AEPD (Spain) - PS/00388/2020
AEPD - PS/00388/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 7 GDPR Article 13 GDPR Article 22(2) LSSI |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 16.04.2021 |
Fine: | 3000 EUR |
Parties: | FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L. |
National Case Number/Name: | PS/00388/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined a website €3000 for installing third-party cookies without the user's consent, as well as for not informing the user about the purpose of such cookies.
English Summary
Facts
The AEPD received a complaint stating that two websites of a controller lacked a privacy and cookies policy, or any other kind of information regarding the data that they process.
After launching an investigation, the AEPD found that the one of the websites did have a privacy and cookies policy. However, the AEPD also found that both websites gathered consent from the use in a generic way. The user did not have an option to specify what processing they wanted to consent. This was amended by the controller during the proceeding.
The website also offered, in the form for collecting the user's data, information on who is responsible for the processing of personal data; the legitimacy of the data processing (consent); the recipients and the rights that assist the user in relation to the processing of their personal data.
The AEPD also found that the website placed unnecessary third-party cookies in the user's device without consent. The banner only offered generic information and had no button to reject the cookies in its first layer. An option to reject cookies was included by the controller during the proceeding.
In the second layer, the user can reject unnecessary cookies. However, the authority found that, when exercising this option, they were used anyway.
During the course of the investigation, the controller deleted the second website, that lacked a privacy and cookies policy, redirecting the user to the first website when using its domain.
Holding
The AEPD held that the cookie banner of the website violated Article 22(2) of the Spanish Information Society Services Act (LSSI), implementing the e-Privacy Directive, as it did not properly inform the user about the fact that the website used third-party cookies with marketing purposes, that would create a profile, based on the user's navigation behaviour, in order to show them advertisements related to their preferences.
It also violated Article 22(2) by not allowing to reject such cookies, using them without consent, even when the user had deactivated the option.
The AEPD also found that there had been a violation of Article 7 GDPR before the controller allowed the user to choose what specific processing they wanted to consent.
The AEPD decided the following:
- To warn the controller with regards to a violation of Article 7 GDPR, for gathering consent in a generic way.
- To fine the controller €3000 for infringing Article 22(2) LSSI, for installing third-party cookies without consent.
- To warn the controller for lacking a privacy policy in their second website, thus violating Article 13 GDPR.
- To order the controller to adapt its website, with respect to the "cookies policy", including the necessary information in the cookie banner regarding the use of third party cookies, as well as preventing the use of unnecessary cookies until the user has consented to their use.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19 Procedure No.: PS / 00388/2020 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00388/2020, instructed by the Spanish Agency for Data Protection, to the entity, FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L., with CIF.:B73447393, owner of the web pages: *** URL.1 and *** URL.2, (hereinafter, “the en- claimed amount ”), and based on the following, BACKGROUND FIRST: In the claim filed on 07/21/20, it was indicated, among others, the following: following: “The web pages *** URL.1 and *** URL.2 do not have a privacy policy privacy, legal text or cookie management. In the contact forms there is no information on what is going to be done with the form data ”. SECOND: In view of the facts presented in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in art 57.1 of the RGPD. Thus, with dated 09/16/20, an informative request is addressed to the claimed entity. THIRD: On 10/15/20, the entity claims to send this Agency a written statement of response to the request and the content of which is included in the document initiating the file and in the resolution proposal writing. FOURTH: On 11/19/20, by this Agency, checks are carried out on the "Privacy Policy" and on the "Cookies Policy" of the web pages indicated, checking the aspects that were already included in the brief of initiation of file and in the resolution proposal writing. FIFTH: In view of the facts denounced and the evidence observed in the web pages, the Director of the Spanish Agency for Data Protection, dated 11/25/20, agreed to initiate a sanctioning procedure against the claimed entity, by virtue of of the powers established in the current legislation, for the following infractions: a) .- Regarding the web page *** URL.1: .- Infringement of article 7) of the RGPD, when collecting the consent of the users, through a generic acceptance for all treatment purposes, with an initial penalty of "warning". .- Infringement of article 22.2) of the LSSI, regarding the non-existence of "Policy of Cookies ”of the website of its ownership, with an initial penalty of 3,000 euros. b) .- Regarding the web page *** URL.2: .- Infringement of article 13) of the RGPD, regarding the lack of privacy policy. city on its website, verifying that there is a treatment of personal data- the users, with an initial penalty of 3,000 euros. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/19 .