AEPD (Spain) - EXP202211953
From GDPRhub
| AEPD - PS-00080-2023 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR Article 13 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 30.09.2022 |
| Decided: | |
| Published: | 20.09.2023 |
| Fine: | 5000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS-00080-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Paola Leon |
The Spanish DPA imposed a fine against a website operator for failing to provide adequate information under Article 13 GDPR, and for the processing of personal data in a manner contrary to Article 5(1)(a) of the GDPR.
English Summary
Facts
A data subject submitted a complaint to the AEPD indicating that the website operator Chatwith.IO infringed GDPR by implementing dark patterns, specifically overloading and skipping when users try to object to the processing of their personal data by third parties. Users are prompted with a pop-up which contains a list of service providers, 1.522 in total, in which 338 of those have the selection box toggled on. If users want to object, they need to toggle off each box individually. The data subject submitted that there should be an option to object to ALL of the legitimate interests at once. Moreover, these selection boxes are shown in a light grey colour which can be easily confused with the white background of the website and it requires an additional visual effort on the parts of users to distinguish the options. Further, the data subject submitted that the legitimate interest of third parties is not explained in a manner that can be easily comprehended and found in the privacy policy unless they have to access to each of the third parties' privacy policies.
Holding
Upon reviewing the data subject's complaint, the AEPD confirmed the following:
1. The purposes of the processing for which the personal data are intended and the legal basis for the processing have ambiguous wording, or lack of required clarity.
2. The legitimate interests of third parties to whom the controller is referred to in the information banner on the main page are unclear and it is necessary to access the information individually different privacy policies of each of the more than 1,000 companies that appear in the providers list.
3. No reference is made to the controller's intention to transfer personal data to a third country or international organization outside the European Union, all this despite the fact that some of the companies that appear in the providers list are located outside the EU.
4. In terms of dark patterns, the AEPD confirmed that the dark pattern of overloading and skipping is observed when accessing the providers list. Once there, the users find a list of about 130 companies, of which, more than half have the default marked “Accept data processing for legitimate interest” box, which requires, in the case of objection to the processing marking one by one throughout the entire list, without the option of being able to object by indicating it only once or a number of times that is reasonable and does not generate fatigue in the affected person.
5. In regards to cookies, those that are not technical or necessary are deployed before obtaining consent from users.
6. The cookie management panel shows that the groups of Cookies are divided into two options, accept the cookies by “Consent” that are pre-marked in the “not accepted” option and accept the cookies by “Legitimate Interest” which pre-marked in the “accepted” option. However, if all the options marked “accepted” are unchecked, the website still continues to use the same cookies detected when entering on the web without having given consent.
7. There is no information about cookies in the second layer or link that enable the user to be redirected to the “Cookie Policy” of the website. The information about cookies appears dispersed in each of the options of the cookie management panel.
The DPA resolved to impose a fine of 2000 euro for infringement of Article 13 GDPR and required compliance with this article within one month. This infringement was considered as medium. It also Imposed a fine of 5000 euro for infringement of Article 5 (1)(a) as well as one month to bring its processing into compliance. This infringement was considered very gave
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/31
File No.: EXP202211953 (PS/00080/2023)
RESOLUTION OF THE SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following:
BACKGROUND
FIRST: On 09/30/22, Mr. A.A.A. (hereinafter, the complaining party) filed
claim before the Spanish Data Protection Agency. The claim is
directed against the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239,
owner of the website ***URL.1 (the claimed party), for the alleged violation of
data protection regulations: Regulation (EU) 2016/679, of Parliament
European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons
regarding the Processing of Personal Data and the Free Circulation of
these Data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD), and against the Law
34/2002, of July 11, on Information Society Services and Commerce
Electronic (LSSI).
The reasons on which the claim was based are:
“The company IURIS MARKETING S.L. (current CHATWITH.IO WORLDWIDE
S.L.) is the owner of the website ***URL.1.
The claimed company processes the personal data of visitors
who access the website, obtaining them both directly from the interested parties
through requests for information when they try to contact the
lawyers who advertise on the page, such as through the use of cookies
that are installed on the visitor's computer equipment when consulting the website.
This is reported by the data controller himself through a message that
appears when accessing iurisnow.com, in a pop-up window that appears
superimposes the main window and that under the title “Privacy and
Transparency” informs the user that both the owner of the website and
its partners process the personal data of the
interested.
Specifically, it is indicated in the first part of the informative text, that
“We and our partners use cookies to Store or access
information on a device. We and our partners use data to
Personalized ads and content, ad and content measurement,
information about the public and product development”, at the same time, towards
half of the text, you can read, that “Some of our partners may
process your data as part of our legitimate business interest without requesting your
consent. To see the purposes that they believe have legitimate interest or
object to this data processing, please use the link in the list of
suppliers below.” A copy of the pop-up window is attached (Doc.
evidentiary 4).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/31
The controller uses dark overload patterns
overloading and skipping in user interface design
through which the privacy options to be applied are configured
to the processing of the website visitor's data, specifically
when the interested party expresses his opposition to data processing based
in the legitimate interest of the person responsible and of third parties, whom he calls
“partners”.
The dark overload pattern is clearly observed when accessing the
section of the “Supplier List” pop-up window, once there, the
interested party finds a list of 1,522 companies, of which, according to
the estimate made by the claimant, 338 have the default marked
"Legitimate interest" box, which requires, in the case of wanting to show the
opposition to the treatment of marking one by one throughout the entire list, each one
of the 338 boxes, without there being the option of being able to object by indicating it
only once or a number of times that is reasonable and does not generate fatigue in the
affected. To the previous 338 boxes, we must add another nine that are
found in the “Manage settings” section.
Upon accessing, you can see that a set of nine purposes appear
of treatment under the title of “Purposes”, each of them, with its box
corresponding marked with the default option in favor of the treatment
based on legitimate interest, it being necessary to select one by one the
boxes to be able to oppose each of the purposes established by the
responsible. As in the previous situation, there is no option in the
window that allows you to oppose all of them at the same time, or a number
reasonable of times.
A copy of the “List of suppliers” section is provided for evidentiary purposes.
(Exhibit document 5), copy of the “Manage configuration” section for purposes
evidence (Evidence Doc. 6) and the formulas used to calculate
List companies and estimate boxes with privacy options
affected (evidence document 17). On the other hand, the dark concealment pattern is
used in the “Supplier List”. If you access this section, you can
observe with some difficulty that there is an estimated set of 32 companies
who have the consent box checked with the option blocked, without
that the interested party can revoke it.
These boxes appear in a grayish color that blends in with white.
used as the background of the screen, which makes it difficult to locate and serves as
camouflage mechanism, avoiding detection if no effort is made
increased visual (Exhibits 5 and 17). The information that
provided by the person responsible, relating to the legitimate interests of third parties and the purposes
of the processing to which personal data is intended is not
transparent.
