AEPD (Spain) - PS/00264/2020

From GDPRhub
Revision as of 15:42, 5 February 2021 by Mh (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00264/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 22(2) Law on Services of the Information Society and Electronic Commerce
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.01.2021
Published: 01.02.2021
Fine: None
Parties: FACUA - Asociación de Consumidores y Usuarios en Acción
Asociación de Afectados por las Asociaciones de Consumidores
National Case Number/Name: PS/00264/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that Asociación de Afectados por las Asociaciones de Consumidores (ASOCAPAC) breached Article 22(2) LSSI as a result of the cookie banner and policy on their website. The first layer of the cookie banner and the cookie policy did not contain sufficient information and a "refuse all cookies" option was absent.

English Summary

Facts

FACUA - Asociación de Consumidores y Usuarios en Acción (FACUA) filed a complaint against Asociación de Afectados por las Asociaciones de Consumidores (ASOCAPAC). The complaint concerned ASOCAPAC's cookie banner.

The Spanish DPA (AEPD) identified the following proven facts. Firstly, the cookie banner on ASOCAPAC's website did not provide concise and intelligible information as it only mentions: "This website uses its own and third party cookies to offer you a better experience and service (...)". This undermines the clarity of the message.

The Spanish DPA also established that the cookie policy (in the second layer of the banner or on the Privacy Policy page) provided additional information on what cookies are and first and third party cookies are used for. However, there was no information on the identification and the time that they were active.

Additionally, the DPA found that there was no mechanism to reject all cookies.

Dispute

Is the lack of information and the lack of a possibility to "refuse all cookies" on a cookie banner a breach of Article 22(2) LSSI?

Holding

The Spanish DPA (AEPD) held that:

i) the lack of sufficient information on the first layer of the cookie banner, ii) the lack of information as to the type of cookie and the time it remained active, iii) as well as the absence of a "refuse all cookie" option

constituted a breach of Article 22(2) of the Spanish Law on Services of the Information Society and Electronic Commerce (LSSI).

The Spanish DPA therefore imposed a warning sanction on the defendant, ASOCAPAC. The DPA also outlined that the defendant had a month to modify the cookie banner and introduce a new cookie policy.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/4








     Procedure No.: PS / 00264/2020
938-0419
                RESOLUTION OF SANCTIONING PROCEDURE

In the sanctioning procedure PS / 00264/2020, instructed by the Spanish Agency for

Data Protection for the ASSOCIATION OF AFFECTED BY THE ASSOCIATIONS
DE CONSUMIDORES, with CIF .: G88568985, owner of the website, www.asocapa-
c.com, (hereinafter, "the claimed association"), by virtue of a complaint filed by
the association, FACUA - ASSOCIATION OF CONSUMERS AND USERS IN AC-
TION, (hereinafter, “the claimant association”), and based on the following,


                                   BACKGROUND

FIRST: On 01/09/20, you have an entry in this Agency, a complaint filed
by the claimant association in which it indicated, among others, the following:


"That from this association we have been able to verify how on the website www.a-
socapac.com does not collect "legal notice" (or similar section) or information related to
processing of personal data of any kind, which may be contrary, by a
hand, to the content of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce and, on the other hand, the current regulations on

ria of data protection.

Likewise, from FACUA we have been able to verify that the Association of Consumed-
affected by the Consumers Associations (ASOCAPAC), which they assume
This web page actually belongs, it is not registered, contrary to what

It is indicated on this website, in any public registry, as we have been informed
directly from the General Ministry of Health, Consumption and Social Welfare and,
more specifically, from the general sub-directorate of arbitration (who owns the
requests in the register of consumer and user associations). Said with others
In words, everything seems to indicate that we are facing a non-existent association and

to a web page with some kind of malicious intent with respect to those
the people who accessed it.

We have been able to observe how the website https://www.asocapac.com/ is done
use of cookie files without notifying the user of said website in any way about the use of
lization of this class of files. Likewise, this website advertises two email addresses

electronic mail that are intended for users of this platform to write to
the same which, consequently, must imply the processing of personal data-
(at least, the treatment of the email address of the person who sends the
corresponding communication) ”.


SECOND: In view of the facts set forth in the claim and the documents
provided by the claimant, the SG of Data Inspection proceeded to carry out actions
tions for its clarification, in accordance with article 65.4 of the Organic Law
3/2018, of December 5, Protection of Personal Data and guarantee of rights
chos digital (hereinafter LOPDGDD). Thus, dated 02/27/20 and 03/12/20 he addressed

two written requests for information to the claimed entity.

According to the certificate of the Electronic Notifications and Electronic Address Service
Enabled, the request sent to the claimed association on 02/27/20, through
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/4








NOTIFIC @ service, was automatically rejected in the direction of des-
tino on 03/10/20.


According to a certificate from the State Postal and Telegraph Society, the request to send
from the claimed association on 03/12/20, through the SICER service, was collected
at destination on 06/03/20, by D. A.A.A .. *** NIF. 1.

THIRD: On 09/16/20, by this Agency, the website is consulted
reported, verifying the following aspects of the privacy policy and

the cookie policy implemented on said page:

    A) Regarding the Privacy Policy:

On the website https://www.asocapac.com/, through the tab, <<contact>>,

located at the top of the page, a form is displayed where they are collected
Users' personal data, such as name and email address.

