AEPD - AI/00289/2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 60 GDPR Artículo 22 LSSI |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | 11.10.2023 |
Published: | |
Fine: | n/a |
Parties: | CaixaBank S.A. |
National Case Number/Name: | AI/00289/2023 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | co |
The Spanish DPA (AEPD) issued a decision on the processing of personal data by CaixaBank S.A., the controller, holding that the design of a cookie banner respected its “Guidelines on the use of cookies” of 2020.
English Summary
Facts
A data subject visited the website of the controller, and a cookie banner displayed, showing the options “accept” and “configure or reject use of cookies” the first being included in a button, written in white against a blue background and the latter option is designed as a link in the text of the banner. By accepting cookies, several cookies were installed on the complainant’s device and unique identifiers about the data subject were stored on the controller’s servers and transmitted to third parties; by clicking on “configure or reject use of cookies”, the data subject was redirected to a second layer showing the different categories of non-necessary cookies that one can tick and accept or leave unticked and thus reject, and save the settings. The option to reject cookies is thus only available in the second layer of the banner. In light of these features, the data subject claimed that the way in which the cookie banner was designed violated the GDPR and the consent given through such a banner cannot be considered a valid consent under Article 6(1)(a) GDPR and Article 4(11) GDPR.
Further, upon accepting, there appears to be no easy way for withdrawing one’s consent, since this can only be done by clicking on a link at the bottom of the webpage, “cookie policy”, which leads to the second layer of the banner where the cookie settings were displayed and where there is an option to untick cookies and save settings. This, according to the complainant, constitutes a violation of Article 7(3) GDPR.
Accordingly, the data subject, represented by noyb (European Centre for Digital Rights) filed a complaint with the Austrian DPA (DSB) against the controller and asked the DSB to order the controller to stop all processing operations and delete the complainant’s personal data and inform the third party service providers about the deletion, as per Article 17 GDPR and Article 19 GDPR. The DSB forwarded the complaint to the AEPD as the Lead Supervisory Authority in this case, which handled the case in line with Article 60 GDPR.
Holding
The AEPD considered all the facts and submissions by both parties and assessed the legality of the cookie banner showed on the webpage based on its own visit of the site.
First of all, the AEPD noted that the new version of the Guidelines on the use of cookies of July 2023 is meant to integrate the principles set out by the EDPB in its “Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them”, specifically, as regards the fact that the option to reject cookies should be included in the first layer of a cookie banner, so that it results as easy to grant as to reject consent. However, the AEPD stated that the new Guidelines will only be enforced from January 2024, at the latest, in order to allow for a transition period in which website operators will have time to adapt to them. In the meantime, the AEPD would continue to apply its Guidelines of 2020 .
As regards the fact that there was no reject button in the first layer of the cookie banner, the AEPD considered it lawful that the option to reject cookies is given in the second layer of the banner, since the “configure cookies” link leads to a layer where users have the chance to granularly choose the cookies to allow. This, the AEPD held, is in line with the provisions of the LSSI (Law of Information Society Services and Electronic Commerce). Also, the fact that the reject and accept options are presented, respectively, as a link and a button with higher contrast background, was not considered to be an issue by the AEPD, because, as submitted by the controller, these are accepted as valid design options in the 2020 Guidelines.
With respect to the possibility to withdraw one’s consent, the AEPD held that it is sufficient that the user of a webpage has access to a link redirecting to the cookie settings, in order for it to be compliant with Article 22 LSSI.
