AEPD (Spain) - PS/00524/2023: Difference between revisions
m (Changed sentence structure) |
m (Edited short summary) |
||
Line 59: | Line 59: | ||
}} | }} | ||
The DPA fined a | The DPA fined a website provider €90,000 for setting unnecessary cookies without users’ consent and for not informing about the existence and function of these cookies. | ||
== English Summary == | == English Summary == |
Revision as of 08:28, 6 November 2024
AEPD - PS/00524/2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 22.2 LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.12.2023 |
Decided: | 28.02.2024 |
Published: | 22.10.2024 |
Fine: | 90,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00524/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Ao |
The DPA fined a website provider €90,000 for setting unnecessary cookies without users’ consent and for not informing about the existence and function of these cookies.
English Summary
Facts
On the 29 December 2023, the data subject filed a complaint against the controller, Techpump solutions, to the Spanish DPA (AEPD). The controller is a digital services provider and runs several websites.
The AEPD had already launched an investigation into the controller on the 27 December 2023 and found the following issues with three URLs:
1. Even though, no consent to cookies was given, third party cookies were placed. The cookie “uvt” was used for statistical analysis but the AEPD could not determine the purpose of the “upt” cookie.
2. The banner gave information on third party cookies but the two cookies mentioned above did not feature in at all in the banner.
3. Withdrawing consent was only possible through visiting the cookie policy page again. However, once consent was revoked by adjusting cursors or hitting “reject all”, the third party cookies continued to function and were not deleted.
The controller argued that on one website the cookie had been placed temporarily due to a technical error. In regard to two of the examined websites, the controller claimed that the cookies were placed as they are working on establishing a payment system which would need to identify a user even if the cookies were not accepted in order to block access by minors. During the proceedings however the controller admitted that this payment system had not yet been implemented.
Holding
1. The AEPD held that the use of cookies which are not technically necessary when the data subject did not consent to this violated Article 22.2 of the Spanish transposition of the e-privacy Directive (Ley 34/2002 de Servicios de la Sociedad de la Información y Comercio Electrónico – LSSI) .
2. The lack of information provided on the third party cookies within the cookie banner or policy also showed a violation of Article 22.2 LSSI.
3. Pointing out that revoking consent was practically impossible, the AEPD also found a violation of Article 22.2 due to continued functioning of the third party cookies after rejecting their use.
The AEPD sanctioned the violation with a total fine of €90,000, made up of three separate fines of €30,000 for each URL.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/31 Procedure No: PS/00524/2023 SANCTIONING PROCEDURE RESOLUTION From the actions carried out ex officio by the Spanish Data Protection Agency before the entity, TECHPUMP SOLUTIONS S.L. (TECHPUMP), CIF.: B33950338, owner of the web pages: ***URL.1; ***URL.2, ***URL.3, ***URL.4; ***URL.5, for the alleged violation of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), and taking into account the following: BACKGROUND FIRST: On 12/22/23, the Director of the Spanish Data Protection Agency agreed to open preliminary investigation proceedings against the entity, TECHPUMP SOLUTIONS S.L. in accordance with the investigative powers that the control authority may have for this purpose, established in section 1) of article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27/04/16, on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of such Data (RGPD), and in relation to the “Cookie Policy” followed on the websites indicated above. SECOND: On 12/27/23, the Inspection Subdirectorate of the Spanish Data Protection Agency carried out the following diligence regarding the “Cookie Policy” of the websites mentioned above, obtained through the “inspect application” tool of the Google Chrome browser and after having cleared the cache of the web browser and its cookies, and after having forced the browser to download the latest version of the website hosted on the remote server: a).- Regarding the installation of cookies without the user's prior consent: In the checks carried out on the websites in question, it was found that when entering them for the first time, once the terminal equipment had been cleared of browsing history and cookies, without accepting new cookies or performing any action on them, the following own cookies were used: - On the website ***URL.2, a own cookie was used, “OptanonConsent”, detected as technical in nature. - On the website ***URL.1, a proprietary cookie “OptanonConsent” was used, detected as technical in nature and the proprietary cookies, “usuario_país”; “stop_redirect”; “país” and “redirect_es” whose mission could not be identified, although according to the information provided in the website's “Cookie Policy”, these cookies were “necessary for the site to function…” - On the website ***URL.4, a proprietary cookie was used: “stop_redirect”, whose mission could not be identified, although according to the information provided in the website's “Cookie Policy”, it was a necessary cookie, used to redirect the user to the area of the country of origin. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/31 - When trying to access the websites ***URL.3 and ***URL.5, it was observed that the user was redirected to the website ***URL.6. b).- Regarding consent to the installation of cookies on the terminal equipment: It was found that, if the user did not give consent in the cookie control panel for the websites to use cookies that were not of a technical nature, through the “reject all” option, and started browsing any of them, these began to use two third-party cookies, “__uvt” and “__upt”, whose domain belongs to “.magsrv.com”. The domain “magsrv.com” is classified on the Internet as a distributor of “adware”, which is software that displays unwanted ads on the user’s device, which can interrupt the user experience, slow down systems and compromise privacy by collecting data for targeted advertising. It was possible to detect that the mission of the “__uvt” cookie was to perform statistical operations on user preferences to offer targeted advertising, but regarding the “__upt” cookie, its mission could not be identified. There was also no information about it in the “Cookie Policy” of the investigated websites. c).- Regarding the cookie information banner existing in the first layer and in the “Cookie Policy”: The cookie information banner existing in the first layer of the websites in question informed that they used their own and third-party cookies and informed how the user could accept, configure or reject the use of cookies. It is also indicated that the purposes for which the cookies will be used were “for analytical purposes and to show personalized content based on a profile created from browsing habits (…)”. However, it was found that, of the two third-party cookies installed when web browsing began (“__uvt” and “_upt”), there was no information about them in the “Cookie Policy”. d).- Regarding the possibility of withdrawing consent once given. It was found that, if the user had given their consent for the use of cookies that were not of a technical nature through the option existing in the initial information banner or through consent given in the control panel and wanted to modify it later, there was the possibility of accessing the control panel again through the link existing in the “Cookie Policy” of the websites. However, if the user now wanted to reject all cookies by clicking on the <<Reject all>> option or moving the cursors of the cookie groups to the “OFF” position and clicking on <<Confirm my preferences>> , in the control panel, it was verified that the websites continued to use the installed third-party cookies. That is, it did not delete the cookies in question, so this tool, present on the websites, was not operational. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/31 THIRD: On 29/12/23, Mr. A.A.A. filed a complaint with the Spanish Data Protection Agency. The complaint was directed against the entity TECHPUMP SOLUTIONS S.L. with CIF: B33950338, owner of the aforementioned websites, for the alleged violation of LSSI and in its letter it stated that after it had been indicated that an age verification system had been installed for the indicated porn pages, it had entered some of them to see how they were configured, since almost two years had passed since the start of the procedure that gave rise to the previous sanctioning file (PS/00555/2021), opened in this Agency, verifying that the provisions of the cookie policy regulation were still being breached. FOURTH: On 02/28/24, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity TECHPUMP SOLUTIONS S.L. with CIF: B33950338, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), for the alleged violation of article 22.2 of the LSSI, regarding the “Cookie Policy” of the websites owned by it. The opening agreement determined that the possible violations of the provisions of article 22.2 of the LSSI were as a consequence of the use of third-party cookies without the prior consent of the user and the impossibility of rejecting them; the lack of information in the “Cookie Policy” on the purpose of these cookies and the impossibility of withdrawing consent if it was previously given. In the opening agreement it was determined that the sanction that could correspond, considering the evidence existing at the time of the opening and without prejudice to what results from the instruction, would amount to 30,000 euros for the deficiencies detected in the “Cookie Policy” of the website ***URL.2, 30,000 euros for the deficiencies detected in the “Cookie Policy” of the website ***URL.1 and 30,000 euros for the deficiencies detected in the “Cookie Policy” of the website ***URL.4 FIFTH: After the initiation agreement was notified in accordance with the rules established in the LPACAP, the respondent party submitted a written statement of allegations on 03/25/24, based on the following arguments: - The violation of the principle “non bis in idem”, arguing that the facts that are dealt with in this file (PS/524/2023), have subjective, factual and causal identity with those already analyzed in file PS/555/2021. - The contentious-administrative prejudiciality due to the existence of a prejudicial question, with