AEPD (Spain) - EXP202103886
AEPD - PS/00032/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 22.2 Law 34/2002, of July 11 LSSI Article 22.1 Law 34/2002, of July 11 LSSI |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 01.04.2019 |
Decided: | 06.10.2019 |
Published: | 24.10.2019 |
Fine: | €18,000 EUR |
Parties: | D.A.A.A Vueling Airlines S.A. |
National Case Number/Name: | PS/00032/2019 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEDP (in ES) |
Initial Contributor: | Samuel Uzoigwe |
The Spanish DPA fined the airline Vueling €18,000 for relying on pre-checked consent boxes for non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."
English Summary
Facts
The data subject complained to the DPA that it was impossible to purchase an airline ticket from the controller's website without accepting cookies and consenting to receive advertisements. The controller, Vueling Airlines S.A., had a box in its checkout procedure indicating consent to receive ads, but, contrary to the data subject's complaint, it was possible to purchase a ticket without checking the box.
The controller's cookie policy allowed users to revoke consent to non-essential cookies by unchecking two pre-ticked boxes, one for "performance cookies" and one for "targeted cookies." However, some third-party cookies were incorrectly categorized as essential, so even when users unchecked the relevant boxes or clicked "reject all," non-essential cookies remained.
Holding
The DPA found that the controller's consent banner violated Article 22.2 of the Spanish Law on Services of the Information Society and Electronic Commerce (Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico - LSSI) which requires service providers to obtain consent before installing non-essential cookies. The use of pre-ticked boxes is not a valid basis for consent, and the impossibility to reject cookies miscategorized as essential is not legal either.
For these violations, the DPA ultimately fined the controller €18,000; an inital €30,000 fine was reduced by 40% because the controller voluntarily acknowledged responsibility for the infractions and agreed to pay the fine before final resolution of the sanctioning procedure.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/17 File No.: EXP202103886 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On March 28, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VUELING AIRLINES, S.A. (hereinafter, the claimed party), through the Agreement that is transcribed: << Procedure No.: PS/00032/2022 (EXP202103886) AGREEMENT TO START A SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency before the entity VUELING AIRLINES, S.A., with CIF.: A63422141 owner of the website ***URL.1 (hereinafter “the party complained against”), by virtue of the claim presented by D. A.A.A., for the alleged violation of data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of these Data (RGPD) and the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of the Digital Rights (LOPDGDD), and against Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI), and attending to the following: FACTS FIRST: On 08/22/21, he entered this Agency, a brief presented by the claimant, in which he indicated, among others, the following: “When buying a ticket through the ***URL.1 website, not only is it not allows you to delete cookies when accessing the web, but it is impossible to buy a airline ticket without accepting the sending of commercial data and promotions. because if not check the box, the purchase is not continued”. SECOND: Dated 11/04/21, in accordance with the provisions of article 65.4 of the LOPDGDD Law, said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/17 THIRD: On 12/21/21, the claimed entity files with this Agency, written response to the request made where, among others, indicates the following: “Therefore, Vueling has proceeded to carry out a review of the following aspects of its website: The ticket purchase process and cookies used, and where appropriate, installed on visitor devices. A The conclusions of the reviews that have been carried out are presented below. cape. 1) Review of the ticket purchase process.- As has been verified, the user who buys tickets through the website, ***URL.1 can accept or not a box with the following text: “Yes, I want to be updated of Vueling offers and news. See conditions”. Users who do not check this box do not receive commercial communications. A Despite what the complaining party indicates, it is possible to complete the process of ticket purchase without checking this box. Additionally, there are two mandatory check boxes, in which the user declares to have read and accept the privacy policy and the transport contract. Document No. 1 includes screenshots of the entire purchase process, and that show that the user can purchase a ticket without accepting the sending of commercial communications. In the privacy policy of the website, which is accessible at all moment during navigation, and which is divided into drop-down sections for greater ease of access to the contents, it is indicated that the personal data of the affected may be used, among others, for the following purposes: “To carry out surveys related to the experience on board Vueling. Based on the consent you have previously given us, we may contact you so that you can participate in surveys related to the experience on board Vueling flights, as well as to offer you the opportunity to participate in market research carried out by Vueling or by a third party. To carry out marketing activities and keep you informed about the products and Vueling services. Based on the consent that you have previously given us granted, we may send you information about our products and services by email, push messages from our app or text message. We may also send you personalized communications