AEPD (Spain) - EXP202301323

From GDPRhub
Revision as of 10:23, 27 March 2024 by Lm (talk | contribs)
AEPD - EXP202301323
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) (Spanish ePrivacy Law)
Type: Complaint
Outcome: Rejected
Started: 10.08.2021
Decided: 15.03.2024
Published:
Fine: n/a
Parties: Turner Broadcasting System España
National Case Number/Name: EXP202301323
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
AEPD - Internal Appeal
[1]
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA dismissed an internal appeal challenging its decision that it was not necessary for a controller to provide a reject button on its webpage, finding that the question arose under Spain’s ePrivacy Law rather than the GDPR.

English Summary

Facts

A data subject attempted to access one of Turner Broadcasting System España’s (controller’s) websites but was redirected to a new webpage that did not offer an option to reject cookies. Once cookies were accepted on this webpage, it was not possible to access the cookie control panel to revoke consent. Instead, consent could only be revoked by taking a number of additional steps, including entering an English-language portal and sending the controller an email requesting to withdraw consent.

The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA. On 26 January 2023, the Austrian DPA communicated the case to the Spanish DPA (AEPD) pursuant to the Internal Market Information System.

The AEPD initiated an investigation. Through its own investigation of the webpage, the AEPD confirmed that on the redirected page, only technical or necessary cookies were used. Additionally, it noted that the information noted in the Cookie Policy was accurate. The AEPD concluded that it was not necessary to provide a ‘Reject’ button under these circumstances.

The data subject filed an internal appeal focusing on three claims. First, the data subject argued that the Austrian DPA, as the authority to whom the complaint was submitted, failed to notify the data subject of the AEPD’s decision in violation of Article 60(8) GDPR. Second, the data subject argued that the AEPD failed to consider the data subject’s complaint and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner, Google Analytics cookies which are not strictly necessary are installed. Such cookies can only be installed where valid consent has been obtained – the cookie banner, however, offered no permanently visible option to withdraw consent and required multiple steps (as discussed above) in violation of Article 7(3) GDPR.

Holding

The AEPD dismissed the appeal, concluding that only the Spanish ePrivacy Law is relevant to the case, not the GDPR.

First, the AEPD rejected the data subject’s argument that the complaint should have been heard by the Austrian DPA. The AEPD noted that the Spanish ePrivacy Law regulates information society services established in Spain. Since the controller’s headquarters and website domain were in Spanish territory, the ePrivacy Law applied and the AEPD was competent to hear the case. Further, the AEPD concluded that only the ePrivacy Law, not the GDPR, applied in this case because it was more specific to the facts at issue.

The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims, and it was insufficient to do so.

Finally, the DPA dismissed the third argument because it was not raised in the initial claim.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/8








     Procedure No.: EXP202301323 (AI/00057/2023)

                     Replacement Appeal No. RR/00111/2024


Examined the appeal for reconsideration filed by A.A.A. through the COMMISSION
EUROPEAN INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria),
against the resolution issued by the Director of the Spanish Agency for the Protection of
Data in the procedure AI/00057/2023, for violation of the provisions of the Law
34/2002, of July 11, on Information Society Services and Commerce
Electronic (LSSI) and based on the following:


                                       FACTS

FIRST: On 01/25/24, the Director of the Spanish Agency for the Protection of
Data issued Resolution to File Actions in procedure AI/00057/2023,
open to the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:

B82320227, owner of the website https://www.canaltnt.es, for the alleged
violation of article 22 of the LSSI.

The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF
INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded
on the record.


SECOND: As proven facts of the aforementioned procedure, there was evidence of
the following:

    - When trying to enter the website that is the subject of the claim, https://www.canaltnt.es,

       It was found that this no longer existed, redirecting the user to a new page
       website, https://www.warnertv.es whose owner is the entity Discovery Networks SL,
       with CIF B-86815560, different from the entity initially claimed, (Turner
       Broadcasting System España, with CIF.: B82320227).

THIRD: On 02/14/24, this Agency has received a written appeal for

replacement presented by the appellant, in which it stated the following:

       FIRST – Lack of notification by the DSB

       1. On January 24, 2024, the AEPD adopted its resolution, which was notified
       to this part on January 29, 2024. However, according to the

       article 60(8) GDPR is the supervisory authority to which the
       claim, i.e. the DSB, who should have adopted and notified the
       resolution to the person interested in this case.

