AEPD (Spain) - PS/00524/2023

AEPD - PS/00524/2023
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 22.2 LSSI
Type:	Complaint
Outcome:	Upheld
Started:	29.12.2023
Decided:	28.02.2024
Published:	22.10.2024
Fine:	90,000 EUR
Parties:	n/a
National Case Number/Name:	PS/00524/2023
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	Ao

The DPA fined a website provider €90,000 for setting unnecessary cookies without users’ consent and for not informing them about the existence and function of these cookies.

English Summary

Facts

On the 29 December 2023, the data subject filed a complaint against the controller, Techpump solutions, to the Spanish DPA (AEPD). The controller is a digital services provider and runs several websites.

The AEPD had already launched an investigation into the controller on the 27 December 2023 and found the following issues with three URLs:

1. Even though, no consent to cookies was given, third party cookies were placed. The cookie “uvt” was used for statistical analysis but the AEPD could not determine the purpose of the “upt” cookie.

2. The banner gave information on third party cookies but the two cookies mentioned above did not feature in at all in the banner.

3. Withdrawing consent was only possible through visiting the cookie policy page again. However, once consent was revoked by adjusting cursors or hitting “reject all”, the third party cookies continued to function and were not deleted.

The controller argued that on one website the cookie had been placed temporarily due to a technical error. In regard to two of the examined websites, the controller claimed that the cookies were placed as they are working on establishing a payment system which would need to identify a user even if the cookies were not accepted in order to block access by minors. During the proceedings however the controller admitted that this payment system had not yet been implemented.

Holding

1. The AEPD held that the use of cookies which are not technically necessary when the data subject did not consent to this violated Article 22.2 of the Spanish transposition of the e-privacy Directive (Ley 34/2002 de Servicios de la Sociedad de la Información y Comercio Electrónico – LSSI) .

2. The lack of information provided on the third party cookies within the cookie banner or policy also showed a violation of Article 22.2 LSSI.

3. Pointing out that revoking consent was practically impossible, the AEPD also found a violation of Article 22.2 due to continued functioning of the third party cookies after rejecting their use.

The AEPD sanctioned the violation with a total fine of €90,000, made up of three separate fines of €30,000 for each URL.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/31

Procedure No: PS/00524/2023

SANCTIONING PROCEDURE RESOLUTION

From the actions carried out ex officio by the Spanish Data Protection Agency
before the entity, TECHPUMP SOLUTIONS S.L. (TECHPUMP), CIF.: B33950338,
owner of the web pages: ***URL.1; ***URL.2, ***URL.3, ***URL.4; ***URL.5, for the
alleged violation of Law 34/2002, of July 11, on Information Society Services and
Electronic Commerce (LSSI), and taking into account the following:

BACKGROUND

FIRST: On 12/22/23, the Director of the Spanish Data Protection Agency agreed to open preliminary investigation proceedings against the entity,

TECHPUMP SOLUTIONS S.L. in accordance with the investigative powers that the
control authority may have for this purpose, established in section 1) of
article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of
27/04/16, on the Protection of Natural Persons with regard to the
Processing of Personal Data and the Free Circulation of such Data (RGPD), and in
relation to the “Cookie Policy” followed on the websites indicated above.

SECOND: On 12/27/23, the Inspection Subdirectorate of the Spanish Data Protection Agency carried out the following diligence regarding the “Cookie Policy” of the websites mentioned above, obtained through the “inspect  application” tool of the Google Chrome browser and after having cleared the cache of the web browser and its cookies, and after having forced the browser to download the latest version of the website hosted on the remote server:

a).- Regarding the installation of cookies without the user's prior consent:

In the checks carried out on the websites in question, it was found that when entering them for the first time, once the terminal equipment had been cleared of browsing history and cookies, without accepting new cookies or performing any action on them, the following own cookies were used:

- On the website ***URL.2, a own cookie was used, “OptanonConsent”,
detected as technical in nature.

- On the website ***URL.1, a proprietary cookie “OptanonConsent” was used,
detected as technical in nature and the proprietary cookies, “usuario_país”;
“stop_redirect”; “país” and “redirect_es” whose mission could not be identified,

although according to the information provided in the website's “Cookie Policy”,
these cookies were “necessary for the site to function…”

- On the website ***URL.4, a proprietary cookie was used: “stop_redirect”, whose mission
could not be identified, although according to the information provided in the website's “Cookie Policy”,
it was a necessary cookie, used to redirect the user to the area of the country of origin.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/31

- When trying to access the websites ***URL.3 and ***URL.5, it was observed that the user was
redirected to the website ***URL.6.

b).- Regarding consent to the installation of cookies on the terminal equipment:

It was found that, if the user did not give consent in the cookie control panel
for the websites to use cookies that were not of a technical nature, through the “reject all” option, and started browsing any of them,
these began to use two third-party cookies, “__uvt” and “__upt”, whose domain

belongs to “.magsrv.com”.

The domain “magsrv.com” is classified on the Internet as a distributor of “adware”,
which is software that displays unwanted ads on the user’s device,
which can interrupt the user experience, slow down systems and

compromise privacy by collecting data for targeted advertising.

It was possible to detect that the mission of the “__uvt” cookie was to perform
statistical operations on user preferences to offer targeted advertising, but
regarding the “__upt” cookie, its mission could not be identified. There was also
no information about it in the “Cookie Policy” of the investigated websites.

c).- Regarding the cookie information banner existing in the first layer and in the
“Cookie Policy”:

The cookie information banner existing in the first layer of the websites in

question informed that they used their own and third-party cookies and informed
how the user could accept, configure or reject the use of cookies.

It is also indicated that the purposes for which the cookies will be used were “for analytical purposes and to show personalized content based on a profile created

from browsing habits (…)”. However, it was found that, of the
two third-party cookies installed when web browsing began (“__uvt” and
“_upt”), there was no information about them in the “Cookie Policy”.

d).- Regarding the possibility of withdrawing consent once given.

It was found that, if the user had given their consent for the use of
cookies that were not of a technical nature through the option existing in the
initial information banner or through consent given in the control panel and
wanted to modify it later, there was the possibility of accessing the control
panel again through the link existing in the “Cookie Policy” of the
websites.

However, if the user now wanted to reject all cookies by clicking
on the <<Reject all>> option or moving the cursors of the cookie groups to

the “OFF” position and clicking on <<Confirm my preferences>> , in the control panel, it was verified that the websites continued to use the installed third-party cookies.
That is, it did not delete the cookies in question, so this tool,
present on the websites, was not operational.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/31

THIRD: On 29/12/23, Mr. A.A.A. filed a complaint with the
Spanish Data Protection Agency.

