AEPD (Spain) - PS-00393-2022: Difference between revisions

From GDPRhub

Latest revision as of 10:51, 10 January 2024

AEPD - PS-00393-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 22.2 LSSI
Type: Complaint
Outcome: Upheld
Started: 21.12.2021
Decided:
Published:
Fine: 10,000 EUR
Parties: INFINITY ECOM S.L
National Case Number/Name: PS-00393-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: magdalena04

The Spanish Data Protection Agency (AEPD) fined a controller €10,000 for the lack of information provided on their privacy policy which therefore breached Article 13 GDPR.

English Summary

Facts

On 21 December 2021 a claim against INFINITY ECOM S.L. (the controller) was filed with the Spanish DPA, claiming that the company's privacy and cookie policy was not compliant. The Spanish DPA launched an investigation and confirmed the following facts:

Firstly, the Privacy Policy of the company informed data subjects about their rights to access, alter, delete data and request information about processing and existence of data transfers to third countries. An email address to request this information was also provided. However, the privacy policy lacked information identifying the controller and did not inform data subjects about the possibility to file complaints.

Secondly, the website imposed unnecessary performance and targeting cookies without the consent of the data subject. There was no Cookie Policy. Only an information banner stating that the company uses cookies was provided. It was therefore not possible to reject the use of non-technical cookies.

Holding

The Spanish DPA held the controller to have infringed Article 13 GDPR and Article 22.2 of the Law of Information Society Services and Electronic Commerce (Ley de Servicios de la Sociedad de la Información y Comercio Electrónico – LSSI).

First, the Spanish DPA found the Privacy Policy to be insufficient and therefore in violation of Article 13 GDPR. The policy did not adequately inform data subjects on the processing of their data nor provide proper identification of the controller.

Second, the Spanish DPA held that the information banner on cookies infringed Article 22.2 of the LSSI. There was no possibility for data subjects to reject the non-essential cookies and insufficient information about their use was provided.

The Spanish DPA imposed a fine of €5,000 for each infringement, resulting in an overall fine of €10,000. The controller was given a month to adapt the website and bring it into compliance.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202201704 (PS/00393/2022)

               RESOLUTION OF THE SANCTIONING PROCEDURE


From the actions carried out by the Spanish Data Protection Agency and
based on the following:
                                  BACKGROUND

FIRST: On 12/21/21, Ms. A.A.A. (hereinafter, the complaining party) filed a
claim before the Spanish Data Protection Agency. The claim is
directed against the entity INFINITY ECOM S.L. with CIF B42993956, owner of the
website ***URL.1 (hereinafter, the claimed party), for the alleged violation of the
data protection regulations: Regulation (EU) 2016/679, of the European
Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons
with regard to the Processing of Personal Data and the Free Circulation of
these Data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD), and against Law
34/2002, of July 11, on Information Society Services and Electronic
Commerce (LSSI), and taking into account the following:


The reasons on which the claim was based were the following:

       “The website has NO Legal Notice or tax information about the business:
       tax identification, CIF or DNI that are essential for any web
       page created by a company. The Privacy Policy of the page is not
       correct and there is no Cookies Policy”.

SECOND: On 02/11/22, this Agency transferred the claim
to the PETCONFORT.SHOP entity to respond to it,
in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5
December, on the Protection of Personal Data and Guarantee of Digital Rights
(LOPDGDD). This request for information was notified on 02/18/22.

THIRD: On 03/21/22, the Director of the Spanish Data Protection Agency
issued an agreement to admit the claim presented for processing,
in accordance with article 65 of the LPDGDD Law, on finding possible
rational indications of a violation of the rules within the competence
of the Spanish Data Protection Agency.

FOURTH: On 05/09/22, this Agency accessed the website
***URL.1, verifying the following characteristics regarding its “Privacy
Policy” and its “Cookies Policy”:

       a).- About the “Privacy Policy”:

If you access the “Privacy Policy” through the link located at the
bottom of the main page, you access a new page ***URL.2, where
information is provided about:

       PERSONAL INFORMATION WE COLLECT

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/18









       When you visit the Site, we automatically collect certain information about
       your device, including information about your web browser, IP address, time
       zone and some of the cookies that are installed on your device.
       Additionally, as you browse the Site, we collect information about the
       individual web pages or products you view, which websites or search
       terms referred you to the Site and information about how you interact with the
       Site. We refer to this automatically collected information as
       "Device Information". We collect device information using
       the following technologies:


       - "Cookies" are data files that are placed on your device or
       computer and often include an anonymous unique identifier. For
       more information about cookies and how to disable them, visit
       ***URL.3
       - "Log files" track actions that occur on the
       Site and collect data, including your IP address, browser type,
       Internet service provider, referring/exit pages and date/time
       stamps.
       - "Web beacons", "tags" and "pixels" are electronic
       files that are used to record information about how you browse
       the Site.

       Additionally, when you make a purchase or attempt to make a purchase through the
       Site, we collect certain information from you, including your name, email address,
       billing, shipping address, payment information (including
       credit card, email address and phone number). We refer to this
       information as "Order Information". When we talk about "Personal
       Information" in this Privacy Policy, we are talking about both the
       Device Information and Order Information.


       HOW DO WE USE YOUR PERSONAL INFORMATION?
       We use the order information that we collect generally to fulfill the
       orders placed through the Site (including the processing of your
       payment information, arranging shipping and providing invoices and/or
       order confirmations). Additionally, we use this order information
       to:
       - Communicate with you;
       - Review our orders for potential risk or fraud; and
       - When you agree with the preferences you have shared
       with us, provide you with information or advertising related to our
       products or services.

       We use the device information we collect to help us
       detect possible risks and fraud (in particular, your IP address) and, in
       general, to improve and optimize our Site (for example, by generating analysis
       about how our customers navigate and interact with the Site, and to evaluate the
       success of our marketing and advertising campaigns).


       SHARING YOUR PERSONAL INFORMATION
       We share your personal information with third parties to help us use your
       personal information, as described above. For example, we use Shopify to
       power our online store - you can read more about how Shopify uses your
       personal information here: ***URL.4. We also use Google Analytics to

       help us understand how our customers use the Site. You can read more
       about how Google uses your Personal Information here: ***URL.5. You can
       also opt out of Google Analytics here: ***URL.6.


       Finally, we may also share your personal information to comply
       with applicable laws and regulations, to respond to a subpoena, search
       warrant or other lawful request for information we receive, or to
       protect our rights.


       BEHAVIORAL ADVERTISING
       As described above, we use your personal information to provide you with
       targeted advertisements or marketing communications that we believe may be
       of interest to you. To learn more about how targeted advertising works, you can
       visit the Network Advertising Initiative ("NAI") educational page at ***URL.7.


       You can opt out of targeted advertising by using the links
       below: - Facebook: ***URL.8 - Google: ***URL.9 - Bing: ***URL.10 .
       Additionally, you may opt out of some of these services by visiting
       the Digital Advertising Alliance opt-out portal at: ***URL.11.


       DO NOT TRACK
       Please note that we do not alter our Site's data collection and use
       practices when we see a Do Not Track signal from your browser.

       YOUR RIGHTS
       If you are a European resident, you have the right to access the
       personal information we hold about you and to request that your personal
       information be corrected, updated or deleted. If you wish to exercise this right,
       please contact us via the contact information below.

       Additionally, if you are a European resident, we note that we are processing
       your information to fulfill any contracts we may have with you
       (for example, if you place an order through the Site), or otherwise to
       pursue our legitimate business interests mentioned
       previously. Additionally, please note that your information will be transferred
       outside Europe, including to Canada and the United States.


       DATA RETENTION
       When you place an order through the Site,
       we will maintain your Order Information for our records unless and
       until you ask us to delete this information.

       CHANGES
       We may update this privacy policy from time to time
       to reflect, for example, changes in our practices or for other
       operational, legal or regulatory reasons.

       MINORS
       The Site is not intended for persons under 18 years of age.


       CONTACT US
       For more information about our privacy practices,
       if you have questions or would like to file a complaint, please contact
       us by email at ***EMAIL.1


If you access the contact form, <<contact>>, located at the bottom of the
main page, the website redirects the user to a new page ***URL.12 where
the following information appears:

       “You can contact us by email: ***EMAIL.1. Or you can
       contact us using the form that appears at the bottom.”

       b).- About the Cookies Policy:

1.- When entering the website for the first time, once the browsing history and
cookies of the terminal equipment have been cleared, without accepting new cookies or
performing any action on the website, it has been verified that cookies are used
that are not technical or necessary, with the following characteristics:

A).- Performance cookies (8)


     COOKIE           DOMAIN        DESCRIPTION
     _landing_page    ***DOMAIN.1   Used to track, report and analyze in the landing pages.
     shopify_sa_t     ***DOMAIN.1   Associated with the Shopify analytics suite about marketing and referrals.
     _shopify_y       ***DOMAIN.1   Associated with the Shopify analytics suite.
     _shopify_s       ***DOMAIN.1   Associated with the Shopify analytics suite.
     _shopify_sa_p    ***DOMAIN.1   Associated with the Shopify analytics suite about marketing and referrals.
     _y               ***DOMAIN.1   Associated with the Shopify analytics suite.
     _s               ***DOMAIN.1   Associated with the Shopify analytics suite.
     __kla_id         ***DOMAIN.1   Tracks when someone clicks through a Klaviyo email to your website

B).- Targeting cookies (5)


     COOKIE           DOMAIN        DESCRIPTION
     _pin_unauth      ***DOMAIN.1   Registers a unique ID that identifies and recognizes the user. It is used for targeted advertising.
     test_cookie      ***DOMAIN.2   Set by DoubleClick (which is owned by Google) to determine if the website visitor's browser accepts cookies.
     IDEMore          ***DOMAIN.2   This cookie is set by Doubleclick and carries information about how the end user uses the website and any advertising that the end user has seen before visiting said website.
     _gcl_au          ***DOMAIN.1   Used by Google AdSense to experiment with the efficiency of advertising on websites that use its services.
     _fbp             ***DOMAIN.1   Used by Meta to offer a series of advertising products, such as real-time offers from external advertisers.

2.- There is an information banner about cookies on the main page with the
following message:

  “This website uses cookies to ensure you get the best experience on
                    our website.” <<More>> <<Okay>>


If you click on the <<More>> link, the website displays the “Privacy
Policy” page ***URL.13 indicated above.

There is no “Cookie Policy”. The only information about cookies provided by
the website is located on the “Privacy Policy” page:


       “(…) We collect device information using the following
       technologies: - "Cookies" are data files that are placed on your
       device or computer and often include an anonymous unique
       identifier. For more information about cookies and how to
       disable them, visit ***URL.14 (…)”.


There is no mechanism that makes it possible to reject cookies or manage them
granularly through a control panel.

FIFTH: On 05/11/22 SHOPIFY INTERNATIONAL LIMITED (the platform where the web
page in question is hosted) was required to provide information about the
identification and contact data of the owner of the petconfort.shop domain as of 17
December 2021, by virtue of the investigative powers granted to the
control authorities in article 58.1 of Regulation (EU) 2016/679, of the
European Parliament and of the Council, of 04/27/16, regarding the Protection of
Natural Persons with regard to the Processing of Personal Data and the Free
Circulation of these Data (RGPD) and in accordance with the provisions of Title
VII, Chapter I, Second Section, of the LOPDGDD.

SIXTH: On 05/25/22, the entity SHOPIFY INTERNATIONAL LIMITED sent
this Agency information about the ownership of the website in question, providing
the contact information of the owner of the website and indicating that said
page is associated with the phone number ***PHONE.1.

SEVENTH: On 06/06/22, the entity VODAFONE ESPAÑA SAU was requested to provide
information on the identification and contact data of the owner of the telephone
number ***PHONE.1, as of December 17, 2021.

EIGHTH: On 06/29/22, the company VODAFONE ESPAÑA SAU sent a written
response to the request made by this Agency in which it states:


       “After making the relevant queries in my internal systems, this Agency
       is informed that, during the requested period, the telephone
       line ***PHONE.1 is registered in the name of INFINTY E COME SL with CIF
       B42993956 and address ***ADDRESS.1”.


NINTH: On 10/17/22, the Directorate of the Spanish Data Protection Agency
initiated a sanctioning procedure against the claimed entity,
on finding reasonable indications of violation of the provisions of the following articles:


    - For violation of article 13 of the RGPD, due to the lack of necessary information
       in the “Privacy Policy”, as established in the aforementioned article, with an
       initial penalty of 5,000 euros (five thousand euros).

    - For violation of article 22.2 of the LSSI, due to the irregularities detected
       on its website regarding the “Cookie Policy”, with an initial sanction
       of 5,000 euros (five thousand euros).

Along with this and in accordance with article 58.2 of the RGPD, the following was
proposed as corrective measures to be imposed on the defendant:


    - That it implement, within a period of one month, the necessary corrective measures to
       adapt its actions to the personal data protection regulations, with the
       inclusion of the necessary information that must be provided to users of
       the website it owns, in accordance with the provisions of article 13
       of the RGPD, and that it inform this Agency within the same period about the
       measures taken.

According to a certificate from the State Postal and Telegraph Company, the document
initiating the file, sent to the claimed party on 10/25/22 through the
postal notification service of the Post Office, was returned to origin on 10/28/22, with the
message “unknown”.

TENTH: On 11/03/22, notification of the initiation agreement was made through
announcement on the single Edictal Board of the Official State Gazette, in accordance with the
article 44 of LPACAP.


Notification of the initiation of the file having been made, as of today there is no evidence
that the claimed party has made allegations to the agreement to initiate the procedure. In this
sense, article 64.2.f) of the LPACAP - provision of which the complainant was informed in the
agreement to open the procedure - establishes that, if no allegations are made
within the period provided on the content of the initiation agreement, when it
contains a precise statement about the imputed responsibility, it may
be considered a motion for a resolution. In the present case, the agreement to start the
sanctioning file determined the facts on which the imputation was based,
the violation of the RGPD attributed to the person complained of and the sanction that could be
imposed. Therefore, taking into consideration that the defendant has not formulated
allegations to the agreement to initiate the file and in accordance with what is established in
article 64.2.f) LPACAP, the aforementioned initiation agreement is considered in the present
case a proposed resolution.
                                PROVEN FACTS.


From the actions carried out in this procedure and the information and
documentation presented, the following facts have been proven:



First: On 05/09/22, this Agency confirmed the following
characteristics of its “Privacy Policy” and its “Cookies Policy”:

a).- About the “Privacy Policy”:


If you access the “Privacy Policy” through the link located at the
bottom of the main page, you access a new page
https://petconfort.shop/pages/politica-de-privacidad, where information is provided
about: the personal information they collect; how they use such personal information;
how they share that information; the rights that assist the user; and how
to contact the person responsible for the website.


b).- About the Cookies Policy:

1.- When entering the website for the first time, once the browsing history and
cookies of the terminal equipment have been cleared, without accepting new cookies or
performing any action on the website, it has been verified that cookies are used
that are not technical or necessary:

       A).- Performance cookies:

       _landing_page
       shopify_sa_t
       _shopify_y
       _shopify_s
       _shopify_sa_p
       _y
       _s
       __kla_id

       B).- Targeting cookies:

       _pin_unauth
       test_cookie
       IDEMore
       _gcl_au
       _fbp


2.- There is an information banner about cookies on the main page with the
following message:

“This website uses cookies to ensure you get the best experience on
our website.” <<More>> <<Okay>>


If you click on the <<More>> link, the website displays the “Privacy
Policy” page ***URL.12 indicated above.

There is no “Cookie Policy”. The only information about cookies provided by
the website is located on the “Privacy Policy” page:

       “(…) We collect device information using the following
       technologies: - "Cookies" are data files that are placed on your
       device or computer and often include an anonymous unique
       identifier. For more information about cookies and how to
       disable them, visit ***URL.13 (…)”.

There is no mechanism that makes it possible to reject cookies or manage them
granularly through a control panel.


                           FOUNDATIONS OF LAW

                                           I.-
                                     Competence:


    - About the processing of personal data and the “Privacy Policy” on the
       website:

The Director of the Spanish Data Protection Agency is competent to resolve this
procedure, by virtue of the powers that art. 58.2 of the RGPD recognizes to
each Control Authority and as established in arts. 47, 64.2 and 68.1 of the
LOPDGDD.

    - About the “Cookies Policy” on the website:


The Director of the Spanish Data Protection Agency is competent to resolve this
procedure, in accordance with the provisions of art. 43.1, second
paragraph, of Law 34/2002, of July 11, on Information Society Services and
Electronic Commerce (LSSI).


                                          II.-
                      About the “Privacy Policy” on the website:

If you access the “Privacy Policy” through the link located at the
bottom of the main page, <<Privacy Policy>>, you access a new
page where information is provided about the personal information they collect;
how they use the information; how they share personal information; how
they carry out behavioral advertising; or data retention.

Regarding the rights that assist users with respect to their personal data,
it reports the following:


       If you are a European resident, you have the right to access the personal information
       we have about you and to request that your personal information be corrected,
       updated or deleted. If you wish to exercise this right, please contact us through
       the contact information below.


       Additionally, if you are a European resident, we note that we are processing
       your information to fulfill any contracts we may have with you
       (for example, if you place an order through the Site), or otherwise to

       pursue our legitimate business interests mentioned
       previously. Also, please note that your information will be transferred
       outside Europe, including to Canada and the United States.


Regarding the identification of the person responsible for the processing of personal data on the
website, the following is reported:

       For more information about our privacy practices, if you have
       questions or if you would like to file a complaint, please contact us by
       email at ***EMAIL.1

If you access the contact page, located at the bottom of the main page,
the website redirects the user to a new page ***URL.11 where the following
information appears:


       You can contact us by email: ***EMAIL.1 Or you can
       contact us using the form at the bottom.

                                          II.-1
                                Administrative violation


Recital 61) of the GDPR indicates that:

       “Interested parties must be provided with information on the treatment of their
       personal data at the time it is obtained from them or, if obtained
       from another source, within a reasonable period of time, depending on the circumstances of the
       case. If personal data can legitimately be communicated to another
       recipient, the interested party must be informed at the time the data are
       communicated to the recipient for the first time. If the person responsible for the treatment
       plans to process the data for a purpose other than that for which it was collected,
       he must provide the interested party, before said further processing, with
       information about that other purpose and other necessary information. When the origin
       of the personal data cannot be provided to the interested party because
       several sources have been used, general information should be provided.”

For its part, article 13 of the RGPD details the information that must be
provided to the interested party when the data is collected directly from him,
establishing the following:

       “1. When personal data relating to him is obtained from an interested party, the
       person responsible for the treatment, at the time these are obtained,
       will provide: a) the identity and contact details of the person responsible and, where applicable,
       of his representative; b) the contact details of the data protection
       delegate, if applicable; c) the purposes of the processing for which the personal data
       are intended and the legal basis of the treatment; d) when the treatment is based
       on Article 6(1)(f), the legitimate interests of the controller or
       a third party; e) the recipients or categories of recipients of the personal
       data, if applicable; f) where applicable, the intention of the person responsible to transfer
       personal data to a third country or international organization and the existence or
       absence of an adequacy decision from the Commission, or, in the case of

       transfers indicated in Articles 46 or 47 or Article 49(1),
       second paragraph, reference to adequate or appropriate guarantees and the
       means to obtain a copy of these or the fact that they have been provided.


       2. In addition to the information mentioned in section 1, the person responsible for the
       treatment will provide the interested party, at the moment in which the
       personal data are obtained, the following information necessary to guarantee
       fair and transparent data processing: a) the period during which
       the personal data will be retained or, when this is not possible, the criteria
       used to determine this term; b) the existence of the right to request from the
       person responsible for the processing access to personal data relating to the
       interested party, and its rectification or deletion, or the limitation of its processing, or to
       oppose the processing, as well as the right to data portability; c)
       when the processing is based on Article 6(1)(a) or
       Article 9, paragraph 2, letter a), the existence of the right to withdraw
       consent at any time, without affecting the legality of the
       treatment based on consent prior to its withdrawal; d) the right to
       file a claim with a supervisory authority; e) whether the communication
       of personal data is a legal or contractual requirement, or a requirement
       necessary to sign a contract, and whether the interested party is obliged to provide
       personal data and is informed of the possible consequences of
       not providing such data; f) the existence of automated decisions, including
       profiling, referred to in article 22, paragraphs 1 and 4, and, at
       least in such cases, significant information about the logic applied, as well
       as the importance and anticipated consequences of such treatment for the
       interested party".

                                          II.-2
                                        Sanction


Therefore, the fact that users of the website are not properly informed of the rights that
assist them regarding the processing of their personal data,
or of their right to file a claim, in this case before the
AEPD, and that the person responsible for processing personal data
on the website is not properly identified, constitutes a violation of article 13 of the RGPD.


This violation can be punished with a fine of a maximum of €20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, whichever
amount is larger, in accordance with article 83.5.b) of the RGPD.


In this sense, article 72.1.h) of the LOPDGDD considers it very serious, for the purposes
of prescription, “the omission of the duty to inform the affected person about the treatment
of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD”.

For the purposes of setting the amount of the penalty to be imposed in the present case, it is appropriate
to graduate the sanction according to the following criteria established in article
83.2 of the GDPR:



       "2. Administrative fines will be imposed, depending on the circumstances
       of each individual case, in addition to or as a substitute for the measures
       referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the
       imposition of an administrative fine and its amount in each individual case,
       due account will be taken of: a) the nature, severity and duration of the
       infringement, taking into account the nature, scope or purpose of the
       processing operation in question as well as the number of interested parties
       affected and the level of damages they have suffered; b) the
       intentionality or negligence in the infringement; c) any measure taken by
       the person responsible or in charge of the treatment to alleviate the damages and losses
       suffered by the interested parties; d) the degree of responsibility of the person responsible or
       of the person in charge of the treatment, taking into account the technical or
       organizational measures that they have applied under articles 25 and 32; e) any
       previous infringement committed by the controller or processor;
       f) the degree of cooperation with the supervisory authority in order to
       remedy the infringement and mitigate the possible adverse effects of the infringement;
       g) the categories of personal data affected by the infringement;
       h) the way in which the supervisory authority became aware of the infringement, in
       particular whether the person responsible or the person in charge notified the infringement and, in that case,
       to what extent; i) when the measures indicated in Article 58(2)
       have been previously ordered against the person responsible or the person in charge
       in question in relation to the same matter, compliance with said
       measures; j) adherence to codes of conduct under Article 40 or
       certification mechanisms approved in accordance with article 42; k) any
       other aggravating or mitigating factor applicable to the circumstances of the case, such as
       the financial benefits obtained or the losses avoided, directly or
       indirectly, through the infringement.”

For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in
its article 76, “Sanctions and corrective measures”, provides:

       "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of
       Regulation (EU) 2016/679 will be applied taking into account the graduation
       criteria established in section 2 of the aforementioned article.
       2. In accordance with the provisions of article 83.2.k) of Regulation (EU)
       2016/679, the following may also be taken into account:
       a) The continuous nature of the infringement.
       b) The link between the offender's activity and the processing of personal
       data.
       c) The benefits obtained as a consequence of committing the infringement.
       d) The possibility that the conduct of the affected person could have induced
       the commission of the infringement.
       e) The existence of a merger by absorption process after the commission of
       the infringement, which cannot be attributed to the absorbing entity.
       f) The impact on the rights of minors.
       g) Having, when not mandatory, a data protection officer.
       h) Voluntary submission by the controller or processor to alternative dispute
       resolution mechanisms, in those cases in which there are disputes between
       them and any data subject."

In accordance with the transcribed provisions, in order to set the amount of the sanction to
be imposed in the present case for the infringement classified in article 83.5.a), the
following factors are considered to be concurrent aggravating circumstances, as established
in section 2 of article 76 of the LOPDGDD:

    - The link between the offender's activity and the processing of personal data: since
      it is a website for the online sale of pet products, it processes a high number of
      customers' personal data (Article 76.2.b).

The balance of the circumstances considered, with respect to the infringement committed by
violating the provisions of article 13 of the RGPD, allows a penalty of 5,000 euros (five
thousand euros) to be set.

                                           II.-3
                                        Measures


In this case, the person responsible for the website ***DOMAIN.1/ is required, within one
month, to take the necessary measures to adapt the website it owns to current regulations,
by including the necessary information that it must provide to its users, in accordance
with the provisions of article 13 of the GDPR.


Please note that failure to comply with the requirements of this body may be considered an
administrative offense in accordance with the provisions of the RGPD, which classifies it
as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the
opening of a subsequent administrative sanctioning procedure.


                                           III.-
                     About the Cookies Policy of the website:

       a).- About the installation of cookies on the terminal equipment prior to
       consent:


Article 22.2 of the LSSI establishes that users must be provided with clear and complete
information on the use of data storage and retrieval devices and, in particular, about the
purposes of data processing. This information must be provided in accordance with the
provisions of the GDPR.


Therefore, when the use of a cookie involves processing that enables the identification of
the user, controllers must ensure compliance with the requirements established by data
protection regulations.


However, it should be noted that cookies necessary for the intercommunication of terminals
and the network, and those that provide a service expressly requested by the user, are
exempt from the obligations established in article 22.2 of the LSSI.


In this sense, the GT29 (Article 29 Working Party), in its Opinion 4/2012, interpreted that
the exempted cookies would include: user input cookies (those used to fill out forms or
manage a shopping cart); user authentication or identification (session) cookies; user
security cookies (those used to detect erroneous and repeated attempts to connect to a
website); media player session cookies; load-balancing session cookies; user interface
customization cookies; and some plug-in cookies for exchanging social content.


These cookies would be excluded from the scope of application of article 22.2 of the
LSSI and, therefore, it would not be necessary to inform about or obtain consent for their
use. By contrast, it will be necessary to inform and obtain the prior consent of the user
before using any other type of cookie, whether first-party or third-party, session or
persistent.


In the verification carried out by this Agency on the website complained about, it was
found that, upon entering the main page and without performing any action on it or
accepting cookies, non-necessary cookies were used.

When entering the website for the first time, without accepting cookies or performing any
action on the page, it has been verified that the following cookies are used that are not
technical or necessary:

A).- Performance cookies (8)

 COOKIE          DOMAIN        DESCRIPTION
 _landing_page   ***DOMAIN.1   Used for tracking, reporting and analysis of landing
                               pages.
 shopify_sa_t    ***DOMAIN.1   Associated with the Shopify analytics suite relating to
                               marketing and referrals.
 _shopify_y      ***DOMAIN.1   Associated with the Shopify analytics suite.
 _shopify_s      ***DOMAIN.1   Associated with the Shopify analytics suite.
 _shopify_sa_p   ***DOMAIN.1   Associated with the Shopify analytics suite relating to
                               marketing and referrals.
 _y              ***DOMAIN.1   Associated with the Shopify analytics suite.
 _s              ***DOMAIN.1   Associated with the Shopify analytics suite.
 __kla_id        ***DOMAIN.1   Tracks when someone clicks through a Klaviyo email to
                               your website.

B).- Targeting cookies (5)

 COOKIE          DOMAIN        DESCRIPTION
 _pin_unauth     ***DOMAIN.1   Registers a unique ID that identifies and recognizes
                               the user. It is used for targeted advertising.
 test_cookie     ***DOMAIN.2   Set by DoubleClick (which is owned by Google) to
                               determine whether the website visitor's browser
                               accepts cookies.
 IDEMore         ***DOMAIN.2   This cookie is set by DoubleClick and carries
                               information about how the end user uses the website
                               and any advertising that the end user has seen before
                               visiting said website.
 _gcl_au         ***DOMAIN.1   Used by Google AdSense to experiment with advertising
                               efficiency on the websites that use their services.
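
The first-load check described above can be automated by a site operator before launch. The following is an added example, not part of the decision or of the Agency's tooling: it classifies Set-Cookie headers captured before any consent action against the two categories in the tables above. The header values, the domains shop.example and ads.example, and the "technical" cookie names cart and session_id are constructed assumptions.

```javascript
// Categories taken from the decision's tables; the two "technical" names are
// hypothetical examples of exempt cookies (shopping cart, session).
const INVENTORY = {
  technical: ["cart", "session_id"],
  performance: ["_landing_page", "shopify_sa_t", "_shopify_y", "_shopify_s",
                "_shopify_sa_p", "_y", "_s", "__kla_id"],
  targeting: ["_pin_unauth", "test_cookie", "IDEMore", "_gcl_au"],
};

const CATEGORY_BY_NAME = new Map(
  Object.entries(INVENTORY).flatMap(([cat, names]) => names.map((n) => [n, cat]))
);

// Parse one Set-Cookie header value into name, domain and lifetime information.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // malformed: no cookie name
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  const hasMaxAge = "max-age" in attributes;
  const maxAge = Number(attributes["max-age"]);
  return {
    name: pair.slice(0, eq),
    domain: attributes.domain || null,
    // Persistent when it carries a positive Max-Age or, failing that, Expires.
    persistent: hasMaxAge ? maxAge > 0 : "expires" in attributes,
    // Max-Age <= 0 removes a cookie, so it is not a "use" to report.
    deletion: hasMaxAge && maxAge <= 0,
  };
}

// Classify every cookie set on first load, i.e. before any consent action.
function auditPreConsent(setCookieHeaders) {
  const report = { violations: [], exempt: [], unclassified: [] };
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (!cookie || cookie.deletion) continue;
    const category = CATEGORY_BY_NAME.get(cookie.name);
    if (category === "technical") report.exempt.push(cookie.name);
    else if (category) report.violations.push({ ...cookie, category });
    else report.unclassified.push(cookie.name); // needs manual review
  }
  return report;
}

// Constructed sample of headers received on the first page load.
const FIRST_LOAD_HEADERS = [
  "cart=abc123; Path=/; Secure; HttpOnly",
  "_shopify_y=0f0e; Domain=shop.example; Path=/; Max-Age=31536000",
  "_landing_page=%2F; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
  "_pin_unauth=dWlk; Domain=shop.example; Path=/; Max-Age=31536000",
  "test_cookie=CheckForPermission; Domain=ads.example; Path=/; Max-Age=900",
  "promo_seen=1; Path=/",
  "_gcl_au=; Path=/; Max-Age=0",
];

console.log(JSON.stringify(auditPreConsent(FIRST_LOAD_HEADERS), null, 2));
```

Any entry under `violations` is a non-exempt cookie that must wait for consent; entries under `unclassified` need a purpose assigned before they can be treated as exempt.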

       b).- Regarding consent to the installation of cookies on the terminal equipment:


To use non-exempt cookies, it will be necessary to obtain the express consent of the user.
This consent can be obtained by clicking on “accept” or inferred from an unequivocal action
carried out by the user that denotes that consent has been unequivocally given. Therefore,
the mere inactivity of the user, scrolling or browsing the website will under no
circumstances be considered a clear affirmative action for these purposes and will not in
itself imply the provision of consent. Likewise, accessing the second layer, if the
information is presented in layers, as well as the navigation necessary for the user to
manage their cookie preferences in the control panel, is not considered active behavior
from which the acceptance of cookies can be derived.

The existence of “cookie walls” is also not permitted, that is, pop-up windows that block
content and access to the website, forcing the user to accept the use of cookies in order
to access the page and continue browsing, without offering the user any alternative that
allows them to freely manage their preferences regarding the use of cookies.

If the option is to go to a second layer or cookie control panel, the link should take the
user directly to said configuration panel. To facilitate selection, the panel may
implement, in addition to a granular cookie management system, two more buttons, one to
accept all cookies and another to reject them all. If the user saves their choice without
having selected any cookie, it will be understood that they have rejected all cookies. In
relation to this second possibility, pre-ticked boxes in favor of accepting cookies are in
no case permitted.


If, for the configuration of cookies, the website refers to the configuration of the
browser installed on the terminal equipment, this option could be considered complementary
for obtaining consent, but not the only mechanism. Therefore, if the editor opts for this
option, it must in any case also offer a mechanism that allows the use of cookies to be
rejected and/or to do so on a granular basis.

On the other hand, it must be possible to withdraw the consent previously given by the user
at any time. To this end, the editor must offer a mechanism that makes it possible to
easily withdraw consent at any time. That ease will be considered to exist, for example,
when the user has simple and permanent access to the cookie management or configuration
system.

If the editor's cookie management or configuration system does not make it possible to
prevent the use of third-party cookies once accepted by the user, information will be
provided about the tools provided by the browser and the third parties, and a warning must
be given that, if the user accepts third-party cookies and subsequently wishes to delete
them, they must do so from their own browser or from the system enabled by the third
parties for this purpose.


In the case at hand, the banner of the first layer makes it possible to accept all cookies,
but there is no mechanism that makes it possible to reject all cookies that are not
technical or necessary, neither in the first layer nor through a second layer. It is also
not possible to manage cookies in a granular way or by groups through a control panel.

       c).- About the cookie information banner existing in the first layer
       (Homepage):


The cookie banner of the first layer must include information identifying the editor
responsible for the website, in the event that its identifying data do not appear in other
sections of the page or its identity cannot be evidently inferred from the site itself. It
must also include a generic identification of the purposes of the cookies that will be used
and whether they are first-party or also third-party, without it being necessary to
identify them in this first layer. In addition, it must include generic information about
the type of data to be collected and used in the event that user profiles are created, and
must include information on the way in which the user can accept, configure and reject the
use of cookies, with the warning, if applicable, that if a certain action is performed it
will be understood that the user accepts the use of cookies.

Apart from the generic information about cookies, this banner must contain a clearly
visible link to a second informative layer on the use of cookies. This same link can be
used to direct the user to the cookie configuration panel, as long as access to the
configuration panel is direct, that is, the user does not have to navigate within the
second layer to locate it.

In the case at hand, the cookie information banner in the first layer of the website
(“This website uses cookies to guarantee that you obtain the best experience on our
website”) does not identify the purposes for which the cookies will be used or whether
they are first-party or also third-party.

       d).- About the information provided in the second layer (cookie policy):

In the second layer or “cookie policy”, more detailed information must be provided about
the characteristics of cookies, including: the definition and generic function of cookies
(what cookies are); the type of cookies used and their purpose (what types of cookies are
used on the website); the identification of who uses the cookies, that is, whether the
information obtained by the cookies is processed only by the editor and/or also by third
parties, identifying the latter; the retention period of cookies on the terminal equipment;
and, where applicable, information on data transfers to third countries and on profiling
that involves automated decision making.

In the case at hand, it has been verified that there is no “Cookie Policy” on the website.
The only information about cookies provided by the website is on its “Privacy Policy”
page:

       “(…) We collect device information using the following
       technologies: - "Cookies" are data files that are placed on your
       device or computer and often include an anonymous unique identifier.
       For more information about cookies and how to disable them,
       visit ***URL.13 (…)”.

                                             III.-1
                                   Administrative violation


The deficiencies detected in the cookie policy of the website in question (the use of
third-party cookies that are not technical or necessary, the impossibility of rejecting
third-party cookies, and the lack of information in the “cookie policy”) could constitute,
on the part of the entity complained against, the commission of an infringement of article
22.2 of the LSSI, which establishes that:


       “Service providers may use data storage and retrieval devices on
       recipients' terminal equipment, provided that they have given their
       consent after having been provided with clear and complete information
       on their use, in particular on the purposes of data processing, in
       accordance with the provisions of Organic Law 15/1999, on the protection
       of personal data.

       Where technically possible and effective, the recipient's consent to
       accept the processing of the data may be provided through the use of the
       appropriate settings of the browser or other applications.

       The above will not prevent possible storage or access of a technical nature
       for the sole purpose of carrying out the transmission of a communication
       over an electronic communications network or, to the extent strictly
       necessary, for the provision of an information society service expressly
       requested by the recipient.”

This infringement is classified as “minor” in article 38.4 g) of the aforementioned Law,
which considers as such: “Using data storage and retrieval devices when the information
has not been provided or the consent of the recipient of the service has not been obtained
in the terms required by article 22.2.”, and may be sanctioned with a fine of up to
€30,000, in accordance with article 39 of the aforementioned LSSI.

In view of the evidence obtained, it is considered appropriate to graduate the sanction to
be imposed in accordance with the following aggravating criteria, established by art. 40 of
the LSSI:


       The existence of intentionality, an expression that must be interpreted as
       equivalent to the degree of culpability according to the Judgment of the
       National Court of 11/12/07 handed down in Appeal no. 351/2006, it being
       for the reported entity to determine a system for obtaining informed
       consent that conforms to the mandate of the LSSI.

                                          III.-2
                                        Sanction


In accordance with these criteria, it is considered appropriate to impose a penalty of
5,000 euros (five thousand euros) for the violation of article 22.2 of the LSSI, regarding
the cookie policy implemented on the website it owns.


Therefore, in accordance with the above, the Director of the Spanish Data Protection
Agency

                                     RESOLVES:


FIRST: IMPOSE on the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website
***DOMINIO.1/, for the violation of article 13 of the RGPD, for the lack of necessary
information in the “Privacy Policy” on its website, a fine of 5,000 euros (five thousand
euros).


SECOND: IMPOSE on the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website
***DOMINIO.1/, for violation of article 22.2 of the LSSI, for the irregularities detected
on its website regarding the “Cookie Policy”, a fine of 5,000 euros (five thousand euros).

THIRD: ORDER the entity INFINITY ECOM S.L., with CIF B42993956, owner of the website
***DOMINIO.1/, to implement, within a period of one month, the corrective measures
necessary to adapt its actions to the personal data protection regulations, with respect
to article 13 of the RGPD, and to inform this Agency within the same period of the
measures adopted.


FOURTH: NOTIFY this resolution to the entity INFINITY ECOM S.L.

FIFTH: Warn the sanctioned party that the sanction imposed must be paid once this
resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law
39/2015, of October 1, on the Common Administrative Procedure of Public Administrations
(LPACAP), within the voluntary payment period indicated in article 68 of the General
Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art.
62 of Law 58/2003, of December 17, by depositing it into the restricted account No. ES00
0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the
bank CAIXABANK, S.A.; otherwise, it will be collected in the enforcement period.

Once the notification is received and once enforceable, if the enforceable date is between
the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment
will be the 20th of the following month or the immediately following business day, and if
it is between the 16th and last day of each month, both inclusive, the payment deadline
will be the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 82 of Law 62/2003, of December 30, on fiscal,
administrative and social order measures, this Resolution will be made public once it has
been notified to the interested parties. Publication will be carried out in accordance with
the provisions of Instruction 1/2004, of December 22, of the Spanish Data Protection Agency
on the publication of its Resolutions.

Against this resolution, which puts an end to the administrative procedure, and in
accordance with the provisions of articles 112 and 123 of the LPACAP, interested parties
may optionally file an appeal for reconsideration before the Director of the Spanish Data
Protection Agency within a period of one month from the day following the notification of
this resolution, or directly a contentious-administrative appeal before the
Contentious-Administrative Chamber of the National Court, in accordance with the
provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998,
of 07/13, regulating the Contentious-Administrative Jurisdiction, within a period of two
months from the day following the notification of this act, as provided for in article
46.1 of the aforementioned legal text.


Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP,
the final resolution in administrative proceedings may be provisionally suspended if the
interested party expresses their intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in writing
addressed to the Spanish Data Protection Agency, submitting it through the Agency's
Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the
other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
They must also send the Agency the documentation that proves the effective filing of the
contentious-administrative appeal. If the Agency is not made aware of the filing of the
contentious-administrative appeal within a period of two months from the day following
notification of this resolution, it would terminate the precautionary suspension.

Mar España Martí

Director of the Spanish Data Protection Agency.


























