AEPD (Spain) - EXP202211953

From GDPRhub
Revision as of 08:12, 11 October 2023 by Sh (talk | contribs)
AEPD - PS-00080-2023
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started: 30.09.2022
Decided:
Published: 20.09.2023
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: PS-00080-2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Paola Leon

The Spanish DPA imposed a fine against a website operator for failing to provide adequate information in its privacy policy according to the requirements of Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR.

English Summary

Facts

A data subject submitted a complaint to the AEPD indicating that the website operator Chatwith.IO infringed GDPR by implementing dark patterns, specifically overloading and skipping when users try to object to the processing of their personal data by third parties. Users are prompted with a pop-up which contains a list of service providers, 1.522 in total, in which 338 of those have the selection box toggled on. If users want to object, they need to toggle off each box individually. The data subject submitted that there should be an option to object to ALL of the legitimate interests at once. Moreover, these selection boxes are shown in a light grey colour which can be easily confused with the white background of the website and it requires an additional visual effort on the parts of users to distinguish the options.

Further, the data subject submitted that the legitimate interest of third parties is not explained in a manner that can be easily comprehended and found in the privacy policy unless they have to access to each of the third parties' privacy policies.

Holding

Upon reviewing the data subject's complaint, the AEPD confirmed the following:

1. The purposes of the processing for which the personal data are intended and the legal basis for the processing have ambiguous wording, or lack of required clarity.

2. The legitimate interests of third parties to whom the controller is referred to in the information banner on the main page are unclear and it is necessary to access the information individually different privacy policies of each of the more than 1,000 companies that appear in the providers list.

3. No reference is made to the controller's intention to transfer personal data to a third country or international organization outside the European Union, all this despite the fact that some of the companies that appear in the providers list are located outside the EU.

4. In terms of dark patterns, the AEPD confirmed that the dark pattern of overloading and skipping is observed when accessing the providers list. Once there, the users find a list of about 130 companies, of which, more than half have the default marked “Accept data processing for legitimate interest” box, which requires, in the case of objection to the processing marking one by one throughout the entire list, without the option of being able to object by indicating it only once or a number of times that is reasonable and does not generate fatigue in the affected person.

5. In regards to cookies, those that are not technical or necessary are deployed before obtaining consent from users.

6. The cookie management panel shows that the groups of Cookies are divided into two options, accept the cookies by “Consent” that are pre-marked in the “not accepted” option and accept the cookies by “Legitimate Interest” which pre-marked in the “accepted” option. However, if all the options marked “accepted” are unchecked, the website still continues to use the same cookies detected when entering on the web without having given consent.

7. There is no information about cookies in the second layer or link that enable the user to be redirected to the “Cookie Policy” of the website. The information about cookies appears dispersed in each of the options of the cookie management panel.

The DPA resolved to impose a fine of 2000 euro for infringement of Article 13 GDPR and required compliance with this article within one month. This infringement was considered as medium.

It also Imposed a fine of 5000 euro for infringement of Article 5 (1)(a) as well as one month to bring its processing into compliance. This infringement was considered very gave

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/31








     File No.: EXP202211953 (PS/00080/2023)

               RESOLUTION OF THE SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following:
                                  BACKGROUND

FIRST: On 09/30/22, Mr. A.A.A. (hereinafter, the complaining party) filed

claim before the Spanish Data Protection Agency. The claim is
directed against the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239,
owner of the website ***URL.1 (the claimed party), for the alleged violation of
data protection regulations: Regulation (EU) 2016/679, of Parliament
European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons

regarding the Processing of Personal Data and the Free Circulation of
these Data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD), and against the Law
34/2002, of July 11, on Information Society Services and Commerce
Electronic (LSSI).


The reasons on which the claim was based are:

       “The company IURIS MARKETING S.L. (current CHATWITH.IO WORLDWIDE
       S.L.) is the owner of the website ***URL.1.


       The claimed company processes the personal data of visitors
       who access the website, obtaining them both directly from the interested parties
       through requests for information when they try to contact the
       lawyers who advertise on the page, such as through the use of cookies
       that are installed on the visitor's computer equipment when consulting the website.

       This is reported by the data controller himself through a message that
       appears when accessing iurisnow.com, in a pop-up window that appears
       superimposes the main window and that under the title “Privacy and
       Transparency” informs the user that both the owner of the website and
       its partners process the personal data of the
       interested.


       Specifically, it is indicated in the first part of the informative text, that
       “We and our partners use cookies to Store or access
       information on a device. We and our partners use data to
       Personalized ads and content, ad and content measurement,

       information about the public and product development”, at the same time, towards
       half of the text, you can read, that “Some of our partners may
       process your data as part of our legitimate business interest without requesting your
       consent. To see the purposes that they believe have legitimate interest or
       object to this data processing, please use the link in the list of

       suppliers below.” A copy of the pop-up window is attached (Doc.
       evidentiary 4).



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/31








       The controller uses dark overload patterns
       overloading and skipping in user interface design
       through which the privacy options to be applied are configured

       to the processing of the website visitor's data, specifically
       when the interested party expresses his opposition to data processing based
       in the legitimate interest of the person responsible and of third parties, whom he calls
       “partners”.

       The dark overload pattern is clearly observed when accessing the

       section of the “Supplier List” pop-up window, once there, the
       interested party finds a list of 1,522 companies, of which, according to
       the estimate made by the claimant, 338 have the default marked
       "Legitimate interest" box, which requires, in the case of wanting to show the
       opposition to the treatment of marking one by one throughout the entire list, each one

       of the 338 boxes, without there being the option of being able to object by indicating it
       only once or a number of times that is reasonable and does not generate fatigue in the
       affected. To the previous 338 boxes, we must add another nine that are
       found in the “Manage settings” section.

       Upon accessing, you can see that a set of nine purposes appear

       of treatment under the title of “Purposes”, each of them, with its box
       corresponding marked with the default option in favor of the treatment
       based on legitimate interest, it being necessary to select one by one the
       boxes to be able to oppose each of the purposes established by the
       responsible. As in the previous situation, there is no option in the

       window that allows you to oppose all of them at the same time, or a number
       reasonable of times.

       A copy of the “List of suppliers” section is provided for evidentiary purposes.
       (Exhibit document 5), copy of the “Manage configuration” section for purposes

       evidence (Evidence Doc. 6) and the formulas used to calculate
       List companies and estimate boxes with privacy options
       affected (evidence document 17). On the other hand, the dark concealment pattern is
       used in the “Supplier List”. If you access this section, you can
       observe with some difficulty that there is an estimated set of 32 companies
       who have the consent box checked with the option blocked, without

       that the interested party can revoke it.

       These boxes appear in a grayish color that blends in with white.
       used as the background of the screen, which makes it difficult to locate and serves as
       camouflage mechanism, avoiding detection if no effort is made

       increased visual (Exhibits 5 and 17). The information that
       provided by the person responsible, relating to the legitimate interests of third parties and the purposes
       of the processing to which personal data is intended is not
       transparent.