The complaint was directed against the entity TECHPUMP SOLUTIONS S.L. with CIF:
B33950338, owner of the aforementioned websites, for the alleged
violation of LSSI and in its letter it stated that after it had been indicated that
an age verification system had been installed for the indicated porn pages,
it had entered some of them to see how they were configured, since

almost two years had passed since the start of the procedure that gave rise to the previous
sanctioning file (PS/00555/2021), opened in this Agency, verifying that
the provisions of the cookie policy regulation were still being breached.

FOURTH: On 02/28/24, the Director of the Spanish Data Protection Agency

agreed to initiate sanctioning proceedings against the entity TECHPUMP SOLUTIONS
S.L. with CIF: B33950338, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), for the alleged violation of article 22.2 of the LSSI, regarding the “Cookie Policy” of the websites owned by it.

The opening agreement determined that the possible violations of the provisions of article 22.2 of the LSSI were as a consequence of the use of third-party cookies without the prior consent of the user and the impossibility of
rejecting them; the lack of information in the “Cookie Policy” on the purpose of these cookies and the impossibility of withdrawing consent if it was previously given.

In the opening agreement it was determined that the sanction that could correspond,
considering the evidence existing at the time of the opening and without prejudice to what
results from the instruction, would amount to 30,000 euros for the deficiencies

detected in the “Cookie Policy” of the website ***URL.2, 30,000 euros for the
deficiencies detected in the “Cookie Policy” of the website ***URL.1 and 30,000
euros for the deficiencies detected in the “Cookie Policy” of the website
***URL.4

FIFTH: After the initiation agreement was notified in accordance with the rules established in the

LPACAP, the respondent party submitted a written statement of allegations on 03/25/24, based
on the following arguments:

- The violation of the principle “non bis in idem”, arguing that the facts that
are dealt with in this file (PS/524/2023), have subjective,

factual and causal identity with those already analyzed in file PS/555/2021.

- The contentious-administrative prejudiciality due to the existence of a prejudicial
question, with the added circumstance that without having been procedurally
answered, this new sanctioning file is opened, with

identical characteristics and on the same subject matter as the previous ones. - That, in view of the aforementioned administrative litigation procedure, as well as
in relation to file PS/00523/2023, the document was submitted

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/31

review of Techpump cookies, external audit of measures
implemented on the company's adult content websites (N
REF. 21B 7), where all the indicated issues have been resolved

and rectified.

- The disproportion in relation to the files initiated by the AEPD regarding
other companies competing in adult content.

SIXTH: On 03/26/24, this Agency received a new letter of

allegations in which the following is stated:

That as a complement to the letter presented this morning, the present one prepared by the technical department of the company is added
regarding the reasons why this file has been initiated in view of the following:

Summary of cookies __uvt and __upt

1. Cookies Involved: The company ExoClick manages two specific cookies, called __uvt and __upt.

2. Status in December: During December, when the data protection agency

evaluated the cookies, there were no measures implemented to block these specific cookies
since ExoClick had no option to block them.

3. February Fix: In February, ExoClick introduced a fix that
allows __uvt and __upt cookies to be blocked when users choose to
block all cookies on the site.

4. Partial Implementation: This fix has been implemented on only
two websites, XXXXXXX and XXXXXXX. It is still pending implementation on
XXXXXXXX.

5. Impact of Cookie Blocking: When blocking these cookies, it is observed that
no advertising appears on websites.

6. ExoClick Pending Fix: ExoClick still needs to develop a
fix that allows advertising to be displayed on websites even when these
cookies are blocked.

Please note: To address this issue, ExoClick introduced a fix in
February that allows users to block these cookies. However,
this fix has been implemented in a limited way, being active on only
two of its main websites, XXXXXXX and XXXXXX, while sites
such as XXXXXXX are still pending implementation.

It is important to note that blocking these cookies has a significant impact
on the display of advertising on websites. When a user chooses to block the __uvt and __upt cookies, no advertising is displayed. This situation poses a challenge for ExoClick, which must
still find a way to display advertising without the use of these cookies. For all the reasons set forth above, I REQUEST that you comply in a timely manner

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/31

with the request made in File 00524/2023, proceeding to the archiving of the present proceedings without further proceedings. SEVENTH: On 05/22/24, a resolution proposal was made to the effect that

the Director of the AEPD would sanction the respondent party, for the
violation of article 22.2 of the LSSI, regarding the “Cookie Policy” of the
web pages in question, with 30,000 euros (thirty thousand euros) for the deficiencies
detected in the “Cookie Policy” of the website ***URL.2, 30,000 euros
(thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the
web page ***URL.1 and 30,000 euros (thirty thousand euros) for the deficiencies detected

in the “Cookie Policy” of the website ***URL.4.

The resolution proposal was made in accordance with the deficiencies detected in the
“Cookie Policy” of the websites in question and which were, in essence, the following:

- Even if the user did not give consent to use cookies that were not of a
technical nature, and started browsing any of the indicated web pages, these began to use two third-party cookies:
“__uvt” and “__upt”, whose domain belongs to “.magsrv.com”, being able to
verify that the “__uvt” cookie was used to perform statistical operations on
user preferences and show targeted advertising and

regarding the “__upt” cookie, its mission could not be identified. Nor was there any
information about them in the “Cookie Policy” of the websites.

- Regarding the possibility of modifying consent, even if there was the possibility of accessing the control panel again through the link

existing in the “Cookie Policy” of the websites and the consent given was withdrawn, the websites continued to use the installed third-party cookies. That is, the installed cookies were not deleted, so this tool, present on the websites, was not operational.

EIGHTH: On 06/13/24, the entity TECHPUMP presents a written statement of allegations
to the proposed resolution where it states the following:

Note: Only section C) and D) of the written statement of allegations are transcribed, since
it corresponds to the allegations presented regarding the events that are being
discussed in this file, PS/00524/2023, omitting the allegations

presented in sections A) and B) for procedural economy, when referring to the
events discussed in files PS/00555/2021 and PS/00523/2023
respectively and which will be resolved, if applicable, within said files:

“PREVIOUS QUESTION: This representation makes a joint allegation

in relation to the various sanctioning procedures opened by the
SPANISH DATA PROTECTION AGENCY TECHPUMP as a result of the existence of various sanctioning proceedings related to the current regulations on the protection of personal data.

By means of this written statement of allegations, the request made in Procedure PS524/2023 is also fulfilled, in a timely and legal manner, derived from the Resolution Proposal of the aforementioned Sanctioning Procedure dated May 22, 2024.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/31

This written statement of allegations maintains references that it reproduces from previous responses and includes updates and new allegations in relation to them. It also contains references (REF) that help with the traceability of documents in accordance with the internal system used for continuous improvement in the protection of personal data.

