AEPD (Spain) - PS/00151/2021
AEPD (Spain) - PS/00151/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 28(3) GDPR; Law 34/2002 (LSSI); Organic Law 3/2018 (LOPDGDD) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 23.06.2021 |
Published: | 02.07.2021 |
Fine: | 7000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00151/2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mohamed Siddibeh Kurubally |
The Spanish DPA fined a controller, Marbella Resorts, €7000 (reduced to €4200) for not having a data processing agreement with the processor and for infringing the Spanish Law regulating cookies by, among other things, placing unnecessary cookies without obtaining user consent.
English Summary
Facts
The decision follows a complaint that a data subject submitted to the Spanish DPA (AEPD) stating that, after being a guest in a hotel, they were warned that their ID card had been found, along with their personal information, on an adults website.
The data subject also addressed an access request to the hotel, which informed them that on the day the data subject checked in, the reception desk was closed and the person who scanned their ID card was an employee of the building's owners association, which managed the entry/exit of guests outside opening hours.
Additionally, while verifying the controller's website, the DPA found that its cookie banner had neither a link to the cookie policy nor sufficient information, that unnecessary cookies were used before consent was obtained, and that users could not reject only the unwanted cookies.
Holding
The AEPD concluded that the defendant had infringed Article 28(3) of the GDPR, since the controller did not have a data processing agreement with the processor (building's owners association) to govern the processing of personal data. Consequently, the AEPD fined the controller €5000 for the infringement of Article 28(3) GDPR.
In addition, the AEPD fined the controller €2000 for infringing Article 22 of the Spanish Law implementing the e-Privacy Directive (LSSI), for not properly informing users about the use of cookies and for placing unnecessary cookies without consent, without the possibility of rejecting them individually.
In total, the AEPD fined the controller €7000, which was reduced to €4200 due to early and voluntary payment and recognition of its responsibility.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS / 00151/2021
RESOLUTION R / 00479/2021 OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT
In the sanctioning procedure PS / 00151/2021, instructed by the Spanish Agency for Data Protection to MARBELLA RESORTS, S.L., considering the complaint presented by A.A.A., and based on the following,
BACKGROUND
FIRST: On June 9, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against MARBELLA RESORTS, S.L. (hereinafter, the claimed), through the Agreement that is transcribed:
<< Procedure No.: PS / 00151/2021
AGREEMENT TO START THE SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Agency for Data Protection before the entity, MARBELLA RESORTS, S.L. with CIF: B93169076, (hereinafter, “the part claimed”), by virtue of the complaint filed by Ms. A.A.A., (hereinafter, “the party claimant”), and based on the following:
FACTS
FIRST: On 11/23/20, you entered this Agency, written by the claimant, in which it indicated, among others, the following:
“A reservation was made through the *** URL.1 portal, at the Marbella establishment Resorts S.L. (XXXXXXXXX Suites). After leaving the establishment you receive WhatsApp, where they warn you that they have found your ID along with information your personal, on an adult content page. A complaint is filed with the General Directorate of the *** LOCALIDAD.1 Police and draws up minutes before the Notary on the different publications and their content in the Web page.
Access request is addressed to the person responsible for the processing of the data of the hotel establishment, who reports the following: "On the day of the incident, when you check in, outside of opening hours establishment, the reception was closed and whoever performs the Scanning of the identity card of the affected person is the concierge of the company hired by the community of neighbors of the building to manage the entrance / exit outside the opening hours.
The company contracted for this service is JUBASER DE CONTROL, S.L. This company has no connection with the hotel establishment (Marbella Resorts SL- XXXXXXXXX Suites), only with the community of neighbors of the building”.
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
On the other hand, trying to verify that the person responsible for the treatment had guaranteed the confidentiality of the data, and applied the technical measures and organizational to ensure compliance with data protection regulations, it was found that data protection did not seem to be a priority, as is reflected in its web page *** URL.2, where the previous Law continues to appear Organic 15/99, and where the information required by Law 34/2002 is not contained, of July 11, services of the information society and electronic commerce. The same happens with the forms that do not have any clause of Data Protection. Likewise, cookies are available without the proper configuration, and cookies that allow an international transfer of data, such as those of Facebook and Google”.
SECOND: On 02/04/21, this Agency sent a request informative to the claimed party, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights, ("LOPDGDD").
THIRD: On 03/04/21, the entity claims, sends a reply to the requirement made by this Agency, in which, among others, it indicates:
“On June 23, 2020, we received an email from the claimant to the entity's administration email *** EMAIL.1 in which it informs us that the On June 6, 2020, he stayed at our establishment for one night and arrived about 20:00. You tell us that you have discovered that the image of your ID along with disparaging remarks about him have been posted on a website of pornographic content (of which you send us as proof, a screenshot of said publication) and informs us that you have made a complaint to the police station *** LOCALITY.
1 (Málaga) that was already in process in the court of the same locality, and that he is also writing a complaint to the AEPD. Us requests then, to speak with the director or manager to address the issue in a personal.
On the same day, June 23, 2020, the claimant is answered from the administration email of the entity, informing you that we are investigating what occurred and that the manager or, failing that, the company's lawyer contacted him.
Within a few hours of that same day, June 23, 2020, the claimant responds asking us to identify the person who gave him the keys to the apartment and made a copy of his documentation and reiterates his desire to speak with the responsible for the entity.
At the time of receiving the first email from the claimant, we began to investigate what happened, and as soon as we started we discovered the following; We collect the information from the lady's reservation, specifically we check; through which channel your reservation arrived, means of payment for this, the invoice for accommodation, which Suite the lady stayed in, etc.
- The claimant stayed in our apartments, specifically in Suite *** SUITE.1 the night of June 6, 2020 (Saturday) and that the claimant's arrival time was around 20:00, as she herself informs us.
- At the time of the claimant's arrival the receipt of our apartments were closed, so the person who attended the claimant or not a worker of our entity, but of the concierge service hired by the community of owners of the building.
On June 25, 2020, the lawyer hired by our entity, sends you a e-mail to the claimant informing her that an investigation has been carried out if some member of our entity has had something to do with the matter with effects negative, since the person who attended you does not belong to our entity, but, He is a member of the concierge service hired by the community of owners.
The entity's willingness to collaborate is reiterated to be able to clarify such unpleasant affair. On July 30, 2020, we received a burofax from the claimant requesting the right of access, and in which you request certain information (…). Our worker contacts the security manager of the concierge company and informs you of the incident that occurred with the claimant and requests that you Please confirm the identity of the janitor who worked that night. The head of security for the concierge company confirms the identity of the concierge (providing us simply a name) and tells us that he would try to find out what happened, question this of which we have no record. Having the name of the janitor who worked that night, you call the concierge and asks him to tell him if he remembers any special incidents that occurred that night and specifically with the clients staying in Suite *** SUITE.1, to which he he answers reminding him that that night he himself called to convey the complaints from the rest of the surrounding clients due to noise coming from the Suite *** SUITE.1, but does not tell us anything in particular about the claimant and does not remember anything else about that night. On August 25, 2020, the claimant is sent the response to her request for right of access, as well as the result of the internal investigation carried out by the company through reliable electronic communication. There is no direct contractual relationship between the concierge company and our entity. The concierge company is hired by the Community of Owners of the building, and therefore responsible for its operation. The legal relationship between the apartment owner and our entity is based on a contract in the It is specified that the concierge functions will be carried out by the contracted concierge by the Community of Owners. In this case we provide a copy of the original contract for rent with the owner of the Suite *** SUITE.1 in which the lady stayed. In accordance with art. 
13 RGPD, regarding the information that must be provided when the personal data is obtained from the interested party, the information to the interested parties, when the information is received directly from them, both the identity and contact details of the Data Controller, the purposes of the treatment, the recipients, the period of conservation of the data, the rights that they can exercise (access, rectification, deletion, limitation, opposition and portability), the right to withdraw consent at any time, the right to file a claim with the Control Authority, if the communication of data personal is a legal or contractual requirement, or a necessary requirement to subscribe a contract and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data and if there are automated decisions.
In particular with regard to the information provided to users about the use of cookies and the purposes of data processing, as well as the way to collect, reject or withdraw consent for its use. Dates are also requested implementation and controls carried out to verify its effectiveness.
We have proceeded to the update on our website *** URL.2 regarding the information provided to users about the use of cookies and the purposes of the treatment of data, as well as the way to collect, reject or withdraw consent for its use so that they are in accordance with the provisions of article 22.2 of the LSSI). Has been implanted dated February 12, 2021, and has been reviewed by our specialist lawyer in data protection.
We have decided that the custodial staff (which, as noted, is unrelated to our entity) does not make a copy of the clients' documentation, but rather, just check on arrival who is the owner of the reservation to make them delivery of the keys.