The legitimate interests of third parties and the purposes of the processing are not
determine or explain in a clear or understandable manner in the information
offered to interested parties. Within the privacy policy of the person responsible,
The purposes for which the processing is carried out are not indicated, not even in the title
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/31
“Provenance, purpose and legitimacy of the data offered”, can be
find any reference to the purposes for which the data is collected.
Nor can you find information about the legitimate interests of
third parties in the title “Recipients of the data or transfer to third parties”, nor in other
parts of the privacy policy, being necessary to access
individually to the different privacy policies of each of the 1,522
companies that appear in the so-called “List of suppliers”, for which
if a URL link appears within the dropdown information of each
"supplier". The only information that can apparently refer to both
purposes, such as the legitimate interests of third parties, can be found in
unclear form in the text that appears within the pop-up window, in
which mentions that the data is used for “ads and content
personalized, ad and content measurement, information about the
public and product development”, without providing more information. (Documents
evidence 2 and 4).
The person responsible for the treatment does not make any mention in the information that
facilitates the interested party, both in the pop-up window and in the policy of
privacy, the intention or possibility of transfers of
data to third countries, outside the European Union, nor to the existence or
absence of an adequacy decision from the Commission, nor to the guarantees
adequate or appropriate measures that can be adopted so that the interested party can
exercise their rights regardless of the international transfer.
All this despite the fact that a relevant part of the companies that appear
in the “List of suppliers”, if they inform in their respective policies of
privacy, that the data collected by them may be transferred outside
of the European Union.
SECOND: On 11/15/22, in accordance with the provisions of article 65.4
of the LOPDGDD, by this Agency, said claim was transferred to the
claimed party, so that it could proceed with its analysis and report, within a period of one
month, about what was stated in the statement of claim.
According to a certificate from the Electronic Notifications and Electronic Address Service, the
request letter sent to the claimed party, on 11/18/22, through the service
of electronic notifications “NOTIFIC@”, was rejected at destination on 11/29/22.
Although the notification was validly carried out by electronic means, it was deemed
the procedure has been carried out in accordance with the provisions of article 41.5 of the LPACAP, as
informative, an attempt was made to send it by postal mail, which was returned to its destination with the date
12/14/22 with the message “unknown”.
THIRD: On 12/30/22, by the Director of the Spanish Agency for
Data Protection agreement is issued to admit the claim processing
presented, in accordance with article 65 of the LPDGDD Law, when appreciating possible
rational indications of a violation of the rules in the field of competences
of the Spanish Data Protection Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/31
FOURTH: On 02/08/23, this Agency accessed the page
web***URL.1, verifying the following characteristics on its “Policy of
Privacy” and about its “Cookies Policy”:
a).- Regarding the processing of personal data:
a.1.- It is verified how, on the website, personal data can be obtained through
through the <<contact>> link, located at the top of the main page,
where you can enter personal data such as name, telephone, email
email and subject.
Before submitting the form, the user must check the box:
“_ I have read and accept the <<Privacy Policy>> and the <<Terms of Use>>”
a.2.- Personal data can also be entered when registering in the
website, through the link at the top right of the main page
<<private area>>, from which a form is displayed ***FORM.1
where personal data such as name, surname, address must be entered
phone, email. There is also the possibility of attaching a photo.
Before submitting the form, the user must check the box:
“_ I have read and accept the <<Privacy Policy>> and the <<Terms of Use>>”
a.3.- On the pages of the two previous forms there is a banner with the following
information:
By virtue of the provisions of the L.O. 3/18 Iuris NOW informs you that the data of
personal nature that you may offer us are part of data processing
The following applies to you:
Responsible: IURIS MARKETING S.L.
Purpose: Register on the platform to be listed as a professional and
receive customer contacts
Legitimation: Consent of the interested party or his legal representative.
Recipients: Iuris Marketing S.L. and the contracted services.
Rights: Access, rectify and delete data, as explained in our
Privacy Policy
b).- About the “Privacy Policy”:
If you access the “Privacy Policy” through the existing links in the
previous forms or through the link at the bottom of the page
main page, the website redirects the user to a new page ***URL.2 where
provides the following information:
b.1.- Regarding the “legal notice” information is provided on:
- The person responsible for the website
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/31
- Conditions of access and use of the portal
- Third party content
- Use of links
- Disclaimer
- Applicable legislation and jurisdiction
b.2.- Regarding the Privacy Policy, you are informed of:
RESPONSIBLE FOR DATA PROCESSING
The ownership of this website, with domain ***DOMINIO.1, is Iuris
Marketing S.L., hereinafter “Iuris NOW”, and address at ***ADDRESS.1, with
contact email ***EMAIL.1
All of the above, as Data Controller you are informed that:
DATA PROTECTION RIGHTS:
Iuris NOW users can direct any communication, either by
written to the address provided previously, or by mail
electronic (***EMAIL.1), communication via email being faster and more effective.
electronics. The user can always exercise the following rights:
Right of access: Iuris NOW users may request access to the
personal data that we have about them.
Right to request rectification: In cases where the data is
incorrect or need to be updated, for the relevant reason, you may request
its rectification.
Right of deletion: The interested party may request Iuris NOW to delete
at any time, the deletion of any personal data that you
concerns.
Right to request the limitation of your treatment: You may request Iuris
NOW the limitation of the data obtained either because the data is not needed
personal data for the purposes of the processing, but are necessary for the
interested.
Right to oppose the processing: Iuris NOW will stop processing the data that
have been provided by the user, unless legitimate reasons are proven and
imperative to be able to continue with the treatment.
Right to portability of the data offered: In the event that you want us to
your data is processed by another company or person, Iuris NOW will
undertakes to facilitate said data portability to the new controller
whenever requested. In application of the aforementioned legislation that we have
mentioned at the beginning of this text, we offer users the model,
form and other interesting information offered by the Spanish Agency for
Data Protection in the following link
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/31
Likewise, within the rights of users, we offer the possibility of
withdraw the consent that has been granted by any of the means that
was obtained, since the user of the website has the right to withdraw in
consent granted at any time, without alleging just cause, not
However, the withdrawal of the consent granted will not invalidate the treatment.
based on consent prior to its withdrawal.
Finally, we want to emphasize the importance of the exercise of these rights, and
any problem or disagreement that may occur with Iuris NOW in the
processing of the data, claims may be submitted that may be
right suits the corresponding data protection authority,
being in Spain the Spanish Data Protection Agency
CONSERVATION OF THE DATA OFFERED
The disaggregated data will be kept without a deletion period.