       The legitimate interests of third parties and the purposes of the processing are not
       determine or explain in a clear or understandable manner in the information
       offered to interested parties. Within the privacy policy of the person responsible,
       The purposes for which the processing is carried out are not indicated, not even in the title

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/31








       “Provenance, purpose and legitimacy of the data offered”, can be
       find any reference to the purposes for which the data is collected.
       Nor can you find information about the legitimate interests of

       third parties in the title “Recipients of the data or transfer to third parties”, nor in other
       parts of the privacy policy, being necessary to access
       individually to the different privacy policies of each of the 1,522
       companies that appear in the so-called “List of suppliers”, for which
       if a URL link appears within the dropdown information of each
       "supplier". The only information that can apparently refer to both

       purposes, such as the legitimate interests of third parties, can be found in
       unclear form in the text that appears within the pop-up window, in
       which mentions that the data is used for “ads and content
       personalized, ad and content measurement, information about the
       public and product development”, without providing more information. (Documents

       evidence 2 and 4).

       The person responsible for the treatment does not make any mention in the information that
       facilitates the interested party, both in the pop-up window and in the policy of
       privacy, the intention or possibility of transfers of
       data to third countries, outside the European Union, nor to the existence or

       absence of an adequacy decision from the Commission, nor to the guarantees
       adequate or appropriate measures that can be adopted so that the interested party can
       exercise their rights regardless of the international transfer.
       All this despite the fact that a relevant part of the companies that appear
       in the “List of suppliers”, if they inform in their respective policies of

       privacy, that the data collected by them may be transferred outside
       of the European Union.

SECOND: On 11/15/22, in accordance with the provisions of article 65.4
of the LOPDGDD, by this Agency, said claim was transferred to the

claimed party, so that it could proceed with its analysis and report, within a period of one
month, about what was stated in the statement of claim.

According to a certificate from the Electronic Notifications and Electronic Address Service, the
request letter sent to the claimed party, on 11/18/22, through the service
of electronic notifications “NOTIFIC@”, was rejected at destination on 11/29/22.


Although the notification was validly carried out by electronic means, it was deemed
the procedure has been carried out in accordance with the provisions of article 41.5 of the LPACAP, as
informative, an attempt was made to send it by postal mail, which was returned to its destination with the date
12/14/22 with the message “unknown”.


THIRD: On 12/30/22, by the Director of the Spanish Agency for
Data Protection agreement is issued to admit the claim processing
presented, in accordance with article 65 of the LPDGDD Law, when appreciating possible
rational indications of a violation of the rules in the field of competences

of the Spanish Data Protection Agency.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/31








FOURTH: On 02/08/23, this Agency accessed the page
web***URL.1, verifying the following characteristics on its “Policy of
Privacy” and about its “Cookies Policy”:


        a).- Regarding the processing of personal data:

a.1.- It is verified how, on the website, personal data can be obtained through
through the <<contact>> link, located at the top of the main page,
where you can enter personal data such as name, telephone, email

email and subject.

Before submitting the form, the user must check the box:

“_ I have read and accept the <<Privacy Policy>> and the <<Terms of Use>>”


a.2.- Personal data can also be entered when registering in the
website, through the link at the top right of the main page
<<private area>>, from which a form is displayed ***FORM.1
where personal data such as name, surname, address must be entered
phone, email. There is also the possibility of attaching a photo.


Before submitting the form, the user must check the box:

“_ I have read and accept the <<Privacy Policy>> and the <<Terms of Use>>”


a.3.- On the pages of the two previous forms there is a banner with the following
information:

 By virtue of the provisions of the L.O. 3/18 Iuris NOW informs you that the data of

 personal nature that you may offer us are part of data processing
 The following applies to you:

 Responsible: IURIS MARKETING S.L.
 Purpose: Register on the platform to be listed as a professional and
 receive customer contacts

 Legitimation: Consent of the interested party or his legal representative.
 Recipients: Iuris Marketing S.L. and the contracted services.
 Rights: Access, rectify and delete data, as explained in our
 Privacy Policy


        b).- About the “Privacy Policy”:

If you access the “Privacy Policy” through the existing links in the
previous forms or through the link at the bottom of the page
main page, the website redirects the user to a new page ***URL.2 where

provides the following information:

b.1.- Regarding the “legal notice” information is provided on:

    - The person responsible for the website

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/31








    - Conditions of access and use of the portal
    - Third party content
    - Use of links

    -   Disclaimer
    - Applicable legislation and jurisdiction

b.2.- Regarding the Privacy Policy, you are informed of:

       RESPONSIBLE FOR DATA PROCESSING


       The ownership of this website, with domain ***DOMINIO.1, is Iuris
       Marketing S.L., hereinafter “Iuris NOW”, and address at ***ADDRESS.1, with
       contact email ***EMAIL.1


       All of the above, as Data Controller you are informed that:

       DATA PROTECTION RIGHTS:

       Iuris NOW users can direct any communication, either by
       written to the address provided previously, or by mail

       electronic (***EMAIL.1), communication via email being faster and more effective.
       electronics. The user can always exercise the following rights:

       Right of access: Iuris NOW users may request access to the
       personal data that we have about them.


       Right to request rectification: In cases where the data is
       incorrect or need to be updated, for the relevant reason, you may request
       its rectification.


       Right of deletion: The interested party may request Iuris NOW to delete
       at any time, the deletion of any personal data that you
       concerns.

       Right to request the limitation of your treatment: You may request Iuris
       NOW the limitation of the data obtained either because the data is not needed

       personal data for the purposes of the processing, but are necessary for the
       interested.

       Right to oppose the processing: Iuris NOW will stop processing the data that
       have been provided by the user, unless legitimate reasons are proven and

       imperative to be able to continue with the treatment.

       Right to portability of the data offered: In the event that you want us to
       your data is processed by another company or person, Iuris NOW will
       undertakes to facilitate said data portability to the new controller

       whenever requested. In application of the aforementioned legislation that we have
       mentioned at the beginning of this text, we offer users the model,
       form and other interesting information offered by the Spanish Agency for
       Data Protection in the following link

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/31









       Likewise, within the rights of users, we offer the possibility of
       withdraw the consent that has been granted by any of the means that

       was obtained, since the user of the website has the right to withdraw in
       consent granted at any time, without alleging just cause, not
       However, the withdrawal of the consent granted will not invalidate the treatment.
       based on consent prior to its withdrawal.

       Finally, we want to emphasize the importance of the exercise of these rights, and

       any problem or disagreement that may occur with Iuris NOW in the
       processing of the data, claims may be submitted that may be
       right suits the corresponding data protection authority,
       being in Spain the Spanish Data Protection Agency


       CONSERVATION OF THE DATA OFFERED

       The disaggregated data will be kept without a deletion period.

       User data: The retention period of the data of people who
       offered to Iuris NOW will vary depending on the service that the user contracts

       with Iuris NOW, however, data retention will be minimal
       required for the specific case, in general:

       Clients: From the moment the service provision relationship begins with the
       client, until 4 years have passed since the end of the provision of

       services
       Blog comments: From the moment the user leaves their comment on the blog until
       requesting its deletion

       Newsletter subscribers: Since the user subscribes to the newsletter

       until you withdraw your consent

       Contact form: Since the user accepts the sending of their data
       through the contact form until you withdraw your consent.

