AEPD (Spain) - PS/00032/2020
AEPD (Spain) - PS/00032/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(3) e-Privacy Directive Article 22(2) LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.10.2020 |
Published: | 26.07.2021 |
Fine: | 30000 EUR |
Parties: | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL |
National Case Number/Name: | PS/00032/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined an airline €30,000 for not allowing their website's users to exercise a choice regarding cookies before placing them, as well as for not offering enough information about cookies and not allowing users to reject all cookies at once.
English Summary
Facts
A user of the website of Iberia, an airline, lodged a complaint before the Spanish DPA (AEPD) saying that they had not been given an option to reject the cookies when using the website, and that they had been obliged to accept them to keep browsing.
During the investigation, the AEPD also found that cookies were placed before obtaining consent. Additionally, they found that the information about cookies was incomplete and misleading.
Holding
The AEPD concluded that Iberia had infringed the Spanish law on cookies (LSSI), as transposed from the e-Privacy Directive. The DPA considered that the airline should had allowed users to reject cookies in the second layer at once, instead of granularly, and that it should not had installed cookies without allowing users to exercise their choice.
The airline should had also informed users about third party cookies and the storage period, as well as more clear information about the purpose of cookies.
For this, the Spanish DPA fined Iberia €30,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/24 Procedure Nº: PS / 00032/2020 938-0419 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00032/2020, instructed by the Spanish Agency for Data Protection, to the entity IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPE- RADORA UNIPERSONAL (IBERIA) with CIF: A85850394, owner of the website: *** URL.1, (hereinafter, “the claimed entity”), by virtue of the complaint filed by Dª. A.A.A., (hereinafter, “the claimant”), and based on the following, BACKGROUND FIRST: On 10/23/19, you had a written entry in this Agency, presented by the claimant, in which it stated, among others, the following: “I denounce the company Iberia since when looking for a trip it does not give me the option to reject cookies and it tells me I have to accept them to continue browsing ”. SECOND: In view of the facts presented in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD). A) Yes, dated 11/29/19, an informative request was addressed to the claimed entity. THIRD: On 01/28/20, the claimed entity sends this Agency written in which, among others, reports the following: "Prior to receiving the letter requesting information, my client had working since June 2019 on the design of the policy adaptation solution of cookies to the requirements of the General Data Protection Regulation and the New Organic Law on Data Protection and Guarantee of Digital Rights following, in addition, the guides of good practices issued by the authorities of control and very especially the one issued by the Agency last November 2019. At the time the claim was received, Iberia was carrying out final tests on the web page (*** URL.1) to put into operation the new information functionality and self-management of cookies trying to ensure the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/24 optimal compliance with the recommendations on this matter made by the Agency in the Guide that has been published in this regard since November 2019. It should be noted that since mid-January the Iberia website complies with the current regulations and with the recommendations published by the Agency. As already indicated above, at the time of receipt of the letter from the Mr. Inspector, Iberia had been working with different suppliers for months to carry out carry out the design and implementation of the ideal technical solution. Once the Guide for the use of cookies has been published by the Agency and verified the necessary adaptations in the design that had been prepared for comply with the recommendations contained therein, the operation of the new cookie banner with your configurator. Despite having had the Christmas and New Years holidays in the middle, thanks to the efforts made the new information and cookie configuration tool on the web Iberia has been in operation since the middle of this month of January 2020. Currently, a banner is implemented that, in addition to informing about the responsibility for the use of cookies on the page, which corresponds to Iberia, allows configure the types of cookies found on the web, or accept all of them. The web cookies are always activated and are configurable, being a exception to this configuration those cookies of a technical nature that are used for the performance of the web and that allow the user a correct visualization of the herself. In addition, as seen on the website itself, no cookie is loaded, Except for the technical ones, without the user having accepted all the cookies or he has opposed those that he himself deems appropriate ”. FOURTH: On 01/31/20 and 02/06/20, in the course of the investigation carried out by the General Subdirectorate of Data Inspection of this Agency, accessed by Internet to the URL: *** URL.1, verifying that: Cookies are loaded in the browser when accessing the web page in question: (DoubleClick, Google, and among those of Iberia, Google analytics: _ga, _gid). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/24 The first layer cookie notice has the following content: “Iberia L.A.E informs you that it stores cookies on your device to guarantee the proper functioning and security of our websites, and offer you the best browsing experience possible. Click Accept Cookies if you agree to the use of these cookies, or change the settings whenever you want in Settings cookies. For more information, read the Iberia Cookies Policy ”. In the same banner there is the option to "Accept cookies" and a link to the page of "Cookie Settings". a) .- If the "Cookies Policy" is accessed, information is offered on: - How and what are cookies used for. - What are cookies. - The types of cookies on the web and their purposes. - How to manage cookies. - To which recipients the data will be communicated. - Policy updates. - Cookies used. b) .