the added circumstance that without having been procedurally answered, this new sanctioning file is opened, with identical characteristics and on the same subject matter as the previous ones. - That, in view of the aforementioned administrative litigation procedure, as well as in relation to file PS/00523/2023, the document was submitted C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/31 review of Techpump cookies, external audit of measures implemented on the company's adult content websites (N REF. 21B 7), where all the indicated issues have been resolved and rectified. - The disproportion in relation to the files initiated by the AEPD regarding other companies competing in adult content. SIXTH: On 03/26/24, this Agency received a new letter of allegations in which the following is stated: That as a complement to the letter presented this morning, the present one prepared by the technical department of the company is added regarding the reasons why this file has been initiated in view of the following: Summary of cookies __uvt and __upt 1. Cookies Involved: The company ExoClick manages two specific cookies, called __uvt and __upt. 2. Status in December: During December, when the data protection agency evaluated the cookies, there were no measures implemented to block these specific cookies since ExoClick had no option to block them. 3. February Fix: In February, ExoClick introduced a fix that allows __uvt and __upt cookies to be blocked when users choose to block all cookies on the site. 4. Partial Implementation: This fix has been implemented on only two websites, XXXXXXX and XXXXXXX. It is still pending implementation on XXXXXXXX. 5. Impact of Cookie Blocking: When blocking these cookies, it is observed that no advertising appears on websites. 6. ExoClick Pending Fix: ExoClick still needs to develop a fix that allows advertising to be displayed on websites even when these cookies are blocked. Please note: To address this issue, ExoClick introduced a fix in February that allows users to block these cookies. However, this fix has been implemented in a limited way, being active on only two of its main websites, XXXXXXX and XXXXXX, while sites such as XXXXXXX are still pending implementation. It is important to note that blocking these cookies has a significant impact on the display of advertising on websites. When a user chooses to block the __uvt and __upt cookies, no advertising is displayed. This situation poses a challenge for ExoClick, which must still find a way to display advertising without the use of these cookies. For all the reasons set forth above, I REQUEST that you comply in a timely manner C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/31 with the request made in File 00524/2023, proceeding to the archiving of the present proceedings without further proceedings. SEVENTH: On 05/22/24, a resolution proposal was made to the effect that the Director of the AEPD would sanction the respondent party, for the violation of article 22.2 of the LSSI, regarding the “Cookie Policy” of the web pages in question, with 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the website ***URL.2, 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the web page ***URL.1 and 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the website ***URL.4. The resolution proposal was made in accordance with the deficiencies detected in the “Cookie Policy” of the websites in question and which were, in essence, the following: - Even if the user did not give consent to use cookies that were not of a technical nature, and started browsing any of the indicated web pages, these began to use two third-party cookies: “__uvt” and “__upt”, whose domain belongs to “.magsrv.com”, being able to verify that the “__uvt” cookie was used to perform statistical operations on user preferences and show targeted advertising and regarding the “__upt” cookie, its mission could not be identified. Nor was there any information about them in the “Cookie Policy” of the websites. - Regarding the possibility of modifying consent, even if there was the possibility of accessing the control panel again through the link existing in the “Cookie Policy” of the websites and the consent given was withdrawn, the websites continued to use the installed third-party cookies. That is, the installed cookies were not deleted, so this tool, present on the websites, was not operational. EIGHTH: On 06/13/24, the entity TECHPUMP presents a written statement of allegations to the proposed resolution where it states the following: Note: Only section C) and D) of the written statement of allegations are transcribed, since it corresponds to the allegations presented regarding the events that are being discussed in this file, PS/00524/2023, omitting the allegations presented in sections A) and B) for procedural economy, when referring to the events discussed in files PS/00555/2021 and PS/00523/2023 respectively and which will be resolved, if applicable, within said files: “PREVIOUS QUESTION: This representation makes a joint allegation in relation to the various sanctioning procedures opened by the SPANISH DATA PROTECTION AGENCY TECHPUMP as a result of the existence of various sanctioning proceedings related to the current regulations on the protection of personal data. By means of this written statement of allegations, the request made in Procedure PS524/2023 is also fulfilled, in a timely and legal manner, derived from the Resolution Proposal of the aforementioned Sanctioning Procedure dated May 22, 2024. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/31 This written statement of allegations maintains references that it reproduces from previous responses and includes updates and new allegations in relation to them. It also contains references (REF) that help with the traceability of documents in accordance with the internal system used for continuous improvement in the protection of personal data. Likewise, whenever Techpump is mentioned, we refer to Techpump Solutions, S.L. And when referring to Techpump web pages, we will refer in most cases to pages with exclusive content for adults, which does not mean that Techpump has other web pages, and as an example www.padresprotegen.com which is an educational website for parents and guardians precisely to protect minors. A). IN RELATION TO PS 55/2021: (…) B). PROCEDURE PS 523/2023: (…) C) CASE 524/2023 Finally, Procedure PS524/2023 was initiated against my client, with the following allegations being made in this regard. FIRST. VIOLATION OF THE NON BIS IN IDEM PRINCIPLE. Firstly, this party again alleged the violation of the principle non bis in idem, since the facts that are being judged in file 00555/2021, have, as will be seen later, a subjective, factual and causal identity, with those analyzed in the present file 524/2023, there being no difference between both administrative sanctioning procedures. But there is also another sanctioning file that was initiated and with reference 523/2023 to which a response was given, even complementary briefs were submitted regarding the different measures that were adopted both at the presentation of the brief and afterwards. We understood with all this that the AEPD was initiating different proceedings, also very repetitive over time, and that they deal with the same matters and that they have already been resolved. All this without responding to the briefs that TECHPUMP SOLUTIONS S.L. had been submitting. and where an absolute and sincere willingness to collaborate on the part of this company is demonstrated, with the Agency, thereby generating a clear lack of defense. To make matters worse, all this when through the media TECHPUMP SOLUTIONS S.L. showed an absolute willingness to collaborate with the AEPD, and when it has even requested a meeting, which has been denied by this authority in an incomprehensible way, given that the objective was to address this issue of social importance in the most constructive way possible, more than even the sanctioning procedures initiated, which in practice are not going to solve the problems, to which my client is putting all its efforts to give a constructive solution, and assumed both by the regulator in question, as well as by my own client. As regards the qualification and application of the concept of “non bis idem” to the present case, we considered reproduced everything that had already been indicated in the response to the initiation of case PS 253/2023 regarding the scope of the subjective, factual and casual identities of the principle invoked, as well as the legal basis of legality and typicality and proportionality. All in all, the sanction sought in this new procedure has the same legal cause as the previous ones, and for this reason my client is already being sanctioned three times for the same facts, thereby injuring the rights that must protect her against irregular and/or excessive actions against the Administration itself, as is the case in the present case, especially taking into consideration that the actions taken on the basis of file 00555/2021 were expressly challenged before Section 1 of the Administrative Litigation Chamber of the National Court, and consequently, they did not have a firm character at the present time, and a claim was also filed that was admitted by means of an order dated February 13, 2024, which was substantiated in Ordinary Procedure number 1794/2022, as indicated, before Section One of the Administrative Litigation Chamber. Administrative Litigation of the National Court, and with the new developments known by the parties, including the pronouncement made by the State Attorney. This once again highlights the failure in this case of the aforementioned principle of non bis in idem, with the consequent violation of article 25 of the Spanish Constitution, where the principle of legality in the actions of the Administration is expressly recognized. In this sense, the doctrine of the European Court of Human Rights has been violated, e.g. in Judgment 15963/90, of October 23, 1995, Case of Gradinger v. Austria [ECLI: EC: ECHR:1995:1023JUD001596390], where the ECHR considers that the fine imposed by the administrative authority after a conviction for the same facts constitutes a genuine penalty, which violates the principle of non bis in idem. There has been a violation of Article 4 of Protocol 7 of the European Convention on Human Rights. Also, it is necessary to take into account Judgment 38237/1997, of 6 June 2002, Sailer v. Austria [ECLI: EC: ECHR:2002:0606JUD003823797], in which the ECHR considers that Article 4 of Protocol No. 7 of the European Convention on Human Rights must be understood in the sense that it prohibits the initiation of proceedings or the prosecution of a second infringement, as long as it derives from identical or substantially the same facts. This provision contains a guarantee against prosecution in a new procedure, as is improperly occurring in the present case. At the domestic level, the Spanish Constitutional Court serves as a reference, among many other rulings, in STC 177/1999, dated 11 October, Appeal for protection 3657-94. Filed against the rulings of the Provincial Court C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/31 and of the Criminal Court No. 22 of Barcelona, which convicted the appellant as the author of a crime against the environment. Violation of the right to criminal legality. The High Court expresses the doctrine about the principle non bis in idem, indicating that, taking into account the above, it should be noted that we are not in the hypothesis that the Courts of the criminal jurisdictional order appreciate diversity of conducts or facts, or that the foundation or protected legal asset protected by the administrative norm and that preserved by the applicable criminal type are not identical and, in the absence of such identity, they understand the prohibition of bis in idem or duality of punitive reproach to be inapplicable, but rather in a case that presents the peculiarity that the judicial bodies start, as an initial premise, that the aforementioned identifying elements of the principle that is alleged to be violated, that is, the triple identity of subject, fact and foundation, concur, and that, nevertheless, they do not conclude in an acquittal pronouncement for the sole and only reason, explained in the condemnatory sentences, of the rule or criterion of prevalence of the criminal jurisdiction over the administrative power to sanction, understanding that this, due to its subordinate rank, must yield in its exercise or manifestation to the ius puniendi of the former, which leads to the criminal incrimination and consequent conviction sentence considering that the conduct of the accused is constitutive of a crime, and this despite the fact that the same conduct has been previously sanctioned by the Administration. It can therefore be stated that the contested Sentences establish the material violation of non bis in idem, but consider the subsequent imposition of punishment to be unavoidable in application of the indicated rule of prevalence. The principle of non bis in idem is configured as a fundamental right of the citizen against the decision of a public power to punish him for acts that were already subject to sanction, as a consequence of the previous exercise of the ius puniendi of the State. It is essentially aimed not only at preventing the prohibited result of double incrimination and punishment for the same facts, but also at avoiding possible pronouncements of a contradictory nature, in the event of allowing the parallel or simultaneous prosecution of two procedures --criminal and administrative sanctioning-- attributed to authorities of different orders. To prevent such results is aimed the priority attribution to the criminal jurisdictional bodies of the prosecution of facts that appear, prima facie, as crimes or misdemeanors. We must conclude that, once a sanction has been imposed, be it of a criminal or administrative nature, it is not possible, without violating the aforementioned fundamental right, to superimpose or add another different one, provided that the oft-repeated identities of subject, facts and basis concur. It is this essential core that must be respected in the field of the generic punitive power, considered, to avoid a single conduct receiving a double reproach. All this leads to the conclusion that, as occurs in the present case, a double sanction is being imposed in the administrative sanctioning order, which presents and has the same characteristics as the criminal jurisdiction itself, for acts analogous to those already sanctioned C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/31 previously, with the corresponding subjective, factual and casual identities existing between both procedures, which determines, precisely, the application of the principle “non bis in idem” now invoked, as well as the same legal basis relative to legality, typicality and the requirement of proportionality, which must exist in the use of administrative sanctioning powers. SECOND. PREJUDICIALITY IN ADMINISTRATIVE LITIGATION. In order to avoid argumentative repetitions, it is appropriate to consider as reproduced the statements made in file 523/2023, to which it is appropriate to refer in order to take into consideration the existence of a preliminary question of a contentious-administrative nature, with identical characteristics and on the same subject matter as the previous ones. THIRD. SUBSIDIARY TO THE PREVIOUS SECTIONS AND IN RELATION TO THE CONSIDERATIONS MADE BY THE AEPD. It should be noted that, in the aforementioned procedure before the Contentious-Administrative Chamber, as well as in relation to the previous file 523/2023, the REVIEW DOCUMENT OF TECHPUMP COOKIES was submitted. EXTERNAL AUDIT OF MEASURES IMPLEMENTED IN THE COMPANY'S ADULT CONTENT WEBSITES (REF. No. 21B 7) for which the documentary evidence is not attached for the sake of procedural economy, since it has been provided in the aforementioned proceedings, to which it is appropriate to refer for the purposes of justifying this written statement of allegations, as the typical case of justification by referral, for the purposes of the motivation of these allegations. We understand that all those issues indicated by the regulator have been openly resolved and corrected by my representative, and, consequently, therefore, the initiation of a new sanctioning procedure is not appropriate, without prejudice to the fact that in this new procedure an inspection was carried out. We conclude that this cookie was indeed temporarily placed due to a technical error on the part of the advertising provider Exoclick, without being active at the time the external audit was carried out (January 2024), and without being active at present. Therefore, it was only a temporary error within a technical process. For these purposes, the advertising provider was asked to issue a report, which we are waiting to receive, and currently, in the event of consenting to cookies, advertising is managed independently of the cookies, which implies full compliance on the part of my client. And not only that, but also the Techpump Solutions S.L. websites related to adult content, such as those for which a file has been opened, are in a clear process of mitigating errors in the aforementioned transition to payment sites, as well as the possible establishment of a payment system also in the event that cookies are not accepted, which would mean an identification of the user of the websites, with what this entails C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/31 in terms of adult privacy but also establishing a better control system to prevent access by minors, which as we have already indicated and demonstrated through documents, we have no evidence that it has occurred on the adult websites of Techpump Solutions, S.L. Neither from the access statistics already mentioned, nor from any claim through the DPO or compliance systems. A COOKIE REVIEW DOCUMENT carried out by TECHPUMP SOLUTIONS, S.L. was submitted, which constituted an EXTERNAL AUDIT OF MEASURES IMPLEMENTED ON THE COMPANY'S ADULT CONTENT WEBSITES, dated January 24, 2024. (REF. No. 21 B 7). In addition to the above, and due to its close relationship, and having also been provided in the previous sanctioning files, a complete review of the onboarding procedure for the protection of minors was carried out, placing TECHPUMP SOLUTIONS S.L. with certainty as the currently safest site in the field of its sector of activity, that is, in this aspect that is known and within open adult content pages. It was accompanied as DOCUMENT NUMBER 2, DOCUMENT OF REVIEW OF THE TECHPUMP ONBOARDING PROCESS AND MECHANISM TO PREVENT ACCESS BY MINORS. EXTERNAL AUDIT OF MEASURES IMPLEMENTED ON THE COMPANY'S ADULT CONTENT WEBSITES. (N REF. 21 F 1 4). However, since then a new Compliance procedure has also been implemented (N REF. 21 C 0) called TECHPUMP'S CHILD AND ADOLESCENCE PROTECTION POLICY and which was accompanied as DOCUMENT NUMBER. There is no doubt about the intention of TECHPUMP SOLUTIONS S.L. which places it on a plane of absolute priority. FOURTH. DISPROPORTION IN RELATION TO THE PROCEEDINGS INITIATED BY THE AEPD AGAINST OTHER COMPANIES COMPETITORS IN ADULT CONTENT. We must finally indicate, and as a continuation of everything already stated in the previous allegations, as well as in the previous ones presented in the administrative sanctioning proceedings presented against my representative, and all the changes that are being made within this more than demonstrable willingness to collaborate, which is perceived by the same, carries with it a more than evident disproportion in terms of the treatment that these competing companies are receiving from the Spanish Agency for Data Protection, whose web pages are receiving much more traffic even than those of TECHPUMP SOLUTIONS S.L. These websites, which have never been restricted from accessing traffic in Spain, although they may do so if that is a concern, and which have much fewer guarantees than those of TECHPUMP SOLUTIONS S.L., and at the same time, present circumstances that may put the processing of your data in relation to minors and/or third parties at risk, not to mention that, in many cases, they lack any type of guarantee. In this regard, see the comparables that are included in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/31 documents as an example, and not to go into real nonsense, which are freely accessed without any restriction of any kind from Spain. And not only that, but only the website generated by my client TECHPUMP SOLUTIONS S.L. in 2023 ***URL.7 is a reference in terms of the education of parents and guardians in safe navigation, when even in educational institutions dependent on the State and the Autonomous Communities there have been complaints of very inappropriate and precocious educational practices for minors in relation to sexual education and not only that, but even the viewing of pornography by minors has been encouraged, as well as inappropriate sexual practices for minors, which is far from all the efforts that have been made by TECHPUMP SOLUTIOS S.L. and in this case it is the administration itself that tolerates them. With all this experience, TECHPUMP SOLUTIONS S.L. has approached this AEPD to try to contribute to the development of appropriate policies that involve education, given the technological evolution and the knowledge that minors have and that makes the controls not work, in addition to the clash of rights between the freedom of the adult to access and the restriction to minors. We regret that this attempt to approach the AEPD by TECHPUMP SOLUTIONS has resulted in a new initiation of sanctioning proceedings, which we understand to be disproportionate and out of place for all the reasons stated, and that in the case at hand the measures have already been implemented. In any case, my client doubts that other similar websites have shown such an evident willingness to collaborate as it is doing, with the intensity, seriousness and commitment to defending the same values that the Spanish Data Protection Agency tries to defend. D). ALLEGATIONS REGARDING ALL OF THE FILES INITIATED AGAINST MY REPRESENTATIVE, INCLUDING THOSE CORRESPONDING TO PS 524/2023 In conjunction with all the files initiated by the SPANISH DATA PROTECTION AGENCY in relation to my representative, the following explanatory allegations are made below. FIRST. In the case at hand, as can be seen from the set of allegations made by my client in the FILES PS 00555/2021, PS00523/2023 PS524/2023, the existence of breaches carried out by my client is certainly evident, which are recognized as such, as it is also evident that all the activity aimed at efficiently and effectively correcting said anomalies has been deployed by the client, making the deficiencies identified by the SPANISH DATA PROTECTION AGENCY disappear in practice. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/31 This mitigating circumstance developed by my client is nothing more than the reflection that on the part of the same, there has been no doubt at any time in the need to protect the privacy of the people who approach this type of web pages, and at the same time, with a fundamental character, to protect the rights of minors so that they do not have any access to said web pages. The public communication made by my client has tried to bring to the attention of the general public the need and to effectively raise awareness of the need to establish the appropriate protection measures that guarantee that said minors did not have nor could have access to the aforementioned web pages, having achieved this purpose. In this regard, it is important to emphasize in detail the important investments made by my client in the sense of trying to transmit in a holistic and global way to everyone the need to raise awareness about the necessary protection of minors. This has been achieved through the creation of specific websites, as indicated in the allegations included in this document, for training and raising awareness among parents, so that they can exercise the proper control over their minor children and said websites. Likewise, it should be noted that my client has developed systems, in collaboration with the companies that provide Internet services, in order to try to prevent unauthorized access by said minors to the indicated websites. This effort to raise awareness and mitigate the hypothetical damage that these pages could cause has also been attempted to mitigate, not only by actively correcting and stopping all the irregularities revealed in its actions by the SPANISH DATA PROTECTION AGENCY, but the position of my client has gone further, in the sense of offering, given the experience acquired, its legal and sincere collaboration both to the governmental plans carried out for this purpose by the GOVERNMENT OF SPAIN, as well as by the SPANISH DATA PROTECTION AGENCY, with the purpose of collaborating in the legal and technological regulation of the sector, so that the typology of these pages stops being a factor of conflict in relation to minors. In addition to all this, it cannot be ignored that my client, TECHPUMP SOLUTIONS S.L., in proof of its conviction to mitigate this type of risks, has placed itself at the forefront of the sector of this type of web pages, both nationally and internationally, developing effective and convincing technical means for the purposes of protecting and preserving the legitimate rights of minors in relation to this type of web pages. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/31 These circumstances are sufficiently and principally proven in the allegations made in relation to File PS00555/2021, and are equally verifiable in relation to PS523/2023 and PS524/2023 SECOND: This representation expressly requests the accumulation of procedures PS00555/2021, PS00523/2023 and PS524/2023, as they deal with identical issues, and in any case analogous to the technical conditions that these web pages must meet, in order to comply with the privacy requirements required by current legislation. The accumulation in the administrative field is configured as an act of procedure that is adopted as an incident within a main procedure by the body that has initiated or processed it for the purposes of accumulating it to others with which it has a substantial identity or close connection, provided that it is the same body that must process and resolve the procedure. We will analyze its legal configuration below. In general, article 57 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading of Accumulation, provides that "the administrative body that initiates or processes a procedure, whatever the form of its initiation, may order, ex officio or at the request of a party, its accumulation to others with which it has a substantial identity or close connection, provided that it is the same body that must process and resolve the procedure" and that "no appeal shall proceed against the agreement of accumulation". This accumulation of files is caused in the present case by the substantial identity that occurs between the various files initiated against my client to which reference has been made, having between them a close connection, since as has been stated This decision is adopted with respect to a procedure that forms an administrative file. By administrative procedure we must understand the succession of actions carried out by the Administration subject to the general rules of initiation and procedure provided for in Title VI of the cited LPACAP and which end through any of the forms provided for in Chapter V of the aforementioned Title. The procedures are documented in the files. The accumulation may be agreed upon at the time of initiating the procedure or it may be agreed upon regarding procedures already initiated, and it may be done ex officio or at the request of a party. Article 57 LPACAP establishes the requirement that the body that decides the accumulation be the same one that must process and resolve the procedure. In this sense, the jurisprudence already understood that the decision to accumulate is discretionary and that the body that orders the accumulation must have the authority to decide on the matters to which the accumulated procedures refer, speaking for this purpose of "body with more specific competence" (cf. judgment of the Supreme Court of December 26, 1989). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/31 As regards the content of the decision itself, as has been said, the jurisprudence understands that it is a discretionary decision, but it cannot be forgotten that article 57 LPACAP requires that between the procedures that are accumulated there must be the logical "close connection" or "substantial identity", these indeterminate legal concepts that must be integrated by the authority that decides to accumulate, which makes it possible for it to be challenged not in isolation as has been seen - but with respect to the resolution that ends the procedure; in this sense the idea of discretion must be qualified and not identified with the non-appealability of the decision to accumulate. On the other hand, it is not necessary to hear the interested parties, hence the jurisprudence understands that there is no vice of defenselessness. As can be deduced from the above, the effect produced by the accumulation is to resolve in a single procedure and in a single resolution all the issues raised, which is basically what is requested in this document. THIRD. This representation as it can be deduced from the allegations, and from the documentary evidence provided in sections A), B), and C) of this document of allegations, shows to the SPANISH DATA PROTECTION AGENCY the appropriateness of considering the factors of mitigation of the administrative liability to be imposed on my representative. This must begin with the aforementioned accumulation of sanctioning files, in order not to repeat the same sanction for the same facts, or for facts that are a consequence of the previous ones. Next, this representation highlights the need to weigh the circumstances expressly provided for in section 2 of article 83 of Regulation 2016/679 General Data Protection of the EU, in order to adequately quantify the fines imposed as a result of alleged administrative infringements. In this sense, the intentionality or negligence in the infringement must be brought to attention, where in relation to it, it must be made clear that the situation for which my client was sanctioned or the sanction was proposed was the common one existing in the market, both from a national and international perspective, where it must be highlighted, as has been made clear, the level of reaction of my client in the implementation of mitigating measures that are truly effective, as has occurred in an effective manner, guaranteeing the rights and freedoms of the owners of the compromised data, and preventing access by minors to said web pages. In relation to article 83.2.c., any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties must be taken into account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/31 In this case, the set of measures referred to in this statement of allegations represents the real and effective adoption of said measures, to mitigate the damages and losses that may occur to this effect, with the aim of ensuring that these are non-existent when the controls carried out voluntarily by my representative function adequately. It is important to highlight at the same time, the capacity of reaction of my representative to mitigate or avoid the production of injuries to the rights of users, proceeding to correct in an active and immediate manner the irregularities that have been detected to this effect. Likewise, the degree of cooperation of my client with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement must be highlighted, as evidenced by the measures adopted as noted in the various written allegations incorporated in this document. It is also important to highlight, as has been done, the position that my client has assumed, who has not hesitated publicly through various media to assume without hesitation or ambiguity, the positions of the government and/or the Spanish Data Protection Agency, trying to raise awareness and educate users in order to respect, first of all, their rights and