       Download a document: Since the user downloads the document and

       you consent to send you communications.

       PRINCIPLES OF APPLICATION TO PERSONAL INFORMATION

       In the processing of personal data that you offer through the media

       established, Iuris NOW will apply the following principles required by the
       applicable legislation:

       Principle of legality, loyalty and transparency: In order to carry out treatment
       of your data, I will always require express, unequivocal consent,

       informed and prior to the treatment, the information and treatment thereof
       It will be specifically intended for the purpose you have requested.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/31








       Data minimization principle: I will only require the information from you
       necessary for the specific case, I do not want to handle more information than the
       necessary, but rather that which is essential to be able to respond.


       Principle of limitation of the conservation period: The data you offer me,
       will be maintained in the file owned by Iuris NOW for the period
       essential and necessary.

       Principle of integrity and confidentiality: The data will be treated in a

       way that guarantees their security and confidentiality,
       taking the necessary precautions to access them, only
       authorized persons or authorized third parties.

       ORIGIN, PURPOSE AND LEGITIMACY OF THE DATA OFFERED


       Based on all of the above, the category of data requested from the
       users is a basic category, it is not a data category
       specially protected.

       Web hosting: The Iuris NOW page is hosted at OVH (OVH

       HISPANO SL NIF: B-83834747) Company based in Madrid, being
       application of the provisions of the RGPD and LOPDyGDD

       Data collected through the website: The data collected through the
       web page, will be incorporated into the corresponding file, in addition to the

       information provided, the IP address is also collected, which in the large
       Most of the time this information is not used.

       Social networks: Iuris NOW has a presence on different social networks,
       recognizing us as responsible for the data that users process

       through social networks privately with Iuris NOW, in order to be
       extracted to provide the requested information.

       The purpose and legitimacy of the data processing that Iuris NOW carries out
       on social networks, will be the one permitted by the social network


       DATA COLLECT

       The user guarantees that the personal data that has been provided by different
       means offered and mentioned above are accurate and truthful,
       being responsible for communicating to Iuris NOW any type of modification

       that arises in personal data.

       If the data that has been offered belongs to a third party, the user guarantees
       that has obtained the consent of said third party in order to facilitate the
       data.


       When providing the data, the user declares and accepts having read the
       this privacy policy, expressly consenting to the treatment
       of personal data in accordance with what is established on this page.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/31









       Likewise, when a user requests information, they are providing a minimum
       personal information for which Iuris NOW will be responsible.


       When requesting information, information is collected from the IP address, name,
       email address, phone number and other information. Be
       managed and used by Iuris NOW.

       RECIPIENTS OF THE DATA OR TRANSFER TO THIRD PARTIES


       For the correct development of the activity carried out by Iuris NOW, it is necessary
       have different professionals or tools with which you can
       develop the activities described above, therefore, Iuris NOW
       share strictly necessary data under their corresponding

       privacy conditions with the following providers:

       Google Analytics: The Iuris NOW website uses a service system
       analytics offered by the company Google Inc, is a company located in the
       1600 Amphithreare Parkway, Mountain View (California), CA 94043,
       USA. This program uses “cookies” which are text files

       located on your computer when visiting the website, the purpose is to help Iuris
       NOW to know what users who visit your website do. The information that
       offered by Google Analytics includes the IP address of the visitor who will be
       transmitted and archived by Google on its services located in the United States
       Joined.


       The Iuris NOW page is hosted on OVH. The Iuris NOW website
       It has SSL encryption that allows the secure sending of your data
       personal through the different means that we collect data in our
       web, website developed using WordPress, more information at Automattic.


       Google Adsense: The previous company mentioned Google Inc, offers services
       of advertising that are being used on this website, for this,
       uses a cookie that publishes a series of advertisements on our website. He
       user can disable the use of these cookies by following the instructions
       that are indicated in the Google section itself.


       For this advertising system, Google offers a platform to different
       partner companies to publish ads through their platform, so
       that, certain information is used to provide advertisements about products and
       services that are of interest, but at no time is the name collected,

       address, email address or telephone number - If you would like more
       information about this practice and to know your different options, consult the
       next link

       Google Maps: It is a map display service provided by Google

       Inc, which allows us to provide an interactive map to our website –
       Google Privacy Policy



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/31








       Lawyers: As an object of our main activity, when you leave us your
       data and request advice, we will offer your data to the best lawyer or the
       lawyer that you have requested from us.


       CONFIDENTIALITY

       Iuris NOW is committed to the use and processing of personal data that
       are collected through the website, respecting at all times the
       confidentiality and to use them for the purpose for which they were collected.


       We undertake to carry out all necessary actions regarding
       of data protection.
       ACCEPTANCE AND CONSENT


       The user accepts having been informed of the conditions regarding protection of
       data inherent to the legislation that is applicable, accepting and
       consenting to their processing by Iuris NOW.

       SECURITY MEASURES


       This website includes an SSL certificate, it is a security protocol that
       causes the data between the user and Iuris NOW, a transmission to occur
       sure of it, we also have a specific security service
       and we constantly update all the technologies we use in
       our page.


       Likewise, Iuris NOW will keep updated and apply all measures
       necessary to be able to offer the greatest possible security to users, not
       However, absolute impregnability on the Internet does not exist,
       committing ourselves that any incident that may affect the

       users, will be communicated as established in the legislation.

       Security measures will be reviewed periodically to verify
       that are still useful for the purpose for which they were collected.

       CHANGES IN THE PRIVACY POLICY


       Iuris NOW reserves the right to modify this policy to adapt it
       to future legislative or jurisprudential modifications, as well as changes that
       are made in the Iuris NOW services. Iuris NOW will announce the changes that
       occur and are essential.


       c).- About the Cookies Policy:

1.- About the use of cookies before the user gives their consent:


When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the website, it has been verified that cookies that are not technical or
necessary, with the following characteristics:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/31









Performance cookies (3): These cookies allow us to quantify the number of visits.
tas and traffic sources to be able to evaluate the performance of the site. They help us know
which pages are the most or least visited and how visitors navigate
gan for the site.


        cookies Domain Description



          _gid ***DOMAIN.1 This cookie is set by
                                                 Google Analytics. Store and access
                                                 sets a unique value for each
                                                 visited page and is used to con-
                                                 tar and track page views.



   _ga_BHX4LX8C4J ***DOMAIN.1 Google Analytics uses this
                                                 cookie to maintain state

                                                 of the session.



          _ga ***DOMAIN.1 This cookie name is associated
                                                 ciated with Google Universal Analy-
                                                 ytics, which is an im-
                                                 analysis service carrier
                                                 most used on Google. This
                                                 cookie is used to distinguish

                                                 unique users by assigning
                                                 nation of a generated number
                                                 randomly as identifier
                                                 of client. It is included in each so-
                                                 page legality on a site and
                                                 used to calculate life data

                                                 visitors, sessions and campaigns
                                                 for analysis reports
                                                 sites.



