AEPD (Spain) - PS/00092/2020

From GDPRhub
AEPD - PS/00092/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 58(2) GDPR
Article 83(5)(b) GDPR
Ley de servicios de la sociedad de la información y de comercio electrónico
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: AAA
GROW BEATS S.L.
National Case Number/Name: PS/00092/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: n/a

Spanish DPA fines a web site for not applying the provisions of Article 13 GDPR, which sets out the information to be provided to the data subject at the time his or her personal data is collected.

English Summary

Facts

The website referred in its privacy policy to the previous Spanish Data Protection Law, but it had not been adapted to the GDPR and did not provide the user with the information set out therein at the time of collection of their personal data.

Dispute

Holding

The Spanish DPA issued a reprimand to the company for not complying with Article 13 GDPR, since it failed to even mention the GDPR in its Privacy Policy.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION ON DISCIPLINARY PROCEEDINGS
In the sanctioning procedure PS/00092/2020, conducted by the Spanish Data Protection Agency against the entity GROW BEATS SL, with CIF B02623601, owner of the website ***URL.1 (hereinafter "the requested entity"), for alleged infringement of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/16, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (RGPD), and for alleged infringement of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), based on the following
BACKGROUND
FIRST: On 16/05/19, the following complaint was filed with this Agency by Ms. A.A.A. (hereinafter, "the complainant"), in which she indicated, among other things, the following:
"On April 1, 2019, I placed an order for two pairs of headphones on the website ***URL.1. Nowhere on this website is the actual name of the company, the CIF, nor the physical address of the entity. Neither is there any reference to the data protection law that online stores are obliged to indicate. When you pay by card, you are not sent to a secure gateway".
SECOND: In view of the facts set out in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to take action for clarification, under the investigative powers granted to the supervisory authorities in Article 57(1) of Regulation (EU) 2016/679 (RGPD). Thus, on 12/07/19, 15/12/19 and 20/01/20, information requests were addressed to the requested entity.
THIRD: On 25/02/20, the requested entity submitted a written statement to the Agency, in which, among other things, it indicates:
"Sorry for the delay in responding to this but for various reasons it has been impossible for us to do so more promptly. Likewise, we appreciate the consideration of sending a copy of the same in paper format, since this is a newly created entity that is still in the process of adaptation in terms of the new regulations on communication with the authorities.
With respect to the information required by a claim filed with this AEPD on 16 May 2019, we have to report that the obligations imposed on Data Protection to those who own a web page in which personal data can be incorporated; having verified the fulfillment of the decalogue that you refer us yourselves.
Likewise, there should not have been any gaps or non-compliance on the website on the date when the complaint was made to the AEPD, since it is hosted, and was developed, in
an internet platform (SHOPIFY) specialized in making available to freelancers or new entrepreneurs models of websites to open up trade to the internet, and we assumed that this tool already provided all the notices, models and warranties to serve the purpose for which it is offered.
In this way, and as we are assured on the platform itself, there were secure payment systems that would guarantee the privacy and protection of the data of the website's users, and in fact no breach or damage to any user has occurred. Even so, everything related to the payment platform has been improved by incorporating other secure payment platforms, and all the warnings and consents set out in the regulations have been reviewed and implemented on the web.
Without prejudice to all this, and to the fact that we understand that the regulations on data protection are being complied with, this entity has commissioned a risk assessment from a specialized company to carry out a diagnosis and propose corrective measures where appropriate.
In any case, I would like to insist once again that it has been and is the will of this entity to act in accordance with data protection regulations, that we always trust in specialised entities in the sector and that there is a total predisposition to collaborate with the AEPD to guarantee the protection of our clientele's data, and on this basis we would appreciate any guidance or recommendation that the AEPD could make us".
FOURTH: On 24/03/20, the web page was consulted, checking the following aspects of the website's privacy policy and cookie policy:
A) Regarding the Privacy Policy
At the bottom of the home page of the website, through the "legal" link, you can access the page titled "Privacy", in which the part dedicated to the "privacy policy" provides the following information:
1.- "In compliance with Law 34/2002 of Services of the Information Society and Electronic Commerce (LSSICE), we inform you that the ownership of the domain of our virtual store, ***URL.1, corresponds to Grow Beats SL with CIF B02623601 domiciled in ***ADDRESS.1. For any questions, you can contact Grow Beats in: ***EMAIL.1
Data processing: "In compliance with Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), we inform you that proceed to provide their data through the website of Growbeats.com
1- Of the existence of a file and treatment of the data and information requested in this form, for the purpose of making possible the intermediation in the purchase of the products that Grow Beats offers on its website, as well as being able to send you information about the activities of the File Manager. Your email address and other personal data may be used as a means of communication to process your request, with your express consent, by providing us with your data, the treatment of the same and for the purposes indicated above.
2- We inform you that your data will be communicated to the companies with which Grow Beats has signed a Collaboration Contract, specifically the courier company that is in charge of sending the goods to the applicants.