User data: The retention period of the data of people who
offered to Iuris NOW will vary depending on the service that the user contracts
with Iuris NOW, however, data retention will be minimal
required for the specific case, in general:
Clients: From the moment the service provision relationship begins with the
client, until 4 years have passed since the end of the provision of
services
Blog comments: From the moment the user leaves their comment on the blog until
requesting its deletion
Newsletter subscribers: Since the user subscribes to the newsletter
until you withdraw your consent
Contact form: Since the user accepts the sending of their data
through the contact form until you withdraw your consent.
Download a document: Since the user downloads the document and
you consent to send you communications.
PRINCIPLES OF APPLICATION TO PERSONAL INFORMATION
In the processing of personal data that you offer through the media
established, Iuris NOW will apply the following principles required by the
applicable legislation:
Principle of legality, loyalty and transparency: In order to carry out treatment
of your data, I will always require express, unequivocal consent,
informed and prior to the treatment, the information and treatment thereof
It will be specifically intended for the purpose you have requested.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/31
Data minimization principle: I will only require the information from you
necessary for the specific case, I do not want to handle more information than the
necessary, but rather that which is essential to be able to respond.
Principle of limitation of the conservation period: The data you offer me,
will be maintained in the file owned by Iuris NOW for the period
essential and necessary.
Principle of integrity and confidentiality: The data will be treated in a
way that guarantees their security and confidentiality,
taking the necessary precautions to access them, only
authorized persons or authorized third parties.
ORIGIN, PURPOSE AND LEGITIMACY OF THE DATA OFFERED
Based on all of the above, the category of data requested from the
users is a basic category, it is not a data category
specially protected.
Web hosting: The Iuris NOW page is hosted at OVH (OVH
HISPANO SL NIF: B-83834747) Company based in Madrid, being
application of the provisions of the RGPD and LOPDyGDD
Data collected through the website: The data collected through the
web page, will be incorporated into the corresponding file, in addition to the
information provided, the IP address is also collected, which in the large
Most of the time this information is not used.
Social networks: Iuris NOW has a presence on different social networks,
recognizing us as responsible for the data that users process
through social networks privately with Iuris NOW, in order to be
extracted to provide the requested information.
The purpose and legitimacy of the data processing that Iuris NOW carries out
on social networks, will be the one permitted by the social network
DATA COLLECT
The user guarantees that the personal data that has been provided by different
means offered and mentioned above are accurate and truthful,
being responsible for communicating to Iuris NOW any type of modification
that arises in personal data.
If the data that has been offered belongs to a third party, the user guarantees
that has obtained the consent of said third party in order to facilitate the
data.
When providing the data, the user declares and accepts having read the
this privacy policy, expressly consenting to the treatment
of personal data in accordance with what is established on this page.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/31
Likewise, when a user requests information, they are providing a minimum
personal information for which Iuris NOW will be responsible.
When requesting information, information is collected from the IP address, name,
email address, phone number and other information. Be
managed and used by Iuris NOW.
RECIPIENTS OF THE DATA OR TRANSFER TO THIRD PARTIES
For the correct development of the activity carried out by Iuris NOW, it is necessary
have different professionals or tools with which you can
develop the activities described above, therefore, Iuris NOW
share strictly necessary data under their corresponding
privacy conditions with the following providers:
Google Analytics: The Iuris NOW website uses a service system
analytics offered by the company Google Inc, is a company located in the
1600 Amphithreare Parkway, Mountain View (California), CA 94043,
USA. This program uses “cookies” which are text files
located on your computer when visiting the website, the purpose is to help Iuris
NOW to know what users who visit your website do. The information that
offered by Google Analytics includes the IP address of the visitor who will be
transmitted and archived by Google on its services located in the United States
Joined.
The Iuris NOW page is hosted on OVH. The Iuris NOW website
It has SSL encryption that allows the secure sending of your data
personal through the different means that we collect data in our
web, website developed using WordPress, more information at Automattic.
Google Adsense: The previous company mentioned Google Inc, offers services
of advertising that are being used on this website, for this,
uses a cookie that publishes a series of advertisements on our website. He
user can disable the use of these cookies by following the instructions
that are indicated in the Google section itself.
For this advertising system, Google offers a platform to different
partner companies to publish ads through their platform, so
that, certain information is used to provide advertisements about products and
services that are of interest, but at no time is the name collected,
address, email address or telephone number - If you would like more
information about this practice and to know your different options, consult the
next link
Google Maps: It is a map display service provided by Google
Inc, which allows us to provide an interactive map to our website –
Google Privacy Policy
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/31
Lawyers: As an object of our main activity, when you leave us your
data and request advice, we will offer your data to the best lawyer or the
lawyer that you have requested from us.
CONFIDENTIALITY
Iuris NOW is committed to the use and processing of personal data that
are collected through the website, respecting at all times the
confidentiality and to use them for the purpose for which they were collected.
We undertake to carry out all necessary actions regarding
of data protection.
ACCEPTANCE AND CONSENT
The user accepts having been informed of the conditions regarding protection of
data inherent to the legislation that is applicable, accepting and
consenting to their processing by Iuris NOW.
SECURITY MEASURES
This website includes an SSL certificate, it is a security protocol that
causes the data between the user and Iuris NOW, a transmission to occur
sure of it, we also have a specific security service
and we constantly update all the technologies we use in
our page.
Likewise, Iuris NOW will keep updated and apply all measures
necessary to be able to offer the greatest possible security to users, not
However, absolute impregnability on the Internet does not exist,
committing ourselves that any incident that may affect the
users, will be communicated as established in the legislation.
Security measures will be reviewed periodically to verify
that are still useful for the purpose for which they were collected.
CHANGES IN THE PRIVACY POLICY
Iuris NOW reserves the right to modify this policy to adapt it
to future legislative or jurisprudential modifications, as well as changes that
are made in the Iuris NOW services. Iuris NOW will announce the changes that
occur and are essential.
c).- About the Cookies Policy:
1.- About the use of cookies before the user gives their consent:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the website, it has been verified that cookies that are not technical or
necessary, with the following characteristics:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/31
Performance cookies (3): These cookies allow us to quantify the number of visits.
tas and traffic sources to be able to evaluate the performance of the site. They help us know
which pages are the most or least visited and how visitors navigate
gan for the site.
cookies Domain Description
_gid ***DOMAIN.1 This cookie is set by
Google Analytics. Store and access
sets a unique value for each
visited page and is used to con-
tar and track page views.
_ga_BHX4LX8C4J ***DOMAIN.1 Google Analytics uses this
cookie to maintain state
of the session.
_ga ***DOMAIN.1 This cookie name is associated
ciated with Google Universal Analy-
ytics, which is an im-
analysis service carrier
most used on Google. This
cookie is used to distinguish
unique users by assigning
nation of a generated number
randomly as identifier
of client. It is included in each so-
page legality on a site and
used to calculate life data
visitors, sessions and campaigns
for analysis reports
sites.
