AEPD (Spain) - PS/00132/2022
AEPD - PS-00132-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 13 GDPR Recital 25 ePrivacy Directive (2002/58/EC) Article 22.2 LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | 07.04.2022 |
Decided: | 26.04.2022 |
Published: | 28.06.2022 |
Fine: | 1,800 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00132-2022 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined the owner of a commercial website €3,000 (reduced to €1,800) for the processing of personal data and the use of cookies without a valid legal basis – violating Article 6 GDPR - and for not providing sufficient information to the data subject under Article 13 GDPR.
English Summary
Facts
On 7 April 2022, the data subject, Mr. B.B.B., filed a complaint with the Spanish DPA (AEPD) stating that the owner of a commercial website, Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law). The data subject complained about three aspects of the controller’s website: The contact form, the Privacy Policy and the Cookie Policy.
The contact form of the website (by which website user may contact the controller) did not provide the data subject with the possibility to consent to the processing of their personal data (name and email address, a.o.). The website’s Privacy Policy did not disclose all the relevant information mentioned in Article 13 GDPR to the data subject, hence the controller did not fulfill his obligation to inform. The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookies policy about the cookies in use. The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies – which were considered neither necessary nor functional by the DPA - were already in use even before the data subject actively and expressly gave their consent or took action on the website. The data subject did not have the possibility to withdraw their consent regarding the cookies either. In addition to that, the Cookie Policy, which should give the data subject access to more detailed information regarding the features of the cookies used, neither disclosed the activity time, nor mission or the precise identification of the cookies.
Holding
The Spanish DPA imposed a fine on the controller amounting to an overall of €3.000.
The processing of personal data without consent of the data subject – thus without a valid legal basis and a violation of Article 6 GDPR - was fined with €1,000. The violation of Article 13 GDPR was also fined with €1,000. The use of cookies without expressed consent of the data subject – which violated Spanish national law, the LSSI, and the GDPR – was fined with €1,000 as well. In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.
On 26 April 2022, the controller, paid the fine which was reduced to €1,800.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1 / 14 File No.: PS/00132/2022 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: Dated 7...