Targeting Cookies (1): These include social media cookies that are placed on sites
to track users across the web and serve them ads.


        cookies Domain Description


    _gat_gtag_UA_ ***DOMAIN.1 This cookie is part of Google
     181162822_9 Analytics and is used to limit
                                                 applications (application fee

                                                 acceleration).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/31










2.- About the cookie information banner in the first layer:

When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without performing any action on the web page, a

cookie information banner at the bottom of the main page with the
next message:

                       We welcome you to iurisnow.com


 iurisnow.com requests your consent to use your personal data with these
 goals:

 Personalized ads and content, ad and content measurement,
 information about the public and product development devices.


 Store or access information on a device

 More information 


 Your personal data will be processed and the information on your device (cookies,
 unique identifiers and other device data) may be stored,
 consulted and shared with <<external providers>> or used specifically
 through this website or application.


 Some providers may process your personal data under a
 legitimate interest, something you can object to by managing your options
 continuation. Look for a link at the bottom of this page or in our privacy policy.
 privacy to revoke consent.

 <<Manage Options>> <<Consent>>



a).- If you access the list of suppliers, a new page appears with the following
information:


 Which third-party providers can access my data?

 These third party providers may use your data to provide services:


 Exponential Interactive, Inc d/b/a VDX.tv
 ….
 Index Exchange, Inc.
 ….
 Vodafone

 …
 netfix
 …
 > 200

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/31









        <<close>>


b).- If you access the control panel, through the <<Manage Options>> option, the
The website displays a new page with the following information:

                 Data preferences. Manage your data

You can choose how your personal data is used. Suppliers request
                         so your permission to do the following:

Store or access information on a device
Cookies, device identifiers or other information may be stored or accessed.

mation on your device for the purposes presented. See details
OFF Consent

Select basic ads
Ads can be displayed based on the content being viewed, the

application being used, its approximate location or its type of device.
vo. See details
OFF Consent
Legitimate interest ON

Create a custom advertising profile


We may create a profile about you and your interests to show you personalized ads.
nalized that are relevant to you. See details
OFF Consent
Legitimate interest ON


Select personalized ads

Personalized ads may be displayed based on your profile. See details
OFF Consent


Create a profile for content customization
A profile can be created about you and your interests to show you personalized content.
finalized that was relevant to you. See details
OFF Consent
Legitimate interest ON


Select custom content

Custom content can be displayed based on your profile. See details
OFF Consent

Legitimate interest ON

Measure ad performance

You can measure the performance and effectiveness of the ads you see or deal with.

interacts. See details
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/31








OFF Consent
Legitimate interest ON


Measure content performance

You can measure the performance and effectiveness of the content you view or interact with.
you See details
OFF Consent

Legitimate interest ON

Use market research to generate information about the public

Market research can be used to obtain more information about the

audience that visits websites/applications and views ads. See details
OFF Consent
Legitimate interest ON

Develop and improve products


Your data may be used to improve existing systems and/or software, as well
as to develop new products. See details
OFF Consent
Legitimate interest ON


Ensure security, prevent fraud and debug errors

Your data may be used to monitor and prevent fraudulent activities, and to
Ensure systems and processes operate correctly and safely. See details-
lles

Technically serve ads or content
Your device may receive and send information that allows you to view and interact with
ads and content. See details

Collate and combine offline data sources


Data obtained from offline data sources can be combined with your activity
online to support one or more purposes. See details

Link different devices


You can determine which devices belong to you or your home to
one or more purposes. See details

Receive and use for identification the characteristics of the device that is
send automatically


Your device can be distinguished from other devices based on the information it contains.
sent automatically, such as the IP address or browser type. See details

Use precise geographic location data

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/31









Your precise geographic location data may be used for one or more purposes.

facts. This means that your location can be accurate to within several meters.
tros. See details
OFF Consent

                        <<Supplier preferences>>


If you access the supplier control panel, a new page appears:


                           Accept our suppliers
 Providers may use your data to offer you services. If you reject a

 provider, they will no longer be able to use the data you have shared with them.


 Exponential Interactive, Inc d/b/a VDX.tv


 Cookie duration: 90 days. Cookie duration is reset after
 each session. See details
 OFF Consent
 Legitimate Interest ON


 Roq.ad Inc.

 Cookie duration: 365 (days). Cookie duration is reset after

 of each session.

 OFF Consent

 …

 …
 …

        <<Accept All>> <<Confirm Options>>



3º.- About the information provided in the “Cookies Policy”:

There is no page or link that redirects the user to the “Cookies Policy”. The
The only existing information about cookies is that provided in the banner of the

main page when accessed for the first time and the information offered to
via control panel

4º.- About how to withdraw consent to the use of cookies after
having offered:


There is a link at the bottom of the web page <<Privacy Settings and
Cookies>> through which you can access the control panel at any
moment of web browsing.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/31









FIFTH: On 04/14/23, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the defendant, for the alleged

violations of:

       a).- Violation of article 13 of the RGPD, due to the deficiencies observed in its
       “Privacy Policy”, with an initial penalty of 2,000 euros, without prejudice to
       what results from the instruction. Likewise, it was noted that the violations
       charged, if confirmed, may lead to the imposition of measures, according to

       the aforementioned article 58.2 d) of the RGPD.

       b).- Violation of article 5.1.a) of the RGPD, due to the use of patterns
       dark sources of overloading and skipping, with a
       initial penalty of 5,000 euros, without prejudice to what results from the investigation.

       Likewise, it was warned that the alleged infractions, if confirmed, may
       lead to the imposition of measures, according to the aforementioned article 58.2 d) of the RGPD.

       c).- Violation of article 22.2 of the LSSI, due to the deficiencies detected in its
       web page regarding the “Cookies Policy”, with an initial penalty of
       5,000 euros, without prejudice to what results from the instruction


Notification of the initiation agreement was attempted in accordance with the standards set forth in
Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (LPACAP). According to State Company Certificate
Correos y Telégrafos, S.A., the letter initiating the file sent to the

address CHATWITH.IO WORLDWIDE, S.L. C/ ***ADDRESS.1, was returned to
origin by Leftover (Not withdrawn in office) on 05/03/23. Having the following
associated information, (Unit: XXXXXXXX):

    - 1st delivery attempt on 04/21/23 at 12:05, by employee 282402 ha

        result 03 “Absent”.

    - 2nd delivery attempt on 04/24/23 at 8:20 p.m., by employee 186402 ha
        result 03 “Absent”. (Notice was left in mailbox).

On 05/09/23, notification of the initiation agreement was made through an announcement in

the single Edictal Board of the Official State Gazette, in accordance with article 44 of
the LPACAP. In said announcement the claimed party is informed about the possibility of
obtain a copy of the opening agreement.

SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in

the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been
verified that no allegation has been received from the claimed party.

Article 64.2.f) of the LPACAP - provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no

allegations within the stipulated period regarding the content of the initiation agreement, when
This contains a precise statement about the imputed responsibility,
may be considered a proposal for a resolution. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/31








imputation, the infraction attributed to the person complained of and the sanction that could be imposed.
Therefore, taking into consideration that the claimed party has not formulated
allegations to the agreement to initiate the file and in accordance with what is established in the

article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the
present case proposed resolution.
In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:

                                 PROVEN FACTS.