Targeting Cookies (1): These include social media cookies that are placed on sites
to track users across the web and serve them ads.
cookies Domain Description
_gat_gtag_UA_ ***DOMAIN.1 This cookie is part of Google
181162822_9 Analytics and is used to limit
applications (application fee
acceleration).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/31
2.- About the cookie information banner in the first layer:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without performing any action on the web page, a
cookie information banner at the bottom of the main page with the
next message:
We welcome you to iurisnow.com
iurisnow.com requests your consent to use your personal data with these
goals:
Personalized ads and content, ad and content measurement,
information about the public and product development devices.
Store or access information on a device
More information
Your personal data will be processed and the information on your device (cookies,
unique identifiers and other device data) may be stored,
consulted and shared with <<external providers>> or used specifically
through this website or application.
Some providers may process your personal data under a
legitimate interest, something you can object to by managing your options
continuation. Look for a link at the bottom of this page or in our privacy policy.
privacy to revoke consent.
<<Manage Options>> <<Consent>>
a).- If you access the list of suppliers, a new page appears with the following
information:
Which third-party providers can access my data?
These third party providers may use your data to provide services:
Exponential Interactive, Inc d/b/a VDX.tv
….
Index Exchange, Inc.
….
Vodafone
…
netfix
…
> 200
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/31
<<close>>
b).- If you access the control panel, through the <<Manage Options>> option, the
The website displays a new page with the following information:
Data preferences. Manage your data
You can choose how your personal data is used. Suppliers request
so your permission to do the following:
Store or access information on a device
Cookies, device identifiers or other information may be stored or accessed.
mation on your device for the purposes presented. See details
OFF Consent
Select basic ads
Ads can be displayed based on the content being viewed, the
application being used, its approximate location or its type of device.
vo. See details
OFF Consent
Legitimate interest ON
Create a custom advertising profile
We may create a profile about you and your interests to show you personalized ads.
nalized that are relevant to you. See details
OFF Consent
Legitimate interest ON
Select personalized ads
Personalized ads may be displayed based on your profile. See details
OFF Consent
Create a profile for content customization
A profile can be created about you and your interests to show you personalized content.
finalized that was relevant to you. See details
OFF Consent
Legitimate interest ON
Select custom content
Custom content can be displayed based on your profile. See details
OFF Consent
Legitimate interest ON
Measure ad performance
You can measure the performance and effectiveness of the ads you see or deal with.
interacts. See details
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/31
OFF Consent
Legitimate interest ON
Measure content performance
You can measure the performance and effectiveness of the content you view or interact with.
you See details
OFF Consent
Legitimate interest ON
Use market research to generate information about the public
Market research can be used to obtain more information about the
audience that visits websites/applications and views ads. See details
OFF Consent
Legitimate interest ON
Develop and improve products
Your data may be used to improve existing systems and/or software, as well
as to develop new products. See details
OFF Consent
Legitimate interest ON
Ensure security, prevent fraud and debug errors
Your data may be used to monitor and prevent fraudulent activities, and to
Ensure systems and processes operate correctly and safely. See details-
lles
Technically serve ads or content
Your device may receive and send information that allows you to view and interact with
ads and content. See details
Collate and combine offline data sources
Data obtained from offline data sources can be combined with your activity
online to support one or more purposes. See details
Link different devices
You can determine which devices belong to you or your home to
one or more purposes. See details
Receive and use for identification the characteristics of the device that is
send automatically
Your device can be distinguished from other devices based on the information it contains.
sent automatically, such as the IP address or browser type. See details
Use precise geographic location data
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/31
Your precise geographic location data may be used for one or more purposes.
facts. This means that your location can be accurate to within several meters.
tros. See details
OFF Consent
<<Supplier preferences>>
If you access the supplier control panel, a new page appears:
Accept our suppliers
Providers may use your data to offer you services. If you reject a
provider, they will no longer be able to use the data you have shared with them.
Exponential Interactive, Inc d/b/a VDX.tv
Cookie duration: 90 days. Cookie duration is reset after
each session. See details
OFF Consent
Legitimate Interest ON
Roq.ad Inc.
Cookie duration: 365 (days). Cookie duration is reset after
of each session.
OFF Consent
…
…
…
<<Accept All>> <<Confirm Options>>
3º.- About the information provided in the “Cookies Policy”:
There is no page or link that redirects the user to the “Cookies Policy”. The
The only existing information about cookies is that provided in the banner of the
main page when accessed for the first time and the information offered to
via control panel
4º.- About how to withdraw consent to the use of cookies after
having offered:
There is a link at the bottom of the web page <<Privacy Settings and
Cookies>> through which you can access the control panel at any
moment of web browsing.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/31
FIFTH: On 04/14/23, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the defendant, for the alleged
violations of:
a).- Violation of article 13 of the RGPD, due to the deficiencies observed in its
“Privacy Policy”, with an initial penalty of 2,000 euros, without prejudice to
what results from the instruction. Likewise, it was noted that the violations
charged, if confirmed, may lead to the imposition of measures, according to
the aforementioned article 58.2 d) of the RGPD.
b).- Violation of article 5.1.a) of the RGPD, due to the use of patterns
dark sources of overloading and skipping, with a
initial penalty of 5,000 euros, without prejudice to what results from the investigation.
Likewise, it was warned that the alleged infractions, if confirmed, may
lead to the imposition of measures, according to the aforementioned article 58.2 d) of the RGPD.
c).- Violation of article 22.2 of the LSSI, due to the deficiencies detected in its
web page regarding the “Cookies Policy”, with an initial penalty of
5,000 euros, without prejudice to what results from the instruction
Notification of the initiation agreement was attempted in accordance with the standards set forth in
Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (LPACAP). According to State Company Certificate
Correos y Telégrafos, S.A., the letter initiating the file sent to the
address CHATWITH.IO WORLDWIDE, S.L. C/ ***ADDRESS.1, was returned to
origin by Leftover (Not withdrawn in office) on 05/03/23. Having the following
associated information, (Unit: XXXXXXXX):
- 1st delivery attempt on 04/21/23 at 12:05, by employee 282402 ha
result 03 “Absent”.
- 2nd delivery attempt on 04/24/23 at 8:20 p.m., by employee 186402 ha
result 03 “Absent”. (Notice was left in mailbox).
On 05/09/23, notification of the initiation agreement was made through an announcement in
the single Edictal Board of the Official State Gazette, in accordance with article 44 of
the LPACAP. In said announcement the claimed party is informed about the possibility of
obtain a copy of the opening agreement.
SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in
the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been
verified that no allegation has been received from the claimed party.