- If you access the "Cookies Configuration" through the link in the first layer, information is provided in sections: "User Privacy" section. It is reported that they can store or retrieve browser information, mainly in the form of cookies. This information it can be about the user, their preferences or their device and is mainly used to make the site work as expected. Information is generally not identifies directly, but can give you a more web experience personalized. You can accept or reject the use of cookies for each category by moving the selector that you will find at the end of each of the lines of down. Every time you are offered to accept or reject the use of certain cookies. If you click on "More Information" below, which leads to the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/24 "Cookie policy", verifying that a series of cookies are installed without have formally accepted them. Section "Technical Cookies". It is reported that they are necessary for the website works and cannot be disabled (they are not configurable). "Performance Cookies" section. It is reported that they allow counting visits and traffic sources in order to evaluate the performance of our site and improve it. It allows deactivating them by clicking on the blue switch located in the corner Upper right. Section "Targeted Cookies" (for targeted advertising). It is reported that they may be established through the site by advertising partners. They can be used by those companies to create a profile of their interests and show relevant ads. It allows deactivate them by clicking on the blue switch located in the upper corner right. Section "Functionality Cookies". They are reported to allow the site to offer a better functionality and customization. They can be established by the holder of the page or by third parties whose services they have added to the page. Indicates that if these cookies are not allowed, some of your services will not work correctly. FIFTH: In view of the facts denounced, the documentation provided by the parties and in accordance with the evidence available, the Data Inspection of this Spanish Data Protection Agency considered that the performance of the The claimed entity did not meet the conditions imposed by the regulations in force, therefore that the opening of a sanctioning procedure proceeds. Thus, on 06/01/20, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the claimed entity, by virtue of the established powers, for failing to comply with the provisions of article 22.2) of the LSSI, sanctioning nable in accordance with the provisions of art. 39.1.c) and 40) of the aforementioned Law, regarding its Cookies Policy, imposing an initial penalty of 30,000 euros, arguing that: a) .- When accessing the page *** URL.1, in the first layer, the banner about cookies, provides information that is not very concise, transparent or intelligible, using the expression “(…) Stores cookies on your device to ensure proper functioning and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/24 security of our websites, and offer you the best possible browsing experience. ble (…) ”, since they induce confusion, distorting the clarity of the message, (point 3.1.2.1 of the guide). b) .- In the first layer, it is indicated that to "Accept" all cookies must be done click on “accept”, or if you want to change the cookie settings you must do- Click on "Cookie settings", but it is not reported that when you access the page, without having performed any other action, cookies are loaded without having them accepted. Nor is it reported whether the cookies are own or third-party, nor is it reported information on the type of data to be collected in the event of profiling (behavioral advertising cookies). If the “accept” button or the button is not pressed ton of "cookie settings", it is not allowed to continue browsing, so it is not gives the user the option to reject the use of cookies (eg 2, from point 3.1.2.2. guide). c) .- Entering the second layer, through the link, "cookie settings" or the "Cookies policy" page, it allows the configuration of cookies in a granular way. But third-party cookies are not identified and the period of con- cookies in the browser (except for those used to balance brar the load on the website infrastructure). SEVENTH: Notified the initiation agreement, the claimed entity, by writing of dated 06/15/20, made, in summary, the following allegations: "The facts on which the sanctioning procedure is initiated are not the same due to those who sent the request in file E / 11207/2019. In the previous requirement indicated, we were given a transfer of a claim and we were required information in relation to our cookie policy on the website www.ibe- ria.com, and the use made of said cookies, as well as not including sion of an option of opposition to the processing of personal data that is carried out by through them. In response to said request, sent to the Agency on January 28, since the change and implementation of the new functionality and the banner infor- mative and self-configuring. It is clear and confirmed, in view of the terms of the communication letter of the mentioned sanctioning procedure, that the information provided by IBERIA was correct and true and that everything that was said on January 28 was true. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/24 Instead of parsing the terms of the functionality configuration tool, information and self-management banner and, where appropriate, submit a new request In order to request clarifications or modifications to the design of the same, the Agency has erroneously proceeded to initiate a sanctioning procedure when the facts that motivate the request sent at the end of November in the file E / 11207/2019 are significantly different from those that serve as the basis for this new dossier, which focuses on very specific aspects of the new functionality put into operation in January of this year without erasing the fact that di- cha functionality, in general terms, complies with the provisions of article 22 LSSI whose violation is invoked in the legal bases of the file initiated. Regarding each of the items indicated in the communication at the beginning of the experiment, sanctioning tooth: a) Regarding the First Layer: a.1.) When accessing the initial page and without having done- After no action, it is verified that non-necessary cookies such as the ana- Google policies: _ga, _gid), without any warning of said installation. The aforementioned cookies that are loaded when accessing the iberia website (“Tag Mana- gers ”) because they are necessary to manage the relationship between Iberia and travel and plane ticket metasearch engines (eg: *** URL.2). Thanks to these cookies (which do not store information about the IP from which you browse, but rather determine They only mine if the origin of the session is in any of the websites of said meta- search engines) the reference (“referal”) is obtained that allows to know if a session that nally ends up in purchase had its origin in a metasearch engine, so that it It allows both the metasearch engine and Iberia to carry out the correct billing between them lative to the generation of business / online sales. Tag Managers work in a similar way for what are called affair networks. liaison, which is also in charge of bringing qualified traffic to the Iberia website and has They use the same Cost Per Acquisition (CPA) mode as metasearch engines. If these cookies were inactive from the first moment, the information would be lost. relational relationship and it would not be possible to manage and maintain the relationship between Iberia and the metasearch engines / affiliate networks. However, although they are active from the beginning At the moment they do not send information of any kind until the user gives their feeling. The existence of this type of cookies and the exchange of this type of information Training is included in our privacy policy in the third party section. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/24 Therefore, the relevant data for these purposes are: To fulfill its mission it is It is necessary that the aforementioned cookies are active from the moment you access the web for the correct treatment and identification of the session (not of the team from where you navigate); and - These cookies do not contain personal data. Cookies can be rejected, and only send information when it is they consent. This information would have been provided if instead of initiating procedures The sanctioner would have sent an informative request. a.2.) "The banner about cookies that is displayed, when accessing the page, provides information that is not very concise or intelligible. By using expressions such as “(…) offer you the best possible browsing experience (…) ”lead to confusion…” In addition to the fact that the assertion is totally subjective and evaluative, the truth is that the phrase used as example is the only phrase in all texts of the functionality that could be the subject of that assessment. In any case, the structure and language of the all of the self-management functionality is descriptive and intuitive enough to that from an objective point of view the exact opposite is interpreted: that it is sufficiently clear and informative. In any case, the indicated phrase has already been modified, and if instead of having received a communication of the initiation procedure sanction if a request for information or modification had been received from the text the same result would have been obtained. a.3.) It does not inform that the installed cookies are its own and that of third parties (point 3.1.2.2. c) of the guide), informing only that, “Iberia LAE informs you that it stores cookies on your device (…) ”, checking that they install both their own and from third parties even without taking any action. On the last point of the statement, a due answer has already been given in the section a.1.) above. Although it is true that the first layer of information did not specify the existence of both Iberia's own and third-party cookies (a circumstance that has already been specified in the text, just as if a request had been received instead of an initial procedure of sanctioning procedure), it is no less true that this information since was evident and notorious with the texts of the second layer, as for example in the case of "Targeted Cookies", which are described as "These cookies can be this- established through our site by our advertising partners. It can be used- given by those companies to create a profile of your interests and show you advertisements on other places…" C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/24 With all due respect, the Agency must not forget that the guides are indicative, not regulations, and that although they are useful for the administered, they are not the only co means to comply with the true regulation that they intend to put into practice. a.3). "It is indicated that to accept all cookies you must click" accept ", or well if you want to change the cookie settings you must click on "settings- creation of cookies ”, but if you do not press the“ accept ”button or the“ configuration cookies ", the user is not allowed to continue browsing ..." Once again, at this point the guide is confirmed not only as a possible form or pro- in order to comply with the regulations, but as one that does not necessarily respects the most common criterion or shared by the majority of European organizations worst regulators. It is not allowed to continue browsing because that is precisely the recommendation from the European Data Protection Board (EDPB) published on last May (it is true, after the date of issuance of the communication) initiation of the sanctioning file which is from March). In any case, the configuration as it was established on January 31, 2020 makes precisely use of example 2 section 3.1.2.2 of the guide, which includes only an acceptance button and later the possibility of configuring cookies so that the user can accept or reject them as they consider, or even reject- all with one click. “To facilitate the selection, two buttons can be implemented on the panel, one for accept all cookies and another to reject them all, this option being recommended The higher the different number of cookies used, the greater the variable. If you use the modality of "continue browsing" as a way of obtaining consent, you must- A button will be included in the panel to reject all cookies, in order to respect the I want it to be as easy to withdraw consent as it is to give it. " The Iberia website has had a configuration panel since January 2020 of cookies for acceptance and / or rejection. In addition, it is not allowed to continue browsing if there has been no acceptance of the configuration, complete or customized by the client, or complete rejection of all cookies. It is impossible to "continue browsing" without further ado, for- It is not a valid option as indicated in the EDPB guide (page 21). To pe- All in all, the text has been modified to give it a little more clarity. One time moreover, it does not seem that this reason serves to initiate a sanctioning proceeding instead having given rise to a request for information or modification. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/24 b) Regarding the Second layer (cookie settings) "Accessing through the link, "cookie settings", it is allowed to accept or reject the use of certain mined categories of cookies such as: performance cookies, targeted cookies and functionality cookies. Once the preferences on cookies, the page allows you to continue browsing, and it is only then, when You can access the "Cookies Policy" through the link located at the bottom of the website." It is true that, for technical reasons, in some browsers the policy ca cookies could not be accessed without previously accepting, configuring or rejecting the cookies. However, this problem has been solved / will be solved in the pr- next update scheduled for the end of this month of June. Again, this cir- This situation could also have been solved if instead of initiating a procedure sanctioning action, the Agency would have issued a request for information or identification of the Iberia website. c) Regarding the Second layer, when accessing the page where information is provided on the Cookies policy, it is verified that it gives information about: what are cookies; types of cookies on the IBERIA website and its purposes; how to manage cookies; to what recipients will communicate your data; Policy updates and cookies using zadas on iberia.com. Effectively, that's right. But it is equally true that the greatest Some of the same information is contained in the texts of the functionality of Self-management of cookies that precedes the text of the Cookies Policy itself. cho. c.2.) About the cookies used in iberia.com the own cookies that are installed, but not those of third parties, nor the time they remain active on the computer terminal, (with the exception of those used to balance the load in the infrastructure of the website, which expire at the end of the session) As already indicated, the information on the existence of both own and third-party cookies it was already enough- detailed in the information made available to the user in the second layer of the self-management functionality. Users have been deprived of information or nor have they been misled in relation to the existence of third-party cookies. Lack of materiality for the initiation of a sanctioning file We understand, therefore, that in light of the explanations provided, of the small modifications carried out in the texts of the functionality and corrections techniques committed / carried out, depending on the case of each of the items in those that are intended to substantiate the initiation of the disciplinary proceedings have been shown, on the one hand, that there is no such foundation and that the legal purpose and good co protected by art. 22 LSSI has not been violated. In our opinion, it is not appropriate to enforcement of disciplinary proceedings against Iberia and should proceed to its ar- Billy Goat. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/24 We request from the Inspector in charge of this File that he has received this written together with the documentation that accompanies it, admits it and by virtue of it has for having made the allegations contained therein, it deems them and by virtue of it proceed to the archive of the disciplinary proceedings initiated against Iberia ”. EIGHTH: On 06/24/20, the test practice period began, agreeing- be: a) .- to consider reproduced for evidentiary purposes the complaint filed by the advertiser and its documentation, the documents obtained and generated that form part of file E / 11207/2019 and b) .- consider reproduced for evidentiary purposes, the allegations to the agreement to initiate PS / 00032/2020, presented by the entity- announced. NINTH: On 07/24/20, the claimed entity is notified of the proposed reorganization solution in which it is proposed that, by the Director of the Spanish Protection Agency tion of Data, the claimed entity, owner of the web page, is sanctioned: *** URL.1, for infringement of article 22.2 of the LSSI, with a fine of 30,000 euros. TENTH: After notification of the proposed resolution, dated 08/07/20, the in- The claimed entity presents a brief of allegations, in which, among others, it indicates: “The reasons for this sanctioning procedure are not related to the fact that It is stated in the complaint that it supposedly originates it and that it was corrected since January 2020. The reasons for the alleged infringement alleged in this investigation phase have reduced to two and yet the same proposal for a resolution is maintained. tion and the amount of the fine. The sanction proposal is not properly founded mentioned and is inconsistent with the instruction practiced. The dis- put in articles 39bis and 40 LSSI neither by the Agency nor by Mr. Instructor Of all the points that were indicated in the communication of initiation of this file sanctioner, following the allegations presented by IBERIA on June 15 and the new verifications that the instructor would have carried out on July 22 of 2020, the proposed sanctioning resolution has been limited in its foundations ment, exclusively, to two unique alleged breaches with respect to each one of which we briefly advance our: First, we transcribe section “b)” on page 15 of the communication from proposed resolution: “b.- Regarding the information provided on the policy of cookies, the banner now provides concise and intelligible information, having modified After the message that was used, as of 01/31/20, “(…) stores cookies on your dis- positive to ensure the proper functioning and security of our websites, and offer you the best possible browsing experience (…) ”, for the message used, as of 07/20/20: “(…) We use analytical, personalization and advertising cookies (own and third parties) to make profiles based on browsing habits and show bring you useful content (…) ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/24 In this layer, it is indicated that to "Accept" all cookies you must click on "Accept" and thus makes it possible to continue browsing. But, if the user wants to reject all cookies must access the "cookie settings" page and choose the option de, << reject all cookies >>, allowing only, from then on, to follow na- browsing the different pages of the web. It continues, therefore, without adjusting to the commended in example 2, of point 3.1.2.2. of the AEPD cookie guide. " However, as we will explain later in these allegations, the tool acceptance, rejection and / or configuration of cookies according to their typology that Iberia established during the month of January 2020 it fulfilled in this regard already by then with art. 22.2 LSSI and with the criteria of the European Data Protection Board (EDPB), which the Spanish Agency itself has endorsed in the latest update. tion of its Interpretive Guide published this past July. - Second, we transcribe the resolution proposal on page 16. C: “c.- Regarding the configuration of cookies, it is verified that the configuration of tion of cookies in a granular way or the rejection of all cookies in a single time, in the second layer, but, although there is information about own cookies and from third parties, there is not enough information about the time they remain active on the terminal equipment. " As we will explain later and following the fully collaborative spirit of IBERIA with the Agency, as of the date of presentation of this brief of allegations, has been incorporated into the cookie management tool by the interested parties, through the information provided in the Iberia Cookies Policy, information detailed information on the time of active permanence of each of the cookies in the Web. We must focus on three fundamental ideas: - The complaint of the claimant that his- it actually gives rise to this sanctioning procedure, it deals with a very concrete (“I denounce the Iberia company since when looking for a trip it does not give me the option to reject cookies and it tells me that I have to accept them to continue browsing ”). - The cookie management tools implemented by Iberia on its website since January 2020, as was previously reported to this Agency, they correct for complete the denounced fact since they give the option to accept all cookies or al- alternatively to configure them according to their typology; and in this second step, in addition, the option is provided either of rejecting them all, or of saving the personal configuration finalized for each type of cookie as indicated by the in- teresado. Choose between any of these three options (accept all cookies, re- select them all, or customize their configuration) is necessary to be able to follow na- browsing on the Iberia website. Therefore, from the first requirement, the following was corrected situation raised by the complainant, complying not only with art. 22.2 LSSI but C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/24 also with the criteria of the European Data Protection Board (EDPB), that the Spanish Agency has endorsed in the latest update of its Interpretive Guide published this past July. - Apart from what is indicated in section b) of the sanctioning -although Mr. Instructor completely errs in his assertion as I have- explained above and later we will prove- none of the irregularities indicated by the Agency later, in the communication of initiation