3- You have the right of access, rectification, cancellation and opposition, which you may exercise by sending a written request, with a copy of your ID card, to the address of the File Manager, indicating the right or rights you want to exercise. (…)
B) About the Website's Cookie Policy:
b.1.) When accessing the website, there is a banner at the bottom of the page with the following legend:
"We use our own and third-party cookies, both persistent and session cookies. If you continue browsing you accept its use" --- "More information" --- "I accept".
b.2.) If you access the cookie policy through the "more information" link, you are taken again to the "Privacy Policy" page, where the part dedicated to the use of cookies indicates:
"(...) Use of Cookies
The Grow beats website uses Cookies and other similar tools. Cookies are files sent to your browser to record your activity and help you navigate.
Cookies are only associated with an anonymous user and his/her computer and do not provide references that allow the user's personal data to be deduced.
Types and functions of Cookies:
There are session Cookies that expire when the user closes the browser and permanent Cookies that are stored in the browser and can be deleted manually.
Grow beats manages its website through Google analytics that installs Cookies of an analytical character to allow anonymous identification, count the number of visitors, their trend over time, most visited contents... etc.
How to disable Cookies:
- Internet Explorer: Tools -> Internet Options -> Privacy -> Settings. For more information, you can consult Microsoft support or the browser Help.
- Firefox: Tools -> Options -> Privacy -> History -> Customized Settings. For more information, you can consult Mozilla support or the browser Help.
- Chrome: Settings -> Show advanced options -> Privacy -> Content settings. For more information, you can check Google support or the browser Help.
- Safari: Preferences -> Security. For more information, see Apple support or the browser Help.
FIFTH: In view of the facts reported and in accordance with the evidence, the Data Inspectorate of this Spanish Data Protection Agency considered that the action of the requested entity did not meet the conditions imposed by the regulations in force. Thus, on 03/04/20, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity complained of, for infringement of Article 13 of the RGPD, punishable in accordance with the provisions of Article 83 of the aforementioned regulation, with respect to its Privacy Policy, and of Article 22.2 of the LSSI, punishable under Articles 39 and 40 of the aforementioned Act, with respect to its Cookie Policy.
FOURTH: On 13/06/20, the entity in question was notified of the initiation of proceedings and has not submitted any written document or allegation to this Agency within the period granted for this purpose.
PROVEN FACTS
1.- Regarding the privacy policy of the reported website, it has been verified that the website (***URL.1) has a specific "privacy" section, ***URL.2, in which, mentioning compliance with Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), the person responsible is identified and a contact is provided, mentioning the existence of a file for the processing of the data obtained to meet the requests.
2.- Regarding the cookie policy of the reported website, it has been verified that the web page (***URL.1) has in its first layer (home page) a banner on cookies with the following legend: "We use our own and third party cookies, both persistent and session cookies. If you continue to browse you accept their use", but without providing information on the purposes of the cookies to be used.
In its second layer (cookie policy), information is provided on what cookies are, the types of cookies and their purposes, but NO information is provided about the identity and characteristics of the cookies that are installed and the time that they remain active on the terminal equipment, nor on third-party cookies. For their management, it only refers to the browser installed on the terminal equipment, but does not even include a link to the different browsers. There is also no mechanism to reject all cookies.
LEGAL FOUNDATIONS
I
Competence:
As far as the Privacy Policy is concerned, the Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of art. 58.2 of the RGPD and art. 47 of the LOPDGDD.
With regard to the Cookie Policy, the Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of article 43.1 of the LSSI.
II
In the present case, two aspects of the website ***URL.1.
On the one hand, the privacy policy still refers to compliance with Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD), without having yet applied the new RGPD, which according to its Article 99 would enter into force as of 25/05/18, it being noted that the requested entity is NOT applying the provisions of Article 13 of the aforementioned RGPD, which establishes the information that must be provided to the interested party at the time of collection of their personal data.
These facts constitute an infringement, attributable to the defendant, for violation of Article 13 of the RGPD, since its website was not adapted to the RGPD and did not provide the user with the information set out therein at the time of collection of their personal data.
For its part, Article 72.1.h) of the LOPDGDD considers very serious, for the purposes of 'the omission of the duty to inform the affected person about the treatment of their personal data in accordance with Articles 13 and 14 of the RGPD'.
This infringement is punishable by a fine of up to 20,000,000 euros or, in the case of a company, of up to 4 % of the total annual turnover of the previous financial year, whichever is the higher amount, in accordance with Article 83.5(b) of the RGPD.
However, Article 58(2) of the RGPD provides that: 'Each supervisory authority shall have all the following corrective powers
processing operations have infringed
On the other hand, regarding the Cookie Policy of the requested entity's website, in its first layer (home page), NO information is provided on the purposes of the cookies that will be used, and in the second layer (cookie policy), NO information is provided about the identity and characteristics of the own cookies that are installed and of the time they remain active on the terminal equipment, nor on third-party cookies, and for their management it only refers to the browser that is installed on the computer