after identifying those products and services that may interest you. This means that we will create a profile yours to get to know you better as a customer and personalize communications that we send. To learn what is relevant to you, we use tools that analyze data we obtain from information provided by you (via surveys), your browsing, your shopping preferences or services provided in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/17 past to create profiles that allow you to be identified with customer segments with similar characteristics to yours and send you promotions or personalized offers that we think may interest you. You have the right to revoke your consent to the processing of data for the purpose of carrying out said marketing activities in any time, as well as in every communication.” In addition, there is a section called "Consent" in which the mechanism enabled for the revocation of consent: "If the basis of the treatment of your personal data outside your consent, you can revoke it in any time, by contacting us through the address Data Protection Officer, Vueling Airlines, S.A., Plaza Pla de l'Estany, 5, 08820, El Prat de Llobregat, Barcelona, Spain or by email ***EMAIL.1.” Finally, all commercial communications sent to those affected by e-mail (and which constitute the preferred means of contact with clients and possible clients, since other options such as postal mail or calls telephone lines are not part of the tools normally used by the area marketing) include a simple and free unsubscribe mechanism. 2) Review of the cookies used on the website. When accessing the ***URL.1 website for the first time, an informative message appears first level with the following text: “We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences based on a profile created from your browsing habits. For more information you can read our Privacy Policy cookies. <<CONFIGURE COOKIES>> <<ACCEPT COOKIES>> If the user chooses the option to configure cookies, a panel opens where they can select your preferences. Cookies have been classified, according to their purpose, into the following categories: “Technical cookies (strictly necessary). These cookies are strictly necessary for the correct functioning and navigation of the user through the website, as well as to remember cookie preferences and therefore it is not possible turn them off. They do not store any personally identifiable information. Performance cookies. Performance cookies allow us to know the level of recurrence of our visitors and perform the measurement and statistical analysis of the use of our service in order to improve its performance. All the information collected by these cookies is aggregated and therefore anonymous. Targeted cookies. Vueling may use its own or third-party advertising cookies, that store information about your behavior obtained through your browsing habits. navigation to create a profile. This information allows us to display advertising C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/17 more personalized and according to your tastes on our website or on other websites of third parties (for example, destination searches or pages visited).” Vueling uses the Ensighten consent management platform (***URL.2) to guarantee that only the cookies selected by the user will be used. Document No. 2 includes screenshots showing the process described. Likewise, you can see how the text of the cookie policy includes a link to the complete list of cookies used on the web, as well as information to configure the user's browser to reject these devices. From the cookie policy, it is possible to return at any time to the configuration panel initial, and revoke consents given. The option to revoke consent is one of the reasons why select the Ensighten consent manager. For this option to be possible, Ensighten installs the deactivated cookie in the user's browser. Although it can be viewed in the user's browser because it is “installed”, it remains inoperative if the user does not consent to the category in which said cookie has been classified. That is, if the category is not accepted corresponding, it does not activate or generate any type of trace. The cookie cannot be used since Ensighten applies a filter that prevents its use. We understand that this could have been the reason why the complainant considers that the appropriate consent for the use of cookies has not been obtained. However, as indicated, this system does not allow the use of cookies. unauthorized and facilitate the user the revocation of consent in a more effective than your browser settings: At any time you can change your preferences without affecting the installation of technical cookies. In this In this sense, we must point out that a high percentage of passengers buy their tickets at through registered users, so technical cookies must be installed in their computers, and certain browser settings may hinder or prevent the normal access to the registry options. The use of the Ensighten platform is reflected in the internal process called “ENSIGHTEN_Client-side website security workflows” (Document No. 3). The approval of the installation of cookies and their classification within the categories established is a manual process, not automated through the platform of consent management. Upon receipt of the transfer of the claim filed against Vueling, a a list of all the cookies currently used on the Vueling website Doc. No. 4, where it is indicated to which category it belonged at the time of the revision each. It has been verified that some cookies were erroneously found classified as functional cookies, and must be subject to consent. The list attached as Doc. No. 5 contains the corrected classification, which, as indicated later, it will be implemented in the web ***URL.1. 