freedoms in the area of privacy, but also to reinforce the educational measures, and the consequent control that they entail, in order to guarantee at all times the rights of minors, as the main concern of my client, as he has been publicly stating, said position and attitude having to be valued as a more than important mitigating factor any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement. The express implementation of a website aimed at parents, with the investment that this has entailed, must be interpreted as a sign of institutional loyalty on the part of my client, as well as the fact that it has implemented means that have meant a more than evident reduction in its income, in order to guarantee the rights of users and above all, taking into account the technical and organizational measures in order to preserve access for minors. Consequently, the implementation of significant economic means by my client in order to align itself with the same position indicated, in this case, by the SPANISH DATA PROTECTION AGENCY must be brought to the fore. With this, TECHPUMP SOLUTIONS, S.L. not only does it have these websites for adults against which these recurring disciplinary proceedings have been initiated, but also an educational website like no other known and which has already been demonstrated to be serving as an effective aid for parents and guardians who may even contact my representative in the event of technical issues. FOURTH. In line with what has been set out in the previous section, it is necessary to additionally but systematically take into account the actions undertaken by my representative in order to mitigate, in a responsible manner and in full collaboration with the SPANISH DATA PROTECTION AGENCY, certain measures that have guaranteed the rights of the data owners, and especially, as has been pointed out with a certain reiteration, the specific protection of minors. Among these measures to which special reference must be made, the following stand out for their importance, and are those that are set out below: 1). The generation of a Compliance procedure in relation to minors. “TECHPUMP CHILD AND ADOLESCENT PROTECTION POLICY” already submitted to the AEPD and the appointment of an external Compliance Office. 2). The generation, as has been repeatedly referred to in this written statement of allegations of the website www.padresprotegen.com by TECHPUMP SOLUTIONS S.L. so that through them both parents and guardians can manage and limit access and the safety of minors. A unique initiative by a provider and within realistic standards using education as a basis. 3). The carrying out of the appropriate communications with the AEPD with the purpose of collaborating both with the Agency and with other administrations and with the Government of Spain in this area of activity, in order to provide effective and efficient solutions, based on the experience acquired by my representative, as an expert in this specific sector of activity, which can help and provide this Agency with ideas and data that may be important in view of the declared urgency of the situation. Furthermore, when TECHPUMP SOLUTIONS S.L. is surely the one that best performs in the sector and when its market share is minimal in relation to foreign operators in Spain. All of this is exhaustively documented in the documents presented. This help is offered voluntarily and with all generosity to the Agency to which I have the honor of addressing myself, and your contribution is once again interested, since it may prove to be very constructive. 4). Hiring an external legal team to resolve the incidents: Techpump has hired external specialists in order not to hide the problem but to address it with solutions and approaches based on ethics, which has meant an important change particularly in onboarding processes and in education. 5). As has also been repeatedly stated, my client has launched various information campaigns in the press on the website www.padresprotegen.org and the desire to collaborate with the AEPD and the Government of Spain. With this, TECHPUMP SOLUTIONS S.L. has publicly acknowledged at all times its desire to contribute and ultimately correct breaches. 6). The implementation and continuous review of a more complete onboarding process of open adult pages existing in Spain in the protection of minors and respecting adult access in accordance with the data minimization processes and the demanding “balance”: Including date of birth, access to educational websites, dark backgrounds up to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/31 the acceptance of cookies, session cookies, among other technical and organizational measures implemented for this purpose. 7). The implementation of a migration project to payment pages in the coming months without open content and making registration necessary. Faced with foreign competitors and with what this implies in terms of loss of market share. In addition, Techpump will implement the payment system in the case of non-acceptance of cookies, which means more access control as user registration becomes necessary. All of this, ignoring the economic cost that the adoption of these technical measures represents for me. 8). The configuration of a contact process with mobile telephone operators to restrict access to subscribers under the age of 18. In this regard, TECHPUMP SOLUTIONS S.L. is studying the implementation of an access control in relation to the age of the owners of mobile terminals, restricting access in the event that the owner is a minor. To this end, my client has sought contact and the involvement of the AEPD itself, although the process is already beginning with the operators. In this regard, TECHPUMP SOLUTIONS S.L. TECHPUMP SOLUTIONS S.L. would also support initiatives that have not yet been addressed by the AEPD, as far as we know, but which are aimed at banning smartphones from children under 14 years of age, as teachers have already indicated, which is necessary for the protection of minors and for the problems that the early use of these technologies poses in the development and relationships with others. TECHPUMP SOLUTIONS S.L. already has internal studies in this regard. 9). The contracting and linking of Compliance with the RTA (Restricted to Adults) https://www.rtalabel.org/ following the international standards of the Association of Sites Advocating Child Protection (ASACP). As a culmination of all this, it should be noted that TECHPUMP SOLUTIONS S.L. has demonstrated and demonstrates every day in a palpable and evident way its absolute commitment to this AEPD and other state agencies, aimed at resolutely supporting the public policies and commitments of the Spanish Data Protection Agency, thereby protecting those measures that are necessary to guarantee the rights of users. The aim is to provide protection independently of any ideological or political approach, but rather to defend society without leaving aside any kind of recommendations aimed at greater protection, in particular, of minors. Finally, the fact of this loyal, committed and sincere collaboration in this area of activity must be valued, far from the image that third parties have tried to project of some companies in this area or sector, since operators such as TECHPUMP only aim within their business to do things as well as possible and collaborate in education. FIFTH. Consequently, this representation expressly requests that these sanctioning processes be accumulated, first of all, and that in any case, the sanctions imposed on my representative be moderated, based on the activity of compliance and orthodoxy intended, which is not only exemplary, but constitutes a reference for the entire sector of activity of these web pages, in the sense of the more than patent and evident will to adapt to the regulations in force in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/31 the matter of data protection and privacy, guaranteeing the rights of users and minors. For all the above, I REQUEST FROM THE DATA PROTECTION AGENCY that it considers this document to be submitted, and that the allegations contained therein be made. And consequently with the same: a). That the required procedure for allegations corresponding to procedure PS524/2023 be considered to have been completed in a timely and legal manner. b). That procedures PS00555/2021, PS00523/2023 and PS524/2023 be combined as they are closely connected, and should be dealt with in a single administrative procedure. c). Given the special situation of procedure PS00555/2021, that it be archived without further processing. d). That, in any case, the mitigating circumstances of liability be applied, for the purposes of imposing the fine, in accordance with the circumstances of weighing liability provided for in article 83 of Regulation (EU) 2016/679, General Data Protection, to which reference has been made, reducing the monetary fines imposed on my representative in the files to which reference has been made in this written statement of allegations. NINTH: On 07/04/24, the entity submitted a new written statement of allegations in which it states the following: First.- That as has already been stated before this AEPD, in the event of the onboarding system published in the Press Release being approved, TECHPUMP will adopt it immediately, without prejudice to the measures that have already been implemented, demonstrating that there is no mandatory onboarding procedure established to date for adult pages, as is made clear by the accompanying note from the Ministry itself. Second.- That the publication of the aforementioned press release therefore demonstrates that to date there was no established onboarding system for adult pages, and therefore it is not admissible that the AEPD seeks to sanction Techpump, when it has an onboarding system, more guaranteeing than that of its competitors, and there was no other mandatory one. Third.- That the onboarding system that is intended to be established according to the aforementioned press release, includes personal data that in our understanding constitutes a significant violation of the rights of people, in this case of adults, and is an onboarding system outside the framework of the GDPR and consequently of the LOPD. Without prejudice to the above, and in the event of not migrating to "paid" pages for when this regulation is applicable, it will be applied, despite the fact that it is considered not to be in accordance with the law. In relation to the legality of the ministerial proposal, we understand that the AEPD will issue a report before its implementation. Fourth.