- Infringement of article 22.2) of the LSSI, regarding the non-existence of "Policy of Cookies ”of the website of its ownership, with an initial penalty of 3,000 euros. SIXTH: Once the agreement to initiate the sanctioning file has been notified, the entity complained mada, by letter dated 12/11/20, made allegations to the initiation of ex- petitioner, whose content was already indicated in the resolution proposal writing. SEVENTH: On 02/20/21, by this Agency, they are again made Provisions of the "Privacy Policy" and the "Cookies Policy" of the pages website indicated, and the proposed resolution is notified to the entity claimed in the that it was proposed that, by the Director of the Spanish Agency for Data Protection the claimed entity is sanctioned: .- Regarding the web page *** URL.1, with "warning", for the violation of article lo 7, of the RGPD, regarding the inoperability in the collection of consent for the different purposes for which the entity wishes to process personal data, and with 3,000 euros (three thousand euros), for the violation of article 22.2) of the LSSI, regarding the "Cookies Policy" on the website. .- Regarding the website *** URL.2, with 3,000 euros (three thousand euros), for the infringement tion of article 13 of the RGPD, regarding the lack of privacy policy in the web and with 3,000 euros (three thousand euros), for the violation of article 22.2) of the LSSI, Regarding the "Cookies Policy" on the website of its ownership. In addition, in accordance with article 58.2 of the RGPD, it was proposed to the Director of the Spanish Data Protection Agency to order the entity to: .- Take the necessary measures to activate the mechanism to collect consent. ment of the website users *** URL.1. .- Take the necessary measures to include on the web, *** URL.2, the “Privacy Policy Vacity ”adapting it to the provisions of article 13 of the RGPD. .- Take the necessary measures to adapt the cookie policies of the two pa- web pages, as stipulated in current regulations. NINTH: After notification of the proposed resolution, dated 03/30/21, the complained entity submitted a brief of allegations to the resolution proposal, in the which indicated, among others, the following: “In the Document received by Flexomed, in relation to the treatment of personal data sonals of the web page *** URL.1, once that incorrect phrase that appears company on the web, it was used to provide users with an independent opt-in, not marked by default, in which they could provide their consent to receive commercial communications, modifying accordingly, the purposes of the treatment of the data and including that they would be, the main purpose of giving response to the request made by the user and, in addition, and only in case of consent express consent through the opt-in provided separately for this, your data would also be used for the purpose of sending communications. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/19 Regarding the newsletter form, it is possible that, at the time it is made- The appropriate checks were made by the Aepd, there was a computer error that did not allow access to the form to subscribe to the newsletter, however, this The form is active and has the information related to the treatment of personal data, as can be seen in the screenshot ... - Regarding the "Cookies Policy" on the website, the Aepd is informed that Flexomed carried out the appropriate checks being able to confirm at present that, without perform any action on the web and without accepting the use of cookies, you will not They install unnecessary cookies. Similarly, in case the user rejects them, Except for those strictly necessary, said non-necessary cookies will not be installed. In addition, in the drop-down banner the types of cookies About the alleged infringements on the website *** URL.2 This website, as was indicated in the allegations made by Flexomed dated December 10, 2020, was created and published by the former employee's own decision without having instructions. purposes of the company to do so or inform it of said action. Proof of this is that this website, has not been published or announced by the company in any way. The same- This happened with the registration of the domain *** URL.3, carried out by the ex- worker under his ownership and without notifying Flexomed. One of the complaints filed against the former employee for this reason is provided. TO in view of the above, this web domain was redirected by Flexomed to the web *** URL.1 permanently, and for the time being, until the company decides whether to nally they will use this website and in what way they will do it, as well as the types of data that will be collected and the treatment that will be made of them in order, in this way, to inform correctly to users and comply with current regulations. Flexomed undertakes that, in the event of making the decision to activate again this website, it will implement all the measures adopted by the website *** URL.1, especially with regard to information on data processing personal data that are collected through it and regarding the cookies that go to ins- be logged in the same, attending to the indications of the Aepd in the notifications between sent to Flexomed and the cookie guide published by the same body, complying with In this way, the regulations on data protection and the Law on services of the information society and electronic commerce. As detailed and documented in this writing and as a sample of the good faith and the interest of the company in complying with the data protection regulations not suppose any type of damage in this sense to the owners of the personal data sonal and solve this matter as quickly as possible, the above measures days imposed by the Aepd had already been adopted ”. TENTH: On 04/06/21, by this Agency, they will again carry out Provisions on the “Privacy Policy” and the “Cookies Policy” on the pages web sites indicated, checking the following aspects in each of them: A) .