       2. Therefore, the resolution adopted by the AEPD must be considered null
       of right, as provided in article 47(1)(b) LPACAP.


       SECOND – The AEPD did not consider the facts or the petition of the claim

       3. The AEPD did not consider the specific circumstances of the visit of the
       website of this party, set forth in the claim in detail. In fact,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/8








       It seems that the AEPD decided based on the banner that appeared on the
       website of the controller during your own visit.

       4. However, the control authority must provide an effective response to the
       individual situation of the interested party, taking into account the circumstances

       individuals and the facts about which the claim presented by the
       interested. This follows from Considering 141 GDPR, from Article 77.
       RGPD and Article 65(3)(b) of the LOPDGDD.

       5. In addition, this party requested in its complaint various measures to be adopted
       by the AEPD (see First Fact). The formulated petitum determines

       specifically requested and underlines the need for an evaluation of the
       individual situation of this part. In particular, the person responsible continues to try
       the personal data of this party unlawfully.

       6. In light of the configuration of the claim ex article 77(1) GDPR that

       “is conceived as a mechanism capable of effectively protecting the
       rights and interests of the interested parties” it is beyond any doubt that the
       AEPD should have responded to what was requested by this party. It
       directly agrees with the provisions of article 88(2) LPACAP. No
       However, the AEPD resolution does not provide a concrete response to this petition.
       part.


       7. Therefore, the resolution must be annulled in accordance with art 48(1)
       LPACAP.

       B. MATERIAL ASPECTS


       THIRD – The AEPD applies an erroneous criterion

       8. As stated above, this party visited the website of the controller and,
       in addition to not having an equivalent option to reject the use of the
       cookies in the first layer of the banner (violation type A, C, D, E), checked
       that there was no easy possibility to withdraw consent

       awarded (type K violation).

       9. On the other hand, in the appealed resolution the AEPD states that during its own
       visit the person responsible only installed strictly necessary cookies, so no
       It was not necessary to offer an option to reject cookies, nor an option
       to withdraw consent.


       10. However, upon checking this part again on the website
       https://www.warnertv.es/, it is observed that after selecting “Accept” in the
       banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google are installed
       Analytics. These are cookies that can only be installed in the case of

       have obtained valid consent (Annex 1).

       11. Although the person responsible has implemented two equivalent options in
       its banner cookie, does not offer a permanently visible option that allows
       withdrawal of consent. At the bottom of the main page there is only one link

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/8








       to the privacy policy, in which there is a link to the “Portal of
       request for individual rights” (in English). On this portal you can then
       send an email to withdraw consent. This does not represent

       a possibility to “revoke consent easily” and “at any time”
       moment” as required by article 7(3) GDPR and as provided in the
       AEPD in relation to the withdrawal of consent.2

       12. From the above it follows that the AEPD is based on a verification
       which turns out to be wrong. The controller uses Google Analytics cookies that do not

       They are strictly necessary. However, the person responsible still does not offer
       a simple possibility to withdraw consent once given.

       13. From what is stated in this FJ it follows that the criterion adopted in the resolution
       appealed is contrary to the legal system and must be annulled.


       By virtue of what is stated in this writing, and in accordance with the
       mentioned provisions, this part

       REQUESTS: I. That an APPEAL OF
       REPLACEMENT against the resolution of the Director of the Spanish Agency of

       Data Protection of January 24, 2024 within the framework of the procedure
       with file number EXP202301323, and, after admitting it, the
       investigative actions that are necessary, in accordance with the
       applicable procedural and material standards. II. That the nullity be declared
       of the resolution appealed for the reason stated in the

       legal basis first and that the continuation of the
       procedure. III. That, if full nullity is not declared,
       the appealed resolution is annulled for the reasons set out in the grounds.

                            FOUNDATIONS OF LAW


                                            Yo
                                      Competence.

The Director of the Spanish Agency is competent to resolve this appeal.
of Data Protection, in accordance with the provisions of article 123 of the Law

39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI.

                                            II
                             Response to the allegations


In relation to the statements made by the appellant, it is worth noting the
following:

First: The appellant alleges in the section “First, points 1-2”, of the FJ of

his writing that the resolution should have been made by the Austrian supervisory authority,
in accordance with article 60(8) RGPD and therefore, the resolution adopted by the AEPD
must be considered null and void, according to article 47(1)(b) LPACAP.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/8








Well, with respect to this allegation, it must be clarified that Spanish Law governs
the “Principle of Regulatory Specialty”, which, in essence, refers to the fact that,
There is a special standard (LSSI) and a general standard (RGPD) that regulate a

concrete fact, the first prevails over the second.

This principle does not mean that, in the event of application of both standards (one
general rule and another special one), the first is repealed, but the
simultaneous validity of both rules, although the special rule will be applied with
preference to the general rule in those cases contemplated in it.


Regarding the case at hand, there is such a coincidence, that is, in the Ordinance
Spanish Legal System, two regulations coexist, one of a general nature such as the RGPD and
another of a special nature, such as the LSSI that regulates the same facts.


If we look at what Article 1 of the GDPR establishes, its purpose is the following:

       1.This Regulation establishes the rules relating to the protection of
       natural persons with regard to the processing of personal data and
       rules relating to the free circulation of such data.


       2.This Regulation protects the fundamental rights and freedoms of
       natural persons and, in particular, their right to data protection
       personal.

       3.The free circulation of personal data in the Union may not be

       restricted or prohibited for reasons related to the protection of
       natural persons with regard to the processing of personal data.

While the object of the LSSI, established in its article 1, indicates that:


       1. The object of this Law is the regulation of the legal regime of the
       services of the information society and contracting via
       electronic, regarding the obligations of service providers
       including those who act as intermediaries in the transmission of content
       through telecommunications networks, commercial communications via
       electronic, information before and after the conclusion of contracts

       electronic devices, the conditions relating to their validity and effectiveness and the regime
       sanction applicable to service providers of the society of the
       information.

       2. The provisions contained in this Law will be understood without prejudice to the

       provided in other state or regional regulations outside the regulatory scope
       coordinated, or that have as their purpose the protection of health and safety
       public, including the safeguarding of national defense, the interests of the
       consumer, the tax regime applicable to the services of the society of the
       information, the protection of personal data and the regulations governing

       competition defense.

For its part, article 2 of the aforementioned standard (LSSI) establishes that:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/8








       1. This Law will apply to the service providers of the society of
       the information established in Spain and the services provided by them.


       It will be understood that a service provider is established in Spain
       when your residence or registered office is in Spanish territory,
       as long as these coincide with the place where it is actually
       centralized administrative management and direction of its businesses. In other
       case, the place where said management or direction is carried out will be taken into account.


Therefore, in application of the “Principle of Regulatory Specialty”, the
application of the specific standard, that is, the LSSI, on the general standard, the RGPD,
by having the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:
B82320227, its headquarters in Spanish territory, as well as the domain of its website (.es).


Regarding the jurisdiction to hear the case, article 43.1 of the LSSI,
establishes the following: (…) Likewise, it will be up to the Human Rights Protection Agency
Data on the imposition of sanctions for the commission of infractions classified in the
articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…). and what is established in the
articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,


While article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


And the fourth additional provision of said standard establishes, with respect to the
powers attributed to the AEPD by other laws, which: "The provisions of Title VIII
and in its development regulations will be applicable to the procedures that the Agency
Spanish Data Protection Agency had to process in exercise of its powers

that were attributed to it by other laws."

Therefore, since the claimed entity has its registered office in Spanish territory, it is
competent to hear the claim, the Spanish Data Protection Agency,
based on the provisions of 43.1 of the LSSI, article 63.2 of the LOPDGDD and
Fourth additional provision of said rule to the detriment of the control authority

Austrian

Second: The appellant states in the section “Second, points 3-7” of the
FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances
specific to the visit to the appellant's website, based solely,

for the resolution of the file, in the verification that the AEPD itself made of the
information banner that appears on the website, without responding to what was requested
in the claim, forgetting the requests made by the appellant…”

To respond to this allegation, we must start from the principle that governs all

judicial or administrative procedure such as the “Principle of Presumption of
Innocence”, which guarantees, in Spanish law, not to suffer a sanction that does not
is based on a previous evidentiary activity on which the body
competent person can base a reasonable judgment of guilt, and entails, among

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/8








other demands, that of the Administration proving and, therefore, motivating, not only the
facts constituting the infringement, participation in such facts and the
circumstances that constitute a graduation criterion, but also guilt

that justifies the imposition of sanction (among others, SSTC 76/1990, of April 26;
14/1997, January 28; 209/1999, of November 29 and 33/2000, of November 14
February).

Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the
administration that proves guilt because "it is not the interested party who has to

prove lack of guilt."

The presumption of innocence, a fundamental right of citizenship according to art 24.2
of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights,
It is expressly included in our regulations for the procedures

administrative sanctions where among the rights of the interested party in the
disciplinary administrative procedure will have the right "To the presumption of not
existence of administrative responsibility until the contrary is proven."

And as the STS 04/28/2016 (RC 677/2014) said: "it may mean that the
right to the presumption of innocence, which applies without exception in the field of

administrative sanctioning procedure, according to the Constitutional Court in
ruling 66/2007, of March 27, means that "no sanction can be imposed
"any that is not based on a previous lawful evidentiary activity", and implies
also the recognition of the right to an administrative sanctioning procedure
due or with all the guarantees, that respects the principle of contradiction and in which the

alleged perpetrator has the opportunity to defend his own positions,
prohibiting the initiation of disciplinary proceedings when it is appreciable
unequivocally or manifests the absence of rational indications that it has been
committed an infringing conduct, or in which illegality or illegality is absent.
culpability"


What the Public Administration cannot is raise administrative responsibility in
the facts presented by the complaining party, without first verifying the veracity of the
themselves. In the case at hand, this verification was based on the review of the
website object of the claim (https://www.canaltnt.es), where it was verified
that it no longer existed, redirecting the user to a new web page

belonging to a different owner.

Third: The appellant states in the section “Third.- points 8 to 13” that at
check the new website https://www.warnertv.es/, it is observed that after
Select “Accept” in the banner and the cookies “_ga” and “_ga_1PMD2PL02L” are installed

of Google Analytics, which are not strictly necessary and that there is no
possibility of withdrawing consent once given.

First of all, we must mention that the website https://www.warnertv.es, to which
which the appellant mentions in her appeal for reconsideration, the website was not the object of

initial claim, so its analysis is not appropriate within the scope of this appeal.
replacement.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/8








However, having said the above, it is worth remembering that, although this new website
(https://www.warnertv.es) comes up due to the fact that when trying to access the
web page that was the subject of the initial claim https://www.canaltnt.es, this redirected to the
user to the new page.


Now, the appellant states that, on this new web page
https://www.warnertv.es observes that, when the user gives consent, the
website begins to use two new cookies that are not of a technical nature (“_ga” and
“_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that the
possibility of withdrawing consent once given by requesting this Agency
that the investigative actions that are necessary to be carried out

clarify the facts you claim.

Therefore, this is a new fact not mentioned in the initial claim. The
The appellant cannot claim that at the appeal stage the
facts that he did not express in a previous procedural phase.


The LPACAP provides in its article 118 the following procedural rule: “No
account in the resolution of the resources, facts, documents or allegations of the
appellant, when, having been able to provide them in the processing of allegations, he does not
I've done. Nor may the taking of evidence be requested when the lack of
realization in the procedure in which the appealed resolution was issued outside

attributable to the interested party.” This standard contains a rule that is nothing more than the
positive concretion for the common administrative sphere of the general principle that the
The law does not protect the abuse of rights (article 7.2 of the Civil Code). This principle
Its purpose, among others, is to prevent the processing of allegations from being useless and
evidence of the application procedures, as would result if the interested parties
could choose, at their discretion, the moment at which to present evidence and allegations,

since this would be contrary to an elementary procedural order.

All of this, without prejudice to the possibility of submitting a new claim if you consider
that such events violate regulations that confer powers on the Spanish Agency
of Data Protection.
                                           III

                                      Conclusion

Consequently, in the present appeal for reconsideration, the appellant has not
provided new facts or legal arguments that allow reconsideration of the validity
of the contested resolution.


Considering the aforementioned precepts and others of general application, the Director of the Agency
Spanish Data Protection
                                     RESOLVES:

FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through

THE EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS
(IMI- Austria), against the archiving resolution issued by the Director of the Agency
Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023,



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/8









SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION
INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with the
art. 77.2 of the GDPR.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative route, it may be filed in the

period of two months counting from the day following the notification of this act
as provided in article 46.1 of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, contentious-administrative appeal before the
Contentious-administrative Chamber of the National Court, in accordance with the

provided in article 25 and in section 5 of the fourth additional provision of the
referred legal text.



Sea Spain Martí
Director of the Spanish Data Protection Agency.









































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es