SL with CIF B42993956 and address ***ADDRESS.1".
NINTH: On 10/17/22, the Directorate of the Spanish Data Protection Agency initiated a sanctioning procedure against the claimed entity, upon appreciating reasonable indications of violation of the provisions of the following articles:
- For violation of article 13 of the RGPD, due to the lack of the necessary information in the "Privacy Policy", as established in the aforementioned article, with an initial penalty of 5,000 euros (five thousand euros).
- For violation of article 22.2 of the LSSI, due to the irregularities detected on its website regarding the "Cookie Policy", with an initial sanction of 5,000 euros (five thousand euros).

Along with this, and in accordance with article 58.2 of the RGPD, the following corrective measure was proposed to be imposed on the defendant:
- That it implement, within a period of one month, the necessary corrective measures to adapt its actions to the personal data protection regulations, with the inclusion of the necessary information that must be provided to the users of the website it owns, in accordance with the provisions of article 13 of the RGPD, and that it inform this Agency within the same period about the measures taken.

According to a certificate from the State Postal and Telegraph Company, the initiation document of the file sent to the claimed party on 10/25/22 through the Post Office's postal notifications was returned to origin on 10/28/22, marked "unknown".

TENTH: On 11/03/22, notification of the initiation agreement was made through an announcement on the single Edictal Board of the Official State Gazette, in accordance with article 44 of the LPACAP.

Having been notified of the initiation of the file, as of today there is no evidence that the claimed party has made allegations against the agreement to initiate the procedure.
In this sense, article 64.2.f) of the LPACAP - a provision of which the complainant was informed in the agreement to open the procedure - establishes that, if no allegations are made within the period provided regarding the content of the initiation agreement, the latter may be considered a proposed resolution when it contains a precise statement about the imputed responsibility. In the present case, the agreement to initiate the sanctioning file determined the facts on which the imputation was based, the violation of the RGPD attributed to the claimed party and the sanction that could be imposed. Therefore, taking into consideration that the defendant has not formulated allegations against the agreement to initiate the file, and in accordance with what is established in article 64.2.f) LPACAP, the aforementioned initiation agreement is considered in this case the proposed resolution.

PROVEN FACTS

From the actions carried out in this procedure and the information and documentation presented, the following facts have been proven:

First: On 05/09/22, this Agency confirmed the following characteristics about its "Privacy Policy" and its "Cookies Policy":

a).- About the "Privacy Policy":

If you access the "Privacy Policy" through the link located at the bottom of the main page, you access a new page https://petconfort.shop/pages/politica-de-privacidad, where information is provided about: the personal information they collect; how they use such personal information; how they share that information; the rights that assist the user; and how to contact the person responsible for the website.
b).- About the Cookies Policy:

1.- When entering the website for the first time, once the browsing history and cookies of the terminal equipment have been cleared, without accepting new cookies or performing any action on the website, it has been verified that cookies are used that are not technical or necessary:

A).- Performance cookies: _landing_page, shopify_sa_t, _shopify_y, _shopify_s, _shopify_sa_p, _y, _s, __kla_id

B).- Targeting cookies: _pin_unauth, test_cookie, IDEMore, _gcl_au, _fbp

2.- There is an information banner about cookies on the main page with the following message: "This website uses cookies to ensure you get the best experience on our website." <<More>> <<Okay>>

If you click on the <<More>> link, the website displays the "Privacy Policy" page ***URL.12 indicated above.

There is no "Cookie Policy". The only information about cookies provided by the website is located on the "Privacy Policy" page: "(…) We collect device information using the following technologies: - "Cookies" are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies and how to disable them, visit ***URL.13 (…)".

There is no mechanism that makes it possible to reject cookies or to manage them granularly through a control panel.

FOUNDATIONS OF LAW

I.- Competence:

- About the processing of personal data and the "Privacy Policy" on the website: The Director of the Spanish Data Protection Agency is competent to resolve this procedure, by virtue of the powers that art. 58.2 of the RGPD recognizes to each Control Authority and as established in arts. 47, 64.2 and 68.1 of the LOPDGDD.

- About the "Cookies Policy" on the website: The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).

II.- About the "Privacy Policy" on the website:

If you access the "Privacy Policy" through the <<Privacy Policy>> link located at the bottom of the main page, you access a new page where information is provided about the personal information they collect; how they use that information; how they share personal information; how they carry out behavioral advertising; and data retention.

Regarding the rights that assist users with respect to their personal data, it reports the following:

"If you are a European resident, you have the right to access the personal information we hold about you and to request that your personal information be corrected, updated or deleted. If you wish to exercise this right, please contact us through the contact information below. Additionally, if you are a European resident, we note that we are processing your information to fulfill any contracts we may have with you (for example, if you place an order through the Site), or otherwise to pursue our legitimate business interests mentioned previously. Also, please note that your information will be transferred outside Europe, including to Canada and the United States."

Regarding the identification of the person responsible for the processing of the personal data on the website, the following is reported:

"For more information about our privacy practices, if you have questions or if you would like to file a complaint, please contact us by email at ***EMAIL.1"

If you access the contact page, located at the bottom of the main page, the website redirects the user to a new page ***URL.11 where the following information exists: "You can contact us by email: ***EMAIL.1 Or you can contact us using the form at the bottom."
II.-1 Administrative violation

Recital 61 of the GDPR indicates that: "The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided."

For its part, article 13 of the RGPD details the information that must be provided to the data subject when the data are collected directly from him or her, establishing the following:

"1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: a) the identity and the contact details of the controller and, where applicable, of the controller's representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; e) the recipients or categories of recipients of the personal data, if any; f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; d) the right to lodge a complaint with a supervisory authority; e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject."
II.-2 Sanction

Therefore, the fact that neither the rights that assist website users regarding the processing of their personal data, nor their right to file a claim, in this case before the AEPD, are reported, and that the controller of the personal data processed on the website is not conveniently identified, constitutes a violation of article 13 of the RGPD.

This violation can be punished with a fine of a maximum of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher, in accordance with article 83.5.b) of the RGPD.

In this sense, article 72.1.h) of the LOPDGDD considers very serious, for the purposes of prescription, "the omission of the duty to inform the affected person about the processing of their personal data in accordance with the provisions of articles 13 and 14 of the RGPD".

For the purposes of setting the amount of the penalty to be imposed in the present case, it is appropriate to graduate the sanction according to the following criteria established in article 83.2 of the GDPR:

"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; b) the intentional or negligent character of the infringement; c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; e) any relevant previous infringements by the controller or processor; f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, "Sanctions and corrective measures", provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuous nature of the infringement. b) The link between the offender's activity and the performance of personal data processing. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject."

In accordance with the transcribed precepts, in order to set the amount of the sanction to be imposed in the present case for the infraction classified in article 83.5.a), the following factor is considered a concurrent aggravating circumstance as established in section 2 of article 76 of the LOPDGDD:
- The link between the offender's activity and the performance of personal data processing, since it is a website for the online sale of pet products, which processes a high volume of clients' personal data (article 76.2.b).

The balance of the circumstances contemplated, with respect to the infraction committed by violating the provisions of article 13 of the RGPD, allows setting a penalty of 5,000 euros (five thousand euros).
II.-3 Measures

In this case, the person responsible for the website ***DOMAIN.1/ is required, within one month, to take the necessary measures to adapt the website it owns to current regulations, with the inclusion of the necessary information that must be provided to its users, in accordance with the provisions of article 13 of the GDPR.

Please note that failure to comply with the requirements of this body may be considered an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

III.- About the Cookies Policy of the website:

a).- About the installation of cookies on the terminal equipment prior to consent:

Article 22.2 of the LSSI establishes that users must be provided with clear and complete information on the use of data storage and retrieval devices and, in particular, about the purposes of the data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie involves processing that enables the identification of the user, the controllers must ensure compliance with the requirements established by the data protection regulations.

However, it is necessary to point out that those cookies necessary for the intercommunication of terminals and the network, and those that provide a service expressly requested by the user, are exempt from compliance with the obligations established in article 22.2 of the LSSI.
In this regard, the Article 29 Working Party (WP29), in its Opinion 4/2012, interpreted that the following cookies would be exempt: user-input cookies (those used to fill in forms or manage a shopping cart); user authentication or identification (session) cookies; user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; session cookies for load balancing; user interface customisation cookies; and some social content sharing plug-in cookies. These cookies fall outside the scope of Article 22.2 of the LSSI and, therefore, it is not necessary to inform about them or to obtain consent for their use. Conversely, the user must be informed and prior consent obtained before any other type of cookie is used, whether first- or third-party, session or persistent.

In the verification carried out by this Agency on the website complained of, it was found that, upon entering the main page without performing any action on it or accepting cookies, the following cookies that are neither technical nor necessary were set:

A).- Performance cookies (8)

COOKIE | DOMAIN | DESCRIPTION
_landing_page | ***DOMAIN.1 | Used to track, report and analyse landing pages.
shopify_sa_t | ***DOMAIN.1 | Associated with the Shopify analytics suite, for marketing and referrals.
_shopify_y | ***DOMAIN.1 | Associated with the Shopify analytics suite.
_shopify_s | ***DOMAIN.1 | Associated with the Shopify analytics suite.
_shopify_sa_p | ***DOMAIN.1 | Associated with the Shopify analytics suite, for marketing and referrals.
_y | ***DOMAIN.1 | Associated with the Shopify analytics suite.
_s | ***DOMAIN.1 | Associated with the Shopify analytics suite.
__kla_id | ***DOMAIN.1 | Tracks when someone clicks through a Klaviyo email to the website.

B).- Targeting cookies (5)

COOKIE | DOMAIN | DESCRIPTION
_pin_unauth | ***DOMAIN.1 | Registers a unique ID that identifies and recognises the user. Used for targeted advertising.
test_cookie | ***DOMAIN.2 | Set by DoubleClick (owned by Google) to determine whether the visitor's browser accepts cookies.
IDE | ***DOMAIN.2 | Set by DoubleClick; carries information about how the end user uses the website and any advertising the end user may have seen before visiting it.
_gcl_au | ***DOMAIN.1 | Used by Google AdSense to experiment with advertising efficiency on websites that use its services.

b).- On consent to the installation of cookies on the terminal equipment:

To use non-exempt cookies, the user's express consent must be obtained. This consent may be obtained by clicking on "accept", or inferred from an unequivocal action by the user that shows that consent has unambiguously been given. Consequently, mere inactivity by the user, scrolling or browsing the website will under no circumstances be considered a clear affirmative action for these purposes and will not amount to the giving of consent. Likewise, accessing the second layer, where the information is presented in layers, or the navigation needed for the user to manage their cookie preferences in the control panel, is not considered active behaviour from which acceptance of cookies can be derived. "Cookie walls" are also not permitted, that is, pop-up windows that block the content of and access to the website, forcing the user to accept the use of cookies in order to access the page and continue browsing, without offering the user any alternative that allows them to freely manage their cookie preferences.
If the option chosen is to refer the user to a second layer or cookie control panel, the link must take the user directly to that configuration panel. To facilitate selection, the panel may implement, in addition to a granular cookie management system, two further buttons: one to accept all cookies and another to reject them all. If the user saves their choice without having selected any cookie, it is understood that all cookies have been rejected. As regards this second possibility, boxes pre-ticked in favour of accepting cookies are not permitted under any circumstances. If, for the configuration of cookies, the website refers to the settings of the browser installed on the terminal equipment, this option may be considered complementary to obtaining consent, but not as the only mechanism. Therefore, if the publisher opts for this option, it must in any case also offer a mechanism that allows the user to reject the use of cookies and/or to do so on a granular basis. On the other hand, it must be possible for the user to withdraw consent previously given at any time. To this end, the publisher must offer a mechanism that makes it possible to withdraw consent easily at any time. That facility will be considered to exist, for example, when the user has simple and permanent access to the cookie management or configuration system. If the publisher's cookie management or configuration system does not make it possible to prevent the use of third-party cookies once the user has accepted them, information must be provided about tools offered by the browser and by the third parties, with a warning that if the user accepts third-party cookies and later wishes to delete them, they must do so from their own browser or from the system enabled by those third parties.
In the case at hand, the first-layer banner makes it possible to accept all cookies, but there is no other mechanism that makes it possible to reject all cookies that are not technical or necessary, neither in the first layer nor through a second layer. Nor is it possible to manage cookies in any granular way or by groups through a control panel.

c).- On the cookie information banner in the first layer (home page):

The first-layer cookie banner must include information identifying the publisher responsible for the website, where its identification details do not appear in other sections of the page or its identity cannot be obviously linked to the site itself. It must also include a generic identification of the purposes of the cookies that will be used and whether they are first-party or also third-party cookies, without it being necessary to identify them in this first layer. It must further include generic information on the type of data to be collected and used where user profiles are created, and information on how the user can accept, configure and reject the use of cookies, with a warning, where applicable, that if a certain action is performed the user will be understood to accept the use of cookies. Apart from the generic information on cookies, the banner must contain a clearly visible link to a second informative layer on the use of cookies. This same link can be used to direct the user to the cookie configuration panel, provided that access to the configuration panel is direct, that is, the user does not have to navigate within the second layer to locate it.
In the case at hand, the first-layer cookie information banner on the website ("This website uses cookies to ensure you get the best experience on our website") does not identify the purposes for which cookies will be used or whether they are first-party or also third-party cookies.

d).- On the information provided in the second layer (cookie policy):

In the second layer, or "cookie policy", more detailed information must be provided on the characteristics of cookies, including: the definition and generic function of cookies (what cookies are); the type of cookies used and their purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, whether the information obtained through the cookies is processed only by the publisher and/or also by third parties, with identification of the latter; the retention period of the cookies on the terminal equipment; and, where applicable, information on transfers of data to third countries and on profiling that involves automated decision-making.

In the case at hand, it has been verified that there is no "Cookie Policy" on the website. The only information about cookies provided by the website is on its "Privacy Policy" page:

(…) We collect device information using the following technologies: - "Cookies" are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies and how to disable them, visit ***URL.13 (…)".
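The two checks the Agency applied above, the pre-consent cookie audit (section a) and the rules on what does and does not count as consent (sections b and c), can be written down as executable logic. The following is an added example, not part of the AEPD decision and not code from the sanctioned website: it classifies cookies observed on first load against the WP29 Opinion 4/2012 exemption categories and gates cookie setting behind a consent state in which only an explicit action grants consent, saving the panel with nothing ticked rejects everything, and consent can be withdrawn. The cookie names, domains and categories of the non-necessary entries come from the decision's tables; the registry structure, the exempt entries (cart, secure_customer_sig), the action names and the sample capture are assumptions made for this example.

```javascript
// Added example: not part of the AEPD decision or the sanctioned website.
//   1. auditPreConsent(): cookies observed on first load, before any user
//      action, that fall outside the Article 22.2 LSSI exemption.
//   2. ConsentState: which user actions count as consent and which
//      cookies each resulting state allows to be set.
// Non-necessary cookie names/categories come from the decision; the
// registry, exempt entries, action names and sample capture are assumed.

// WP29 Opinion 4/2012: categories needing neither information nor consent.
const EXEMPT_CATEGORIES = new Set([
  "user-input", "authentication", "security", "media-player",
  "load-balancing", "ui-customisation", "social-plugin-session",
]);

// Categories that require prior, express consent (Article 22.2 LSSI).
const NON_EXEMPT_CATEGORIES = ["performance", "targeting"];

// Hypothetical classification registry (name -> category).
// "cart" and "secure_customer_sig" are constructed exempt examples.
const COOKIE_REGISTRY = {
  cart: "user-input", secure_customer_sig: "authentication",
  _landing_page: "performance", shopify_sa_t: "performance",
  _shopify_y: "performance", _shopify_s: "performance",
  _shopify_sa_p: "performance", _y: "performance", _s: "performance",
  __kla_id: "performance",
  _pin_unauth: "targeting", test_cookie: "targeting",
  IDE: "targeting", _gcl_au: "targeting",
};

// Unclassified cookies are treated as non-exempt: a publisher that cannot
// classify a cookie cannot claim the exemption for it.
function classify(name) {
  return COOKIE_REGISTRY[name] || "unknown";
}

// observed: [{name, domain}] captured on first load with no click, scroll
// or other interaction. Returns every cookie that needed consent first.
function auditPreConsent(observed, siteDomain) {
  return observed
    .map((c) => ({ ...c, category: classify(c.name) }))
    .filter((c) => !EXEMPT_CATEGORIES.has(c.category))
    .map((c) => ({ ...c, thirdParty: c.domain !== siteDomain }));
}

// Consent state following the rules in the decision: only an explicit
// action changes the state; scrolling, browsing, opening the second layer
// or moving around the panel are not consent; the panel has nothing
// pre-ticked, so saving with no category selected rejects all non-exempt
// cookies; consent can be withdrawn at any time.
class ConsentState {
  constructor() {
    this.decided = false;      // has the user made an explicit choice?
    this.granted = new Set();  // non-exempt categories consented to
  }

  apply(action, categories = []) {
    switch (action) {
      case "accept-all":
        this.granted = new Set(NON_EXEMPT_CATEGORIES);
        this.decided = true;
        break;
      case "reject-all":
      case "withdraw":
        this.granted = new Set();
        this.decided = true;
        break;
      case "save":
        this.granted = new Set(
          categories.filter((c) => NON_EXEMPT_CATEGORIES.includes(c))
        );
        this.decided = true;
        break;
      case "scroll":
      case "navigate":
      case "open-second-layer":
      case "browse-panel":
        break;                 // not an affirmative action: no change
      default:
        throw new Error(`unknown action: ${action}`);
    }
    return this;
  }

  // Gate to consult before document.cookie = ... or a tag manager fires.
  maySet(name) {
    const category = classify(name);
    if (EXEMPT_CATEGORIES.has(category)) return true;
    return this.granted.has(category);
  }
}

// Constructed capture resembling the decision's findings: first load on
// ***DOMAIN.1 with no interaction; a cart cookie, a Shopify analytics
// cookie and a DoubleClick cookie from ***DOMAIN.2 were set.
const SAMPLE_FIRST_LOAD = [
  { name: "cart", domain: "***DOMAIN.1" },
  { name: "_shopify_y", domain: "***DOMAIN.1" },
  { name: "IDE", domain: "***DOMAIN.2" },
];

function demo() {
  const state = new ConsentState().apply("scroll");
  return {
    findings: auditPreConsent(SAMPLE_FIRST_LOAD, "***DOMAIN.1"),
    analyticsAllowedAfterScroll: state.maySet("_shopify_y"),
    cartAllowed: state.maySet("cart"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with `node` to see the two findings (the Shopify analytics cookie as first-party, IDE as third-party) and that scrolling alone leaves analytics blocked while the cart cookie is allowed. The audit side is what an examiner reproduces with a fresh browser profile and the network/storage panel; the consent side is what the site's tag manager should consult before setting anything outside the exempt categories.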
III.-1 Administrative infringement

The deficiencies detected regarding the cookie policy on the website at issue, namely the use of third-party cookies that are neither technical nor necessary, the impossibility of rejecting third-party cookies, and the lack of information in the "cookie policy", may constitute, on the part of the respondent, an infringement of Article 22.2 of the LSSI, which establishes: "Service providers may use data storage and retrieval devices on recipients' terminal equipment, provided that the recipients have given their consent after having been provided with clear and complete information on their use, in particular on the purposes of the data processing, in accordance with Organic Law 15/1999 on the protection of personal data. Where technically possible and effective, the recipient's consent to accept the processing of the data may be given by means of the appropriate settings of the browser or other applications. The foregoing shall not prevent storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient." This infringement is classified as "minor" in Article 38.4 g) of that Law, which considers as such: "Using data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by Article 22.2", and it may be sanctioned with a fine of up to €30,000 in accordance with Article 39 of the LSSI. In light of the evidence obtained, it is considered appropriate to graduate the sanction to be imposed in accordance with the following aggravating criterion established by Article
40 of the LSSI: the existence of intent, an expression that must be interpreted as equivalent to the degree of culpability according to the Judgment of the National Court of 11/12/07 handed down in appeal no. 351/2006, it being incumbent on the respondent entity to determine a system for obtaining informed consent that conforms to the mandate of the LSSI.

III.-2 Sanction

In accordance with these criteria, it is considered appropriate to impose a fine of 5,000 euros (five thousand euros) for the infringement of Article 22.2 of the LSSI regarding the cookie policy on the website it owns.

Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website ***DOMINIO.1/, for the infringement of Article 13 of the GDPR, for the lack of the necessary information in the "Privacy Policy" on its website, a fine of 5,000 euros (five thousand euros).

SECOND: TO IMPOSE on the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website ***DOMINIO.1/, for the infringement of Article 22.2 of the LSSI, for the irregularities detected on its website regarding the "Cookie Policy", a fine of 5,000 euros (five thousand euros).

THIRD: TO ORDER the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website ***DOMINIO.1/, to implement, within a period of one month, the corrective measures necessary to adapt its conduct to personal data protection regulations with respect to Article 13 of the GDPR, and to inform this Agency within the same period of the measures adopted.

FOURTH: TO NOTIFY this resolution to the entity INFINITY ECOM S.L.
FIFTH: To warn the sanctioned party that the fine imposed must be paid once this resolution becomes enforceable, in accordance with Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), within the voluntary payment period indicated in Article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by depositing it in restricted account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A.; otherwise it will be collected during the enforcement period. Once the notification has been received and the resolution is enforceable, if the date on which it becomes enforceable falls between the 1st and 15th of the month, both inclusive, the deadline for voluntary payment will be the 20th of the following month or the next business day thereafter; if it falls between the 16th and the last day of the month, both inclusive, the deadline will be the 5th of the second following month or the next business day thereafter.

In accordance with Article 82 of Law 62/2003, of 30 December, on fiscal, administrative and social measures, this Resolution will be made public once it has been notified to the interested parties. Publication will be carried out in accordance with Instruction 1/2004, of 22 December, of the Spanish Data Protection Agency on the publication of its Resolutions.
Against this resolution, which brings the administrative procedure to an end, and in accordance with Articles 112 and 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of that Law. Finally, it is noted that, in accordance with Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If so, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/] or through any of the other registries provided for in Article 16.4 of Law 39/2015, of 1 October. The interested party must also provide the Agency with documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.

Mar España Martí
Director of the Spanish Data Protection Agency