2. Report, if applicable, on the measures adopted to adapt your “Privacy Policy” Privacy” to article 13 of Regulation (EU) 2016/679 of the European Parliament and of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/17 Council of April 27, 2016 (RGPD), implementation dates and controls carried out to check its effectiveness. Based on what is explained in section 1 of this document, we understand that It is appropriate to carry out any action to adapt the privacy policy of the Vueling's website or the ticket purchase process. 3. Report, if applicable, on the measures adopted to adapt the use of cookies to the provisions of article 22.2 of Law 34/2002, of July 11, of information society services and electronic commerce (LSSI), in particularly with regard to the information provided to users on the use of cookies and the purposes of data processing, as well as how to collect, refuse or withdraw consent to its use. Dates are also required. implementation and controls carried out to verify its effectiveness. Based on what is indicated in section 1 of this document, in relation to the policy of cookies, the following measures will be implemented: 1st. Cookie categories will be redefined, to align terminology used with the one that appears in the Cookies Guide of the Spanish Agency for Data Protection. Although we consider that the classification made is correct, and an average user understands the purpose of each type of cookie with the explanation provided, the name of these categories has been modified to align it with the terminology used in the Guide on the use of cookies prepared by this Agency. In this way, performance cookies will be renamed "cookies analytics” and targeted cookies will be referred to as “advertising cookies”. 2nd. In the cookie configurator, the categories of cookies will be unchecked by default. cookies that are not strictly necessary. 3rd. Some cookies have been misclassified in a category that is not corresponded. Therefore, Doc. No. 5 will be reclassified. 4th. The full text of the Cookies Policy of the website will be reviewed once carried out the above actions. We have not had access to the identification of the complaining party, nor to captures of screen that, if any, has been presented. Therefore, out of the actions already explained in this writing, we cannot take any additional measures, such as send a detailed explanation to the affected party about the treatment that is carried out of their data, block your email for the purpose of commercial communications or verify if you have exercised your right to object and have not been attended to satisfaction". FOURTH: On 01/20/22, by the Director of the Spanish Agency for Data Protection agreement is issued for the admission of processing of the claim presented, in accordance with article 65 of the LPDGDD Law, when assessing possible reasonable indications of a violation of the rules in the field of competences of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/17 FIFTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in matter, by virtue of the investigative powers granted to the authorities of control in article 57.1 of the RGPD and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following ends: a).- On obtaining the personal data of users: 1º.- Through the link <<register>>, located at the top of the page main page, the website redirects to a new page "Registration in Vueling Club" where you can can enter personal data of users such as name, surname and mail address. Before being able to send the registration form, the user must click the option: _ I accept the <<terms and conditions of Vueling Club y avíos>> and the << Vueling Privacy Policy >>. There is the possibility of registering, voluntarily, in the following option, to receive commercial communications: _I want to find out about the best promotions from Vueling and its partners. <<See conditions>> 2º.- In the ticket purchase option, before being able to send the purchase form, the user must click the option: _ I have read and accept the <<Privacy Policy>>. There is the possibility of registering, voluntarily, in the following option, to receive commercial communications: _Yes, I want to keep up to date with Vueling offers and news. <<View conditions>> b).- About the “Privacy Policy”: 1º.- If you access the "Privacy Policy" of the web, through the links existing in the forms indicated above, or through the existing link on the main page, the web redirects the user to a new page ***URL.3, where The following questions are answered: Responsible for Data Processing personal; When the privacy policy is applicable; How can you protect your personal information; When we collect your personal data; what types of data information we collect and keep; When and why we collect "data" sensitive personal; What we use your personal data for; When we will send commercial communications; How can you change the type of commercial communications to receive and how to receive them; What is the legal basis to process your personal data; How long we keep the data personal; Performance of a contract with you; Legitimate interests; Compliance C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/17 of legal obligations; To protect your vital interests or those of third parties; Consent; With whom we share your personal data; to which countries will send your personal data; What rights you have and how you can exercise them. c).- About the Cookies Policy: 1.- When entering the web for the first time, once the history terminal equipment has been cleaned navigation and cookies, without accepting cookies or performing any action on the web page ***URL.1, has been verified, through the tool “inspectGoogle Chrome browser application, which are used the following third-party cookies that are not technical or necessary: Cookie Provider Cookie Provider MUID .bing.com / IDE .doubleclick.net AEC .google.com / uid .criteo.com / CONSENT .google.com / _kuid_ .krxd.net / IDSYNC .analytics.yahoo.com A3 .yahoo.com / pxrc.rlcdn.com/uid.adform.net/ ab .agkn.com / uid .criteo.com / ruds.rfihub.com / ruds.rfihub.com / rlas3.rlcdn.com/C.adform.net/ eud .rfihub.com / IDE .doubleclick.net _kuid_ .krxd.net / CONSENT .google.com / NID .google.com / AEC .google.com / IDE .doubleclick.net 2.