First: The information provided in the “Privacy Policy” ***URL.2, and
In relation to the provisions of article 13 GDPR cited, the person responsible for the
processing of personal data obtained through the website does not offer
information on or at least not detailed on the following points:


    - The purposes of the processing for which the personal data are intended and the legal basis
        dica of the treatment, has ambiguous wording, or lacks the required clarity.

    - The legitimate interests of third parties to whom the
        responsible for the treatment referred to in the existing information banner.

        try on the main page, it is necessary to access the pages individually.
        different privacy policies of each of the more than 1,000 companies
        that appear in the “List of suppliers”, then the information appears.
        unclearly in the text of each provider's pop-up window.
        dor.


    - No reference is made to the intention of the person responsible to transfer personal data.
        nals to a third country or international organization outside the European Union,
        all this despite the fact that a part of the companies (suppliers) that appear
        cen in the “Supplier List”, are located outside the EU.


Second: On the use of dark overloading patterns and
skipping, in the case at hand, the dark overload pattern
loading) and hiding (skipping), is observed when accessing the “List of
suppliers”, once there, the interested party finds a list of about 130 companies.
prey (suppliers), of which, more than half have the default marked

“Accept data processing for legitimate interest” box, which requires, in the case
from wanting to show opposition to the treatment to marking one by one throughout the entire
list, without the option of being able to object by indicating it only once or a number
of times that is reasonable and does not generate fatigue in the affected person.


Third: Regarding the Cookies Policy on the website in question, cookies have been detected
the following irregularities:

    - When entering the website for the first time, without accepting cookies or performing any actions.
        tion on the page, it has been verified that non-technical cookies are used.

        unique or necessary: 3 Performance cookies: _gid; _ga_BHX4LX8C4J and _ga and
        a Targeting Cookie: _gat_gtag_UA_181162822_9



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/31








    - In the cookie control panel it has been detected that the groups of
       cookies are divided into two options, accept cookies by “Consent”
       ment” that are pre-marked in the “not accepted” option and accept the

       cookies for “Legitimate Interest” that are pre-marked in the “accept” option.
       you give". However, if all the options marked “accepted” are unchecked
       It is verified that they continue using the same cookies detected when entering
       on the web without having given consent.

    - There is no information about cookies in the second layer or link that

       Enable the user to be redirected to the “Cookie Policy” of the website. The informs-
       Information about cookies appears dispersed in each of the options of the
       control Panel.
                           FOUNDATIONS OF LAW


                                           YO.-
                                     Competence:

    - About the processing of personal data and the “Privacy Policy”:

The Director of the Spanish Agency is competent to resolve this procedure.

of Data Protection, by virtue of the powers that art 58.2 of the RGPD recognizes to
each Control Authority and, as established in arts. 47, 64.2 and 68.1 of the Law
LOPDGDD.

    - About the “Cookie Policy”:


The Director of the Spanish Agency is competent to resolve this procedure.
of Data Protection, in accordance with the provisions of art. 43.1, paragraph
second, that of the LSSI Law.
                                          II.-1

  About the processing of personal data on the website and the “Privacy Policy”

In the verification carried out on the website, ***URL.1, it is confirmed that there
Personal data can be obtained through the <<contact>> link, intended for
make queries and you can also enter personal data when doing so.
registration on the website, through the link at the top right of the page

main page <<Private area>>.

The “Privacy Policy” can be accessed through the existing links in
the forms mentioned above or through the link at the bottom
from the main page, <<Privacy Policy and Legal Notice>>.


Well, article 13 of the RGPD details the information that must be provided to the
interested party when the data is collected directly from him, establishing that:

       “1.When personal data relating to him is obtained from an interested party, the

       responsible for the treatment, at the time these are obtained,
       will provide: a) the identity and contact details of the person responsible and, where applicable,
       of your representative; b) the contact details of the protection delegate
       data, if applicable; c) the purposes of the processing for which the data are intended

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/31








       personal and the legal basis of the treatment; d) when the treatment is based
       in Article 6(1)(f), the legitimate interests of the controller or
       a third; e) the recipients or categories of recipients of the data

       personal, if applicable; f) where applicable, the intention of the person responsible to transfer
       personal data to a third country or international organization and the existence or
       absence of an adequacy decision from the Commission, or, in the case of
       transfers indicated in Articles 46 or 47 or Article 49(1),
       second paragraph, reference to adequate or appropriate guarantees and the
       means to obtain a copy of these or the fact that they have been provided.


       2.In addition to the information mentioned in section 1, the person responsible for the
       treatment will provide the interested party, at the moment in which the
       personal data, the following information necessary to guarantee a
       fair and transparent data processing: a) the period during which

       will retain personal data or, when this is not possible, the criteria
       used to determine this term; b) the existence of the right to request the
       responsible for the processing of access to personal data relating to the
       interested party, and its rectification or deletion, or the limitation of its processing, or to
       oppose the processing, as well as the right to data portability; c)
       when the processing is based on Article 6(1)(a) or the

       Article 9, paragraph 2, letter a), the existence of the right to withdraw the
       consent at any time, without affecting the legality of the
       treatment based on consent prior to its withdrawal; d) the right to
       file a claim with a supervisory authority; e) if the communication
       of personal data is a legal or contractual requirement, or a requirement

       necessary to sign a contract, and if the interested party is obliged to provide
       personal data and is informed of the possible consequences of
       not provide such data; f) the existence of automated decisions, including the
       profiling, referred to in article 22, paragraphs 1 and 4, and,
       least in such cases, significant information about the logic applied, as well

       as the importance and anticipated consequences of such treatment for the
       interested".

In the case at hand, the information provided in the “Policy of
Privacy” ***URL.1 and in relation to the provisions of article 13 GDPR cited,
notes that it does not offer information on the following points:


    - The purposes of the processing for which the personal data are intended and the basis
        legal treatment, has ambiguous wording, or lack of clarity and
        required precision.


    - The legitimate interests of third parties to whom the
        responsible for the treatment referred to in the information banner
        existing on the main page, requiring individual access to
        the different privacy policies of each of the more than 1,000
        companies that appear in the “List of suppliers”, then the

        information unclearly in the text of the pop-up window of each
        supplier.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/31








    - No reference is made to the intention of the person responsible to transfer data
       personnel to a third country or international organization outside the Union
       European Union, all this despite the fact that a part of the companies (suppliers)

       that appear in the “List of suppliers”, are located outside the EU.



                                         II.-2

                                       Sanction

The irregularities detected in the “Privacy Policy” of the website
***URL.1 may constitute a violation of article 13 RGPD.


This violation can be punished with a fine of a maximum of €20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.5.b) of the RGPD.

In this sense, article 74.a) of the LOPDGDD, on the infractions considered

mild, indicates that:

       The remaining infractions of a nature are considered minor and will be subject to a one-year statute of limitations.
       merely formal of the articles mentioned in sections 4 and 5 of the
       article 83 of Regulation (EU) 2016/679 and, in particular, the following:


       a) Failure to comply with the principle of transparency of information or the
       right to information of the affected person for not providing all the required information
       by articles 13 and 14 of Regulation (EU) 2016/679.


In accordance with the above, it is considered appropriate to impose a penalty of 2,000 euros,
(two thousand euros), for the violation of article 13 RGPD.

                                         II.-3.
                                       Measures

Once the infraction is confirmed, it is necessary to determine whether or not it is appropriate to impose

responsible for adopting appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the aforementioned article
58.2 d) of the RGPD, according to which each supervisory authority may “order the
responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, in a manner

certain manner and within a specified period….” The imposition of this
measure is compatible with the sanction consisting of an administrative fine, as established
provided in art. 83.2 of the GDPR.

The text of this agreement establishes what the infractions have been.
allegedly committed and the facts that give rise to the violation of the regulations

of data protection, from which it is clearly inferred what are the measures to be
adopt, without prejudice to the type of procedures, mechanisms or instruments
specifics to implement them corresponds to the sanctioned party, since it is the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/31








responsible for the treatment who fully knows your organization and must decide,
based on proactive responsibility and the risk approach, how to comply with the
RGPD and the LOPDGDD.


However, in this case, regardless of the above, it is appropriate to require the
responsible entity so that, within the period indicated in the operative part, it adapts
the “Privacy Policy” of your website to the current regulations, specifically to what
stipulated in article 13 of the GDPR.


Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.


                                          III.-1
 On the use of dark overloading and hiding patterns
                                       (skipping)

According to the complainant, the data controller uses the dark patterns of
overloading and skipping in user interface design

through which you configure the privacy options that are going to be applied to the
processing of the data of the visitor to the website, specifically when the
interested party expresses his opposition to data processing based on interest
legitimate interest of the person responsible and third parties, whom he calls “partners”.


The term “dark patterns” refers to the interfaces or implementations of
user experience intended to influence behavior and
people's decisions in their interaction with websites, apps and social networks,
way that they make decisions potentially detrimental to the protection of their
personal information.


According to recital (39) of the GDPR:

       All processing of personal data must be lawful and fair. For the people
       physical data must be completely clear that they are being collected, used,
       consulting or otherwise processing personal data that concerns them,

       as well as the extent to which said data is or will be processed.

       The principle of transparency requires that all information and communication
       regarding the processing of said data is easily accessible and easy to
       understand, and that simple and clear language is used. This principle refers

       in particular to the information of the interested parties about the identity of the
       responsible for the treatment and its purposes and the added information
       to ensure fair and transparent treatment of people
       affected physical bodies and their right to obtain confirmation and communication of the
       personal data that concerns them that are subject to processing, (…)”.


In this regard, article 5 RGDP includes the "Principles relating to processing" and
in section 1.a) establishes that:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/31








       Personal data will be processed in a lawful, fair and transparent manner in
       relationship with the interested party "lawfulness, loyalty and transparency."


Well, in application of the principle of loyalty established in article 5.1.a, the
Data controllers must ensure that dark patterns are not used,
at least, in relation to decisions regarding the processing of your data
personal.

The European Data Protection Board (EDPB) adopted for public consultation its

‘Guidelines on dark patterns in social media interfaces,
How to recognize and avoid them. These guidelines, like the AEPD guide,
They take article 5.1.a of the GDPR as a starting point to evaluate when a
Design pattern in a user interface corresponds to a dark pattern.


Dark patterns can be presented to the user in data processing operations.
of various kinds, such as during the registration or registration process on a social network, when starting
session or also in other scenarios such as configuring the
privacy, in cookie banners, during the process of exercising rights, in
the content of a communication reporting a personal data breach or
even when trying to unsubscribe from the platform.


According to the EDPB Guidelines, dark patterns can be classified into the
following categories:

Overloading: consists of presenting too many possibilities to the

person who has to make the decisions, which ends up generating fatigue on the
user, who ends up sharing more personal information than desired. The
The most common techniques to produce this fatigue due to overload are to show
questions repeatedly, creating privacy labyrinths and showing too many
options.


Hiding (skipping): consists of designing the interface or user experience in such a way
so that the user does not think about some aspects related to protection
of your data, or forget it.

Stirring: the users' emotions are appealed to or nudges are used

visuals in the form of effects to influence decisions.

Hindering: attempts to create obstacles so that the user cannot
easily perform certain actions. This is done through techniques such as
put privacy settings in areas that cannot be accessed, make it very

complicated to reach them or providing misleading information about the
effects of some actions.

Inconsistency (fickle): the interface has an unstable and inconsistent design that does not
allows the user to perform the actions desired.


Left in the dark: The information or configuration options of the
privacy are hidden or presented in an unclear way using language
erratic, contradictory or ambiguous information.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/31









In the case at hand, the dark pattern of overloading and
concealment (skipping), is observed when accessing the “List of

suppliers”, once there, the interested party finds a list of about 130
companies (suppliers), of which, more than half have the default marked
“Accept data processing for legitimate interest” box, which requires, in the case
from wanting to show opposition to the treatment to marking one by one throughout the entire
list, without the option of being able to object by indicating it only once or a number
of times that is reasonable and does not generate fatigue in the affected person.


Taking, for example, the provider “Amazon Advertising” we see that in its section
the following information appears:


 Cookie duration: 396 (days). Cookie duration is reset after
 of each session. Use other forms of storage.

 <<View details>> |<< Storage details>> | <<Privacy Policy>>

 Consent (OFF)


 Legitimate interest (ON)



If we display the information <<see details>>, the following information appears:

 Amazon Advertising requests the following:

 By Consent:


 Store or access information on a device
 Select basic ads
 Create a custom advertising profile
 Select personalized ads

 Measure ad performance
 Use market research to generate information about the public
 Develop and improve products

 For legitimate interest:


 Ensure security, prevent fraud and debug errors
 Technically serve ads or content

Checking that, in this particular example, legitimate interest is indicated as both

the “Ensure security, prevent fraud and debug errors” as “Serve
technically advertisements or content”, a situation that is repeated for the more than 200
suppliers that appear on the web.

Well, the situation is that there is a button to accept everything (<<Accept All>>) or
to confirm the chosen options (<<Confirm Options>>), but not to

reject everything or oppose everything, which can constitute a dark pattern of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/31








overloading All this without prejudice to the fact that the treatments marked in
the ON position of “legitimate interest” may or may not be justified on this basis of
legitimation, an issue that is not analyzed in this procedure.


                                         III.-2
                                       Sanction

The facts set out above may constitute an infringement of the
established in article 5.1.a) of the RGPD, with the scope expressed in the

Previous Fundamentals of Law.

This violation can be punished with a fine of a maximum of €20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the

of larger amounts, in accordance with article 83.5.a) of the RGPD.

In this sense, article 72.1.a) considers a “very serious” infraction for the purposes of
prescription “1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
involve a substantial violation of the articles mentioned therein and, in

In particular, the following: a) The processing of personal data that violates the
principles and guarantees established in article 5 of Regulation (EU) 2016/679”.

                                         III.-3
                               Graduation of the Sanction


The determination of the sanction that should be imposed in the present case requires
observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
respectively, they provide the following:


       "1. Each supervisory authority will ensure that the imposition of fines
       administrative sanctions under this article for violations of the
       of this Regulation indicated in sections 4, 9 and 6 are in each case
       effective, proportionate and dissuasive individual treatment.