- Regarding the website, *** URL.1: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/19 - About the processing of personal data on the website: 1.- On the initial page, through the tab: <<contact>>, the web redirects to a form- form where personal data of users are collected, such as name, telephone number, phone or email. On the same page where the form is located, there is also information about bre, who is responsible for the processing of personal data; legitimation that you have for the treatment of the data (consent); recipients and rights that assist the user in relation to the processing of their personal data- them. Before being able to send the questionnaire, it is necessary to accept the privacy policy marking the corresponding box: “_ I accept the << Legal Notice >> and the << Policy of Privacy >> whose basic information appears below (…) ”. At the bottom of the main page, the user can subscribe to receive co- Commercial communications of the entity: "_I wish to receive commercial communications related to the products and services of FLEXOGRÁFICA DEL MEDITERAAÉ- NEO, S.L. ". There is also the possibility of subscribing to the entity's newsletter by filling in the existing form at the bottom of the main page: Subscribe to our NEWSLETTER to keep up to date with all the news in our universe of pa- ckaging and food packaging <<send>>. - About the "Privacy Policy" of the website: 1.- Through the link << Privacy Policy >>, existing at the bottom of the form. As previously indicated, the web redirects to a new page, *** URL.4, which provides provides information on compliance with current legislation on the subject of data protection; identification of the person responsible for data processing; the finali- nature of data collection; the rights of users regarding the treatment of your personal information; on the use of the web portal or on intellectual property, in- among others. - About the "Cookies Policy" of the website: 1.- When entering the initial page of the indicated web (first layer), without making any action on it and without rejecting cookies, it is verified that they are used non-necessary third-party cookies, whose domain belongs to "youtube.com" and which are the following: - VISITOR_INFO1_LIVE: cookie that tracks the videos you visit- two that are embedded in the web. Has a permanence of 240 days approximately. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/19 - YSC: cookie that measures the reproductions of videos made by the user and logs the "Like" or "Share Video" events. It is a cookie of se- sion, expiring when the session with the browser ends; - CONSENT: which measure when a video is seen, liked or shared. 2.- On the same initial page, (first layer), the following banner is displayed with in- cookie training: “We use cookies on our website to give you the most relevant experience re- matching your preferences and repeat visits. By clicking "Accept", you agree to the use of ALL cookies ”. << Cookie Settings >> --- <<accept>> 3.- If you choose to go to the cookie configuration panel, through the link, << set cookies >>, a cookie configuration panel is displayed where you can den manage their use, in a granular way, by moving the cursor from position <<off>> to position <<on>>, in the different groups of cookies constituted: "Functional"; "Performance"; "Analytics" and "Others". However, if you choose NOT to allow the use of cookies, leaving the cursors in the position, <<off>>, it is verified that the web page continues to use third-party cookies zeros not necessary and not now allowed by the user, whose domains belong to they need to, "Google.com"; "Youtube.com" and "doubleclick.net" and which are the following: - 1P_JAR: Cookie that transfers data to Google to advertise more attractive. - VISITOR_INFO1_LIVE: cookie that tracks the videos you visit- two that are embedded in the web. Has a permanence of 240 days approximately. - YSC: cookie that measures the reproductions of videos made by the user and logs the "Like" or "Share Video" events. It is a cookie of se- sion, expiring when the session with the browser ends. - CONSENT: which measure when a video is seen, liked or shared. - IDE: cookies used to display Google ads on sites that do not They are from Google. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/19 - NID: cookie used by Google to store user preferences. 4.- On the "Cookies Policy" page, whose link is at the bottom of the page, << Cookies Policy >>, the web redirects to a new page, *** URL. 5, that provides information about what cookies are and what they are used for; what infor- mation saves a cookie; what type of cookies exist and identifies the cookies used liza the website, both its own and those of third parties (Google Analytics), the finali- how long they have and how long they will be active. On how to manage the installation of cookies in the terminal equipment, the web page refers the user to configure the navigation- dor installed in your terminal equipment. B) .- Regarding the website, *** URL.2: It has been found that, when trying to access the page. *** URL.2, the web redirects the user to the *** URL. 1. PROVEN FACTS 1º.- According to the claim presented in this Agency, the web pages, *** URL.1 and *** URL.2, did not have a privacy policy or cookie management. 2.- At the request of this Agency, the entity reported, among others, that: “The web, *** URL.1, owned by the Company, has the information and documents necessary information regarding data protection, including the Privacy Policy, *** URL.4, and Cookies Policy, *** URL.5, with a cookie notice that appears pray on the screen when entering the Web (Annex III) (…) ”. “Likewise, the web *** URL.2, also owned by the Company, redirects users who want to contact the owner of the page to the contact form of the Web: *** URL.1, which includes information on the processing of user data (…) ”. 