It is our own staff who always take care of copy / scan the documentation of our clients to be able to carry out the corresponding sending of part of travelers to the police. In addition, we have requested the community of owners of the building the review of the contract that joins the company concierge, and more specifically, the data protection protocol, to guarantee that incidents of this type do not occur in the future and, in any case, preserve the rights and freedoms of the interested parties.
On the measures adopted to prevent similar incidents from occurring, implementation dates and controls carried out to verify their effectiveness. We have proceeded to carry out the measures:
• Proceed with an update of the contracts that establish the legal relationship with the apartment owners.
• That the staff of the entity that has access to personal data (nine, in principle) take an information and training course on data protection personal. In this case we provide a copy of the diplomas that certify the completion of the course.
We want to record the full availability of our entity to clarify the incident occurred, the effort and determination that has been implemented to be able to carry out an investigation the fruit of which has revealed direct responsibility of an employee of a company that provides services for the Community of Owners where the rented apartment is located; and that all that information is transferred the person concerned and has been transferred to the Courts and Tribunals where the judicial investigation of what happened is being carried out”.
FOURTH: On 03/30/21, by the Director of the Spanish Agency for Data Protection an agreement is issued for the admission of processing of the claim presented, in accordance with article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (LPDGDD), considering that the response given by the claimed party to this Agency in relation to the indicated facts does not accredit the legality in the treatment of Personal information.
FIFTH: On 06/01/21, this Agency carries out the following Checks on the reported website (*** URL.2):
- A) .- On the processing of personal data:
1.- Through the link at the top of the main page, <<contact>>, the web redirects the user to a new page, *** URL.3, displaying a form where you can enter personal data, such as the name and email. Before the form can be submitted, the user must check the box that you have read and accepted the privacy policy and the legal notice.
- B) .- About the "Privacy Policy":
1.- Through the link, << Privacy Policy >>, existing in the form and in the bottom of the main page, the web redirects to a new page, *** URL.4, where information is provided, in the privacy policy section, about: the identification of the person responsible for data processing; the purpose of the collection of the data and the legal basis for it; the possible recipients of the data; the rights of users with regard to the processing of their personal data and how to exercise them and about the security measures of the web, all this referred to the new legislation in force (RGPD and LOPDGDD).
- C) .- About the Cookies Policy:
1.- When entering the initial page of the web, (first layer), it is verified that without perform any action or accept cookies, unnecessary cookies are used, both own as third parties whose identifiers; domain, description and time of activation are:
- _thn_ss: *** URL.5 Sets an identifier for the session that allows the website obtain visitor behavior data for statistical purposes (activation 1 day).
- DV: www.google.com. It is used to provide services and extract information about navigation (stay 1 day).
- NID: www.google.com The purpose of this cookie is to store information on the preferences of the users (stay 6 months).
- CONSENT: www.google.com. Control the acceptance of cookies. (permanent)
- _hj: *** URL.2. Control user behavior when browsing the web (1 year stay).
- thn_id: *** URL.6 This cookie is created to identify users with an ID single (stay 2 years).
- 1P_JAR: www.google.com. Cookie used to personalize the ads according to the interests of the user (stay of one month).
- IDE: *** URL.7. It is used to display advertising related to navigation (stay 1 year).
- _hjid: *** URL.2. Used to obtain visitor behavior data for statistical purposes (stay 1 year).
- _ga: *** URL.2. Used to identify users (stay 2 years).
- _fbp: *** URL.2. Used to offer a series of advertising products, as real-time offers from third-party advertisers (stay 1 day).
- _gat: *** URL.2. Used to control the request rate (permanence 1 day).
- _gid: *** URL.2. Used to identify users (stay 2 years).
- __thn_ss: *** URL.6. This cookie allows you to personalize the user experience (session cookie).
2.- The banner about cookies that appears on the main page provides the following information: “Our website uses cookies to improve your browsing experience and to offer content tailored to your needs. By clicking "Allow" you accept the cookie storage.
For more information, please see our << privacy policy >> - <<accept>>
3.- If the "Privacy Policy" is accessed, through the link in the banner or through the link at the bottom of the main page, << policies >>, the web redirects to a new page, *** URL.3, where it is provided information, in the cookies section, about: what are cookies and the types of Cookies that exist but no information is provided or cookies are identified who uses the page. On how to manage cookies, the page refers to the user when configuring the browser installed on your terminal equipment and there is no mechanism that allows rejecting all cookies or managing them in a granular way.
SIXTH: In view of the facts denounced and in accordance with the evidence of that is available, the Data Inspection of this Spanish Agency for the Protection of Data considers that the aforementioned does not comply with current regulations, Therefore, the opening of this sanctioning procedure proceeds.
FOUNDATIONS OF LAW
I.- Competition:
- On the treatment of personal data and on the "Policy of Privacy" of the website of your ownership:
It is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Data Protection Agency, by virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, Relating to the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of this Data (RGPD) recognizes each Control Authority and, as established in arts.
47, 64.2 and 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), Sections 1) and 2), of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may provide to the effect, mentioning in point 1.d), that of: “notify the person in charge or commission of the treatment of alleged infringements of this Regulation ”and in 2.i), that of: “Impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case.". - About the "Cookies Policy" of the website of your ownership: It is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of the art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI), is competent to initiate and resolve this Penalty Procedure, the Director of the Spanish Agency for Data Protection. II - On the management in the treatment of personal data: In the present case, the complaining party made a reservation for a room, at through the *** URL.1 portal, in the hotel establishment, Marbella Resorts S.L. (XXXXXXXXX Suites). After leaving the establishment he learned that his DNI along with your personal information were included in a page of adult content. For its part, the entity responsible for the hotel establishment alleged that on the day of incident, the "check in" was carried out outside the opening hours of reception of travelers and that the person who scanned the ID of the affected person was the company's concierge hired by the community of neighbors of the building, where the hotel establishment. 
That this company has no connection with them, only with the community of neighbors of the building and that, from the incident denounced have: “(…) decided that the concierge staff should not make a copy of the customer documentation, but simply check upon arrival that it is the holder of the reservation to hand over the keys (…)”.
Article 4 of the RGPD defines the "person responsible for the processing of personal data" as: “the natural or legal person, public authority, service or other body that, alone or together with others, determine the purposes and means of the treatment (…)”; and defines the "Person in charge of the treatment" as: "the natural or legal person, public authority, service or other body that processes personal data on behalf of the person responsible for the treatment".
The first section of article 28 of the RGPD establishes that: “1. When a treatment is to be carried out on behalf of a person responsible for the treatment, this will only choose a manager who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment complies with the requirements of this Regulation and guarantees the protection of the rights of the interested party”.
While the third section of the aforementioned article establishes: "3. The treatment by the person in charge will be governed by a contract or other legal act with according to the law of the Union or of the Member States, that binds the person in charge with respect to the person in charge and establish the object, duration, nature and end of nature of the treatment, the type of personal data and categories of interested parties, and the obligations responsibilities and rights of the person in charge.
Said contract or legal act shall stipulate, in part, particular, that the person in charge: a) will treat personal data only following instructions documented actions of the controller, including with respect to transfers of personal data to a third country or an international organization, unless it is obliged to do so under the law of the Union or of the Member States that apply to manager; In this case, the person in charge will inform the person responsible for this requirement. legal force prior to the treatment, unless such Law prohibits it for important reasons. public interest factors; b) will guarantee that the persons authorized to process data personnel have committed to respecting confidentiality or are subject to an obligation of confidentiality of a statutory nature; c) take all the measurements necessary days in accordance with article 32; d) will respect the conditions indicated given in sections 2 and 4 to contact another person in charge of the treatment; e) attend the responsible, taking into account the nature of the treatment, through technical measures appropriate and organizational arrangements, whenever possible, so that it can meet with its obligation to respond to requests that are intended to exercise the rights of the interested parties established in chapter III; f) will help the person in charge capable of guaranteeing compliance with the obligations established in articles 32 to 36, taking into account the nature of the treatment and the information available to the in charge; g) at the discretion of the person in charge, it will delete or return all personal data final once the provision of treatment services is completed, and will suppress the existing pias unless the preservation of personal data is required in under the law of the Union or of the Member States; h) make available to the responsible for all the information necessary to demonstrate compliance with the guidelines established in this article, as well as to allow and 
contribute to the performance of audits, including inspections, by the controller or another auditor authorized by said person in charge. In relation to the provisions of letter h) of the first paragraph, the person in charge of do will immediately inform the controller if, in their opinion, an instruction violates this Regulation or other provisions on data protection of the Union or Member States”.
Therefore, the known facts could constitute an infringement, attributable to the claimed party, for violation of article 28.3 of the RGPD.