Likewise, whenever Techpump is mentioned, we refer to Techpump
Solutions, S.L. And when referring to Techpump web pages, we will refer in

most cases to pages with exclusive content for
adults, which does not mean that Techpump has other web pages, and as an
example www.padresprotegen.com which is an educational website for parents and
guardians precisely to protect minors.

A). IN RELATION TO PS 55/2021: (…)

B). PROCEDURE PS 523/2023: (…)

C) CASE 524/2023

Finally, Procedure PS524/2023 was initiated against my client,
with the following allegations being made in this regard.

FIRST. VIOLATION OF THE NON BIS IN IDEM PRINCIPLE.

Firstly, this party again alleged the violation of the principle
non bis in idem, since the facts that are being judged in file
00555/2021, have, as will be seen later, a subjective, factual
and causal identity, with those analyzed in the present file 524/2023, there being
no difference between both administrative sanctioning procedures.

But there is also another sanctioning file that was initiated and with
reference 523/2023 to which a response was given, even complementary
briefs were submitted regarding the different measures that were adopted both at the
presentation of the brief and afterwards.

We understood with all this that the AEPD was initiating different proceedings,

also very repetitive over time, and that they deal with the same matters
and that they have already been resolved. All this without responding to the briefs
that TECHPUMP SOLUTIONS S.L. had been submitting. and where an absolute and sincere willingness to collaborate on the part of this company is demonstrated,
with the Agency, thereby generating a clear lack of defense.

To make matters worse, all this when through the media
TECHPUMP SOLUTIONS S.L. showed an absolute willingness to collaborate with
the AEPD, and when it has even requested a meeting, which has been
denied by this authority in an incomprehensible way, given that the

objective was to address this issue of social importance in the most constructive way possible,
more than even the sanctioning procedures initiated, which in practice are not going to solve the problems, to which
my client is putting all its efforts to give a constructive solution, and assumed both by the regulator in question, as well as by my
own client.

As regards the qualification and application of the concept of “non bis idem” to the present case, we considered reproduced everything that had already been indicated in the response to the initiation of case PS 253/2023 regarding the scope of the subjective, factual and casual identities of the principle invoked, as well as the legal basis of legality and typicality and proportionality.

All in all, the sanction sought in this new procedure has the
same legal cause as the previous ones, and for this reason my client is already being
sanctioned three times for the same facts, thereby injuring the rights that must
protect her against irregular and/or excessive actions against the Administration itself, as is the
case in the present case, especially taking into consideration that the actions taken on the basis of file 00555/2021 were expressly challenged
before Section 1 of the Administrative Litigation Chamber of the National Court, and consequently, they did not have a firm character at the present time, and a claim was also filed that was admitted
by means of an order dated February 13, 2024, which was
substantiated in Ordinary Procedure number 1794/2022, as indicated, before Section One of the Administrative Litigation Chamber. Administrative Litigation of the National Court, and with the new developments known by the parties, including the pronouncement made by the State Attorney.

This once again highlights the failure in this case of the aforementioned principle of non bis in idem, with the consequent violation of article 25 of the Spanish Constitution, where the principle of legality in the actions of the Administration is expressly recognized.

In this sense, the doctrine of the European Court of Human Rights has been violated, e.g. in Judgment 15963/90, of October 23, 1995, Case of Gradinger v. Austria [ECLI: EC: ECHR:1995:1023JUD001596390], where the ECHR considers that the fine imposed by the administrative authority after a conviction for the same facts constitutes a genuine penalty, which violates the principle of non bis in idem. There has been a violation of

Article 4 of Protocol 7 of the European Convention on Human Rights.
Also, it is necessary to take into account Judgment 38237/1997, of 6 June 2002, Sailer v. Austria [ECLI: EC: ECHR:2002:0606JUD003823797], in
which the ECHR considers that Article 4 of Protocol No. 7 of the European Convention on Human Rights must be understood in the sense that

it prohibits the initiation of proceedings or the prosecution of a second infringement, as long as it derives from identical or
substantially the same facts. This provision contains a guarantee against prosecution in a new procedure, as is improperly
occurring in the present case.

At the domestic level, the Spanish Constitutional Court serves as a reference, among many other rulings, in STC 177/1999, dated 11 October, Appeal for protection 3657-94. Filed against the rulings of the Provincial Court

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/31

and of the Criminal Court No. 22 of Barcelona, which convicted the
appellant as the author of a crime against the environment. Violation of the
right to criminal legality. The High Court expresses the doctrine
about the principle non bis in idem, indicating that, taking into account the above,
it should be noted that we are not in the hypothesis that the Courts of the

criminal jurisdictional order appreciate diversity of conducts or facts, or
that the foundation or protected legal asset protected by
the administrative norm and that preserved by the applicable criminal type are not identical and, in the
absence of such identity, they understand the prohibition of bis in idem or
duality of punitive reproach to be inapplicable, but rather in a case that presents the peculiarity
that the judicial bodies start, as an initial premise, that the aforementioned identifying elements of the principle that is alleged to be
violated, that is, the triple identity of subject, fact and foundation, concur, and that, nevertheless, they do not conclude in an acquittal pronouncement for the sole and only reason, explained in the condemnatory sentences, of the rule or criterion of
prevalence of the criminal jurisdiction over the administrative power to sanction, understanding that this, due to its subordinate rank, must yield in
its exercise or manifestation to the ius puniendi of the former, which leads to the
criminal incrimination and consequent conviction sentence considering that the conduct of the accused is constitutive of a crime, and this despite the fact that the same conduct has been previously sanctioned by the Administration.

It can therefore be stated that the contested Sentences establish the material violation of non bis in idem, but consider the subsequent imposition of punishment to be unavoidable in application of the indicated rule of prevalence.

The principle of non bis in idem is configured as a fundamental right of the
citizen against the decision of a public power to punish him for acts that were already subject to sanction, as a consequence of the previous
exercise of the ius puniendi of the State. It is essentially aimed not only at
preventing the prohibited result of double incrimination and punishment for the same
facts, but also at avoiding possible pronouncements of a contradictory nature, in the event of allowing the parallel or simultaneous
prosecution of two procedures --criminal and administrative sanctioning-- attributed to authorities of different orders. To prevent such
results is aimed the priority attribution to the criminal jurisdictional bodies of the
prosecution of facts that appear, prima facie, as crimes or misdemeanors.

We must conclude that, once a sanction has been imposed, be it of a criminal or
administrative nature, it is not possible, without violating the aforementioned fundamental right, to
superimpose or add another different one, provided that the oft-repeated identities of subject, facts and basis concur. It is this essential core that must be
respected in the field of the generic punitive power,
considered, to avoid a single conduct receiving a double reproach.