Article 64.2.f) of the LPACAP - provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period regarding the content of the initiation agreement, when
This contains a precise statement about the imputed responsibility,
may be considered a proposal for a resolution. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/31
imputation, the infraction attributed to the person complained of and the sanction that could be imposed.
Therefore, taking into consideration that the claimed party has not formulated
allegations to the agreement to initiate the file and in accordance with what is established in the
article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the
present case proposed resolution.
In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:
PROVEN FACTS.
First: The information provided in the “Privacy Policy” ***URL.2, and
In relation to the provisions of article 13 GDPR cited, the person responsible for the
processing of personal data obtained through the website does not offer
information on or at least not detailed on the following points:
- The purposes of the processing for which the personal data are intended and the legal basis
dica of the treatment, has ambiguous wording, or lacks the required clarity.
- The legitimate interests of third parties to whom the
responsible for the treatment referred to in the existing information banner.
try on the main page, it is necessary to access the pages individually.
different privacy policies of each of the more than 1,000 companies
that appear in the “List of suppliers”, then the information appears.
unclearly in the text of each provider's pop-up window.
dor.
- No reference is made to the intention of the person responsible to transfer personal data.
nals to a third country or international organization outside the European Union,
all this despite the fact that a part of the companies (suppliers) that appear
cen in the “Supplier List”, are located outside the EU.
Second: On the use of dark overloading patterns and
skipping, in the case at hand, the dark overload pattern
loading) and hiding (skipping), is observed when accessing the “List of
suppliers”, once there, the interested party finds a list of about 130 companies.
prey (suppliers), of which, more than half have the default marked
“Accept data processing for legitimate interest” box, which requires, in the case
from wanting to show opposition to the treatment to marking one by one throughout the entire
list, without the option of being able to object by indicating it only once or a number
of times that is reasonable and does not generate fatigue in the affected person.
Third: Regarding the Cookies Policy on the website in question, cookies have been detected
the following irregularities:
- When entering the website for the first time, without accepting cookies or performing any actions.
tion on the page, it has been verified that non-technical cookies are used.
unique or necessary: 3 Performance cookies: _gid; _ga_BHX4LX8C4J and _ga and
a Targeting Cookie: _gat_gtag_UA_181162822_9
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/31
- In the cookie control panel it has been detected that the groups of
cookies are divided into two options, accept cookies by “Consent”
ment” that are pre-marked in the “not accepted” option and accept the
cookies for “Legitimate Interest” that are pre-marked in the “accept” option.
you give". However, if all the options marked “accepted” are unchecked
It is verified that they continue using the same cookies detected when entering
on the web without having given consent.
- There is no information about cookies in the second layer or link that
Enable the user to be redirected to the “Cookie Policy” of the website. The informs-
Information about cookies appears dispersed in each of the options of the
control Panel.
FOUNDATIONS OF LAW
YO.-
Competence:
- About the processing of personal data and the “Privacy Policy”:
The Director of the Spanish Agency is competent to resolve this procedure.
of Data Protection, by virtue of the powers that art 58.2 of the RGPD recognizes to
each Control Authority and, as established in arts. 47, 64.2 and 68.1 of the Law
LOPDGDD.
- About the “Cookie Policy”:
The Director of the Spanish Agency is competent to resolve this procedure.
of Data Protection, in accordance with the provisions of art. 43.1, paragraph
second, that of the LSSI Law.
II.-1
About the processing of personal data on the website and the “Privacy Policy”
In the verification carried out on the website, ***URL.1, it is confirmed that there
Personal data can be obtained through the <<contact>> link, intended for
make queries and you can also enter personal data when doing so.
registration on the website, through the link at the top right of the page
main page <<Private area>>.
The “Privacy Policy” can be accessed through the existing links in
the forms mentioned above or through the link at the bottom
from the main page, <<Privacy Policy and Legal Notice>>.
Well, article 13 of the RGPD details the information that must be provided to the
interested party when the data is collected directly from him, establishing that:
“1.When personal data relating to him is obtained from an interested party, the
responsible for the treatment, at the time these are obtained,
will provide: a) the identity and contact details of the person responsible and, where applicable,
of your representative; b) the contact details of the protection delegate
data, if applicable; c) the purposes of the processing for which the data are intended
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/31
personal and the legal basis of the treatment; d) when the treatment is based
in Article 6(1)(f), the legitimate interests of the controller or
a third; e) the recipients or categories of recipients of the data
personal, if applicable; f) where applicable, the intention of the person responsible to transfer
personal data to a third country or international organization and the existence or
absence of an adequacy decision from the Commission, or, in the case of
transfers indicated in Articles 46 or 47 or Article 49(1),
second paragraph, reference to adequate or appropriate guarantees and the
means to obtain a copy of these or the fact that they have been provided.
2.In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the moment in which the
personal data, the following information necessary to guarantee a
fair and transparent data processing: a) the period during which
will retain personal data or, when this is not possible, the criteria
used to determine this term; b) the existence of the right to request the
responsible for the processing of access to personal data relating to the
interested party, and its rectification or deletion, or the limitation of its processing, or to
oppose the processing, as well as the right to data portability; c)
when the processing is based on Article 6(1)(a) or the
Article 9, paragraph 2, letter a), the existence of the right to withdraw the
consent at any time, without affecting the legality of the
treatment based on consent prior to its withdrawal; d) the right to
file a claim with a supervisory authority; e) if the communication
of personal data is a legal or contractual requirement, or a requirement
necessary to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of
not provide such data; f) the existence of automated decisions, including the
profiling, referred to in article 22, paragraphs 1 and 4, and,
least in such cases, significant information about the logic applied, as well
as the importance and anticipated consequences of such treatment for the
interested".
In the case at hand, the information provided in the “Policy of
Privacy” ***URL.1 and in relation to the provisions of article 13 GDPR cited,
notes that it does not offer information on the following points:
- The purposes of the processing for which the personal data are intended and the basis
legal treatment, has ambiguous wording, or lack of clarity and
required precision.
- The legitimate interests of third parties to whom the
responsible for the treatment referred to in the information banner
existing on the main page, requiring individual access to
the different privacy policies of each of the more than 1,000
companies that appear in the “List of suppliers”, then the
information unclearly in the text of the pop-up window of each
supplier.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/31
- No reference is made to the intention of the person responsible to transfer data
personnel to a third country or international organization outside the Union
European Union, all this despite the fact that a part of the companies (suppliers)
that appear in the “List of suppliers”, are located outside the EU.
II.-2
Sanction
The irregularities detected in the “Privacy Policy” of the website
***URL.1 may constitute a violation of article 13 RGPD.
This violation can be punished with a fine of a maximum of €20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.5.b) of the RGPD.