       2. Administrative fines will be imposed, depending on the circumstances

       of each individual case, as an additional or substitute for the measures
       referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the
       imposition of an administrative fine and its amount in each individual case is
       will take due account of: a) the nature, severity and duration of the
       infringement, taking into account the nature, scope or purpose of the

       processing operation in question, as well as the number of interested parties
       affected and the level of damages they have suffered; b) the
       intentionality or negligence in the infringement; c) any measure taken by
       the person responsible or in charge of the treatment to alleviate the damages and losses
       suffered by the interested parties; d) the degree of responsibility of the person responsible or

       of the person in charge of the treatment, taking into account the technical measures or
       organizational measures that have applied under articles 25 and 32; e) all
       previous infringement committed by the controller or processor;
       f) the degree of cooperation with the supervisory authority in order to put

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/31








       remedy the infringement and mitigate the possible adverse effects of the infringement;
       g) the categories of personal data affected by the infringement;
       h) the way in which the supervisory authority became aware of the infringement, in

       particular whether the person responsible or the person in charge notified the infringement and, in that case,
       what extent; i) when the measures indicated in Article 58(2)
       have been previously ordered against the person responsible or in charge of
       that is dealt with in relation to the same matter, compliance with said
       measures; j) adherence to codes of conduct under Article 40 or
       certification mechanisms approved in accordance with article 42, and k)

       any other aggravating or mitigating factor applicable to the circumstances of the
       case, such as financial benefits obtained or losses avoided, direct
       or indirectly, through infringement.”

Within this section, the LOPDGDD contemplates in its article 76, titled

“Sanctions and corrective measures”:

       "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the
       Regulation (EU) 2016/679 will be applied taking into account the criteria of
       graduation established in section 2 of the aforementioned article.


       2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
       2016/679 may also be taken into account: a) The continuous nature of the
       infringement. b) The linking of the offender's activity with the performance of
       processing of personal data. c) The benefits obtained as
       consequence of the commission of the infraction. d) The possibility that the

       conduct of the affected party could have induced the commission of the infraction. and)
       The existence of a merger by absorption process subsequent to the commission of
       the infringement, which cannot be attributed to the absorbing entity. f) The impact
       to the rights of minors. g) Have, when it is not mandatory, a
       data protection officer. h) Submission by the person responsible

       or entrusted, on a voluntary basis, to alternative resolution mechanisms
       of conflicts, in those cases in which there are disputes between
       those and anyone interested.

       3. Adoption will be possible, complementary or alternatively, when
       appropriate, of the remaining corrective measures referred to in the article

       83.2 of Regulation (EU) 2016/679.”

In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, for the purposes of setting the amount of the fine sanction
impose on the claimed entity, in an initial assessment, they are considered concurrent in

in this case the following factors, as aggravating factors:

    - The scope or purpose of the data processing operation, as well as the information
        affected teresses, (section a).


It is also considered that the sanction to be imposed should be graduated in accordance with the
following aggravating criteria, established by article 76.2 of the LOPDGDD:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/31








    - The linking of the offender's activity with the performance of treatment
       personal data, (section b), considering that in the activity carried out
       rrolla, the personal data of its clients are involved.


Considering the factors exposed, the value reached by the fine, for the
Violation of article 5.1.a) of the RGPD, it is 5,000 euros (five thousand euros).

                                          III.-4
                                        Measures


Once the infraction is confirmed, it is necessary to determine whether or not it is appropriate to impose
responsible for adopting appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the aforementioned article
58.2 d) of the RGPD, according to which each supervisory authority may “order the

responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, in a manner
certain manner and within a specified period….” The imposition of this
measure is compatible with the sanction consisting of an administrative fine, as established
provided in art. 83.2 of the GDPR.


The text of this agreement establishes what the infractions have been.
allegedly committed and the facts that give rise to the violation of the regulations
of data protection, from which it is clearly inferred what are the measures to be
adopt, without prejudice to the type of procedures, mechanisms or instruments
specifics to implement them corresponds to the sanctioned party, since it is the

responsible for the treatment who fully knows your organization and must decide,
based on proactive responsibility and the risk approach, how to comply with the
RGPD and the LOPDGDD.

However, in this case, regardless of the above, it is appropriate to require the

responsible entity so that, within the period indicated in the operative part, it adapts
the “Privacy Policy” of your website to the current regulations, specifically to what
stipulated in article 5.1.a) of the RGPD.

Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,

classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.

                                          IV.-
                    About the Cookies Policy of the website


a).- Regarding the installation of cookies on the terminal equipment prior to consent:

Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and

data recovery and, in particular, about the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/31








Therefore, when the use of a cookie involves processing that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of

data.

However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of terminals and the network and those that provide a service
expressly requested by the user.


In this sense, the GT29, in its Opinion 4/2012, interpreted that among cookies
“User input Cookies would be excepted” (those used to
fill out forms, or manage a shopping cart); cookies
user (session) authentication or identification; user security cookies

(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.

These cookies would be excluded from the scope of application of article 22.2 of the

LSSI, and, therefore, it would not be necessary to inform or obtain consent about its
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before using any other type of cookies, both first and
third-party, session or persistent.


In the verification carried out by this Agency on the claimed website, it was possible
note that, upon entering the main page and without performing any action on the
mime or accept cookies, the following non-necessary cookies were used:

When entering the website for the first time, without accepting cookies or performing any action

on the page, it has been verified that cookies that are not technical or
necessary:

    - 3 Performance Cookies: _gid; _ga_BHX4LX8C4J and _ga
    - 1 Targeting cookie: _gat_gtag_UA_181162822_9


c).- Regarding consent to the installation of cookies on the terminal equipment:

To use non-excepted cookies, it will be necessary to obtain the
express consent of the user. This consent can be obtained
by clicking on, “accept” or inferring it from an unequivocal action carried out by the

user that denotes that consent has been unequivocally produced. By
Therefore, the mere inactivity of the user, scrolling or browsing the website, is not
will consider for these purposes a clear affirmative action under no circumstances and will not
will involve the provision of consent itself. Likewise, access to
the second layer if the information is presented in layers, as well as navigation

necessary for the user to manage their preferences in relation to cookies in
the control panel, it is not considered an active behavior that can
derive the acceptance of cookies.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/31








The existence of “Cookie Walls” is also not permitted, that is, windows
pop-ups that block content and access to the website, forcing the user to
accept the use of cookies to access the page and continue browsing without

offer the user any type of alternative that allows them to freely manage their
preferences regarding the use of cookies.

If the option is to go to a second layer or cookie control panel, the link
should take the user directly to said configuration panel. To facilitate the
selection, in the panel it can be implemented, in addition to a management system

granular cookies, two more buttons, one to accept all cookies and another to
reject them all. If the user saves his choice without having selected any
cookie, it will be understood that you have rejected all cookies. In relation to this second
possibility, in no case are pre-checked boxes in favor of accepting
cookies.