3.- This Agency was able to verify the following aspects on the page, *** URL.1: - Regarding the processing of personal data on the website, it was found that Through the website, users' personal data could be obtained. On said page there was a message that informed users of the following: “Your email address is only used to send you our catalog. go and inform you about our personalized packaging services for em- dams. You have the right to contact us to remove your data from our records ”. - It was found that in the “Privacy Policy”, *** URL.4, which provided information training on compliance with current legislation on the protection of tion of data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/19 - About the "Cookies Policy" of the website, when entering the main page of the web, without taking any action on it and without accepting the use of cookies, unnecessary cookies were used. It was also proven that no banner was displayed with information on the use of these. - In the second layer, "Cookies Policy", *** URL.5, provided information information on cookies, but there was no mechanism that would allow the chazo of the same, only the user was sent to configure the browser installed on your terminal equipment. 4.- On the web page, *** URL.2, this Agency was able to verify the following aspects: cough: - About the processing of personal data, through the tabs, << examples of psycho packaging >>, and << online digital printing >>, the web redirected to pages where personal data could be collected. - About the "Privacy Policy" of the website, *** URL.6, when accessing it, the following message appeared: “Could not find the page that you seek. It may have been removed, renamed or not even exist. " - About the "Cookies Policy" of the website, when entering the main page of the web, without taking any action on it and without accepting the use of cookies, unnecessary cookies were used. It was also proven that no banner was displayed with information on the use of these. Through the link, *** URL.7, the web redirected to a new page with the following: “The page you are looking for could not be found. It may have been removed renamed or not even exist ”. 5.- Once the initiation agreement has been notified, the claimed entity, owner of the individual web pages each, alleged, dated 12/11/20, among others, the following: Regarding the website *** URL.1: "On the consent given by users for the processing of their data personal information, it is reported that Flexomed will eliminate the apartment ted to which the Aepd refers at this point, (...), because, erroneously, it has been including that information on that form and not on the registration form for the newsletter also available on the web since the data collected through the form C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/19 Contact details are not treated for the purpose of sending the newsletter but only, in order to answer requests for information or doubts indicated by users rios through said form. On the "Cookies Policy" of the website "of the Document, it is reported that the The website does have a banner where information on the installation of cookies is provided, attaching as Annex I a capture of said banner that appears on the web, where It can be appreciated that the user is offered the possibility to accept, reject or confi- set cookies. and is currently modifying the second layer of the Polí- Cookies policy on your website to include clearer information (…). In relation to the website *** URL.2: Regarding this web address, the Aepd is informed that Flexomed did not have knowledge of the publication of this website, since, only requested a worker the company that will register the domain without having to do any other management beyond this, worker who no longer provides his services to the company. East In addition, and without any indications from the Company, he registered the domain *** URL.3, in his own name, without informing Flexomed of this and while rendering services to the herself. In addition to registering in your name, in your last stage as a worker in the Company, created and published the web page *** URL.2, by own decision, without having ins- instructions for it by the Company and without informing it of this action, therefore that the Company and its staff were unaware of the existence of said page until moment in which the first of the Aepd notifications is received. (…) Therefore, Flexomed wants to record before this body that it was not aware that said website was created, far from it, enabled or published since the indication that the former worker received by the Company was only that of register the domain name. (…) Notwithstanding the foregoing, the Company is currently in processes to recover the ownership of the domains registered by the former employee and power start with their management, complying, at all times, with the legislation current status. For the moment, the Company proceeds to implement the necessary legal texts (Avi- so Legal, Privacy Policy and Cookies Policy) at *** URL.2, to guarantee that the web complies with the regulations. Likewise, said website will have the cookie notice in the same way as *** URL.1 Currently, Flexomed has initiated legal proceedings against the author of the claim (…) 6.- On 02/20/21, by this Agency, checks are made on the Privacy Policy and the Cookies Policy of the indicated web pages: - Regarding the web page, *** URL.1, it has been possible to verify the following as- pects: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/19 a) .