Consequently, the AEPD did not adopt any measures against the controller and archived the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 NOYB - EUROPEAN CENTER FOR DIGITAL RIGHTS (XXXXXXXX) XXXXXXXXXXXXXXXXXX XXXXXXXX On October 11, 2023, the Director of the Spanish Data Protection Agency has issued the following resolution signed electronically: File No.: EXP202307481 (AI/00289/2023) RESOLUTION OF FILE OF ACTIONS Of the actions carried out by the Spanish Data Protection Agency and having as a basis the following: FACTS FIRST: On 06/02/23 this Agency received a written claim for XXXXXXXXXXXXXXXXXXXX, through the EUROPEAN COMMISSION EXCHANGE SYSTEMS INTERNAL MARKET (IMI- Austria). The claim was directed against the entity CAIXABANK, S.A., XXXXXXXXXXXXXXXXXXXXXX, owner of the website, URL1., (hereinafter, the part claimed), for the alleged violation of data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, relating to Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and against Law 34/2002, of July 11, Information Society Services and Electronic Commerce (LSSI). The reasons on which the claim was based were, with respect to the breaches in the Cookies Policy of the page in question, the following: - The “Reject Cookies” option only in the second layer: While the banner provides a button to accept all activities of relevant processing and a button that allows the interested party to access other options, the controller deliberately concealed the option of refuse relevant treatment activities. To refuse treatment, the complainant had to click on the button that gives place to the second layer. In other words: the complainant can accept the relevant treatment activities with one click on the first layer, but you need two (or more) clicks to deactivate and reject the relevant processing activities in the second layer. The person responsible has deliberately decided to hide a rejection option in the first layer of the banner. There is no logical, technical or ethical reason to hide the option of rejection beyond confusing the interested parties or making the denials are more burdensome and unlikely. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/13 - Design in the link: The button that gives rise to the option to reject processing activities relevant uses a link design (for example, bold text, underlined or underlined), while the “ok” button uses a typical layout (context box in it). Accept and continue browsing is a blue button with white text, while “configure or decline” is just a link in the banner text, away from the button "accept". - Withdrawal of consent is not as easy as granting consent: The option to accept relevant treatment activities occupies a place featured on the banner; However, the complainant could not easily find the option to withdraw consent. There was no prominent banner of "withdrawal" or any similar option. SECOND: On 07/05/23, in accordance with the provisions of article 65.4 of the LOPDGDD, on behalf of this Agency, transferred said claim to the party claimed, so that it could proceed with its analysis and report, within a period of one month, on what was set out in the statement of claim. THIRD: On 07/18/23, the claimed party sends a written response to this Agency in which it states, among others, the following: “This claim is based on the fact that the banner about consent to the use of cookiesdoes not include a right cookie reject button on the first layer, but is included a link to configure or reject the use of cookies in a second layer. In relation to this claim, we would like to inform you that, in our opinion, the configuration of the cookie banner of the aforementioned website is aligned with the requirements and criteria established by the Spanish Data Protection Agency and more specifically with the so-called “third option” identified in the Guide on the use of cookies, issued by the Agency in June 2022, which is defined as the possibility of offering the user two options, one to expressly accept the cookies used and another to configure or reject the use of cookies (page 21 of the referred Guide). Below is a detail of the banner format on the use of cookies. to which we are referring: If the user clicks on “MORE INFORMATION” or on “CONFIGURE OR REJECT ITS USE” (note that these links are included in capital letters, underlined and with another color highlighting them), the user is directed to the second layer, the cookie policy, in which you can configure the use of cookies to your liking own criteria (URL1.). By default, all unnecessary cookies appear unchecked, so that the user individually select the ones you want to install. If you do not select any, understand that all non-necessary cookies are rejected (by clicking on the “Save” button and continue"). In relation to the above, please inform us additionally that the banner above and the configuration on the use of cookies was reviewed by Autocontrol in May 2023, within its “Cookie advice” service, in which it was highlighted that this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/13 configuration of the cookie banner and the acceptance and acceptance mechanisms configure/reject the use of cookies were aligned with the applicable criteria aforementioned. For all of the above, we consider that there is no basis for the claim made before CaixaBank, since the banner on the use of cookies and their configuration is are aligned with the applicable criteria defined by the Spanish Agency for Data Protection. The configuration on the use of cookies has been reviewed and adapted to the criteria published by the Spanish Data Protection Agency as they have been been updating. The latest relevant adaptation of the cookie banner and policy of cookies was carried out in 2022 on the occasion of the adaptation to the Guide on the use of cookies from June 2022, having carried out periodic reviews also with Self-control, the last of them in May 2023, as indicated before.” FOURTH: Dated 08/23/23, by the Director of the Spanish Protection Agency of Data, an agreement is issued to admit the processing of the claim presented, in accordance with article 65 of the LPDGDD Law, when appreciating possible rational indications of a violation of the rules within the scope of the powers of the Spanish Agency for Data Protection. FOURTH: On 09/19/23, this Agency accessed the website, URL1., filling out the following characteristics about its “Cookies Policy”: 1.