- We reiterate, once again, that Techpump in this regard maintains an absolutely proactive attitude and proposes alternative systems C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/31 that are more effective and that are in accordance with the privacy of individuals, with the Government of Spain's proposal being, in our opinion, not proportional, violating the principle of data minimization, among others." TENTH: On 07/05/24, the entity submitted a new written statement of allegations in which it states the following: That in relation to the reference files, new allegations are hereby made in addition to our written statement of allegations dated June 13, 2024 and earlier. And in view of the publication last Monday of the Press Release “Digital Beta Wallet, the application that includes the system for verifying the age of majority in access to adult content, will be available at the end of the summer” published by the MINISTRY FOR DIGITAL TRANSFORMATION AND THE PUBLIC FUNCTION. Which is attached as DOCUMENTARY ONE. The following STATEMENTS are made: First.- That as has already been stated before this AEPD, in the event of the onboarding system published in the Press Release being approved, TECHPUMP will adopt it immediately, without prejudice to the measures that have already been implemented, demonstrating that a mandatory onboarding procedure for adult pages has not been established to date, as is made clear by the accompanying Ministry note itself. Second.- That the publication of the aforementioned press release therefore shows that to date there was no established onboarding system for adult pages, and therefore it is not admissible that the AEPD intends to sanction Techpump, when it has an onboarding system, more guaranteeing than that of its competitors, and there was no other mandatory use. Third.- That the onboarding system that is intended to be established according to the aforementioned press release, includes personal data that in our opinion constitutes a significant violation of the rights of people, in this case of adults, and is an onboarding system outside the framework of the General Data Protection Regulation and consequently of the LOPD. Without prejudice to the above, and in the event of not migrating to "paid" pages by the time this regulation is applied, it will be applied, despite the fact that it is considered not to be in accordance with the law. Regarding the legality of the ministerial proposal, we understand that the AEPD will issue a report before its implementation. Fourth.- We reiterate, once again, that Techpump in this regard maintains an absolutely proactive attitude and proposes alternative systems that are more effective and that are in accordance with the privacy of individuals, with the proposal of the Government of Spain being, in our opinion, not proportional, violating the principle of data minimization among others. Therefore, we request the filing of all the complaints imposed on my client, since through what is set forth in the body of this document it is clearly evident that the system that was required of my client did not exist at the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/31 time to severely sanction him for it, the possession of a specific and determined system for this purpose not yet being obligatory. For all the above, I REQUEST THE SPANISH DATA PROTECTION AGENCY that considers this document submitted, to accept it together with the accompanying documentation, considering the previous statements made and DECREING THE ARCHIVE OF ALL THE COMPLAINTS IMPOSED ON MY REPRESENTATIVE. From the actions carried out in this procedure and from the documentation in the file, the following have been proven: PROVEN FACTS Sole: On 27/12/23, the Inspection Subdirectorate of the Spanish Data Protection Agency completed the following characteristics of the "Cookie Policy" of the websites: ***URL.1, ***URL.2, ***URL.3, ***URL.4 and ***URL.5:, a).- Regarding the installation of cookies prior to the user's consent: When entering them, for the first time, once the terminal equipment had been cleared of browsing history and cookies, without accepting new cookies or performing any action on them, the following own cookies were used: - On the website ***URL.2, a own cookie was used, "OptanonConsent", detected as technical or necessary; - On the website ***URL.1, a proprietary cookie is used: “OptanonConsent”, detected as technical or necessary and the proprietary cookies, “user_country”; “stop_redirect”; “country” and “redirect_es” whose purpose could not be identified although according to the information provided in the “Cookie Policy” of the website, these cookies “are necessary for the website to function…”; - On the website ***URL.4 , a proprietary cookie was used: “stop_redirect”, whose purpose could not be identified, although according to the information provided in the “Cookie Policy” of the website it is a necessary cookie, used to redirect the user to the country of origin. It was found that when trying to access the websites ***URL.3 and ***URL.5, they redirect the user to the website ***URL.6. b).- Regarding consent to the installation of cookies on the terminal equipment: It was found that, if the user did not give consent for the websites to use cookies that were not technical or necessary and started browsing any of the websites mentioned, they began to use two third-party cookies: “__uvt” and “__upt”, whose domain belongs to “XXXXXXX”. From these two cookies, it was found that the mission of the “__uvt” cookie is to perform statistical operations on user preferences and regarding the “__upt” cookie, its mission could not be identified. c).- Regarding the cookie information banner in the first layer: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/31 The cookie information banner in the first layer of the websites in question informed that they used their own and third-party cookies and informed them of the way in which the user could accept, configure or reject the use of cookies. It also indicated that the purposes for which the cookies would be used were “for analytical purposes and to show personalized content based on a profile created from browsing habits (…)”. However, it was found that, of the two third-party cookies installed when browsing the web (“__uvt” and “_upt”), there was no information about them in the “Cookie Policy” of the websites. d).- Regarding the possibility of withdrawing consent for the use of cookies once it has been given. It was found that, if the user had given his consent for the use of cookies that were not technical or necessary through the option existing in the initial information banner or through consent given in the control panel and wanted to modify it later, there was the possibility of accessing the control panel again through the link existing in the “Cookie Policy” of the websites. However, if the user now wanted to reject all cookies by clicking on the <<Reject all>> option or by moving the cursors of the cookie groups to the “OFF” position and clicking on the <<Confirm my preferences>> option, in the control panel, it was possible to see how the websites continued to use the installed third-party cookies (“__uvt” and “_upt”). LEGAL BASIS I Competition. In accordance with the provisions of article 43.1 of the LSSI and the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." The fourth additional provision "Procedure in relation to the powers attributed to the Spanish Data Protection Agency by other laws" establishes that: "The provisions of Title VIII and its implementing regulations shall apply to the procedures that the Spanish Data Protection Agency must process in the exercise of the powers attributed to it by other laws." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/31 II Response to the allegations presented to the resolution proposal First: The entity TECHPUMP begins the written allegations indicating that, as a consequence of the existence of various sanctioning files related to the current regulations on personal data protection, it groups the allegations to each one of them in this writing and thus, section A), with the title “IN RELATION TO PS 55/2021” is dedicated to defending its interests in relation to file PS/00555/2021 and section B) with the title “PROCEDURE PS/523/2023” is dedicated to the file opened to the entity with said reference. Well, in order to put into context the situation of the three files to which the TECHPUMP entity refers, let us remember that, in PS/00555/2021, the aforementioned was charged and sanctioned for both violations of the GDPR and the LSSI (although as we will see later, the facts charged in that procedure do not coincide with the facts charged in the present sanctioning procedure; PS/00523/2023 was initiated as a consequence of non-compliance with the corrective measures imposed in PS/00555/2021 in relation only to breaches of the GDPR and the present sanctioning procedure, PS/00524/2024 only refers to breaches of the LSSI, as we have indicated, in relation to facts different from and subsequent to the facts noted in PS/00555/2021. Therefore, to state with respect to the allegations presented in sections A) and B) of the written allegations that they have no relation to the matter being discussed in this file (PS/00524/2023) and that, therefore, they cannot be taken into consideration in this procedure since they will be dealt with and resolved, if appropriate, within each of them. Furthermore, please note that PS/00555/2021 is currently being settled in a contentious administrative judicial procedure (CA/00086/2022) before the NATIONAL COURT (PO 0001794 /2022) and therefore, it will be this Judicial Body that will resolve, where appropriate, the controversies raised in section A), while PS/00523/2023 is following an administrative procedure independent of this one and that it will be within this procedure, if appropriate, where the allegations raised in section B) will be settled. Second: In the “first” point of section C) of the written allegations, the entity TECHPUMP raises the application of the “NON BIS IN IDEM” principle to the present case, alleging that the facts that are being judged in it have the same subjective, factual and causal identity as those judged in file PS/00555/2021, there being no difference between both administrative sanctioning procedures and that therefore, it requests that the present file should be archived. Well, let us remember that the principle of "non bis in idem", applied to administrative law, is a legal principle that establishes that a person cannot be sanctioned twice for the same act, thereby seeking to protect people from being repeatedly prosecuted for the same acts. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/31 However, for the principle of "non bis in idem" to apply, there must be a subjective, factual and causal identity between the two causes. Subjective identity refers to the fact that the person accused in both processes is the same. Factual identity refers to the fact that the facts charged in both processes are the same, that is, there must be a coincidence in the description of the facts charged and finally, causal identity refers to the fact that the cause of the action is the same in both processes, that is, there must be a causal relationship between the facts charged and the infringed legal norm. If these three requirements are met, then the principle of "non bis in idem" demanded by the entity could be applied. However, in the case at hand, although it is clear that the subjective identity is fulfilled by the fact that the subject is the same in both proceedings, that is, the entity TECHPUMP SOLUTIONS S.L. and the same causal identity because there is a causal relationship between the facts charged in the two proceedings and the infringed legal norm, article 22.2 of the LSSI, the same does not occur with respect to the factual identity because the facts charged in both proceedings are not identical in their description and relevant circumstances. If we look at the resolution of file PS/0555/2021, dated 09/16/22, we can see that the entity TECHPUMP was sanctioned, among other issues, for violation of article 22.2 of the LSSI based on the following deficiencies observed in the “Cookie Policy” of its web pages (see point XXVII of the FD.- On the “Cookie Policy” of the website): - a).- For the installation of cookies on the terminal equipment prior to the user's consent: It was found that when entering its main pages and without performing any type of action on them, third-party cookies that are not necessary are used, without the user's prior consent: - On the website ***URL.2, the cookies: “_ga_RKCN8YSRSF” “_ga” and “_gid” were used, whose provider is Google. On the website ***URL.1 , the cookies “User_country” were used, whose provider is Addition Technologies GmbH and the cookies “gat_UA-38248820- 52”; “_ga”; “_gid”; “_ga_8WNV1D198Q” were used, whose provider is Google. On the website ***URL.3 , the cookies: “_ga_JREJ5KRZQT”; “_gat_UA- 50005236-1”; “_ga”; and “_gid” were used, whose provider is Google. On the website ***URL.4 , the cookies “_ga_KJ5V9F3XJJ”; “_ga” and “_gid” were used, whose provider is Google and on the website ***URL.5 , the cookies “ga_CKL7S7S25E”; “_ga” and “_gid” whose provider is Google. - b.- There was no type of banner on the main page that informed in a generic way about the cookies they used. - c).- There was no mechanism that made it possible to reject cookies or the possibility of managing them in a granular way through a control panel and, - d).- The information about cookies that was provided in the “Cookie Policy” was written in English, which is not the official language in Spain. While, in the present file, PS/00524/2023 sanctions the following deficiencies in the “Cookie Policies” of its web pages: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/31 - a).- Due to the installation of cookies prior to the user's consent, it has been detected that when entering them, for the first time, once the terminal equipment has been cleared of browsing history and cookies, without accepting new cookies or performing any action on them, the following own cookies were used: On the website ***URL.2 , a proprietary cookie is used, “OptanonConsentimiento”, detected as technical or necessary. On the website ***URL.1 , a proprietary cookie “OptanonConsentimiento” is used, detected as technical or necessary and the proprietary cookies, “usuario_país”; “stop_redirect”; “country” and “redirect_es” whose purpose could not be identified, although according to the information provided in the “Cookie Policy” of the website, these cookies “are necessary for the website to function…”. On the website ***URL.4, a proprietary cookie is used: “stop_redirect”, whose purpose could not be identified, although according to the information provided in the “Cookie Policy” of the website, it is a necessary cookie, used to redirect the user to the country of origin. - b).- If the user does not give consent for the websites to use cookies that are not technical or necessary and starts browsing any of them, they begin to use two third-party cookies: “__uvt” and “__upt”, whose domain belongs to “.magsrv.com”. From these two cookies it has been possible to know that the mission of the “__uvt” cookie is to perform statistical operations on user preferences to show targeted advertising but regarding the “__upt” cookie, its mission has not been able to be identified. There is also no information about these cookies in the “Cookie Policy” of the websites and, - c).- There is no possibility of withdrawing consent for the use of cookies once it has been given. Therefore, it is evident that one of the three identities necessary for the application of the principle "non bis in idem" to be considered, the factual identity is not met in the present case, since the facts charged in both processes are not identical in their description or in their relevant circumstances, and therefore, the request made by the entity TECHPUMP to archive this file based on the principle of non bis in idem cannot be attended to. Third: The entity TECHPUMP states in the "second" point of section C) of its allegations, that it considers the statements made in the file PS/00523/2023 (dated 12/18/23) on the contentious administrative prejudiciality to be reproduced, alleging in said document that the facts that have motivated the sanctions established in the administrative sanctioning file PS/00555/2021, are immersed in the administrative appeal 0001794/2022 before the National Court, and therefore, this Agency cannot open a new administrative file for the same facts on which the file PS/00555/2021 is based. Well, it is necessary to reiterate at this point what was stated in the previous section and that is that between file PS/00555/2021 and the present file PS/00524/2023 although there is the same subjective and causal identity, there is not the same factual identity, that is, the facts charged in each of the files are not the same and therefore both files are totally independent, so that, although PS/00555/2021 is immersed in an administrative dispute, PS/00524/2023, being different in terms of factual identity, can follow its process. Remember that in file PS/00555/2021, the entity TECHPUMP was sanctioned for the use, on its websites, of third-party cookies without the user's prior consent. These cookies were, on the website ***URL.2 : “_ga_RKCN8YSRSF” “_ga” and “_gid” from Google. On the website ***URL.1 : “User_country” from Addition Technologies GmbH and the cookies “gat_UA-38248820-52”; “_ga”; “_gid”; “_ga_8WNV1D198Q” from Google. On the website ***URL.3 , “_ga_JREJ5KRZQT”; “_gat_UA-50005236-1”; “_ga”; and “_gid” from Google. On the website ***URL.4 , the cookies: “_ga_KJ5V9F3XJJ”; “_ga” and “_gid” from Google and on the website ***URL.5 , the cookies: “ga_CKL7S7S25E”; “_ga” and “_gid”, also from Google. It was also sanctioned that there was no type of information banner about cookies in the first or main layer of the websites. It was sanctioned that there was no mechanism that made it possible to reject the aforementioned cookies or the possibility of managing them in a granular way and it was sanctioned that the information provided in the Cookies Policy was written in English, which is not the official language in Spain. However, the present file, PS/00524/2023, is sanctioned for the use of third-party cookies, (“__uvt” and “__upt”), whose domain belongs to “XXXXXXX”, even if the user has not given consent for it. It is sanctioned that there is no possibility of rejecting the use of these cookies, nor the possibility of modifying consent once given. Therefore, it is evident that the facts that the AN is considering in the contentious-administrative appeal 0001794/2022, (PS/0555/2021) are not the same as the reason for which the present sanctioning procedure has been opened and therefore, it is not possible to consider at this point the allegations presented on the possible contentious-administrative prejudice of the facts known in the present procedure PS/00524/2023. Fourth: The entity TECHPUMP states in the “third” point of section C) of its allegations, referring to file PS/00555/2021 that all the issues indicated, regarding the cookie policy, “(…) have been openly resolved and corrected by my representative, and, consequently with this, therefore, the initiation of a new sanctioning file is not appropriate, without prejudice to the fact that in this new procedure an inspection or the corresponding investigative procedures will be carried out…” and that “...this cookie was effectively placed temporarily due to a technical error on the part of the advertising provider Exoclick without being active at the time the external audit was carried out (January 2024), and without being active at present. Therefore, it was only a temporary error within a technical process…” Well, at this point, just remember that it is the TECHPUMP entity itself, in the document submitted to this Agency on 26/03/24, who recognizes that the cookies “__uvt” and “__upt” are managed by the company ExoClick. That during the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/31 month of December 2023, when this Agency evaluated the cookies, there were no measures implemented to block them. That it was not until February 2024, when ExoClick presented a solution that allowed them to be blocked, but it was only implemented in, “XXXXXX” and “XXXXXX”, but not in “XXXXXX” which is still pending a solution. Therefore, it is the TECHPUMP entity itself that recognizes that, when this Agency evaluated the web pages owned by it, in December 2023, they used two third-party cookies (__uvt and __upt); but they lacked measures to block them, so it is not possible to take into consideration the allegations presented in this point regarding the entity having solved the deficiencies detected in the “Cookie Policy” of its web pages because, in Dec-23, this was not true. Fifth: The TECHPUMP entity states in the “fourth” point of section C) of its writing what it considers to be discrimination in relation to the files initiated by the AEPD regarding other companies competing in adult content. To state that these allegations cannot be admitted or taken into consideration since the purpose of this sanctioning procedure is to find out the deficiencies in the “Cookie Policy” of the websites owned by it and, therefore, it is not to deal with the management carried out by this Agency regarding the control over the processing of personal data by entities that are dedicated to disseminating adult content, there being other areas of the Public Administration where, if the entity so wishes, it can raise these issues. Sixth: In section D).