- About the processing of personal data on the website: It was found that through the website it was possible to obtain personal data from users. Regarding the purpose of the data obtained in the form, the website indicated ca which will be: "To be able to reply to the message you send me with this form contact". However, there is also a message at the bottom of this page. na, where the user is informed that: “your email address is only used to send you our catalog and inform you about our personal packaging services sonalizado for companies. You have the right to contact us to delete your data from our records ”, there being no possibility of denying the consent for this specific treatment. At the bottom of the main page there is the following message: “subscribe to our NEWSLETTER to keep up to date with all the news in our universe of food packaging and packaging. [sibwp_form id = 4] - Your email address nico is only used to send you our newsletter and information about the activities, offers and communications from FLEXOMED. You can always use the link to give yourself unsubscribe included in each newsletter in your email ”. However, check that the form to subscribe to the "newsletter" is not active. b) .- About the "Cookies Policy" of the website: When entering the home page of the web, without taking any other action on it and without rejecting cookies, it is verified that unnecessary cookies are used. In the same initial page, when entering it, the banner with information about cookies. In the same banner, there are the options to accept all cookies, re- Chase all cookies and accept cookies in a granular way (preferences; statistics and marketing. However, all of the options are pre-marked. found in "accept cookies"). If you choose to reject all cookies except those strictly necessary, (<< only use necessary cookies >>), it is verified that the website continues to use cookies not necessary from the domains *** URL.1, Google.es and Google.com; youtube.com; dou- bleclick.net, sibautomations.com. On the "Cookies Policy" page, *** URL.5, which provides information on, what cookies are and what they are used for; what information a cookie stores; what type of cookies exist and identifies the cookies used by the website, both its own such as those of third parties, the purpose they have and the time they will be active in the equipment po terminal. - Regarding the web page, *** URL.2, the following has been found: a) .- On the initial page of the website, the person responsible for it is identified as: Flexomed; *** ADDRESS.1, *** LOCATION.1; (MURCIA) SPAIN. b) .- On the processing of personal data on the web: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/19 However, through the tabs, << examples of psycho packaging >> and << printing online digital sion >>, the web redirects to pages where data can be collected personal data of the users. c) .- About the "Privacy Policy" of the website: Through the link, << Privacy Policy >>, existing on the main page, the web redirects to a new page: *** URL.6, where the following message appears: “No the page you are looking for could be found. It may have been removed, rename- it gives or not even exist ”. d) .- About the "Cookies Policy" of the website: When entering the home page of the web, without taking any other action on it and without rejecting cookies, it is verified that unnecessary cookies are used. In the same initial page, when entering it, the banner with information about cookies. In the same banner, there are the options to accept all cookies, re- Chase all cookies and accept cookies in a granular way (preferences; statistics and marketing. However, all of the options are pre-marked. found in "accept cookies"). On the "Cookies Policy" page, *** URL.5, which provides the following message heh: “Page not found. The page you are looking for could not be found. Can to have been eliminated, renamed or not even exist ”. 7.- After receiving the allegations to the proposed resolution, it is verified again the "Privacy Policy" and the "Cookies Policy" of the web pages, noting in this last check the following questions: A) .- Regarding the website, *** URL.1: - About the processing of personal data on the website: 1.- On the initial page, through the tab: <<contact>>, the web redirects to a form- form where personal data of users are collected, such as name, telephone number, phone or email. On the same page where the form is located, there is also information about bre, who is responsible for the processing of personal data; legitimation that you have for the treatment of the data (consent); recipients and rights that assist the user in relation to the processing of their personal data- them. Before being able to send the questionnaire, it is necessary to accept the privacy policy marking the corresponding box: “_ I accept the << Legal Notice >> and the << Policy of Privacy >> whose basic information appears below (…) ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/19 At the bottom of the main page, the user can subscribe to receive co- Commercial communications of the entity: "_I wish to receive commercial communications related to the products and services of FLEXOGRÁFICA DEL MEDITERAAÉ- NEO, S.L. ". There is also the possibility of subscribing to the entity's newsletter by filling in the existing form at the bottom of the main page: Subscribe to our NEWSLETTER to keep up to date with all the news in our universe of pa- ckaging and food packaging <<send>>. - About the "Privacy Policy" of the website: 1.- Through the link << Privacy Policy >>, existing at the bottom of the form. As previously indicated, the web redirects to a new page, *** URL.4, which provides provides information on compliance with current legislation on the subject of data protection; identification of the person responsible for data processing; the finali- nature of data collection; the rights of users regarding the treatment of your personal information; on the use of the web portal or on intellectual property, in- among others. - About the "Cookies Policy" of the website: 1.