At the bottom of the web page there is a link, << Privacy Policy >>, through
through which, it is redirected to the page, https://www.asocapac.com/politica-de-privacidad/,
where it is informed of: the identity of the person in charge; The principles applied in the treatment

data storage; Obtaining personal data; How to object to the treatment
to; the purpose of the processing of personal data; the security of personal data-
them; the content of other websites; the Cookies Policy; the legitimation for the
data storage; the categories of personal data; recipients of personal data
sonal; the acceptance and consent and the revocability of the consent.


    B) About the Cookies Policy:

b.1.) When accessing the main page of the reported website, (first layer), there is a
information banner about cookies at the bottom of it, with the following

legend:

 "This website uses its own and third party cookies to offer you a better experience and
 service. By browsing or using our services, the user accepts the use we make
                 of cookies ”. << Cookie settings >> - <<ACCEPT>>


b.2.) If the cookie policy is accessed, (second layer), through the link << Cookie
Settings >>, or through the link on the privacy policy page << Po-
Cookies policy >>, it is redirected to the page displays a page https: //www.asocapa-
c.com/politica-de-cookies/, where information is provided on: what are the
cookies and the types of cookies used.


On the process to deactivate cookies, the web refers the user to configure
the browser installed on your terminal equipment.

FOURTH: In view of the facts denounced from the verifications carried out by

this Agency, the Director of the Spanish Agency for Data Protection, dated
09/22/20, agreed to initiate a sanctioning procedure against the claimed person, in
under the established powers, for failing to comply with the provisions of article 22.2 of the
LSSI, regarding the cookie policy of its website.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/4









FIFTH: Notified the initiation of the file on 10/03/20, to date, no
It is clear that any response has been given to the initiation of the file within the

period granted for this, for the appropriate legal purposes by the claimed entity.

Of the actions carried out in this procedure, of the information and documents
documentation presented by the parties, the following have been accredited:

                                 PROVEN FACTS

1º.- When accessing the home page there is a banner about cookies, which provides information
not very concise or intelligible, since when using the expression: “This website uses

own and third party cookies to offer you a better experience and service (…) ”, in
lead to confusion, undermining the clarity that the message should have at this point.
2nd.- If the cookie policy is accessed, (second layer), through the link << Cookie

Settings >>, or through the link on the privacy policy page << Po-
Cookies policy >>, information is provided on: what are cookies or what for
use their own and third-party cookies, but identification information is missing
and the time they will be active. Nor is there a mechanism to reject
all cookies.

                            FOUNDATIONS OF LAW
                                             I
The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph
second, from the LSSI.

                                             II
The joint assessment of the documentary evidence in the procedure brings to the conclusion
knowledge of the AEPD a vision of the denounced action that has been reflected
It gives in the facts declared proven above related.

Of the actions carried out, in relation to the "Cookies Policy", of the page

claimed web, https://www.asocapac.com/, the following aspects have been verified:

When accessing the home page there is a banner about cookies, which provides
not very concise or intelligible information, since when using the expression: “This website uses
own and third-party cookies to offer you a better experience and service (…) ”,

They induce confusion, undermining the clarity that the message should have.

In the second layer, (cookie policy), information is provided about what they are
cookies or what they use cookies for, but information about the
identification and the time they will be active. There is also no mechanism that

allow the user to reject all cookies.

The exposed facts suppose on the part of the claimed entity, the commission of a
violation of article 22.2 of the LSSI. This offense is classified as "minor" in the
Article 38.4 g), of the aforementioned Law, which considers as such: “Use al-
data storage and recovery when the information has not been provided

or obtained the consent of the recipient of the service in the terms required by
Article 22.2. ”, which may be sanctioned with a fine of up to € 30,000, according to
with article 39 of the aforementioned LSSI.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/4









Based on these criteria, it is deemed appropriate to impose on the claimed entity
a sanction of “APERCIBIMIENTO”, for the infraction of article 22.2 of the LSSI, res-

pect of the cookie policy carried out on the website of its ownership.

Therefore, in accordance with the foregoing, by the Director of the Spanish Agency
Data Protection Policy,

                                      RESOLVES

SEE: the ASSOCIATION OF AFFECTED BY THE ASSOCIATIONS OF
CONSUMERS, with CIF .: G88568985, owner of the website, www.asocapac.-
com, for the violation of article 22.2) of the LSSI, regarding its cookie policy
on the website of its ownership.

REQUIRE: the ASSOCIATION OF AFFECTED BY THE ASSOCIATIONS OF
CONSUMERS so that, within a month from this act of notification,
proceed to take the appropriate measures to adapt the website of your ownership,
adapting the cookie policy, modifying the banner of the first layer, introducing

providing information with clear and simple language, avoiding the use of phrases that
lead to confusion or detract from the clarity of the message and expanding the information
existing in the second layer identifying the cookies and the time they remain
active. In addition, you must implement a mechanism that allows the rejection of all
the cookies.

NOTIFY: this resolution to the ASSOCIATION OF AFFECTED BY THE
CONSUMER ASSOCIATIONS.

In accordance with the provisions of article 50 of the LOPDPGDD, this Re-
solution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the
The parties may optionally file an appeal for reconsideration before the Director

of the Spanish Agency for Data Protection within a month from
the day after notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
Fourth nal of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administrative, within two months from the day after the notification

tion of this act, as provided in article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection.












C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es