- (points “first” to “fifth”), of the written allegations, the entity defends the need to accumulate the procedures PS00555/2021, PS523/2023 and PS00524/2023, as they deal with identical issues, according to its assessment. Well, let us remember that, in general, article 57 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), under the heading of "Accumulation" provides that: "the administrative body that initiates or processes a procedure, whatever the form of its initiation, may order, ex officio or at the request of a party, its accumulation with others with which it has substantial identity or close connection, provided that it is the same body that must process and resolve the procedure" and that "no appeal shall be filed against the agreement of accumulation." From the aforementioned article 57 LPACAP it follows, and the jurisprudence understands it as such, that the decision to accumulate several files is discretionary and that the body that orders the accumulation must have the competence to decide on the matters to which the accumulated procedures refer, requiring that between the procedures that are accumulated there must exist the logical "close connection" or "substantial identity". In view of the above, and in relation to files PS/00524/2023 and PS/00523/2023, it is evident that among the facts that are being analyzed in each of them, the criterion of substantial identity and close connection that the entity alleges does not exist, since in the present file, PS/00524/2023, the possible violations of the provisions of the LSSI are being analyzed and, on the other hand, in file PS/00523/2023 the objective is to elucidate whether or not there is a violation of the GDPR. Finally, it should be remembered that file PS/00555/2021 is already final in the administrative process and is currently being tried in the National Court under the administrative contentious appeal PO 0001794/2022 and therefore, the bodies in charge of resolving the disputes raised in files PS/00555/2021, which will be the Judge of the AN in charge of the case, and PS/00524/2023, which will be the Director of the AEPD, do not coincide. Therefore, based on the above, it is not possible to comply with the request for accumulation of files as proposed by the entity. Seventh: Within the requests made by the entity, in point d) it requests that the financial fine imposed be reduced by taking into account the circumstances of weighting of liability provided for in article 83 of the RGPD. Well, state that the present sanctioning procedure was initiated due to the irregularities detected in the "Cookie Policy" of the web pages of its ownership, thereby violating the provisions of article 22.2 of the LSSI, and it is in the LSSI where the legal regime relating to infringements is regulated, for the non-compliance with the norm, the sanctions and their weighting, regulating in its art. 40 what is related to the gradation of infringements. Let us remember that article 38.4 g) of the LSSI classifies the facts that give rise to the infraction as “minor”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the LSSI and that to graduate the sanction, the provisions of article 40 of the LSSI must be taken into account, estimating, in this case, that the existence of intention (section a) should be applied as aggravating factors to calculate the sanction to be imposed, an expression that must be interpreted as equivalent to degree of guilt in accordance with the Judgment of the AN 12/11/07 issued in the Appeal 351/2006, and the recidivism for committing infractions of the same nature, when this has been declared by a final resolution (section c), taking into consideration the resolution issued on 16/09/22, file PS/00555/2021. Furthermore, it should be noted that it is not possible to apply article 83.2 of the GDPR to assess the fine imposed under the LSSI, since the GDPR regulates a manifestly different objective, subjective and territorial scope of application. Therefore, in consideration of all the above, the entity's request to reduce the sanction imposed cannot be accepted in this case, as there are two aggravating factors that condition the imposition of the maximum possible sanction. Eighth: Regarding the allegations presented on 04/07/24 and 05/07/24, where reference is made to the press release announcing the approval of the mandatory “onboarding” system for web pages dedicated to disseminating adult content and that the publication of the aforementioned press release shows that to date there was no “onboarding” system for this type of pages and therefore it is not admissible that the AEPD intends to sanction Techpump, when it has an “onboarding” system, more guaranteeing than that of its competitors, requesting the filing of the present file, state the following: The “onboarding” system, to which the entity refers, according to the press release published on July 1, 2024, says verbatim: “The Minister for Digital Transformation and the Civil Service, José Luis Escrivá, has today presented Cartera Digital Beta, the “wallet” (digital document holder) that includes the system for verifying the age of majority in accessing adult content, after completing the design phase of the tool with the publication of the technical specifications….”, while, in the present sanctioning procedure, PS/00524/2023, nothing is being elucidated regarding the systems implemented on adult content web pages regarding age verification for access to the same, but rather aspects related to the “Cookie Policy” of the web pages, so it is not possible to address, in this case, the allegations presented regarding this matter. III Classification of the infringement committed Of the deficiencies detected, with respect to the cookie policy, on the websites ***URL.2; ***URL.1 and ***URL.4, that is, the use of third-party cookies that are not technical or necessary even if the user has not given their consent; the impossibility of rejecting them or being able to manage them in a granular manner; The lack of information in the “Cookie Policy” on the purpose of these third-party cookies and the impossibility of withdrawing consent once given, constitute the commission of an infringement of article 22.2 of the LSSI, as it establishes the following: “Service providers may use data storage and recovery devices on recipients' terminal equipment, provided that they have given their consent after having been provided with clear and complete information on their use, in particular, on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data. When technically possible and effective, the recipient's consent to accept the processing of data may be facilitated by using the appropriate parameters of the browser or other applications. The above shall not prevent possible storage or access of a technical nature for the sole purpose of transmitting a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient”. IV. Graduation of the Sanction This Infringement is classified as “minor” in article 38.4 g) of the aforementioned Law, which considers as such: “Using data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, and may be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/31 sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI. The LSSI, in its article 40, establishes the “graduation of the amount of the sanctions”, according to the following criteria: a) The existence of intentionality. b) Period of time during which the infringement has been committed. c) Recidivism by committing infringements of the same nature, when this has been declared by a final resolution. d) The nature and amount of the damages caused. e) The benefits obtained by the infringement. f) Volume of turnover affected by the infringement committed. g) Adherence to a code of conduct or a system of self-regulation of advertising applicable with respect to the infringement committed, which complies with the provisions of article 18 or the eighth final provision and which has been favourably reported by the competent body or bodies. After the evidence obtained, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following aggravating criteria, established in art. 40 of the LSSI: - The existence of intentionality (section a). Expression that must be interpreted as equivalent to degree of guilt in accordance with the Judgment of the National Court of 12/11/07 issued in Appeal No. 351/2006, corresponding to the entity reported to determine a system of obtaining informed consent that is appropriate to the mandate of the LSSI. - Recidivism for the commission of infractions of the same nature, when this has been declared by a final resolution (section c). In this regard, the resolution issued on 09/16/2022 by the Director of the Spanish Data Protection Agency must be taken into consideration, within the framework of the sanctioning file PS / 00555/2021, opened to the entity TECHPUMP SOLUTIONS S.L., among other issues, for the deficiencies detected in the "Cookie Policies" of the websites in question. In accordance with these criteria, it is considered appropriate to impose, for the violation of article 22.2 of the LSSI, regarding the cookie policy carried out on the websites owned by it, a penalty of 30,000 euros (thirty thousand euros) for the deficiencies detected in the "Cookie Policy" of the website ***URL.2. A penalty of 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the website ***URL.1 and a penalty of 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the website ***URL.4. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/31 RESOLVES: FIRST: TO IMPOSE on the entity TECHPUMP SOLUTIONS S.L. (TECHPUMP), CIF.: B33950338, owner of the web pages: ***URL.1 ; ***URL.2 , ***URL.3 , ***URL.4 ; ***URL.5 , for the infringement of article 22.2 of the LSSI, classified as “minor” in article 38.4 g), the following sanctions: - 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the website ***URL.2. - 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookies Policy” of the website ***URL.1 and - 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookies Policy” of the website ***URL.4. SECOND: NOTIFY this resolution to the entity TECHPUMP SOLUTIONS S.L. (TECHPUMP). Warn the sanctioned party that they must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account Nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: XXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period. Once the notification has been received and has become enforceable, if the date of enforceability falls between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it falls between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/31 LPACAP, the final decision may be provisionally suspended by administrative means if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will consider the precautionary suspension to be terminated. Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es