All this leads to the conclusion that, as occurs in the present case, a double sanction is being
imposed in the administrative sanctioning order, which presents and
has the same characteristics as the criminal jurisdiction itself, for acts analogous to those already sanctioned

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/31

previously, with the corresponding subjective, factual and casual
identities existing between both procedures, which determines, precisely, the
application of the principle “non bis in idem” now invoked, as well as the same
legal basis relative to legality, typicality and the requirement of
proportionality, which must exist in the use of administrative sanctioning powers.

SECOND. PREJUDICIALITY IN ADMINISTRATIVE LITIGATION.

In order to avoid argumentative repetitions, it is appropriate to consider as
reproduced the statements made in file 523/2023, to which it is appropriate to refer in order to take into consideration the
existence of a preliminary question of a contentious-administrative nature, with
identical characteristics and on the same subject matter as the previous ones.

THIRD. SUBSIDIARY TO THE PREVIOUS SECTIONS AND
IN RELATION TO THE CONSIDERATIONS MADE BY THE AEPD.

It should be noted that, in the aforementioned procedure before the
Contentious-Administrative Chamber, as well as in relation to the previous file

523/2023, the REVIEW DOCUMENT OF TECHPUMP COOKIES was submitted. EXTERNAL AUDIT OF MEASURES IMPLEMENTED IN
THE COMPANY'S ADULT CONTENT WEBSITES (REF.

No. 21B 7) for which the documentary evidence is not attached for the sake of procedural economy, since

it has been provided in the aforementioned proceedings, to which it is appropriate

to refer for the purposes of justifying this written statement of allegations,

as the typical case of justification by referral, for the purposes of
the motivation of these allegations.

We understand that all those issues indicated by the regulator have been

openly resolved and corrected by my representative, and,
consequently, therefore, the initiation of a new sanctioning
procedure is not appropriate, without prejudice to the fact that in this new procedure an inspection was

carried out. We conclude that this cookie was indeed temporarily placed due to a technical error on the part of the advertising provider Exoclick, without being active at the time the external audit was carried out (January 2024), and without being active at present. Therefore, it was only a temporary error within a technical process.

For these purposes, the advertising provider was asked to issue a report, which we are waiting to receive, and currently, in the event of consenting to cookies, advertising is managed independently of the cookies, which implies full compliance on the part of my client.

And not only that, but also the Techpump Solutions S.L. websites related to adult content, such as those for which a file has been opened, are in a clear process of mitigating errors in the aforementioned transition to payment sites, as well as the possible establishment of a payment system also in the event that cookies are not accepted, which would mean an identification of the user of the websites, with what this entails

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/31

in terms of adult privacy but also establishing a better control system to prevent access by minors, which as we have already indicated and demonstrated through documents, we have no evidence that it has occurred on the adult websites of Techpump Solutions, S.L. Neither from the access statistics already mentioned, nor from any claim through the DPO or compliance systems. A COOKIE REVIEW DOCUMENT carried out by TECHPUMP SOLUTIONS, S.L. was submitted, which constituted an EXTERNAL AUDIT OF MEASURES IMPLEMENTED ON THE COMPANY'S ADULT CONTENT WEBSITES, dated January 24, 2024. (REF. No. 21 B 7).

In addition to the above, and due to its close relationship, and having also been provided in the previous sanctioning files, a complete review of the onboarding procedure for the protection of minors was carried out, placing TECHPUMP SOLUTIONS S.L. with certainty as the currently safest site in the field of its sector of activity, that is, in this aspect that is known and within open adult content pages. It was accompanied as DOCUMENT NUMBER 2, DOCUMENT OF REVIEW OF THE TECHPUMP ONBOARDING PROCESS AND
MECHANISM TO PREVENT ACCESS BY MINORS. EXTERNAL AUDIT OF MEASURES IMPLEMENTED ON THE COMPANY'S ADULT CONTENT WEBSITES. (N REF. 21 F 1 4).

However, since then a new Compliance procedure has also been implemented (N REF. 21 C 0) called TECHPUMP'S CHILD AND ADOLESCENCE PROTECTION POLICY and
which was accompanied as DOCUMENT NUMBER. There is no doubt about the intention of
TECHPUMP SOLUTIONS S.L. which places it on a plane of absolute priority.

FOURTH. DISPROPORTION IN RELATION TO THE PROCEEDINGS
INITIATED BY THE AEPD AGAINST OTHER COMPANIES
COMPETITORS IN ADULT CONTENT.

We must finally indicate, and as a continuation of everything already stated in

the previous allegations, as well as in the previous ones presented in the
administrative sanctioning proceedings presented against my
representative, and all the changes that are being made within this
more than demonstrable willingness to collaborate, which is perceived by the
same, carries with it a more than evident disproportion in terms of the
treatment that these competing companies are receiving from the Spanish Agency
for Data Protection, whose web pages are receiving much more traffic even than those of TECHPUMP SOLUTIONS S.L.

These websites, which have never been restricted from accessing traffic in Spain, although they may do so if that is a concern, and which have

much fewer guarantees than those of TECHPUMP SOLUTIONS S.L., and at the same time, present circumstances that may
put the processing of your data in relation to minors and/or third parties at risk, not to mention that, in many cases, they lack any type of guarantee. In this regard, see the comparables that are included in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/31

documents as an example, and not to go into real nonsense, which are freely accessed without any restriction of any kind from Spain.

And not only that, but only the website generated by my client

TECHPUMP SOLUTIONS S.L. in 2023 ***URL.7 is a reference in terms of
the education of parents and guardians in safe navigation, when
even in educational institutions dependent on the State and the
Autonomous Communities there have been complaints of very inappropriate and precocious educational
practices for minors in relation to sexual education and not only
that, but even the viewing of pornography by minors has been encouraged,
as well as inappropriate sexual practices for minors, which
is far from all the efforts that have been made by
TECHPUMP SOLUTIOS S.L. and in this case it is the administration itself that
tolerates them. With all this experience, TECHPUMP
SOLUTIONS S.L. has approached this AEPD to try to

contribute to the development of appropriate policies that involve education,
given the technological evolution and the knowledge that minors have and that
makes the controls not work, in addition to the clash of rights between the
freedom of the adult to access and the restriction to minors.

We regret that this attempt to approach the AEPD by

TECHPUMP SOLUTIONS has resulted in a new initiation of
sanctioning proceedings, which we understand to be disproportionate and out of place
for all the reasons stated, and that in the case at hand the measures have
already been implemented.

In any case, my client doubts that other similar websites have

shown such an evident willingness to collaborate as it is doing, with the intensity, seriousness and commitment to defending the
same values that the Spanish Data Protection Agency tries to defend.