- There is an information banner about cookies on the main page with the following message: We use our own and third-party cookies for analytical purposes and to show you advertising related to your preferences based on a profile created from your browsing habits. For more information you can read our <<Cookie Policy>>. <<Configure your cookies>> <<Accept all cookies>>. 3.- If you access the cookie control panel through the link <<Configure your cookies>>, the website displays a page or control panel checking that the performance cookies and targeted cookies are pre-marked in the “accepted” option: X Technical cookies (strictly necessary) X Performance Cookies X Targeted Cookies <<Confirm my preferences>> <<Reject all cookies>> C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/17 If you choose "Reject all cookies" it is checked how the web continues using third-party cookies that are not technical or necessary: Cookie Provider Cookie Provider MUID .bing.com / CONSENT .google.com / IDE .doubleclick.net NID .google.com / _kuid_ .krxd.net / AEC .google.com / 4.- If you access the "Cookies Policy", through the existing link in the banner about cookies of the first layer or through the existing link at the bottom of the main page, the web redirects to a new page, ***URL.4 where the user is informed user of what cookies are, what types of cookies exist; cookies are identified that uses the website, its functionality and the time of activity (***URL.5), in addition how to manage cookies through the browsers installed on the computer user terminal. FOUNDATIONS OF LAW I.- Competition: - Regarding the processing of personal data and the "Privacy Policy": It is competent to initiate and resolve this procedure, the Director of the Agency Spanish Data Protection, by virtue of the powers that article 58.2 of the RGPD recognizes each Control Authority and, as established in arts. 47, 64.2 and 68.1 of the LOPDGDD Law. - About the "Cookies Policy": It is competent to initiate and resolve this procedure, the Director of the Agency Spanish Data Protection, in accordance with the provisions of art. 43.1, second paragraph, of the LSSI Law. II.- On the processing of personal data and the "Privacy Policy" of the website ***URL.1 : It has been found that personal data can be obtained on the web from users who want to register on the web or buy a plane ticket, through the corresponding links. Before being able to submit either of the two forms, the user must click obligatorily in the box of having read and accepted its privacy policy. There is also the possibility of registering, voluntarily, to receive commercial or promotional communications of the company. Regarding this, article 6.1 of the RGPD, establishes, on the legality of the treatment of personal data, the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/17 “The processing of personal data will be lawful if it meets one of the following conditions: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; (...). On the other hand, if the "Privacy Policy" is accessed through the links existing in the forms or through the existing link at the bottom of the main page, the website provides information on the identity of the person responsible for the page; where they obtain the personal data, the purpose of the treatment of said data, the time of conservation of the same and the rights that attend to users regarding their personal data, to whom to do it and how do so, as well as the possibility of filing a claim with the authority national control. In this sense, article 13 of the RGPD establishes the information that must be provide the interested party at the time of obtaining their personal data: “1. When personal data relating to him is obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide you with: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection delegate, if any; c) the purposes of the treatment to which the personal data is destined and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate of the person in charge or of a third party; e) the recipients or the categories of recipients of the personal data, in their case; f) where appropriate, the intention of the controller to transfer personal data to a third party country or international organization and the existence or absence of a decision to adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person in charge of the treatment will facilitate the interested party, at the moment in which the data is obtained personal, the following information necessary to guarantee data processing fair and transparent C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/17 a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this period; b) the existence of the right to request from the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to which referred to in article 22, sections 1 and 4, and, at least in such cases, information about applied logic, as well as the importance and consequences provisions of said treatment for the interested party”. Therefore, in this case, based on the evidence available in this moment, it is considered that the management of personal data carried out by the page web, ***URL.1 does not contradict the provisions of the RGPD regarding the consent to the processing of personal data to send you commercial communications and regarding the information provided to the interested when their personal data is obtained from them. III.