In this sense, article 74.a) of the LOPDGDD, on the infractions considered
mild, indicates that:
The remaining infractions of a nature are considered minor and will be subject to a one-year statute of limitations.
merely formal of the articles mentioned in sections 4 and 5 of the
article 83 of Regulation (EU) 2016/679 and, in particular, the following:
a) Failure to comply with the principle of transparency of information or the
right to information of the affected person for not providing all the required information
by articles 13 and 14 of Regulation (EU) 2016/679.
In accordance with the above, it is considered appropriate to impose a penalty of 2,000 euros,
(two thousand euros), for the violation of article 13 RGPD.
II.-3.
Measures
Once the infraction is confirmed, it is necessary to determine whether or not it is appropriate to impose
responsible for adopting appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the aforementioned article
58.2 d) of the RGPD, according to which each supervisory authority may “order the
responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, in a manner
certain manner and within a specified period….” The imposition of this
measure is compatible with the sanction consisting of an administrative fine, as established
provided in art. 83.2 of the GDPR.
The text of this agreement establishes what the infractions have been.
allegedly committed and the facts that give rise to the violation of the regulations
of data protection, from which it is clearly inferred what are the measures to be
adopt, without prejudice to the type of procedures, mechanisms or instruments
specifics to implement them corresponds to the sanctioned party, since it is the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/31
responsible for the treatment who fully knows your organization and must decide,
based on proactive responsibility and the risk approach, how to comply with the
RGPD and the LOPDGDD.
However, in this case, regardless of the above, it is appropriate to require the
responsible entity so that, within the period indicated in the operative part, it adapts
the “Privacy Policy” of your website to the current regulations, specifically to what
stipulated in article 13 of the GDPR.
Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.
III.-1
On the use of dark overloading and hiding patterns
(skipping)
According to the complainant, the data controller uses the dark patterns of
overloading and skipping in user interface design
through which you configure the privacy options that are going to be applied to the
processing of the data of the visitor to the website, specifically when the
interested party expresses his opposition to data processing based on interest
legitimate interest of the person responsible and third parties, whom he calls “partners”.
The term “dark patterns” refers to the interfaces or implementations of
user experience intended to influence behavior and
people's decisions in their interaction with websites, apps and social networks,
way that they make decisions potentially detrimental to the protection of their
personal information.
According to recital (39) of the GDPR:
All processing of personal data must be lawful and fair. For the people
physical data must be completely clear that they are being collected, used,
consulting or otherwise processing personal data that concerns them,
as well as the extent to which said data is or will be processed.
The principle of transparency requires that all information and communication
regarding the processing of said data is easily accessible and easy to
understand, and that simple and clear language is used. This principle refers
in particular to the information of the interested parties about the identity of the
responsible for the treatment and its purposes and the added information
to ensure fair and transparent treatment of people
affected physical bodies and their right to obtain confirmation and communication of the
personal data that concerns them that are subject to processing, (…)”.
In this regard, article 5 RGDP includes the "Principles relating to processing" and
in section 1.a) establishes that:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/31
Personal data will be processed in a lawful, fair and transparent manner in
relationship with the interested party "lawfulness, loyalty and transparency."
Well, in application of the principle of loyalty established in article 5.1.a, the
Data controllers must ensure that dark patterns are not used,
at least, in relation to decisions regarding the processing of your data
personal.
The European Data Protection Board (EDPB) adopted for public consultation its
‘Guidelines on dark patterns in social media interfaces,
How to recognize and avoid them. These guidelines, like the AEPD guide,
They take article 5.1.a of the GDPR as a starting point to evaluate when a
Design pattern in a user interface corresponds to a dark pattern.
Dark patterns can be presented to the user in data processing operations.
of various kinds, such as during the registration or registration process on a social network, when starting
session or also in other scenarios such as configuring the
privacy, in cookie banners, during the process of exercising rights, in
the content of a communication reporting a personal data breach or
even when trying to unsubscribe from the platform.
According to the EDPB Guidelines, dark patterns can be classified into the
following categories:
Overloading: consists of presenting too many possibilities to the
person who has to make the decisions, which ends up generating fatigue on the
user, who ends up sharing more personal information than desired. The
The most common techniques to produce this fatigue due to overload are to show
questions repeatedly, creating privacy labyrinths and showing too many
options.
Hiding (skipping): consists of designing the interface or user experience in such a way
so that the user does not think about some aspects related to protection
of your data, or forget it.
Stirring: the users' emotions are appealed to or nudges are used
visuals in the form of effects to influence decisions.
Hindering: attempts to create obstacles so that the user cannot
easily perform certain actions. This is done through techniques such as
put privacy settings in areas that cannot be accessed, make it very
complicated to reach them or providing misleading information about the
effects of some actions.
Inconsistency (fickle): the interface has an unstable and inconsistent design that does not
allows the user to perform the actions desired.
Left in the dark: The information or configuration options of the
privacy are hidden or presented in an unclear way using language
erratic, contradictory or ambiguous information.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/31
In the case at hand, the dark pattern of overloading and
concealment (skipping), is observed when accessing the “List of
suppliers”, once there, the interested party finds a list of about 130
companies (suppliers), of which, more than half have the default marked
“Accept data processing for legitimate interest” box, which requires, in the case
from wanting to show opposition to the treatment to marking one by one throughout the entire
list, without the option of being able to object by indicating it only once or a number
of times that is reasonable and does not generate fatigue in the affected person.
Taking, for example, the provider “Amazon Advertising” we see that in its section
the following information appears:
Cookie duration: 396 (days). Cookie duration is reset after
of each session. Use other forms of storage.
<<View details>> |<< Storage details>> | <<Privacy Policy>>
Consent (OFF)
Legitimate interest (ON)
If we display the information <<see details>>, the following information appears:
Amazon Advertising requests the following:
By Consent:
Store or access information on a device
Select basic ads
Create a custom advertising profile
Select personalized ads
Measure ad performance
Use market research to generate information about the public
Develop and improve products
For legitimate interest:
Ensure security, prevent fraud and debug errors
Technically serve ads or content
Checking that, in this particular example, legitimate interest is indicated as both
the “Ensure security, prevent fraud and debug errors” as “Serve
technically advertisements or content”, a situation that is repeated for the more than 200
suppliers that appear on the web.
Well, the situation is that there is a button to accept everything (<<Accept All>>) or
to confirm the chosen options (<<Confirm Options>>), but not to
reject everything or oppose everything, which can constitute a dark pattern of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/31
overloading All this without prejudice to the fact that the treatments marked in
the ON position of “legitimate interest” may or may not be justified on this basis of
legitimation, an issue that is not analyzed in this procedure.
III.-2
Sanction
The facts set out above may constitute an infringement of the
established in article 5.1.a) of the RGPD, with the scope expressed in the
Previous Fundamentals of Law.