- Regarding the use of non-necessary cookies, before the user provides their consent: When entering the website for the first time, once the terminal equipment has been cleaned of history navigation and cookies, without accepting new cookies or performing any action on the page website in question, the use of the following cookies is detected: utag_main Tealium storing an id unique, records a timestamp of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/13 When the user visits the site, the better user experience. userAgentlnfo different devices. 2.- About the cookie information banner in the first layer: When entering the website for the first time, once the terminal equipment has been cleaned of history navigation and cookies, without performing any action on the website, a banner appears information about cookies at the bottom of the main page with the following message: statistical, personalization (e.g., language) and advertising, including showing you Personalized advertising based on a profile created based on your browsing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/13 Click to have <<MORE INFORMATION>> or to <<CONFIGURE OR REJECT ITS USE>>. You can also accept all cookies by clicking the “Accept and continue browsing” button. <<accept and continue browsing>> a.-If you choose to accept cookies that are not necessary techniques by clicking on the option <<Accept and Continue Browsing>>, check how the website begins to use the following own and third-party cookies that are not technical or necessary: b.- If you wish to continue browsing without authorizing the use of cookies that are not technical or necessary, you must first access the second layer, clicking on the <<CONFIGURE option ORDEJECTUSSO>>, through which, the website displays a control panel where it appears, among other information, the following legend: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/13 URL2. “(…) OWN COOKIES: These are those with respect to which CaixaBank S.A. is responsible for the information that is being treated. On this website we use our own cookies with the following purposes: _ Personalization: allow you to customize some features of the site website to differentiate the experience of one user from that of others (for example For example, define the navigation language and wallpaper, remember the last searches performed in the search engine, etc.). _ Analysis: collect information about user behavior during the navigation (most visited pages, time spent on the website, etc.) to, based on the analysis of that information, introduce improvements in the contents and services offered (for example, optimizing response times in the most visited in CaixaBankNow). THIRD PARTY COOKIES: These are those with respect to which third parties other than CaixaBank S.A. are responsible for the information being processed. Below are details of both the third parties such as the purposes for which the information is used: _Personalization: allow you to customize some features of the website to differentiate the experience of one user from that of others (for example, defining the language of navigation, remember the last searches performed in the search engine, etc.). • Adobe Target More information • YouTube More information • Adobe More information • Adobe Audience Manager More information • Trade Desk More information • Sizmek More information _ Analysis: collect information about user behavior during the navigation (most visited pages, time spent on the website, etc.) to, at based on the analysis of this information, introduce improvements in content and services offered • Adobe Target More information • YouTube More information • Adobe More information • Facebook More information • Adobe Audience Manage More information • Trade Desk More information • Sizmek More information • Adobe Analytics More information _ Behavioral advertising: they store information about the behavior of the user, obtained by observing their browsing habits (for example, what pages visited), to develop a specific profile that allows you to show advertising personalized based on your tastes and interests. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/13 • Doubleclick More information • Google More information • Facebook More information • Adobe Audience Manager More information • Linkedin More information • Trade DeskMore information • Sizmek More information It is verified that the groups of cookies (own and third parties) that are not technical or necessary are not pre-marked when accessing the control panel. For granular cookie management, the user can mark cookie groups you want to allow or not check any. Then the website offers the following box to continue browsing once the user has decided which cookies you allow or not: - If you wish to reject all cookies that are not technical or necessary, you must click directly in the option <<Save and Continue>> - If you wish to allow the use of a certain group of cookies other than technical or necessary, once you accept the group of cookies, you must also click in the <<Save and Continue>> option. - There is also the possibility of accepting all cookies that are not technical or necessary by clicking on the option <<Enable all and continue browsing>> (…)”. 3º.- About the information provided in the “Cookies Policy”: If you access the “Cookie Policy” through the existing link in the information banner about cookies <<More information>> or through the link at the bottom of the page main page, the website redirects the user to a new page URL3. where provided information about: what cookies are; What is the purpose of the information collected through the cookies; What type of cookies exist and what cookies the website uses. Also provides information on how to manage cookies through existing mechanisms in the browser installed on the terminal equipment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/13 Along with this information, the cookie control panel indicated in point also appears. above where you can manage, in a granular way, the different groups of cookies. 4º.- Regarding the possibility of modifying the consent given regarding cookies, in any time of web browsing. If the user has given initial consent for the website to use cookies that are not technical or necessary and wish, at a certain time, to modify said consent, there is the possibility of accessing the cookie control panel permanently located in the bottom of the page <<Cookie Policy>>. If you click on this option, the cookie control panel shown above appears with the groups of cookies that have been allowed to use marked. The user can uncheck all cookie groups, or only those they do not want Use again. Then you must click on the <<Save and Continue>> option, checking that the website stops using cookies that have been rejected. FOUNDATIONS OF LAW YO. Competence. Regarding the “Cookies Policy” of the URL1. website, you are competent to initiate and resolve this Procedure, the Director of the Spanish Data Protection Agency, of in accordance with the provisions of art. 43.1, second paragraph, of the LSSI. The fourth additional provision of the LOPDGDD establishes, on the "Procedure in relation with the powers attributed to the Spanish Data Protection Agency by other laws", that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Data Protection Agency had to process in exercise of the powers attributed to it by other laws." II.