- About the Cookies Policy of the website ***URL.1. a).- Regarding the installation of cookies in the terminal equipment prior to consent: Article 22.2 of the LSSI establishes that users must be provided with information clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie entails a treatment that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by the regulations on the protection of data. However, it is necessary to point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI those necessary cookies C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/17 for the intercommunication of the terminals and the network and those that provide a service expressly requested by the user. In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies excepted would be the user input Cookies” (those used to filling in forms, or managing a shopping cart); cookies from user authentication or identification (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a site Web); media player session cookies; session cookies to balance load; user interface customization cookies and some of plugin (plug-in) to exchange social content. These cookies would be excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be necessary to inform or obtain consent about your use. On the contrary, it will be necessary to inform and obtain the prior consent of the user before the use of any other type of cookies, both first and third-party, session or persistent. In the verification carried out by this Agency on the claimed website, it was possible verify that, when entering the main page and without performing any action on the pamper or accept cookies, the following non-necessary cookies were used: When entering the web for the first time, without accepting cookies or performing any action on the page, it has been verified that third-party cookies are used that are not technical or necessary, whose suppliers are: .bing.com; .doubleclick.net; .Google com; .criteo.com; .krxd.net; .analytics.yah oo.com; .yahoo.com; .rlcdn.com; .adform.net; .agkn.com; .criteo.com; .rfihub.co m; .adform.net b).- About the consent to the installation of cookies in the terminal equipment: For the use of non-excepted cookies, it will be necessary to obtain the express consent of the user. This consent can be obtained clicking on, “accept” or inferring it from an unequivocal action performed by the user that denotes that the consent has occurred unequivocally. By Therefore, the mere inactivity of the user, scrolling or browsing the website, is not be considered for these purposes, a clear affirmative action in any circumstance and not will imply the provision of consent by itself. Similarly, access to the second layer if the information is presented in layers, as well as the navigation necessary for the user to manage their preferences in relation to cookies in the control panel, it is also not considered an active behavior that can be derive the acceptance of cookies. The existence of "Cookie Walls" is not allowed either, that is, windows pop-ups that block the content and access to the web, forcing the user to accept the use of cookies to be able to access the page and continue browsing without offer the user any type of alternative that allows him to freely manage his preferences about the use of cookies. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/17 If the option is to go to a second layer or cookie control panel, the link it should take the user directly to that configuration panel. To facilitate selection, the panel can be implemented, in addition to a management system granular cookies, two more buttons, one to accept all cookies and one to reject them all. If the user saves his choice without having selected any cookie, it will be understood that you have rejected all cookies. Regarding this second possibility, in no case are pre-marked boxes admissible in favor of accepting cookies. If for the configuration of cookies, the web refers to the browser configuration installed in the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. Therefore, if the publisher opts for this option, it must also offer, and in any case, a mechanism that allows you to reject the use of cookies and/or do it in a granular way. On the other hand, the withdrawal of the consent previously given by the user It should be possible to do it at any time. To this end, the publisher must offer a mechanism that makes it possible to withdraw consent easily at any moment. This facility will be considered to exist, for example, when the user have simple and permanent access to the management or configuration system of the cookies. If the editor's cookie management or configuration system does not allow to avoid the use of third-party cookies once accepted by the user, it will be provided information about the tools provided by the browser and third parties, It must be noted that, if the user accepts third-party cookies and subsequently wishes to delete them, you must do it from your own browser or the system enabled by the third parties for it. In the case that concerns us, the banner of the first layer makes it possible to accept all the cookies or manage them in the control panel. However, if you access the dashboard control is checked as performance cookies and targeted cookies are They are pre-marked in the “accepted” option. If you choose to "reject all cookies", in the existing option in the control panel control is verified as the web continues to use third-party cookies that are not technical or necessary, whose providers are: bing.com; Google com; doubleclick.net and krxd.net. IV.- Qualification and sanctions that may correspond with respect to infractions committed in the Cookies policy: Of the deficiencies detected, regarding the cookie policy, on the website ***URL.1: (The use of third-party cookies that are not technical or necessary; the groups of cookies pre-marked in the "accepted" option in the control panel and the impossibility of rejecting third-party cookies that are not technical or necessary, could suppose by the claimed, the commission of the infraction of article 22.2 of the LSSI, since it establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/17 “Service providers may use storage devices and recovery of data in terminal equipment of the recipients, provided that they have given their consent after they have been provided clear and complete information on its use, in particular, on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data. Where technically possible and effective, the recipient's consent to Accepting the processing of the data may be facilitated through the use of the parameters from the browser or other applications. The foregoing will not prevent the possible storage or access of a technical nature to the sole purpose of effecting the transmission of a communication over a communications network electronic or, to the extent that is strictly necessary, for the provision of a service of the information society expressly requested by the addressee". This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI. After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the investigation, it is considered appropriate to graduate the sanction to impose in accordance with the following aggravating criteria, established by art. 40 of the LSSI: The existence of intentionality, an expression that must be interpreted as equivalent to degree of guilt according to the Judgment of the Hearing National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the denounced entity the determination of a system for obtaining consent informed that it is in accordance with the mandate of the LSSI. In accordance with these criteria, it is considered appropriate to impose an initial sanction of 30,000 euros, (thirty thousand euros), for the infringement of article 22.2 of the LSSI, regarding of the cookie policy made on the website of its ownership: ***URL.1. Therefore, in accordance with the foregoing, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: START: PUNISHMENT PROCEDURE before the entity VUELING AIRLINES, S.A., with CIF.: A63422141 owner of the website ***URL.1 for infraction of the article 22.2 of the LSSI, due to the deficiencies detected on its website regarding the "Cookies policy". APPOINT: Mr. B.B.B. as Instructor, and Secretary, if applicable, Ms. C.C.C., indicating that any of them may be challenged, as the case may be, in accordance with established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/17 INCORPORATE: to the disciplinary file, for evidentiary purposes, the claim filed by the claimant and his documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigations, all of them part of this administrative file. WHAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, the sanction that could correspond would be 30,000 euros (thirty thousand euros), for the infringement of the Article 22.2 of the LSSI, without prejudice to what results from the instruction of this proceedings. NOTIFY: this agreement to initiate disciplinary proceedings against VUELING AIRLINES, S.A., granting a hearing period of ten business days for formulate the allegations and present the evidence that it deems appropriate. If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed was a fine, it may recognize its responsibility within the term granted for the formulation of allegations to this initial agreement; it which will entail a reduction of 20% of the sanction to be imposed in this procedure, equivalent in this case to 6,000 euros. with the app of this reduction, the sanction would be established at 24,000 euros, resolving the procedure with the imposition of this sanction. Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will entail a reduction of 20% of the amount of this, equivalent in this case to 6,000 euros. With the application of this reduction, the sanction would be established in 24,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 18,000 euros (eighteen thousand euros). In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction. If you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by depositing it in account Nº ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/17 Data in Banco CAIXABANK, S.A., indicating in the concept the number of reference of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send proof of payment to the General Subdirectorate of Inspection to proceed with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Sea Spain Marti Director of the Spanish Agency for Data Protection. >> SECOND: On April 11, 2022, the claimed party has proceeded to pay the sanction in the amount of 18,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW Yo In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, of services of the information society and electronic commerce (hereinafter LSSI) and as established in articles 47 and 48.1 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Agency for Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/17 regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” Finally, the fourth additional provision "Procedure in relation to the competences attributed to the Spanish Data Protection Agency by other laws" establishes that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Agency for the Protection of Data would have to be processed in the exercise of the powers attributed to it by other laws." II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure EXP202103886, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to VUELING AIRLINES, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/17 Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 936-240122 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es