of proceedings. sanctioner and throughout his instruction until now has nothing to do with with the fact that appears in the complaint that originates this procedure. In another vein and independently of the above, the instructor himself acknowledged ce the effort made by IBERIA to comply with all the indicated indications by the Agency to comply with art. 22.2 LSSI in light of the successive updates zations of the Agency's Interpretive Guide on cookies. Despite having been drastically reduced in number and importance, the certain aspects contrary to the regulations revealed by the Agency and the recognition of the willingness shown by IBERIA to collaborate and correct all those aspects that - in the opinion of the Agency - required it, the sanction finally proposed by the Instructor is exactly the same as at the beginning of the procedure, which is to say that for the Agency both one thing and the other have been totally irrelevant for the purpose of assessing the infraction and setting the amount of the sanction that it was to carry. Clearly, the proposal raised by Mr. Instructor in this case is contrary to law, and especially contrary to what the The Law of Services of the Information Society (LSSI) establishes in the matter of information fractions and penalties: - The instructor proposes a penalty of 30,000 euros, which is the maximum amount maximum contemplated at the beginning of the file. - However, the only two points have two finally into account would constitute in the worst case, for the purposes of the article 38.4.g) LSSI, a single minor offense (however, in the defenselessness of IBERIA, the motion for a resolution says nothing at all in this regard). - Article 39.1.c) LSSI provides that minor offenses are punishable by a fine of "up to 30,000 euros ”. - The instructor has not applied any type of reduction in the amount of the penalty for placed despite the fact that Iberia has met all the criteria of article 40 LSSI: i) has not had intentionality in the facts (on the contrary, has observed will to comply before and after receiving even the first communication at the end of 2019); ii) the alleged infractions would have been committed during only a few weeks; iii) does not record in his record any type of recidivism in matters of cookies (this is the first incident recorded); iv) neither the nature of the za or the damages caused to the interested parties with their activity / alleged non-compliance I lie - because in reality there have been no such damages-; v) none have been obtained C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/24 some type of benefit for the infringement; and vi) the business volume corresponding to the alleged offense committed is zero. - Finally, both the Agency and the instructor respectively, considering that we are in any case - before and after the motion for a resolution issued- before the alleged commission of a SLIGHT infraction, they have not complied with the provided in article 39.bis LSSI (“Moderation of sanctions”), sections .1 (apply the amount of the sanction from the scale of the preceding class of offenses) or .2 (no even initiate sanctioning procedure and replace it with a warning with ac- tions to be fulfilled within a certain term), despite the fact that: i) IBERIA complies with all two the requirements of art. 40 ("Graduation of sanctions") mentioned above, to the application of said article 39bis; and ii) IBERIA has diligently regularized, one by one, all the alleged deficiencies reported by the Agency (without prejudice of what will be said later in this writing regarding the lack of information on on the time of active permanence of cookies and on what conditions are allowed whether or not to continue browsing the Iberia website); Therefore, as a starting point for these allegations, we understand that: - The proposal sanction is not properly substantiated, since it does not indicate what type of infringement has been committed according to the corresponding legal precept, nor does it enter evaluate the graduation criteria of the applicable sanction but is limited to applying it in its maximum degree; - In line with the foregoing, the sanction proposal is inconsistent- you with the allegations, inquiries and proven facts in the investigation phase, as well as against the own acts of the Agency and Mr. Instructor; - The proposal of The sanction goes against the provisions of the LSSI itself with regard to the mation of the amount of the proposed sanction, in view of the instruction carried out; Y - As we have maintained from the outset, the initial sanctioning procedure cted in itself goes against the provisions of art. 39.bis.2 and -except that in this specific case in the spirit of the Agency, the collection spirit prevails through sanctioning powers - should never have been initiated since: i) the only alleged non-compliance alleged in the instruction that really corresponds to the complaint that would have originated it in no case is such a breach since since January 2020 a user is not obliged to accept cookies to be able to se- continue browsing, but has to choose between accepting them all, rejecting them all, or figure them according to their typology at your convenience; and ii) since all other assumptions are manifestly different breaches and, in the best of cases, accessories to the main default and never susceptible as a whole to a higher rating Beyond a minor violation of the LSSI, a request for correction would have been more sufficient to obtain the correction of the alleged situation contrary to the LSSI but, in the best of cases, to the criteria of the Interpretative Guide on the use of cookies promulgated by the Agency, which on the other hand has been recent- subject to updating by the Agency itself. The cookie management tool existing on the Iberia website since January 2020 complies with art. 22.2 LSSI and with the criteria of the European Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/24 Board (EDPB), which the Spanish Agency itself has endorsed in the latest update. tion of its Interpretive Guide published this past July Indeed, when accessing *** URL.1 for the first time, the following message was obtained: The browser allowed (and allows) to scroll up and down but does not allow clicking so- Open any action button or navigate within the page. To this day the only difference is that this sandwich now comes out at the bottom of the screen: In this way, the user can find out about the cookie policy, and either accept all of them or proceed to customize your settings, in which case you get the following screen: That is: - With just one click the interested party can accept all cookies, - With just two clicks can reject them all; - Customizing them would take one to three more clicks only. The foregoing is fully consistent with what is recommended in the “Guide on the use of cookies ”published by the Agency itself, in its recent update. of July 2020, which on pages 20 and 21 indicates the following: … Another valid example of a first layer, with the same type of cookies, would be the following: tea: As in the previous example, if the “Accept” button is not pressed, the user is not auto- curing the use of cookies (therefore, the use of cookies is not legitimized if the user Rio does not press the button to accept cookies). It will be necessary for the user to perform an action that can be qualified as a clear affirmative action for consent to be considered validly granted. Obtaining consent through user behavior other than a acceptance button, but consisting of a clear affirmative action, will be admissible provided that the conditions in which the behavior occurs offer sufficient certainty that informed and unequivocal consent is given and that it can be proven that such conduct has been carried out. In any case, the mere fact of staying alive scrolling, scrolling or browsing the website will not be considered a clear affirmative action under any circumstances. It will be necessary that the information of the first layer is completed with a system or configuration panel in which the user can choose whether or not to accept cookies in granular form, or a link that leads to said system or panel. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/24 The user can also be given a third option, consisting of including two buttons. nes, to accept or configure / reject cookies: A paragraph later, the guide says verbatim (shading is added by no- sotros): The link or button to manage preferences must take the user directly- the configuration panel, without having to scroll through large amounts of text messages looking for the information, which must remain accessible in a permanent. The panel can be integrated into the second informational layer. To facilitate the selection, two buttons can be implemented on the panel, one for accept all cookies and another to reject them all, this option being recommended The higher the different number of cookies used, the greater the variable. If you use the second or third example as a way of obtaining consent, must include- There is a button on the panel to reject all cookies, to respect the requirement of that it is as easy to withdraw consent as it is to give it. The configuration of the first layer implanted by Iberia since January 2020 continues the "Example number 3" indicated in the Guide: allows you to choose between "accept all cookies "or" configure "them to the user's taste; and the button "configuration Cookies ”leads directly to what the Guide refers to as the“ configuration panel ”. And finally, in addition, in said configuration panel a button is clearly visible to "Reject all" - once again complying with what is recommended in the guide - and another to "Confirm my preferences" once the user has established them. Therefore, the fact denounced by “the claimant” originally remained complete. completely corrected with the implantations carried out in January 2020 and THERE IS NO IN- COMPLIANCE with art. 22.2 LSSI in this sense by IBERIA, since the implemented cookie management tool then strictly complies with the requirements recommendations issued in its Guide updated by the Agency itself, which must obviously extended retroactively to last January. As has been said, with the only exception related to being able to view the Iberia cookies in compliance with the duty of information required by both art. 22.2 LSSI such as the NLOPD and GDPR, by reference, the user must necessarily choose between any of the three options made available to you (accept all cookies, reject them all, or configure them) in order to continue browsing the web. This ensures - in accordance with the most recent recommendations of the project pia Spanish Data Protection Agency- the requirement that the client provide a duly informed and unconditional consent, having therefore sub- healed since January 2020 the reason for the complaint by “the claimant” (as as this has been defined in the motion for a resolution). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/24 As of the date of presentation of this brief of allegations, it has already been incorporated into the cookie management tool, through the information provided in the Policy of Iberia Cookies, detailed information on the time of active permanence of each of the cookies on the Iberia website In the first place we must insist once again that the lack of information on the time of active permanence of cookies was not the subject of the complaint that originated this sanctioning procedure. In any case, we are pleased to inform the Agency that at the time of presentation- tion of this brief of allegations has been incorporated into the information policy on About the cookies on the iberia.com website, in section “6. Cookies used in ibe- ria.com ”, a detailed breakdown of the different subgroups of cookies and the time of active permanence of each one of them in the user's computer: BY WAY OF CONCLUSIONS: - It has been verified according to the indications contained in the Second Allegation of this writing that since January 2020 that the way in which they are offered of the month of January 2020 to the user of the web www.iberia.com the different cookie configuration possibilities (in accept all mode, reject zar all, or confirm custom settings) conforms to the criteria most recent published by the Agency. - The reason for the complaint of the claimant that causes the initiation of this experience sanctioning tooth (we rewrite it: “I denounce the Iberia company and that when looking for a trip it does not give me the option to reject cookies and tells me I have to accept them to continue browsing ") had already been dili- people remedied by IBERIA. - All other considerations and alleged breaches of the indications of the Agency Guide as a whole were not covered in the complaint. presented by “the claimant” and they were not contemplated in the complaint issued by the Agency at the end of 2019, and those that do not constitute would have as a whole and in the worst case more than a SINGLE INFRACTION- LEVE TION of the LSSI regulations. - Meeting the requirements established in art. 39bis.2 LSSI (constituent facts minor infringement guidelines and the existence of a clean historical record by C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/24 IBERIA regarding cookies and LSSI offenses) diligent action by part of the Agency would have consisted in issuing a warning, rather than initiate sanctioning procedure, in similar terms and grant a period of correction to the warn proceeded Having accredited, the mino of article 39bis.2 LSSI. - Having raised this same allegation in the brief presented at the ment in which the Agency communicated the initiation of the sanctioning procedure, the The Agency has not been able to provide a reasoned answer to why it started the procedure. sanctioning instead of opting for this other route, just as effective and much less burdensome for my represented. - It has been accredited in the instruction phase that each and every one of the su- posts breaches of the recommendations of the Cookie Guide of the Agency had already been corrected by IBERIA before even having issued the sanction proposal, except for the display of information about the period of active permanence of cookies that required a greater technical and analytical effort and that, in light of the circumstances We have been suffering since last March due to the pandemic mia COVID19 and the state of alarm decreed and finalized in the month of June It has not