- Previous note The Spanish Data Protection Agency has updated the Guide on the use of cookies to adapt it to the Guidelines 03/2022 on misleading patterns of the European Committee of Data Protection (CEPD). The European Data Protection Board published Guidelines 03/2022 in February 2023 on deceptive patterns in social networks. The Agency incorporates the new version of the Guide the criteria of the European Committee, which states that the actions of accepting or rejecting cookies must be presented in a prominent place and format, and both actions must be at the same level, without it being more complicated to reject them than to accept them. The Guide includes new examples on how these options should be displayed offering indications on, among other things, others, the color, size and place in which they appear. The criteria included in the Guide must be implemented no later than January 11, 2024, thus establishing a transitional period of six months to introduce the changes C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/13 necessary for the use of cookies. In the meantime, the criteria will continue to be applied marked in the Guide on the use of cookies published in 2020. III.- About the “Cookies Policy” of the URL1 website. Establishes article 22 of the LSSI, regarding the “Rights of recipients of services of the information society and electronic commerce” the following: 1. The recipient may revoke at any time the consent given upon receipt of communications com ercials with the simple notification of your will to the sender. To this end, service providers must enable simple and free so that recipients of services can revoke the consent they they would have lent. When the communications have been sent by mail electronic means, said means must necessarily consist of the inclusion of a email address or other valid electronic address where you can exercise this right and it is prohibited to send communications that do not include that address. Likewise, they must provide information accessible by electronic means on said procedures. 2. Service providers may use storage devices and recovery of data on terminal equipment of the recipients, provided that they have given their consent after they have been provided with clear and complete information on its use, in particular, on the purposes of the processing of data, in accordance with the provisions of Organic Law 15/1999, of 13 December, protection of personal data. Where technically possible and effective, the recipient's consent to Accepting data processing may be facilitated by using the parameters browser or other applications. The foregoing will not prevent possible storage or access of a technical nature to the sole purpose of carrying out the transmission of a communication over a communications network electronically or, to the extent strictly necessary, for the provision of an information society service expressly requested by the addressee. Well, in application of the provisions of article 22 of the LSSI and taking into account the established in the Guide on Cookies- 2020, we can verify the following, regarding the “Cookie Policy” of the website, URL1. a).- Regarding the installation of cookies on the terminal equipment prior to consent: Article 22.2 of the LSSI establishes that users must be provided with clear and Complete information on the use of data storage and recovery devices C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/13 and, in particular, about the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie involves processing that enables the identification of the user, those responsible for the treatment must ensure the compliance with the requirements established by data protection regulations. However, it is necessary to point out that they are exempt from compliance with the obligations established in article 22.2 of the LSSI those cookies necessary for the intercommunication of terminals and the network and those that expressly provide a service requested by the user. In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies excepted would be the user input Cookies” (those used to fill out forms, or such as managing a shopping cart); authentication or user identification cookies (session); user security cookies (those used to detect attempts erroneous and repeated connections to a website); player session cookies multimedia; session cookies for load balancing; customization cookies user interface and some plug-ins for exchanging social content. These cookies would be excluded from the scope of application of article 22.2 of the LSSI, and, therefore Therefore, it would not be necessary to inform or obtain consent regarding its use. For him Otherwise, it will be necessary to inform and obtain the user's prior consent before the use of any other type of cookies, both first and third party, session or persistent. In the verification carried out by this Agency on the website in question, it was possible to verify that, upon entering the website for the first time, without accepting cookies or performing any action on same, 3 cookies are used, two of which have been detected as strictly necessary (“utag_main” and “userAgentlnfo”) and another (__bg_cxbnk_fpcachecc), whose purpose is not has been able to be detected. Therefore, in the present case, no evidence has been obtained from which it can be inferred that the use of cookies by the website in question, prior to the consent of the user, contradicts what is stipulated in the LSSI. b).- About the cookie information banner existing in the first layer (page major): The cookie banner of the first layer must include information regarding the identification of the editor responsible for the website, in the event that its identifying data does not appear in other sections of the page or its identity cannot be detached evident from the site itself. It must also include a generic identification of the purposes of the cookies that will be used and whether they are our own or also from third parties, without it being It is necessary to identify them in this first layer. In addition, it must include generic information about the type of data to be collected and used in case of profiling users and must include information and how the user can accept, configure and reject the use of cookies, with the warning, if applicable, that, if a certain action, it will be understood that the user accepts the use of cookies. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/13 In the case at hand, in the information banner about cookies existing in the first layer of the web, identifies in a generic way, the purposes for which the cookies and whether these are our own or also from third parties. “(…) CaixaBank uses its own and third-party cookies to analyze your browsing for statistical, personalization (e.g., language) and advertising, including showing you advertising personalized from a profile created based on your navigation (…)”. Therefore, in the present case, in accordance with the evidence available at this time, It is considered that the information provided about the “cookie policy” in the banner of information existing on the main page does not contradict what is stipulated in the LSSI. c).- Regarding consent to the installation of cookies on the terminal equipment: For the use of non-excepted cookies, it will be necessary to obtain the consent of the user expressly. This consent can be obtained by clicking, “accept”. or inferring it from an unequivocal action carried out by the user that denotes that the consent has been produced unequivocally. Therefore, the mere inactivity of the user, scrolling or browsing the website will not be considered, for these purposes, a clear action affirmative under any circumstances and will not imply the provision of consent by itself. same. Similarly, access to the second layer if information is presented in layers, as well as the navigation necessary for the user to manage their preferences in relation to the cookies in the control panel, it is not considered an active conduct that can derive the acceptance of cookies. The existence of “Cookie Walls”, that is, pop-up windows, is also not permitted. that block the content and access to the website, forcing the user to accept the use of the cookies to be able to access the page and continue browsing without offering the user any type alternative that allows you to freely manage your preferences regarding the use of the cookies. If the option is to direct a second layer or cookie control panel, the link must be the user directly to said configuration panel. To facilitate selection, in the panel In addition to a granular cookie management system, two more buttons can be implemented, one to accept all cookies and another to reject all. If the user saves his election without having selected any cookie, it will be understood that you have rejected all cookies. In relation to this second possibility, in no case are the boxes admissible pre-marked in favor of accepting cookies. If for the configuration of cookies, the website refers to the configuration of the installed browser in the terminal equipment, this option could be considered complementary to obtain the consent, but not as the only mechanism. Therefore, if the editor opts for this option, must also offer and in any case, a mechanism that allows rejecting the use of cookies and/or do it in a granular way. In the case at hand, although there is no button on the information banner of the first layer that makes it possible to reject all cookies that are not technical or necessary, if possible reject them all at once through the control panel or do it on a granular basis. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/13 Therefore, in the present case, in accordance with the evidence available at this time, It is considered that the management of cookies that are not technical or necessary for the website is not contradicts what is stipulated in the LSSI. d).- The possibility of withdrawing the consent previously given regarding the use of cookies The withdrawal of the consent previously given by the user may be carried out in any moment. To this end, the publisher must offer a mechanism that makes it possible to withdraw the consent easily at any time. It will be considered that this facility exists, for example, when the user has simple and permanent access to the management system or cookie settings. If the editor's cookie management or configuration system does not allow you to avoid its use of third-party cookies, once accepted by the user, information will be provided about the tools provided by the browser and third parties, and must warn that, if the user accepts third-party cookies and subsequently wishes to delete them, they must do so from your own browser or the system enabled by third parties for this purpose. In the case at hand, if it is possible to modify said consent given to the use of non-technical or necessary cookies at any time while browsing the web, through the link <<Cookie Policy>>, existing at the bottom of the website, through which The cookie control panel appears to be able to modify the selection initially done. Therefore, in the present case, in accordance with the evidence available at this time, the possibility of withdrawing the consent given at any time through the link existing at the bottom of the website <<Cookie Policy>> does not contradict what is stipulated in article 22 of the LSSI. Therefore, in accordance with what was indicated, by the Director of the Spanish Protection Agency of data, HE REMEMBERS: FIRST: PROCEED TO THE ARCHIVE of these proceedings. SECOND: NOTIFY this resolution to the entity CAIXABANK, S.A and the party claimant. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution is will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the cited Law 39/2015, of October 1, interested parties may optionally file appeal for reconsideration before the Director of the Spanish Data Protection Agency in the period of one month counting from the day following the notification of this resolution or directly administrative contentious appeal before the Contentious Chamber - administrative of the National Court, in accordance with the provisions of article 25 and the section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/13 the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. XXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXX Spanish Data Protection Agency What is notified for appropriate purposes in accordance with art. 40 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (BOE of 2-10) and as established in art. 29.2, section b) of Royal Decree 389/2021, of 1 June, by which the Statute of the Spanish Data Protection Agency is approved. XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXX Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es