Article 73.k) of the LOPDGDD classifies, for prescription purposes, as “serious” the: "Entrusting the processing of data to a third party without the prior formalization of a contract or other written legal act with the content required by article 28.3 of the Regulation (EU) 2016/679".
This offense can be sanctioned with a fine of € 10,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the of greater amount, in accordance with article 83.4.a) of the RGPD.
In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to fix the amount of the sanction to be imposed in In this case, it is considered that the sanction to be imposed should be adjusted according to with the following aggravating criteria established in article 83.2) of the RGPD:
- the seriousness of the infringement, taking into account the level of damages caused, (section a);
- Negligence in the infringement, when verifying the lack of due diligence of the entity in fulfilling its obligations with respect to the management of the personal data of your customers, (section b).
The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the offense committed by violating the provisions of its article 28.3), of in accordance with the provisions of article 83 of the RGPD, allows setting a sanction initial of 5,000 euros, (five thousand euros).
III - About the "Privacy Policy" of the website of its ownership:
According to the claim, on the website *** URL.1, the previous Law continues to appear Organic 15/99, does not contain the information required by Law 34/2002, of 11 July, services of the information society and electronic commerce and the The same happens with the forms since they do not have any protection clause of data.
In this sense, article 13 of the RGPD establishes the information that must be provide the interested party at the time of collection of their personal data:
"1. When personal data relating to him are obtained from an interested party, the Responsible for the treatment, at the time these are obtained, will provide:
a) the identity and contact details of the person in charge and, where appropriate, of their representative;
b) the contact details of the data protection officer, in his / her case;
c) the purposes of the treatment to which the personal data are destined and the basis legal treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;
e) the recipients or the categories of recipients of the personal data, if applicable;
f) where appropriate, the intention of the person in charge of transferring personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in articles 46 or 47 or Article 49 (1), second subparagraph, reference to adequate guarantees or appropriate and the means of obtaining a copy of these or the
fact that have borrowed. 2.In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period; b) the existence of the right to request the data controller for access to the data personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to the portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a requirement legal or contractual, or a necessary requirement to enter into a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of decisions automated, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of such treatment for the interested party ”. In the present case, this Agency has been able to verify, regarding the policy of privacy of the reported website that, through the link in the part top of the main page, <<contact>>, the web redirects the user to a form where you can enter personal data, such as name, email. 
Before being able to send the form, the user must check the box that they have read and Accepted the privacy policy and the legal notice.
For its part, on the "Privacy Policy" page of the web, it is provided information on the identification of the data controller; the purpose of data collection and the legal basis for it; the possible recipients of the data; the rights of users with regard to the treatment of their personal data and how to exercise them and on the security measures of the web, all this based on the legislation in force at this time.
Therefore, according to the evidence available at this time, according to of initiation of the sanctioning procedure, it is considered that the "Privacy Policy", of the claimed website, does not contradict the provisions of article 13 of the GDPR.
IV - About the "Cookies Policy" of the website of your ownership:
a) .- On the installation of cookies on the terminal equipment prior to consent:
Article 22.2 of the LSSI establishes that information must be provided to users clear and complete information on the use of storage devices and data recovery and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, When the use of a cookie involves a treatment that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by the regulations on the protection of data.
However, it is necessary to point out that they are exempt from compliance with the Obligations established in article 22.2 of the LSSI those necessary cookies for the intercommunication of the terminals and the network and those that provide a service expressly requested by the user.
In this sense, the Article 29 Working Party (GT29), in its Opinion 4/2012, interpreted that the excepted cookies would include user input cookies (those used to fill in forms, or to manage a shopping cart); authentication or user identification cookies (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; load-balancing session cookies; user interface customization cookies; and some plug-in cookies for exchanging social content. These cookies would remain excluded from the scope of application of article 22.2 of the LSSI and, therefore, it would not be necessary to inform about or obtain consent for their use. On the contrary, it will be necessary to inform and obtain the prior consent of the user before using any other type of cookie, whether first-party or third-party, session or persistent.