- When entering the initial page of the indicated web (first layer), without making any action on it and without rejecting cookies, it is verified that they are used non-necessary third-party cookies, whose domain belongs to "youtube.com" and which are the following: VISITOR_INFO1_LIVE; YSC and CONSENT 2.- On the same initial page, (first layer), the following banner is displayed with in- cookie training: “We use cookies on our website to give you the most relevant experience re- matching your preferences and repeat visits. By clicking "Accept", you agree to the use of ALL cookies ”. << Cookie Settings >> --- <<accept>> 3.- If you choose to go to the cookie configuration panel, through the link, << set cookies >>, a cookie configuration panel is displayed where you can den manage their use, in a granular way, by moving the cursor from position <<off>> to position <<on>>, in the different groups of cookies constituted: "Functional"; "Performance"; "Analytics" and "Others". However, if you choose NOT to allow the use of cookies, leaving the cursors in the position, <<off>>, it is verified that the web page continues to use third-party cookies zeros not necessary and not now allowed by the user, whose domains belong to they need to, "Google.com"; "Youtube.com" and "doubleclick.net" and which are the following: 1P_JAR; VISITOR_INFO1_LIVE; YSC; CONSENT; IDE and NID. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/19 4.- On the "Cookies Policy" page, whose link is at the bottom of the page, << cookie policy >>, the web redirects to a new page, *** URL.5, that provides information about what cookies are and what they are used for; what infor- mation saves a cookie; what type of cookies exist and identifies the cookies used liza the website, both its own and those of third parties (Google Analytics), the finali- how long they have and how long they will be active in the terminal equipment. On how to manage tion the installation of cookies on the terminal equipment, the web page refers the user to configure the installed browser. B) .- Regarding the website, *** URL.2: It has been found that, when trying to access the page. *** URL.2, the web redirects the user to the page, *** URL.1. FOUNDATIONS OF LAW I.-Competition: It is competent to resolve this procedure, regarding the privacy policy and the treatment of the personal data of the users of the webs, the Director of the Spanish Agency for Data Protection, in accordance with the provisions of art. 58.2 of the RGPD in art. 47 of LOPDGDD. It is competent to resolve this procedure, regarding the cookie policy, the Director of the Spanish Agency for Data Protection, in accordance with the provided in art. 43.1, second paragraph, of the LSSI. II The joint assessment of the documentary evidence in the procedure brings to knowledge of the AEPD, a vision of the denounced action that has been strapped in the facts declared proven above related, verifying that, as- The privacy policy and the cookie policy had been modified after the initiation of ation of the file and notification of the resolution proposal. Upon receipt of the allegations to the proposed resolution, it is verified Again, the "Privacy Policy" and the "Cookies Policy" of the web pages, consists of taking in this last check the following questions: a) .- Regarding the web page *** URL.1: In relation to the processing of personal data carried out on the website, the website will directs to a form where personal data of users are collected, such as the name, phone or email. On the same page where the form is located, There is also information about who is responsible for data processing personal; the legitimacy that it has for the treatment of the data (the consent to); the recipients and the rights that assist the user in relation to the treatment storage of your personal data. Before being able to send the questionnaire, it is necessary to accept the privacy policy by checking the corresponding box. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/19 On the other hand, the user can subscribe to receive commercial communications of the entity by checking the corresponding box, if you wish. There is also the possibility of subscribing to the entity's newsletter, by filling in the existing form Tente for this purpose. In relation to the "Cookies Policy" of the website, it continues to be verified that: - When entering the home page of the web, without taking any other action on the itself and without rejecting cookies, unnecessary cookies are used. - The banner on cookies existing in the first layer does not inform the user of the use of third-party cookies, it is not reported that it will be displayed advertising related to preferences, based on the profile prepared from of the user's browsing habits. - If you choose to reject all cookies, in the control panel, leaving all the cursors in the <<off>> position, it is verified that the web page follows using non-necessary third-party cookies. b) .- Regarding the website, *** URL.2, It has been found that, when trying to access the page. *** URL.2, this one no longer exists, redirecting the user to the page, *** URL.1. III - On the consent given by users for the treatment of their personal data, on the website *** URL.1. In the last check that has been made of the web page, it has been possible to verify that it allows collecting the consent of the user, individualized for each of the purposes to which the entity will dedicate the data processing. Article 6.1.a) of the RGPD, establishes that, “the treatment will only be lawful if the interested party gave their consent to the processing of their personal data for one or more specific purposes ”. For its part, article 7 of the RGPD indicates, regarding consent, that: "1. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that he consented to the processing of his data personal. 2. If the consent of the interested party is given in the context of a written statement that also refers to other matters, the request for Consent will be presented in such a way that it is clearly distinguishable from others matters, in an intelligible and easily accessible way and using clear and simple language. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/19 Any part of the declaration that constitutes an infringement of the this Regulation (…). In relation to these two cited articles, the recital should be taken into account (32) of the RGPD, as it indicates that: “Consent must be given through a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party accept the processing of personal data that concerns you ... Therefore, the silence, checked boxes, or inaction should not constitute consent. The Consent must be given for all processing activities carried out with the same or the same ends. When the treatment has several purposes, the consent for all of them ... " Likewise, article 6.2 of the LOPDGDD indicates, on the treatment based on the consent, that: "two. When it is intended to base the processing of the data on the consent of the affected for a plurality of purposes, it will be necessary to record in a specific and unequivocal that said consent is granted for all of them. Therefore, the known facts about the processing of personal data by the website, until the collection of personal data processing was modified were constitutive of an infringement for violation of article 7 of the RGPD mentioned. For its part, article 72.1.c) of the LOPDGDD, considers very serious, for the purposes of prescription, "Failure to comply with the requirements of article 7 of the RGPD". This offense may be punished with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of a higher amount, in accordance with article 83.5.b) of the RGPD. However, Article 58.2) of the RGPD provides that: “Each control authority have all of the following corrective powers listed below: b) sanction any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation; (…); i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case, therefore, the sanction that could Corresponding would be a warning, without prejudice to what results from the instruction of the present file, since in this case, it has not been verified that the defendant has sent communications unrelated to the main purpose. In accordance with these criteria, it is considered appropriate to impose a sanction on the defendant of "warning", for the violation of article 7 of the RGPD, on the website of your ownership, during the time that the collection of the consent of the user in a generic way for all purposes of the processing of personal data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/19 IV - About the "Cookies Policy" of the website *** URL.1. In the last check made on the website in question, and despite having observed that the cookie policy of the same has been changed, it has become to verify the following circumstances not in accordance with current regulations: - When entering the home page of the web, without taking any other action on the itself and without rejecting cookies, unnecessary cookies are used. - The banner on cookies existing in the first layer does not inform the user of the use of third-party cookies, it is not reported that it will be displayed advertising related to preferences, based on the profile prepared from of the user's browsing habits. - If you choose to reject all cookies, in the control panel, leaving all the cursors in the <<off>> position, it is verified that the web page follows using non-necessary third-party cookies. Therefore, the facts presented suppose, on the part of the claimed entity, the commission of the violation of article 22.2 of the LSSI, regarding the cookie policy on its website, according to which: “Service providers may use storage devices and data recovery on recipients' terminal equipment, provided that they have given their consent after it has been provided to them clear and complete information on its use, in particular, on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, protection of personal data. When technically possible and effective, the consent of the recipient to accept the data processing may be facilitated by using the parameters from the browser or other applications. The foregoing will not prevent possible storage or access of a technical nature to only in order to carry out the transmission of a communication over a communication network electronic devices or, to the extent strictly necessary, for the provision of an information society service expressly requested by the addressee". This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which considers as such: “Use data storage and recovery devices when the information has not been provided or the consent of the recipient of the service in the terms required by article 22.2. ”, which may be sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/19 After the evidence obtained in the preliminary investigation phase, and without prejudice to Whatever results from the instruction, it is considered that the sanction should be impose in accordance with the following aggravating criteria, established in art. 40 of the LSSI: - The existence of intentionality, an expression that must be interpreted as equi- value to degree of guilt according to the Judgment of the Hearing National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the entity denounced the determination of a system for obtaining consent informed service that conforms to the mandate of the LSSI. - Period of time during which the offense has been committed, as it is the first mere claim of July 2020, (section b). Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 3,000 euros (three thousand euros), for the violation of article 22.2 of the LSSI, regarding the cookie policy carried out on the website of its ownership. V - About the "Privacy Policy" of the web: *** URL.2 In the first checks carried out by this Agency, on the website, it was verified that, through the tabs, << examples of psycho packaging >> and << online digital printing >>, the web redirected to pages where they could obtain personal data. However, through the link << Privacy Policy >>, that existed on the main page, the web redirected to a new page, where reports that the page did not exist. According to the allegations of the claimed entity, this web page was created and published given by a former employee's own decision without having instructions from the company to this, providing the complaints filed against the former employee for this reason. To In view of the above, this web domain was redirected by Flexomed to the web *** URL.1, permanently. The known facts are constitutive of an infringement, for violation of article 13 of the RGPD, as the page where the information must be provided is not operational. information to the interested party at the time of collection of their personal data. For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD ”. This offense may be punished with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of a higher amount, in accordance with article 83.5.b) of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/19 The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the offense committed by violating the provisions of its article 13, it allows set a final sanction of "warning", taking into consideration that the website in question no longer exists, redirecting the user to the web page *** URL.1, and to the corroborate the allegations that the website was created and published by decision of the pia of an ex-employee without having instructions from the company to do so, providing the complaints filed against the former worker for this reason. SAW - About the "Cookies Policy" of the website *** URL.2: It has been found that, when trying to access the page. *** URL.2, this one no longer exists, redirecting the user to the page, *** URL.1. In accordance with the foregoing, by the Director of the Spanish Agency for Data Protection, RESOLVES: FIRST: SANCTION the entity FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L., with CIF .: B73447393, owner of the web pages: *** URL.1 and *** URL.2, for the following offenses: A) .- Regarding the web page *** URL.1: .- With a sanction of "warning", for Infringement of article 7) of the RGPD, when rea- lizar the collection of the consent of the users in a generic way, during the time it was active on the website until its modification and adaptation to the regulations in force. .- With a penalty of 3,000 euros (three thousand euros), for violation of article 22.2) of the LSSI, regarding the "Cookies Policy" of the website. B) .- Regarding the web page *** URL.2: .- With a sanction of "warning" for the violation of article 13) of the RGPD, res- pect of the non-existence of privacy policy on its website, verifying that there was a treatment of the personal data of the users, taking into account tion, for the final imposition of the sanction, the allegations and the documentation sitting by the entity denouncing that the web page had been created by an extra- downloader without the consent of the company. .- File this procedure with respect to the "Cookies Policy" of the page web to verify, this Agency, that it no longer exists. SECOND: REQUEST: the entity, FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L., so that, within a month, counting from the notification of this resolution, adapt the website of your ownership (*** URL.1), regarding the "Cookies Policy", including the necessary information in the banner about cookies regarding the use- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/19 tion of third-party cookies, as well as preventing the use of cookies, does not need sary until the user has not consented to its use. SECOND: NOTIFY this resolution to the entity FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L., and the claimant on the result of the claim. Warn the sanctioned person that the sanction imposed must be effective once it is executive this resolution, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad- Public Ministries (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, me- Upon entering the restricted account No. ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection in Banco CAIXABANK, S.A. or otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 82 of Law 62/2003, of December 30- of fiscal, administrative and social order measures, this Resolution is will be made public, once it has been notified to the interested parties. The publication is made- It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection Agency on the publication of its Resolutions. Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may interpose ner, optionally, appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly administrative contentious appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions set out in article 25 and in section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the or two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal trative within two months from the day following notification of this resolution, would terminate the precautionary suspension. Mar Spain Martí C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/19 Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es