D). ALLEGATIONS REGARDING ALL OF THE FILES INITIATED AGAINST MY REPRESENTATIVE, INCLUDING THOSE CORRESPONDING

TO PS 524/2023

In conjunction with all the files initiated by the SPANISH DATA PROTECTION AGENCY in relation to my representative, the following explanatory allegations are made below.

FIRST. In the case at hand, as can be seen from the set of allegations made by my client in the FILES PS
00555/2021, PS00523/2023 PS524/2023, the existence of breaches carried out by my client is certainly evident, which are
recognized as such, as it is also evident that all the activity aimed at efficiently and
effectively correcting said anomalies has been deployed by the client, making the
deficiencies identified by the SPANISH DATA PROTECTION AGENCY disappear in practice.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/31

This mitigating circumstance developed by my client is nothing more than
the reflection that on the part of the same, there has been no doubt at any time in the
need to protect the privacy of the people who approach this
type of web pages, and at the same time, with a fundamental character,
to protect the rights of minors so that they do not have any access to said web pages.

The public communication made by my client has tried to
bring to the attention of the general public the need and to effectively
raise awareness of the need to establish the appropriate protection measures that
guarantee that said minors did not have nor could have
access to the aforementioned web pages, having achieved this purpose.

In this regard, it is important to emphasize in detail the important investments made by my client in the sense of trying to transmit in a holistic and global way to everyone the need to raise awareness about the necessary protection of minors. This has been achieved through the creation of specific websites, as indicated in the allegations included in this document, for training and raising awareness among parents, so that they can exercise the proper control over their minor children and said websites.

Likewise, it should be noted that my client has developed systems, in collaboration with the companies that provide Internet services, in order to try to prevent unauthorized access by said minors to the indicated websites.

This effort to raise awareness and mitigate the hypothetical damage that these

pages could cause has also been attempted to mitigate, not only by
actively correcting and stopping all the irregularities
revealed in its actions by the SPANISH DATA PROTECTION AGENCY, but the position of my client has
gone further, in the sense of offering, given the experience acquired, its legal and sincere
collaboration both to the governmental plans carried out for this purpose by the GOVERNMENT OF SPAIN, as well as by the SPANISH DATA PROTECTION AGENCY, with the purpose of collaborating in the
legal and technological regulation of the sector, so that the typology of these pages stops being a factor of conflict in relation to minors.

In addition to all this, it cannot be ignored that my client, TECHPUMP SOLUTIONS S.L., in proof of its conviction to mitigate this type of
risks, has placed itself at the forefront of the sector of this type of web pages,
both nationally and internationally, developing effective and convincing
technical means for the purposes of protecting and preserving the legitimate
rights of minors in relation to this type of web pages.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/31

These circumstances are sufficiently and principally proven in the
allegations made in relation to File PS00555/2021, and are
equally verifiable in relation to PS523/2023 and PS524/2023

SECOND: This representation expressly requests the
accumulation of procedures PS00555/2021, PS00523/2023 and PS524/2023, as they
deal with identical issues, and in any case analogous to the
technical conditions that these web pages must meet, in order to

comply with the privacy requirements required by current legislation. The accumulation in the administrative field is configured as an act of
procedure that is adopted as an incident within a main procedure
by the body that has initiated or processed it for the purposes of

accumulating it to others with which it has a substantial identity or close connection,
provided that it is the same body that must process and resolve the
procedure. We will analyze its legal configuration below.

In general, article 57 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations (hereinafter,

LPACAP), under the heading of Accumulation, provides that "the administrative body that initiates or processes a procedure, whatever
the form of its initiation, may order, ex officio or at the request of a party, its
accumulation to others with which it has a substantial identity or close connection,
provided that it is the same body that must process and resolve the

procedure" and that "no appeal shall proceed against the agreement of accumulation".

This accumulation of files is caused in the present case by the
substantial identity that occurs between the various files initiated

against my client to which reference has been made, having
between them a close connection, since as has been
stated This decision is adopted with respect to a procedure that forms
an administrative file. By administrative procedure we must
understand the succession of actions carried out by the Administration subject to
the general rules of initiation and procedure provided for in Title VI of the
cited LPACAP and which end through any of the forms provided for in
Chapter V of the aforementioned Title. The procedures are documented in the
files.

The accumulation may be agreed upon at the time of initiating the procedure or

it may be agreed upon regarding procedures already initiated, and it may be done ex officio or
at the request of a party. Article 57 LPACAP establishes the requirement that the
body that decides the accumulation be the same one that must process and resolve the
procedure. In this sense, the jurisprudence already understood that the decision
to accumulate is discretionary and that the body that orders the accumulation must

have the authority to decide on the matters to which the accumulated procedures refer, speaking for this purpose of "body with more specific
competence" (cf. judgment of the Supreme Court of December 26, 1989).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/31

As regards the content of the decision itself, as has been said, the jurisprudence
understands that it is a discretionary decision, but it cannot be forgotten
that article 57 LPACAP requires that between the procedures that are
accumulated there must be the logical "close connection" or "substantial identity",
these indeterminate legal concepts that must be integrated by the authority that
decides to accumulate, which makes it possible for it to be challenged not in isolation as
has been seen - but with respect to the resolution that ends the procedure; in
this sense the idea of discretion must be qualified and not identified with the
non-appealability of the decision to accumulate. On the other hand, it is not necessary to
hear the interested parties, hence the jurisprudence understands that there is no vice of
defenselessness.

As can be deduced from the above, the effect produced by the accumulation is to
resolve in a single procedure and in a single resolution all the

issues raised, which is basically what is requested in this document.

THIRD. This representation as it can be deduced from the allegations, and from
the documentary evidence provided in sections A), B), and C) of this
document of allegations, shows to the SPANISH DATA PROTECTION AGENCY the
appropriateness of considering the factors of mitigation of the administrative
liability to be imposed on my representative.

This must begin with the aforementioned accumulation of sanctioning

files, in order not to repeat the same sanction for the same
facts, or for facts that are a consequence of the previous ones.

Next, this representation highlights the need to
weigh the circumstances expressly provided for in section 2 of

article 83 of Regulation 2016/679 General Data Protection of the EU,
in order to adequately quantify the fines imposed
as a result of alleged administrative infringements.

In this sense, the intentionality or negligence in the infringement must be brought to
attention, where in relation to it, it must be made clear that the

situation for which my client was sanctioned or the sanction was proposed was
the common one existing in the market, both from a national and
international perspective, where it must be highlighted, as has been made clear, the
level of reaction of my client in the implementation of mitigating measures that
are truly effective, as has occurred in an effective manner, guaranteeing the rights and freedoms of the owners of the
compromised data, and preventing access by minors to said web pages.

In relation to article 83.2.c., any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties must be taken into account.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/31

In this case, the set of measures referred to in this statement of allegations represents the real and effective adoption of said measures, to mitigate the damages and losses that may occur to this effect, with the

aim of ensuring that these are non-existent when the controls carried out voluntarily by my representative function adequately.