In the verification carried out by this Agency on the claimed website, it was possible to verify that, when entering the main page, without taking any action on it and without accepting cookies, unnecessary cookies were used, both first-party and third-party.

b).- On the cookie information banner in the first layer (homepage):

The first-layer cookie banner must include information identifying the publisher responsible for the website, in the event that its identifying data do not appear in other sections of the page or its identity cannot be clearly inferred from the site itself. It should also include a generic identification of the purposes of the cookies that will be used and whether they are first-party or also third-party, without it being necessary to identify them in this first layer.
In addition, it must include generic information about the type of data to be collected and used in the event that user profiles are drawn up, and must include information on the way in which the user can accept, configure and reject the use of cookies, with the warning, where appropriate, that if a certain action is performed, it will be understood that the user accepts the use of cookies.

Apart from the generic information about cookies, this banner must contain a clearly visible link to a second informational layer on the use of cookies, the "Cookies Policy". This same link may be used to lead the user to the cookie "Configuration Panel", provided that access to the configuration panel is direct, that is, the user does not have to navigate within the second layer to locate it.

In the case at hand, the cookie information banner in the first layer of the website does not state that first-party and third-party cookies will be used.

c).- On consent to the use of unnecessary cookies:

For the use of non-necessary cookies, it will be necessary to obtain the express consent of the user. This consent can be obtained by clicking on "accept" or by inferring it from an unequivocal action performed by the user that denotes that consent has been unequivocally given. Therefore, the mere inactivity of the user, scrolling or browsing the website will not be considered, for these purposes, a clear affirmative action under any circumstances and will not by itself imply the provision of consent. Similarly, access to the control panel, if the information is presented in layers, as well as the navigation necessary for the user to manage their preferences in relation to cookies in the control panel, is not considered an active behavior from which acceptance of cookies can be derived.
If the option is to go to the cookie control panel (second layer) to manage cookies in a granular way, there should be two more buttons: one to <<accept>> all cookies or, where appropriate, save the chosen cookie selection, and another to <<reject>> all cookies. If the user saves their choice without having selected any group of cookies, it will be understood that they have rejected all cookies. In relation to this possibility, boxes pre-ticked in favor of accepting cookies are in no case admissible.

If, for the configuration of cookies, the website refers to the configuration of the browser installed on the terminal equipment, this option is considered complementary for obtaining consent, but not the only mechanism. Therefore, if the publisher opts for this option, it must also, and in any case, offer a mechanism that allows the use of cookies to be rejected and/or managed in a granular way.

It must be possible to withdraw consent previously given by the user at any time. To this end, the publisher must offer a mechanism that allows permanent access to the cookie management or configuration system.

If the publisher's cookie management or configuration system does not make it possible to avoid the use of third-party cookies once accepted by the user, information will be provided about the tools offered by the browser and the third parties. It should be noted that, if the user accepts third-party cookies and subsequently wishes to delete them, they must do so from their own browser or through the system enabled by the third parties for that purpose.
In the present case, the banner on the main page redirects the user to the "Cookie policy" (second layer) for more information, but in this second layer the website refers the user to the configuration of the browser installed on their terminal equipment to manage cookies; this page offers no mechanism that allows rejecting all cookies or managing them in a granular way.

d).- On the information provided in the second layer (Cookies Policy):

Web pages that use unnecessary cookies must have a "Cookies Policy" page providing more detailed information about the characteristics of cookies, including: the generic definition and function of cookies (what cookies are); the type of cookies used and their purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, whether the information obtained by cookies is processed only by the publisher and/or also by third parties, with identification of the latter; the retention period of cookies on the terminal equipment; and, where applicable, information on data transfers to third countries and on profiling that involves automated decision making.

In the present case, the privacy policy of the website does not provide information on or identification of the cookies that will be used.