terminal, but does not even include a link to the different browsers. There is also no mechanism to reject all cookies.
These facts constitute an infraction, attributable to the defendant, for violation of Article 22.2 of the LSSI, according to which:
"Service providers may use data storage and retrieval devices in the terminal equipment of the recipients, provided that the recipients have given their consent after clear and complete information has been provided on its use, in particular on the purposes of the processing of the data, in accordance with the provisions of Organic Law 15/1999 of 13 December, on personal data protection.
Where technically possible and effective, the consent of the recipient to accepting the processing of the data may be facilitated by the use of the appropriate browser settings or other applications.
The above shall not preclude possible storage or access of a technical nature for the sole purpose of effecting the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient".
This infringement is classified as "minor" in Article 38.4 g) of the aforementioned law, which considers as such: "Use data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service has not been obtained under the terms required by Article 22.2.", and may be subject to a fine of up to 30,000 euros, in accordance with Article 39 of the aforementioned LSSI.
Following the evidence obtained in the preliminary investigation phase, it is considered that the penalty to be imposed should be graduated according to the following criteria established in Article 40 of the LSSI:
- The existence of intentionality, an expression that must be interpreted as equivalent to the degree of guilt in accordance with the ruling of the Audiencia Nacional of 12/11/07 in Appeal No. 351/2006, the reported entity being responsible for determining a system for obtaining informed consent that is consistent with the mandate of the LSSI.
- The period of time during which the infringement has been committed, as the complaint was filed in May 2019 (section b).
In accordance with these criteria, it is considered appropriate to impose on the entity complained of a penalty of EUR 3,000 (three thousand euros), for the infringement of Article 22(2) of the LSSI.
Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency
RESOLVED
FIRST: IMPOSE on the entity GROW BEATS SL, with CIF B02623601, owner of the website ***URL.1, two sanctions, regarding its privacy policy and regarding its cookie policy, consisting of:
a- Warning, for the infringement of Article 13 of the RGPD, regarding its Privacy Policy.
b- 3,000 euros (three thousand euros), for the infringement of Article 22.2 of the LSSI, regarding its Cookie Policy.
SECOND: REQUIRE the entity GROW BEATS SL to, within a month from this act of notification, proceed to:
a. Take the appropriate measures to adapt its website to the new data protection regulations in force and include in its "privacy policy" the information set out in Article 13 of the RGPD.
b. Take appropriate measures to include in its website (first layer) information on the purposes of the cookies to be used and, in the second layer (cookie policy), information about the identity and characteristics of the own cookies that are installed and the time that they remain active on the terminal equipment, about third-party cookies, and a mechanism that allows all cookies to be rejected. For this it may use the information in the "Guide on Cookies" published by the Spanish Data Protection Agency in November 2019.
THIRD: NOTIFY the present resolution to the entity GROW BEATS SL, and inform the complainant of the outcome of the claim.
The sanctioned party is warned that it must make the sanction imposed effective once this decision is enforceable, in accordance with Article 98(1)(b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), within the voluntary payment period indicated in Article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in connection with Article 62 of Law 58/2003 of 17 December, by depositing it in the restricted account No. ES00 0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency at CAIXABANK Bank, S.A.; otherwise, it will be collected during the enforcement period.
Once the notification has been received and once it has been enforced, if the enforcement date is between the 1st and the 15th of each month, inclusive, the deadline for making the voluntary payment shall be the 20th of the following month or the next working month, and if it is between the 16th and the last day of each month, inclusive, the deadline for payment will be until the 5th of the second or immediately following month.
In accordance with the provisions of Article 82 of Law 62/2003, of 30 December, on fiscal, administrative and social order measures, this Resolution will be made public once it has been notified to the interested parties. The publication will be made in accordance with the provisions of Instruction 1/2004 of 22 December of the Spanish Data Protection Agency on the publication of its resolutions.
Against this resolution, which puts an end to the administrative procedure, and in accordance with the provisions of Articles 112 and 123 of the LPACAP, the interested parties may, on an optional basis, lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following the notification of this decision, or, directly, an administrative appeal before the Sala de lo Contencioso-administrativo de la Audiencia Nacional, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Act 29/1998, of 13/07, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, according to the provisions of Article 46.1 of the aforementioned legal text.
Finally, it is pointed out that, in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be suspended as a precautionary measure if the interested party expresses his intention to file a contentious-administrative appeal. In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronicaweb/], or through one of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. The interested party must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not informed of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, it would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency