AEPD (Spain) - PS/00132/2022

From GDPRhub
Revision as of 13:19, 13 July 2022 by 84.113.103.211
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Recital 25 ePrivacy Directive (2002/58/EC)
Article 22.2 LSSI
Type: Complaint
Outcome: Upheld
Started: 07.04.2022
Decided: 26.04.2022
Published: 28.06.2022
Fine: 1,800 EUR
Parties: n/a
National Case Number/Name: PS-00132-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined the owner of a commercial website €3,000 (reduced to €1,800) for the processing of personal data and the use of cookies without a legal basis and for not providing sufficient information to the data subject under Article 13 GDPR.

English Summary

Facts

On 7 April 2022, the data subject, Mr. B.B.B., filed a complaint with the Spanish DPA (AEPD) stating that the owner of a commercial website, Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law).

The data subject complained about three aspects of the controller’s website: The contact form, the Privacy Policy and the Cookie Policy.

The contact form of the website (by which website users may contact the controller) did not provide the data subject with the possibility to consent to the processing of their personal data (name and email address, among others).

The website’s Privacy Policy did not disclose to the data subject all the relevant information mentioned in Article 13 GDPR; hence, the controller did not fulfil her obligation to inform.

The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookie Policy about the cookies in use.

The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies – which were considered neither necessary nor functional by the DPA – were already in use before the data subject had actively and expressly given their consent or taken any action on the website.

The data subject did not have the possibility to withdraw their consent regarding the cookies either. In addition, the Cookie Policy, which should give the data subject access to more detailed information regarding the features of the cookies used, disclosed neither the activity time, nor the purpose, nor the precise identification of the cookies.

Holding

The Spanish DPA imposed a fine on the controller amounting to €3,000.

The processing of personal data without the consent of the data subject – thus without a valid legal basis and in violation of Article 6 GDPR – was fined with €1,000.

The violation of Article 13 GDPR was also fined with €1,000.

The use of cookies without the express consent of the data subject – which violated Spanish national law, LSSI, and GDPR – was fined with €1,000 as well. In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.

On 26 April 2022, the controller paid the fine, which was reduced to €1,800.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00132/2022
RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY PAYMENT
From the procedure conducted by the Spanish Agency for Data Protection, and based on the following
BACKGROUND
FIRST: Dated 7...