If for the configuration of cookies, the website refers to the browser configuration
installed on the terminal equipment, this option could be considered complementary
to obtain consent, but not as the only mechanism. Therefore, if the editor
opts for this option, it must also offer, and in any case, a mechanism that
allow you to reject the use of cookies and/or do so on a granular basis.


On the other hand, the withdrawal of the consent previously given by the user
It must be able to be done at any time. To this end, the editor must offer a
mechanism that makes it possible to easily withdraw consent at any time.
moment. That facility will be considered to exist, for example, when the user

have simple and permanent access to the management or configuration system of the
cookies.

If the editor's cookie management or configuration system does not allow you to avoid the
use of third-party cookies, once accepted by the user, will be provided

information about tools provided by the browser and third parties,
must warn that, if the user accepts third-party cookies and subsequently wishes
delete them, you must do so from your own browser or the system enabled by the
third parties for this.

In the case in question, it is not possible to reject all cookies at once.

To manage cookies it is necessary to access the control panel <<Manage
Options>> where the groups of cookies appear divided into purposes such as
example “Select basic ads”; “Create a personalized advertising profile” or
“Select personalized ads”


The groups are divided into two options, accept cookies by “Consent”
that are pre-marked in the “not accepted” option and accept cookies for “Interest
Legitimate” that are pre-marked in the “accepted” option.

However, if all the options marked “accepted” are unchecked, the

that continue to use the same cookies detected when entering the website without having
consent given.

d).- About the information provided in the second layer (cookie policy):

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/31









In the second layer or “cookie policy” more detailed information must be provided.
detailed information about the characteristics of cookies, including information about, the definition

tion and generic function of cookies (what are cookies); about the type of cookies
which are used and their purpose (what types of cookies are used on the website); the
identification of who uses the cookies, that is, if the information obtained by the cookies
Cookies are processed only by the editor and/or also by third parties with identification of this
last coughs; the retention period of cookies on the terminal equipment; and if it is him
case, information on data transfers to third countries and the processing

of profiles that involve automated decision making.

In the case in question, there is no information about cookies in the second
layer or link that allows the user to be redirected to the “Cookie Policy” of the website.
Information about cookies appears dispersed in each of the options

of the control panel.
                                           IV.-2
                          Classification of the offense committed

Of the deficiencies detected, regarding the cookie policy, on the website in
issue: the use of third-party cookies that are not technical or necessary; the

impossibility of rejecting third-party cookies and the lack of information in the
“cookie policy”, could be assumed by the complainant, the commission of the
violation of article 22.2 of the LSSI, as it establishes that:

       “Service providers may use storage devices and

       data recovery on recipients' terminal equipment, provided
       that they have given their consent after they have been
       provided clear and complete information on its use, in particular on
       the purposes of data processing, in accordance with the provisions of L.
       Organic 15/1999, of December 13, on the protection of personal data

       staff.

       Where technically possible and effective, the consent of the recipient
       to accept the processing of the data may be facilitated through the use of the
       appropriate settings of the browser or other applications.


       The above will not prevent possible storage or access of a technical nature
       for the sole purpose of carrying out the transmission of a communication over a network of
       electronic communications or, to the extent strictly necessary
       necessary, for the provision of an information society service
       expressly requested by the recipient.”


                                           IV.-3
                                         Sanction

This Infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which

considers as such: “Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/31








sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.


After the evidence obtained in the previous investigation phase, and without prejudice to
what results from the instruction, it is considered that it is appropriate to graduate the sanction to
impose according to the following aggravating criteria, established in art. 40 of
the LSSI: The existence of intentionality, an expression that must be interpreted as
equivalent to degree of guilt according to the Court's Judgment
National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the

reported entity the determination of a system for obtaining consent
informed that it conforms to the mandate of the LSSI.

In accordance with these criteria, it is considered appropriate to impose an initial sanction of
5,000 euros, (five thousand euros), for the violation of article 22.2 of the LSSI, regarding

of the cookie policy made on the website owned by it.

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency,


                                    RESOLVES:

FIRST: IMPOSE the entity CHATWITH.IO WORLDWIDE, S.L. with CIF
B88184239, owner of the website ***URL.1, for the violation of article 13
of the RGPD, typified in article 83.5.b) of the same Regulation, and classified as

“mild” for the purposes of prescription in article 74.a) of the LOPDGDD, a fine of
2,000 euros (two thousand euros).

SECOND: That by the Director of the Spanish Data Protection Agency,
order the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239, holder of

the web page to web ***URL.1, which within a period of one month from the
notification of this act, adopt the necessary measures to adapt its
action to the personal data protection regulations, with the scope expressed
in the Legal Basis II.-3, of this resolution. In the same period indicated, the
entity
must inform and justify compliance with the measures before this Agency

imposed.

THIRD: IMPOSE on the entity CHATWITH.IO WORLDWIDE, S.L. with CIF
B88184239, owner of the website ***URL.1, for the violation of the article
5.1.a) of the RGPD, typified in article 83.5.a) of the same Regulation, and qualified

as “very serious” for the purposes of prescription in article 72.1.a) of the LOPDGDD,
a fine of 5,000 euros (five thousand euros).

FOURTH: That by the Director of the Spanish Data Protection Agency,
order the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239, holder of

the web page to web ***URL.1, which within a period of one month from the
notification of this act, adopt the necessary measures to adapt its
action to the personal data protection regulations, with the scope expressed


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/31








in the Legal Basis III.-4, of this resolution. In the same period indicated, the
entity must report and justify compliance with the measures to this Agency.


FIFTH: IMPOSE the entity CHATWITH.IO WORLDWIDE, S.L. with CIF
B88184239, owner of the website ***URL.1, for the violation of article 22.2
of the LSSI, classified as “mild” for the purposes of prescription in article 38.4.g) of the
cited rule, a fine of 5,000 euros (five thousand euros).

SIXTH: NOTIFY this resolution to the entity CHATWITH.IO WORLDWIDE.


SEVENTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period

voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN No.: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in

the banking entity CAIXABANK, S.A..

Otherwise, it will be collected during the executive period. Received the
notification and once executive, if the date of execution is between the days
1 and 15 of each month, both inclusive, the deadline to make the voluntary payment will be

until the 20th of the following or immediately following business month, and if it is between
on the 16th and last day of each month, both inclusive, the payment period will be until the 5th
of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties. Against this
resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD,
and in accordance with the provisions of article 123 of the LPACAP, the interested parties
may optionally file an appeal for reconsideration before the Director of the
Spanish Data Protection Agency within a period of one month from the day
following the notification of this resolution or directly contentious appeal

administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the provision
fourth additional to Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-administrative, within a period of two months from the following day
to the notification of this act, as provided for in article 46.1 of the aforementioned Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/],
or through any of the other registries provided for in art. 16.4 of the aforementioned Law


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/31









39/2015, of October 1. You must also transfer the documentation to the Agency

that proves the effective filing of the contentious-administrative appeal.

If the Agency was not aware of the filing of the contentious appeal-

administrative within a period of two months from the day following notification of the
This resolution would end the precautionary suspension.



Sea Spain Martí
Director of the Spanish Data Protection Agency






















































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es