It is important to highlight at the same time, the capacity of reaction of my representative to mitigate or avoid the production of injuries to the rights of users, proceeding to correct in an active and immediate manner the irregularities that have been detected to this effect.

Likewise, the degree of cooperation of my client with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement must be highlighted, as evidenced by the measures adopted as noted in the various written allegations incorporated in this document. It is also important to highlight, as has been done, the
position that my client has assumed, who has not hesitated publicly
through various media to assume without hesitation or ambiguity,

the positions of the government and/or the Spanish Data Protection Agency, trying to raise awareness and educate users in order to
respect, first of all, their rights and freedoms in the area of privacy, but also to reinforce the educational measures, and the
consequent control that they entail, in order to guarantee

at all times the rights of minors, as the main concern of my client, as he has been publicly
stating, said position and attitude having to be valued as a
more than important mitigating factor any other aggravating or mitigating factor
applicable to the circumstances of the case, such as the financial benefits

obtained or the losses avoided, directly or indirectly, through the infringement.

The express implementation of a website aimed at parents, with the investment that this has entailed, must be interpreted as a sign of institutional loyalty on the part of my client, as well as the fact that

it has implemented means that have meant a more than evident reduction in its income, in order to guarantee the rights of users and above all, taking into account the technical and organizational measures in order to preserve access for minors.

Consequently, the implementation of significant economic means by my client in order to align itself with the same position indicated, in this case, by the SPANISH DATA PROTECTION AGENCY must be brought to the fore. With this, TECHPUMP
SOLUTIONS, S.L. not only does it have these websites for adults against which

these recurring disciplinary proceedings have been initiated, but also an educational website like no other known and which has already been
demonstrated to be serving as an effective aid for parents and guardians who may even contact my representative in the event of technical
issues.

FOURTH. In line with what has been set out in the previous section, it is necessary to
additionally but systematically take into account the actions undertaken by my representative in order to mitigate, in a responsible manner and in full
collaboration with the SPANISH DATA PROTECTION AGENCY, certain measures that have guaranteed the rights of the data owners, and especially, as has been pointed out with a certain reiteration, the
specific protection of minors.

Among these measures to which special reference must be made,
the following stand out for their importance, and are those that
are set out below: 1). The generation of a Compliance procedure in relation to minors.
“TECHPUMP CHILD AND ADOLESCENT PROTECTION POLICY” already submitted to the AEPD and

the appointment of an external Compliance Office. 2). The generation, as has been repeatedly referred to in this written statement of allegations of the website www.padresprotegen.com by TECHPUMP SOLUTIONS S.L. so that through them both parents and guardians can manage and limit access and the safety of minors. A unique initiative by a provider and within realistic standards using education as a basis.

3). The carrying out of the appropriate communications with the AEPD with the
purpose of collaborating both with the Agency and with other administrations and
with the Government of Spain in this area of activity, in order to
provide effective and efficient solutions, based on the experience
acquired by my representative, as an expert in this specific sector of
activity, which can help and provide this Agency with ideas and data that

may be important in view of the declared urgency of the situation. Furthermore, when TECHPUMP SOLUTIONS S.L. is surely the
one that best performs in the sector and when its market share is minimal in relation
to foreign operators in Spain. All of this is exhaustively documented
in the documents presented. This help is offered voluntarily and with
all generosity to the Agency to which I have the honor of addressing myself, and

your contribution is once again interested, since it may prove to be very
constructive. 4). Hiring an external legal team to
resolve the incidents: Techpump has hired external specialists
in order not to hide the problem but to address it with solutions and
approaches based on ethics, which has meant an important change
particularly in onboarding processes and in education. 5). As has

also been repeatedly stated, my client has launched various
information campaigns in the press on the website www.padresprotegen.org and
the desire to collaborate with the AEPD and the Government of Spain. With this,
TECHPUMP SOLUTIONS S.L. has publicly acknowledged at all times
its desire to contribute and ultimately correct breaches. 6). The

implementation and continuous review of a more complete onboarding process of open adult pages existing in Spain in
the protection of minors and respecting adult access in accordance with the
data minimization processes and the demanding “balance”: Including
date of birth, access to educational websites, dark backgrounds up to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/31

the acceptance of cookies, session cookies, among other technical and
organizational measures implemented for this purpose. 7). The implementation of a migration project to
payment pages in the coming months without open content and
making registration necessary. Faced with foreign competitors and with what this
implies in terms of loss of market share. In addition, Techpump will implement the

payment system in the case of non-acceptance of cookies, which means
more access control as user registration becomes necessary. All of this,
ignoring the economic cost that the adoption of
these technical measures represents for me. 8). The configuration of a contact process with
mobile telephone operators to restrict access to subscribers under the age of
18. In this regard, TECHPUMP SOLUTIONS S.L. is studying the

implementation of an access control in relation to the age of the owners of mobile
terminals, restricting access in the event that the owner is a minor. To this end, my client has sought contact
and the involvement of the AEPD itself, although the process is already
beginning with the operators. In this regard, TECHPUMP SOLUTIONS S.L. TECHPUMP SOLUTIONS S.L.

would also support initiatives that have not yet been addressed by the AEPD, as far as we know, but which are aimed at banning smartphones from children under 14 years of age, as teachers have already indicated, which is necessary for the protection of minors and for the problems that the early use of these technologies poses in the development and relationships with others. TECHPUMP SOLUTIONS S.L.

already has internal studies in this regard. 9). The contracting and
linking of Compliance with the RTA (Restricted to Adults)
https://www.rtalabel.org/ following the international standards of the
Association of Sites Advocating Child Protection (ASACP). As a culmination of all this, it should be noted that TECHPUMP SOLUTIONS S.L. has
demonstrated and demonstrates every day in a palpable and evident way its absolute

commitment to this AEPD and other state agencies, aimed at
resolutely supporting the public policies and commitments of the Spanish Data
Protection Agency, thereby protecting those measures that are
necessary to guarantee the rights of users.

The aim is to provide protection independently of any
ideological or political approach, but rather to defend society
without leaving aside any kind of recommendations aimed at greater
protection, in particular, of minors. Finally, the fact of this loyal, committed and sincere
collaboration in this area of activity must be valued, far from the image that third parties have tried to project of
some companies in this area or sector, since operators such as TECHPUMP only

aim within their business to do things as well as possible and collaborate in
education.

FIFTH. Consequently, this representation expressly requests that these sanctioning processes be accumulated, first of all, and that in any case, the sanctions imposed on my representative be moderated, based on the activity of compliance and orthodoxy intended, which is not only exemplary, but constitutes a reference
for the entire sector of activity of these web pages, in the sense of the more than patent and evident will to adapt to the regulations in force in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/31

the matter of data protection and privacy, guaranteeing the rights of users and minors. For all the above,

I REQUEST FROM THE DATA PROTECTION AGENCY that it considers this document to be submitted, and that the allegations contained therein be made. And consequently with the same: a). That the required procedure for allegations corresponding to procedure PS524/2023 be considered to have been completed in a timely and legal manner. b). That procedures PS00555/2021, PS00523/2023 and PS524/2023 be combined as they are closely connected, and should be dealt with in a single administrative procedure. c). Given the special situation of procedure PS00555/2021, that it be archived without further processing. d). That,
in any case, the mitigating circumstances of liability be applied,
for the purposes of imposing the fine, in accordance with the

circumstances of weighing liability provided for in article 83
of Regulation (EU) 2016/679, General Data Protection, to which reference has been
made, reducing the monetary fines imposed on my representative in the files to which reference has been made in this written statement of allegations.

NINTH: On 07/04/24, the entity submitted a new written statement of allegations
in which it states the following:

First.- That as has already been stated before this AEPD, in the event
of the onboarding system published in the Press Release being approved,

TECHPUMP will adopt it immediately, without prejudice to the measures that have
already been implemented, demonstrating that there is no mandatory onboarding procedure established to date for adult pages, as
is made clear by the accompanying note from the Ministry itself.

Second.- That the publication of the aforementioned press release therefore
demonstrates that to date there was no established onboarding system for
adult pages, and therefore it is not admissible that the AEPD
seeks to sanction Techpump, when it has an onboarding system, more
guaranteeing than that of its competitors, and there was no other mandatory one.

Third.- That the onboarding system that is intended to be established according to the
aforementioned press release, includes personal data that in our
understanding constitutes a significant violation of the rights of people, in this case of adults, and is an onboarding system
outside the framework of the GDPR and consequently of the LOPD.

Without prejudice to the above, and in the event of not migrating to "paid" pages for
when this regulation is applicable, it will be applied, despite the fact that it is
considered not to be in accordance with the law. In relation to the legality of the
ministerial proposal, we understand that the AEPD will issue a report before its

implementation.

Fourth.- We reiterate, once again, that Techpump in this regard
maintains an absolutely proactive attitude and proposes alternative systems

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/31

that are more effective and that are in accordance with the privacy of individuals,
with the Government of Spain's proposal being, in our opinion, not
proportional, violating the principle of data minimization, among others."

TENTH: On 07/05/24, the entity submitted a new written statement of allegations

in which it states the following:

That in relation to the reference files, new allegations are hereby made
in addition to our written statement of allegations dated
June 13, 2024 and earlier. And in view of the publication last Monday of the Press Release “Digital Beta Wallet, the application that includes the

system for verifying the age of majority in access to adult content, will be available at the end of the summer” published by the MINISTRY
FOR DIGITAL TRANSFORMATION AND THE PUBLIC FUNCTION. Which is
attached as DOCUMENTARY ONE. The following
STATEMENTS are made:

First.- That as has already been stated before this AEPD, in the event
of the onboarding system published in the Press Release being approved,
TECHPUMP will adopt it immediately, without prejudice to the measures that have
already been implemented, demonstrating that a mandatory onboarding procedure for adult pages has not been established to date, as

is made clear by the accompanying Ministry note itself.

Second.- That the publication of the aforementioned press release therefore
shows that to date there was no established onboarding system for
adult pages, and therefore it is not admissible that the AEPD
intends to sanction Techpump, when it has an onboarding system, more

guaranteeing than that of its competitors, and there was no other mandatory use.

Third.- That the onboarding system that is intended to be established according to the
aforementioned press release, includes personal data that in our
opinion constitutes a significant violation of the rights of people, in this case of
adults, and is an onboarding system outside the framework of the General Data Protection Regulation and
consequently of the LOPD. Without prejudice to the above, and in the event of not
migrating to "paid" pages by the time this regulation is applied,
it will be applied, despite the fact that it is considered not to be in accordance with the law. Regarding
the legality of the ministerial proposal, we understand that the AEPD will issue a report
before its implementation.

Fourth.- We reiterate, once again, that Techpump in this regard
maintains an absolutely proactive attitude and proposes alternative systems that are
more effective and that are in accordance with the privacy of individuals,
with the proposal of the Government of Spain being, in our opinion,
not proportional, violating the principle of data minimization among others.

Therefore, we request the filing of all the complaints imposed on my client, since through what is set forth in the body of this document it is
clearly evident that the system that was required of my client did not exist at the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/31

time to severely sanction him for it, the possession of a specific and determined system for this purpose not yet being obligatory.

For all the above, I REQUEST THE SPANISH DATA PROTECTION AGENCY that considers this document submitted, to accept it
together with the accompanying documentation, considering the previous statements made and DECREING THE ARCHIVE OF ALL THE
COMPLAINTS IMPOSED ON MY REPRESENTATIVE.

From the actions carried out in this procedure and from the documentation in the file, the following have been proven:

PROVEN FACTS

Sole: On 27/12/23, the Inspection Subdirectorate of the Spanish Data Protection Agency completed the following characteristics of the "Cookie Policy" of the websites:
***URL.1, ***URL.2, ***URL.3, ***URL.4 and ***URL.5:,

a).- Regarding the installation of cookies prior to the user's consent:

When entering them, for the first time, once the terminal equipment had been cleared of browsing history and cookies, without accepting new cookies or performing any action on them, the following own cookies were used: - On the website
***URL.2, a own cookie was used, "OptanonConsent", detected as

technical or necessary; - On the website ***URL.1, a proprietary cookie is used:
“OptanonConsent”, detected as technical or necessary and the proprietary cookies,
“user_country”; “stop_redirect”; “country” and “redirect_es” whose purpose could not be
identified although according to the information provided in the “Cookie Policy” of the
website, these cookies “are necessary for the website to function…”; - On the website

***URL.4 , a proprietary cookie was used: “stop_redirect”, whose purpose could not be
identified, although according to the information provided in the “Cookie Policy” of the
website it is a necessary cookie, used to redirect the user to the country of origin.

It was found that when trying to access the websites ***URL.3 and ***URL.5, they
redirect the user to the website ***URL.6.

b).- Regarding consent to the installation of cookies on the terminal equipment:

It was found that, if the user did not give consent for the websites to
use cookies that were not technical or necessary and started browsing

any of the websites mentioned, they began to use two third-party cookies:

“__uvt” and “__upt”, whose domain belongs to “XXXXXXX”. From these two cookies, it was
found that the mission of the “__uvt” cookie is to perform statistical
operations on user preferences and regarding the “__upt” cookie, its
mission could not be identified.

c).- Regarding the cookie information banner in the first layer:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/31

The cookie information banner in the first layer of the websites in question informed that they used their own and third-party cookies and informed them of the
way in which the user could accept, configure or reject the use of cookies.