This violation can be punished with a fine of a maximum of €20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.5.a) of the RGPD.
In this sense, article 72.1.a) considers a “very serious” infraction for the purposes of
prescription “1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
involve a substantial violation of the articles mentioned therein and, in
In particular, the following: a) The processing of personal data that violates the
principles and guarantees established in article 5 of Regulation (EU) 2016/679”.
III.-3
Graduation of the Sanction
The determination of the sanction that should be imposed in the present case requires
observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
respectively, they provide the following:
"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of the
of this Regulation indicated in sections 4, 9 and 6 are in each case
effective, proportionate and dissuasive individual treatment.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures
referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the
imposition of an administrative fine and its amount in each individual case is
will take due account of: a) the nature, severity and duration of the
infringement, taking into account the nature, scope or purpose of the
processing operation in question, as well as the number of interested parties
affected and the level of damages they have suffered; b) the
intentionality or negligence in the infringement; c) any measure taken by
the person responsible or in charge of the treatment to alleviate the damages and losses
suffered by the interested parties; d) the degree of responsibility of the person responsible or
of the person in charge of the treatment, taking into account the technical measures or
organizational measures that have applied under articles 25 and 32; e) all
previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to put
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/31
remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person responsible or the person in charge notified the infringement and, in that case,
what extent; i) when the measures indicated in Article 58(2)
have been previously ordered against the person responsible or in charge of
that is dealt with in relation to the same matter, compliance with said
measures; j) adherence to codes of conduct under Article 40 or
certification mechanisms approved in accordance with article 42, and k)
any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
or indirectly, through infringement.”
Within this section, the LOPDGDD contemplates in its article 76, titled
“Sanctions and corrective measures”:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the
Regulation (EU) 2016/679 will be applied taking into account the criteria of
graduation established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account: a) The continuous nature of the
infringement. b) The linking of the offender's activity with the performance of
processing of personal data. c) The benefits obtained as
consequence of the commission of the infraction. d) The possibility that the
conduct of the affected party could have induced the commission of the infraction. and)
The existence of a merger by absorption process subsequent to the commission of
the infringement, which cannot be attributed to the absorbing entity. f) The impact
to the rights of minors. g) Have, when it is not mandatory, a
data protection officer. h) Submission by the person responsible
or entrusted, on a voluntary basis, to alternative resolution mechanisms
of conflicts, in those cases in which there are disputes between
those and anyone interested.
3. Adoption will be possible, complementary or alternatively, when
appropriate, of the remaining corrective measures referred to in the article
83.2 of Regulation (EU) 2016/679.”
In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, for the purposes of setting the amount of the fine sanction
impose on the claimed entity, in an initial assessment, they are considered concurrent in
in this case the following factors, as aggravating factors:
- The scope or purpose of the data processing operation, as well as the information
affected teresses, (section a).
It is also considered that the sanction to be imposed should be graduated in accordance with the
following aggravating criteria, established by article 76.2 of the LOPDGDD:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/31
- The linking of the offender's activity with the performance of treatment
personal data, (section b), considering that in the activity carried out
rrolla, the personal data of its clients are involved.
Considering the factors exposed, the value reached by the fine, for the
Violation of article 5.1.a) of the RGPD, it is 5,000 euros (five thousand euros).
III.-4
Measures
Once the infraction is confirmed, it is necessary to determine whether or not it is appropriate to impose
responsible for adopting appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the aforementioned article
58.2 d) of the RGPD, according to which each supervisory authority may “order the
responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, in a manner
certain manner and within a specified period….” The imposition of this
measure is compatible with the sanction consisting of an administrative fine, as established
provided in art. 83.2 of the GDPR.
The text of this agreement establishes what the infractions have been.
allegedly committed and the facts that give rise to the violation of the regulations
of data protection, from which it is clearly inferred what are the measures to be
adopt, without prejudice to the type of procedures, mechanisms or instruments
specifics to implement them corresponds to the sanctioned party, since it is the
responsible for the treatment who fully knows your organization and must decide,
based on proactive responsibility and the risk approach, how to comply with the
RGPD and the LOPDGDD.
However, in this case, regardless of the above, it is appropriate to require the
responsible entity so that, within the period indicated in the operative part, it adapts
the “Privacy Policy” of your website to the current regulations, specifically to what
stipulated in article 5.1.a) of the RGPD.
Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.
IV.-
About the Cookies Policy of the website
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, about the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/31
Therefore, when the use of a cookie involves processing that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.
However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of terminals and the network and those that provide a service
expressly requested by the user.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among cookies
“User input Cookies would be excepted” (those used to
fill out forms, or manage a shopping cart); cookies
user (session) authentication or identification; user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.
These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about its
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before using any other type of cookies, both first and
third-party, session or persistent.
In the verification carried out by this Agency on the claimed website, it was possible
note that, upon entering the main page and without performing any action on the
mime or accept cookies, the following non-necessary cookies were used:
When entering the website for the first time, without accepting cookies or performing any action
on the page, it has been verified that cookies that are not technical or
necessary:
- 3 Performance Cookies: _gid; _ga_BHX4LX8C4J and _ga
- 1 Targeting cookie: _gat_gtag_UA_181162822_9
c).- Regarding consent to the installation of cookies on the terminal equipment:
To use non-excepted cookies, it will be necessary to obtain the
express consent of the user. This consent can be obtained
by clicking on, “accept” or inferring it from an unequivocal action carried out by the
user that denotes that consent has been unequivocally produced. By
Therefore, the mere inactivity of the user, scrolling or browsing the website, is not
will consider for these purposes a clear affirmative action under no circumstances and will not
will involve the provision of consent itself. Likewise, access to
the second layer if the information is presented in layers, as well as navigation
necessary for the user to manage their preferences in relation to cookies in
the control panel, it is not considered an active behavior that can
derive the acceptance of cookies.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/31
The existence of “Cookie Walls” is also not permitted, that is, windows
pop-ups that block content and access to the website, forcing the user to
accept the use of cookies to access the page and continue browsing without
offer the user any type of alternative that allows them to freely manage their
preferences regarding the use of cookies.
If the option is to go to a second layer or cookie control panel, the link
should take the user directly to said configuration panel. To facilitate the
selection, in the panel it can be implemented, in addition to a management system
granular cookies, two more buttons, one to accept all cookies and another to
reject them all. If the user saves his choice without having selected any
cookie, it will be understood that you have rejected all cookies. In relation to this second
possibility, in no case are pre-checked boxes in favor of accepting
cookies.
If for the configuration of cookies, the website refers to the browser configuration
installed on the terminal equipment, this option could be considered complementary
to obtain consent, but not as the only mechanism. Therefore, if the editor
opts for this option, it must also offer, and in any case, a mechanism that
allow you to reject the use of cookies and/or do so on a granular basis.