IV-bis

The facts presented could constitute, on the part of the claimed entity, a violation of article 22.2 of the LSSI, regarding the cookie policy on its website, according to which: "Service providers may use data storage and recovery devices on recipients' terminal equipment, provided that the recipients have given their consent after having been provided with clear and complete information on their use, in particular, on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data.
When technically possible and effective, the consent of the recipient to accept the data processing may be facilitated by using the parameters of the browser or other applications.

The foregoing will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient".

This offense is classified as "minor" in article 38.4 g) of the aforementioned Law, which considers as such: “Using data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, which may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI.

After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the instruction, it is considered that the sanction should be imposed in accordance with the following aggravating criteria, established in art. 40 of the LSSI:

- The existence of intentionality, an expression that must be interpreted as equivalent to degree of guilt according to the Judgment of the National Court of 11/12/07 in Appeal no. 351/2006, it being the responsibility of the denounced entity to determine a system for obtaining informed consent that conforms to the mandate of the LSSI.
- The period of time during which the offense has been committed (section b).

Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 2,000 euros (two thousand euros) for the violation of article 22.2 of the LSSI, regarding the cookie policy on the website of its ownership.
V

In accordance with the criteria set out in the previous sections, it is considered appropriate to impose on the claimed entity a total initial penalty of 7,000 euros (seven thousand euros): 5,000 euros for the violation of article 28.3 of the GDPR and 2,000 euros for the infringement of article 22.2 of the LSSI.

In accordance with the foregoing, the Director of the Spanish Agency for Data Protection AGREES:

TO INITIATE: a SANCTIONING PROCEDURE against the entity MARBELLA RESORTS, S.L., with CIF: B93169076, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (LPACAP), for the alleged infractions:

- Infringement of article 28.3) of the GDPR, due to the lack of diligence demonstrated in the management of the personal data of its clients.
- Infringement of article 22.2) of the LSSI, regarding the cookie policy on its web page.

TO APPOINT: D. B.B.B. as instructor and Dª C.C.C. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

TO INCORPORATE: into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, and the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation.

THAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be a fine of:

- 5,000 euros (five thousand euros), for violation of article 28.3) of the GDPR, without prejudice to what results from the instruction.
- 2,000 euros (two thousand euros), for violation of article 22.2) of the LSSI, without prejudice to what results from the instruction.
THAT: in accordance with article 58.2 of the GDPR, the corrective measure that could be imposed on the claimed party would consist of ORDERING it to take the necessary measures to adapt the cookie policy of the website of its ownership through:

- A mechanism that prevents the use of cookies that are not necessary before the user gives their consent.
- A mechanism that makes it possible to reject all cookies, so that it is as easy to reject them as to accept them.
- The inclusion on the website of detailed information about cookies in a second layer or "Cookies Policy".
- Information in the banner on the main page stating that first-party and third-party cookies will be used.

TO NOTIFY: this agreement to the entity MARBELLA RESORTS, S.L., granting it a hearing period of ten business days to formulate allegations and present the evidence it deems appropriate.

If within the stipulated period it does not make allegations to this initiation agreement, the agreement may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, it may acknowledge its responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the penalty to be imposed in the present procedure, equivalent in this case to 1,400 euros. With the application of this reduction, the penalty would be set at 5,600 euros, resolving the procedure with the imposition of this sanction.

In the same way, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of the amount thereof, equivalent in this case to 1,400 euros.
With the application of this reduction, the sanction would be set at 5,600 euros and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that applies for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions are applied, the amount of the penalty would be set at 4,200 euros (four thousand two hundred euros).

In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

If you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by depositing it in account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection at Banco CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the ground for reduction of the amount that is being relied on.

Likewise, you must send the proof of payment to the Subdirectorate General of Inspection so that the procedure can continue in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be closed, in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Agency for Data Protection. >>

SECOND: On June 16, 2021, the defendant proceeded to pay the sanction in the amount of 4,200 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the GDPR grants to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; the infractions of article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures", provides the following:

"1.
Once a sanctioning procedure has been initiated, if the offender acknowledges its responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and a non-pecuniary sanction but the inadmissibility of the latter has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00151/2021, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to MARBELLA RESORTS, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

936-031219

Mar España Martí
Director of the Spanish Agency for Data Protection