been possible to correct with more advance, although today the website of IBERIA also complies with the Agency's Cookie Guide. For all the above, WE REQUEST: - Declare ex officio the NULLITY of the disciplinary proceedings initiated for being based on a previous requirement of the Agency to IBERIA that has would have been attended to in a timely manner, having corrected the reason for the complaint on which said requirement was based. - Failing that, declare ex officio the NULLITY of the sanctioning file initiated due to non-compliance with the provisions of article 39.bis.2 in relation to the rest of the alleged breaches cited in the initiation communication of said sanctioning file - Failing that, proceed to file said file without imposing a penalty. responsibility of IBERIA for: i) it has been proven that the reason for the complaint that gives rise to the sanctioning procedure had already been corrected prior to its start; and ii) the rest of the alleged breaches by parties of IBERIA, totally unrelated to the aforementioned complaint, would have also already been C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/24 paid by IBERIA, without there being, therefore, a reason for such experience. tooth. PROVEN FACTS 1.- On 10/23/19, the claimant denounces that, on the web *** URL.1, “if you like continue browsing the cookie policy must be accepted by not giving no option to reject them ”, therefore, on 11/29/19, said announces to the claimed entity, indicating in the letter that, “In the IBE web portal- RIA does not provide the option to object or not consent to the treatment. to personal data made by means of "cookies", these being installed from the moment moment that the visit to the home page occurs ”and requiring the company to enter form of the decision taken regarding the claim; the measures taken to avoid similar incidents, implementation dates and the consequences trolls performed to check their effectiveness. 2.- On 01/28/20, the claimed entity, in response to the request of this Agency, acknowledges that, “it had been working since June 2019 on the design of the solution to adapt the cookie policy to the requirements of the RGPD and the LO- PDGDD; and that since mid-January the Iberia website complied with the norm valid policy and with the recommendations published by the Agency, (guide on cookies, published in November 2019) ”. 3.- However, on 01/31/20 and 02/06/20, in the course of the actual investigation by the Subdirectorate General for Data Inspection of this Agency, it is proved that the first layer cookie banner provided information not very concise, not very transparent and intelligible, contrary to what is recommended in point 3.1.2.1 of the AEPD guide. Furthermore, if the “accept” button or the button was not pressed ton of "cookie settings", it was not allowed to continue browsing, so it was not gives the user the option to reject the use of cookies, as recommended in the Example 2, from point 3.1.2.2. of the AEPD guide. On the other hand, if the second layer was entered, through the link, "configuration of cookies ”or on the“ cookie policy ”page, the configuration of the cookies in a granular way but the rejection of all cookies was not allowed at the time. In this second layer, third-party cookies were not identified, nor were they Maba of the period of conservation of cookies in the user's browser, (ex- of those used to balance the load on the website infrastructure), such as and as recommended in point 3.1.1 of the guide published by the AEPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/24 3.- However, after initiating the sanctioning file PS / 0032/2020 for the facts indicated above, dated 07/22/20, it has been verified, by the General Subdirectorate of Data Inspection of this Agency that, the policy on website cookies *** URL.1, is the following: 3.1.- In the first layer (initial page) a banner about cookies appears, in the part central page, with the legend: "Cookies are important to you, they influence your browsing experience. Uses- We use analytical, personalization and advertising cookies (own and third-party) to make profiles based on browsing habits and show you useful content. You can accept this type of cookies by pressing the "Accept" button or configure them or reject their use in Cookie Settings ”. For more information, << read Iberia's Cookies Policy >> << Accept all cookies >> 3.2.- If you access the "cookie settings" page, through the link corresponding, a new page is displayed with different sections: - 3.2.1.- "User Privacy" section. It is reported: “Because we respect your privacy, you can accept or reject our use of cookies for each category of cookies by moving the selector that you will find at the end of each of the lines below. Every time you are offered to accept or reject the use of certain categories of cookies, we will provide you with the information essential you need to know to make your choice. However, if you block some types of cookies, your experience of using the web may be affected and also the services we can offer you. For more information on the management of cookies carried out by Iberia, access our policy. More information". If you click on "More Information", the website redirects to "cookie policy". In the bottom of the section there are two options: << Confirm my preferences >> << Reject them all >> C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/24 - 3.2.2.- Section "Technical and Necessary Cookies". They are reported to be active you always go and that: “These cookies are necessary for the website to function and cannot be deactivated. var in our systems. They are configured in response to your actions taken by bid services, such as setting your privacy preferences, logging in, or compiling fill out forms. You can configure your browser to block or alert about these cookies, but some areas of the site will not work. These cookies do not store any guna personally identifiable information ”. At the bottom there are two options: << Confirm my preferences >> << Reject them all >> - 3.2.3.- Section "Performance Cookies". It is reported that they allow counting visits and traffic sources to be able to evaluate the performance of our site and improve it. It allows deactivating them by clicking on the blue switch located in the upper corner. upper right. At the bottom of the section there are two options: << Confirm my preferences >> << Reject them all >> - 3.2.4.- Section "Targeted Cookies" (for targeted advertising). It is reported that can be set through the site by advertising partners. They may be used by those companies to create a profile of their interests and show relevant ads. It allows deactivating them by clicking on the blue switch located in the upper corner. upper right. At the bottom of the section there are two options: << Confirm my preferences >> << Reject them all >> - 3.2.5.-Section "Functionality Cookies". It is reported that they allow the si- tio offer better functionality and customization. They can be established by the owner of the page or by third parties whose services have been added to the page. It is indicated that if these cookies are not allowed, some of their services cios will not work properly. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 21/24 It allows deactivating them by clicking on the blue switch located in the upper corner. upper right. At the bottom of the section there are two options: << Confirm my preferences >> << Reject them all >> 3.3.- If the "Cookies Policy" is accessed, through the corresponding link, there is a tente on the home page or through the link (more information), existing on the page gina of "cookie settings", the web redirects to a new page where it offers- ce information on: - How and what are cookies used for. - What are cookies. - The types of cookies on the web and their purposes. - To which recipients the data will be communicated. - Policy updates. - Cookies used. - In the option “how to manage cookies” the following information is provided mation: You can allow, block or delete the cookies installed on your computer by using the configuration of your Internet browser options. In case it does not allow After the installation of cookies in your browser, you may not be able to access al- some of the services and that your experience on our website may be less knowledgeable. satisfactory. How do I refuse or do not give my consent for the use of cookies? You can refuse to accept cookies by modifying your browser settings from In- ternet (for example, Internet Explorer, Chrome, or Firefox). Please note that if not allows the use of cookies in some areas of our website, it is possible that the content is not accessible or does not work properly. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 22/24 In the following links you have at your disposal all the information to configure or disable your cookies in each browser (…): Finally, and in case you have any problem related to the use of the cookies on this Website, or you want to exercise your rights of access, rectification, su- pressure, limitation, opposition and portability you can contact us through the following you email address *** EMAIL. 1. FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in the art. 47 of LOPDGDD. II The joint assessment of the documentary evidence in the procedure brings to knowledge of the AEPD, a vision of the denounced action that has been strapped in the facts declared proven above related. However, it is necessary to agree on the factual grounds for which the entity is sanctioned and which are: In October 2019, it was reported that the website of the claimed entity *** URL.1 did not provide the option to reject the cookies that were installed on the ter- minal and that if any user wanted to continue browsing the page, they had to accept It is compulsory to use cookies, which is why it was in breach of current regulations. Due to these facts, in November of said year, information was required from the entity so that it was explained about the denounced facts being the response of the entity, two months later, that is, in January 2020, that: “I had been working since June of 2019 in the design of the solution for adapting the cookie policy to the requirements agencies of the General Data Protection Regulation and the New Organic Law of Data Protection and Guarantee of Digital Rights, also following the guides of good practices issued by the control authorities and very especially the issued by the Agency last November 2019 (…) ”. He also informed this Agency, in January 2020, that: “(…) it was implemented a banner that in addition to informing about the responsibility of the use of cookies in the page, which corresponds to Iberia, allows you to configure the types of cookies that are they can be found on the web, or accept all of them ”. However, a few days later, on 02/06/20, to verify the veracity or not of the information provided by the entity claimed to this Agency, it was found that, on the website *** URL.1, in addition to still not offering the option to reject all cookies, as reported, it was also found that, several points of the The page's cookie policy did not conform to the recommendations made by C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 23/24 this Agency in its Guide on Cookies, thus checking that the entity has not- had complied with what was stated a few days before, so based on this, we proceeded to the opening of this sanctioning file and it is not until the claimed entity receives the initiation of the sanctioning file PS / 0032/2020 for non-compliance with the stipulated in the LSSI Law, with a proposed penalty of 30,000 euros, when proceeds to modify the web page, in relation to the cookie policy and thus verified by this Agency, on 07/22/20. Regarding the latest allegations presented by the claimed entity in which indicates that: “(…) the diligent action by the Agency would have consisted of issue a warning, instead of initiating a sanctioning procedure, in terms millars and grant a period of correction to the warnings, having accrued dited to resume the path of article 39bis.2 LSSI ”would have been the right thing to do if the entity had made or attempted to make the changes you indicated were made in January of 2020 and that this Agency verified, in February, that they were not really made. Therefore, in accordance with the foregoing, By the Director of the Es- data protection cloth, RESOLVES: FIRST: IMPOSE IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPE- RADORA UNIPERSONAL (IBERIA) with CIF: A85850394, owner of the website: *** URL.1 a penalty of 30,000 euros (thirty thousand euros), for violation of the article 22.2. of the LSSI. SECOND: NOTIFY this resolution to the entity IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. UNIPERSONAL OPERATOR (IBERIA) and INFORM the claimant- you about the result of the claim. THIRD: Warn the sanctioned person that the sanction imposed must be effective once this resolution is enforceable, in accordance with the provisions of the Article 98.1.b) of Law 39/2015, of October 1, on the Administrative Procedure Co- of the Public Administrations (LPACAP), within the voluntary payment period that points out article 68 of the General Collection Regulations, approved by Royal De- Creto 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by entering the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the Bank CAIXABANK, S.A. or otherwise, it will be collected in an exemplary period cultural. Received the notification and once executive, if the date of execution is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 24/24 In accordance with the provisions of article 82 of Law 62/2003, of December 30- of fiscal, administrative and social order measures, this Resolution is will be made public, once it has been notified to the interested parties. The publication is made- It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection Agency on the publication of its Resolutions. Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may interpose ner, optionally, appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly administrative contentious appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions set out in article 25 and in section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the or two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal trative within two months from the day following notification of this resolution, would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es