On the other hand, the withdrawal of the consent previously given by the user
It must be able to be done at any time. To this end, the editor must offer a
mechanism that makes it possible to easily withdraw consent at any time.
moment. That facility will be considered to exist, for example, when the user
have simple and permanent access to the management or configuration system of the
cookies.
If the editor's cookie management or configuration system does not allow you to avoid the
use of third-party cookies, once accepted by the user, will be provided
information about tools provided by the browser and third parties,
must warn that, if the user accepts third-party cookies and subsequently wishes
delete them, you must do so from your own browser or the system enabled by the
third parties for this.
In the case in question, it is not possible to reject all cookies at once.
To manage cookies it is necessary to access the control panel <<Manage
Options>> where the groups of cookies appear divided into purposes such as
example “Select basic ads”; “Create a personalized advertising profile” or
“Select personalized ads”
The groups are divided into two options, accept cookies by “Consent”
that are pre-marked in the “not accepted” option and accept cookies for “Interest
Legitimate” that are pre-marked in the “accepted” option.
However, if all the options marked “accepted” are unchecked, the
that continue to use the same cookies detected when entering the website without having
consent given.
d).- About the information provided in the second layer (cookie policy):
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/31
In the second layer or “cookie policy” more detailed information must be provided.
detailed information about the characteristics of cookies, including information about, the definition
tion and generic function of cookies (what are cookies); about the type of cookies
which are used and their purpose (what types of cookies are used on the website); the
identification of who uses the cookies, that is, if the information obtained by the cookies
Cookies are processed only by the editor and/or also by third parties with identification of this
last coughs; the retention period of cookies on the terminal equipment; and if it is him
case, information on data transfers to third countries and the processing
of profiles that involve automated decision making.
In the case in question, there is no information about cookies in the second
layer or link that allows the user to be redirected to the “Cookie Policy” of the website.
Information about cookies appears dispersed in each of the options
of the control panel.
IV.-2
Classification of the offense committed
Of the deficiencies detected, regarding the cookie policy, on the website in
issue: the use of third-party cookies that are not technical or necessary; the
impossibility of rejecting third-party cookies and the lack of information in the
“cookie policy”, could be assumed by the complainant, the commission of the
violation of article 22.2 of the LSSI, as it establishes that:
“Service providers may use storage devices and
data recovery on recipients' terminal equipment, provided
that they have given their consent after they have been
provided clear and complete information on its use, in particular on
the purposes of data processing, in accordance with the provisions of L.
Organic 15/1999, of December 13, on the protection of personal data
staff.
Where technically possible and effective, the consent of the recipient
to accept the processing of the data may be facilitated through the use of the
appropriate settings of the browser or other applications.
The above will not prevent possible storage or access of a technical nature
for the sole purpose of carrying out the transmission of a communication over a network of
electronic communications or, to the extent strictly necessary
necessary, for the provision of an information society service
expressly requested by the recipient.”
IV.-3
Sanction
This Infraction is classified as “minor” in article 38.4 g) of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/31
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.
After the evidence obtained in the previous investigation phase, and without prejudice to
what results from the instruction, it is considered that it is appropriate to graduate the sanction to
impose according to the following aggravating criteria, established in art. 40 of
the LSSI: The existence of intentionality, an expression that must be interpreted as
equivalent to degree of guilt according to the Court's Judgment
National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the
reported entity the determination of a system for obtaining consent
informed that it conforms to the mandate of the LSSI.
In accordance with these criteria, it is considered appropriate to impose an initial sanction of
5,000 euros, (five thousand euros), for the violation of article 22.2 of the LSSI, regarding
of the cookie policy made on the website owned by it.
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency,
RESOLVES:
FIRST: IMPOSE the entity CHATWITH.IO WORLDWIDE, S.L. with CIF
B88184239, owner of the website ***URL.1, for the violation of article 13
of the RGPD, typified in article 83.5.b) of the same Regulation, and classified as
“mild” for the purposes of prescription in article 74.a) of the LOPDGDD, a fine of
2,000 euros (two thousand euros).
SECOND: That by the Director of the Spanish Data Protection Agency,
order the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239, holder of
the web page to web ***URL.1, which within a period of one month from the
notification of this act, adopt the necessary measures to adapt its
action to the personal data protection regulations, with the scope expressed
in the Legal Basis II.-3, of this resolution. In the same period indicated, the
entity
must inform and justify compliance with the measures before this Agency
imposed.
THIRD: IMPOSE on the entity CHATWITH.IO WORLDWIDE, S.L. with CIF
B88184239, owner of the website ***URL.1, for the violation of the article
5.1.a) of the RGPD, typified in article 83.5.a) of the same Regulation, and qualified
as “very serious” for the purposes of prescription in article 72.1.a) of the LOPDGDD,
a fine of 5,000 euros (five thousand euros).
FOURTH: That by the Director of the Spanish Data Protection Agency,
order the entity CHATWITH.IO WORLDWIDE, S.L. with CIF B88184239, holder of
the web page to web ***URL.1, which within a period of one month from the
notification of this act, adopt the necessary measures to adapt its
action to the personal data protection regulations, with the scope expressed
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/31
in the Legal Basis III.-4, of this resolution. In the same period indicated, the
entity must report and justify compliance with the measures to this Agency.
FIFTH: IMPOSE the entity CHATWITH.IO WORLDWIDE, S.L. with CIF
B88184239, owner of the website ***URL.1, for the violation of article 22.2
of the LSSI, classified as “mild” for the purposes of prescription in article 38.4.g) of the
cited rule, a fine of 5,000 euros (five thousand euros).
SIXTH: NOTIFY this resolution to the entity CHATWITH.IO WORLDWIDE.
SEVENTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN No.: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A..
Otherwise, it will be collected during the executive period. Received the
notification and once executive, if the date of execution is between the days
1 and 15 of each month, both inclusive, the deadline to make the voluntary payment will be
until the 20th of the following or immediately following business month, and if it is between
on the 16th and last day of each month, both inclusive, the payment period will be until the 5th
of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties. Against this
resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD,
and in accordance with the provisions of article 123 of the LPACAP, the interested parties
may optionally file an appeal for reconsideration before the Director of the
Spanish Data Protection Agency within a period of one month from the day
following the notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the provision
fourth additional to Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-administrative, within a period of two months from the following day
to the notification of this act, as provided for in article 46.1 of the aforementioned Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/],
or through any of the other registries provided for in art. 16.4 of the aforementioned Law
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/31
39/2015, of October 1. You must also transfer the documentation to the Agency
that proves the effective filing of the contentious-administrative appeal.
If the Agency was not aware of the filing of the contentious appeal-
administrative within a period of two months from the day following notification of the
This resolution would end the precautionary suspension.
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