It also indicated that the purposes for which the cookies would be used were “for
analytical purposes and to show personalized content based on a profile created from
browsing habits (…)”.

However, it was found that, of the two third-party cookies installed
when browsing the web (“__uvt” and “_upt”), there was no information about them in the “Cookie Policy” of the websites.

d).- Regarding the possibility of withdrawing consent for the use of cookies once it has been
given.

It was found that, if the user had given his consent for the use of
cookies that were not technical or necessary through the option existing in the
initial information banner or through consent given in the control panel
and wanted to modify it later, there was the possibility of accessing the control panel
again through the link existing in the “Cookie Policy” of the websites.

However, if the user now wanted to reject all cookies by clicking
on the <<Reject all>> option or by moving the cursors of the cookie groups to
the “OFF” position and clicking on the <<Confirm my preferences>> option, in the
control panel, it was possible to see how the websites continued to use the installed
third-party cookies (“__uvt” and “_upt”).

LEGAL BASIS

I

Competition.

In accordance with the provisions of article 43.1 of the LSSI and the provisions of
articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on
Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the Director of the
Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory

provisions issued in its development and, as long as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

The fourth additional provision "Procedure in relation to the powers attributed to the Spanish Data Protection Agency by other laws" establishes

that: "The provisions of Title VIII and its implementing regulations shall apply to
the procedures that the Spanish Data Protection Agency must process in the exercise of the powers attributed to it by other laws."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/31

II
Response to the allegations presented to the resolution proposal

First: The entity TECHPUMP begins the written allegations indicating that, as a
consequence of the existence of various sanctioning files related

to the current regulations on personal data protection, it groups the allegations to
each one of them in this writing and thus, section A), with the title “IN RELATION
TO PS 55/2021” is dedicated to defending its interests in relation to file
PS/00555/2021 and section B) with the title “PROCEDURE PS/523/2023” is
dedicated to the file opened to the entity with said reference.

Well, in order to put into context the situation of the three files to which the TECHPUMP entity refers, let us remember that, in PS/00555/2021, the aforementioned was charged and sanctioned for both violations of the GDPR and the LSSI (although as we will see later, the facts charged in that procedure do not coincide with the facts charged in the present sanctioning procedure; PS/00523/2023 was initiated as a consequence of non-compliance with the corrective measures imposed in PS/00555/2021 in relation only to breaches of the GDPR and the present sanctioning procedure, PS/00524/2024 only refers to breaches of the LSSI, as we have indicated, in relation to facts different from and subsequent to the facts noted in PS/00555/2021.

Therefore, to state with respect to the allegations presented in sections A) and B)
of the written allegations that they have no relation to the matter being
discussed in this file (PS/00524/2023) and that, therefore, they cannot be
taken into consideration in this procedure since they will be dealt with and resolved, if
appropriate, within each of them.

Furthermore, please note that PS/00555/2021 is currently being settled in a contentious administrative judicial procedure (CA/00086/2022)
before the NATIONAL COURT (PO 0001794 /2022) and therefore, it will be this Judicial Body that will resolve, where appropriate, the controversies raised in section A),
while PS/00523/2023 is following an administrative procedure independent of this one

and that it will be within this procedure, if appropriate, where the
allegations raised in section B) will be settled.

Second: In the “first” point of section C) of the written allegations, the entity
TECHPUMP raises the application of the “NON BIS IN IDEM” principle to the present case,
alleging that the facts that are being judged in it have the same

subjective, factual and causal identity as those judged in file PS/00555/2021, there being no
difference between both administrative sanctioning procedures and that therefore, it requests that the present file should be archived.

Well, let us remember that the principle of "non bis in idem", applied to

administrative law, is a legal principle that establishes that a person cannot be
sanctioned twice for the same act, thereby seeking to protect people
from being repeatedly prosecuted for the same acts.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/31

However, for the principle of "non bis in idem" to apply, there must be
a subjective, factual and causal identity between the two causes. Subjective
identity refers to the fact that the person accused in both processes is the same. Factual
identity refers to the fact that the facts charged in both processes are the
same, that is, there must be a coincidence in the description of the
facts charged and finally, causal identity refers to the fact that the cause of the
action is the same in both processes, that is, there must be a causal relationship
between the facts charged and the infringed legal norm. If these three
requirements are met, then the principle of "non bis in idem" demanded by the entity
could be applied.

However, in the case at hand, although it is clear that the subjective identity is fulfilled by the fact that the subject is the same in both proceedings, that is, the entity TECHPUMP SOLUTIONS S.L. and the same causal identity because there is a causal relationship between the facts charged in the two proceedings and the infringed legal norm, article 22.2 of the LSSI, the same does not occur with respect to the factual identity because the facts charged in both proceedings are not identical in their description and relevant circumstances.

If we look at the resolution of file PS/0555/2021, dated 09/16/22, we can
see that the entity TECHPUMP was sanctioned, among other issues, for
violation of article 22.2 of the LSSI based on the following deficiencies

observed in the “Cookie Policy” of its web pages (see point XXVII of the
FD.- On the “Cookie Policy” of the website):

- a).- For the installation of cookies on the terminal equipment prior to the user's consent:

It was found that when entering its main pages and without performing any type of action on them, third-party cookies that are not necessary

are used, without the user's prior consent: - On the website ***URL.2, the cookies: “_ga_RKCN8YSRSF” “_ga” and “_gid” were used, whose provider is
Google. On the website ***URL.1 , the cookies “User_country” were used, whose
provider is Addition Technologies GmbH and the cookies “gat_UA-38248820-
52”; “_ga”; “_gid”; “_ga_8WNV1D198Q” were used, whose provider is Google. On the website
***URL.3 , the cookies: “_ga_JREJ5KRZQT”; “_gat_UA-

50005236-1”; “_ga”; and “_gid” were used, whose provider is Google. On the website ***URL.4 ,
the cookies “_ga_KJ5V9F3XJJ”; “_ga” and “_gid” were used, whose provider is
Google and on the website ***URL.5 , the cookies “ga_CKL7S7S25E”;
“_ga” and “_gid” whose provider is Google.

- b.- There was no type of banner on the main page that informed in a generic way

about the cookies they used.

- c).- There was no mechanism that made it possible to reject cookies or the possibility of managing them in a granular way through a control panel and,

- d).- The information about cookies that was provided in the “Cookie Policy” was written in English, which is not the official language in Spain.

While, in the present file, PS/00524/2023 sanctions the following
deficiencies in the “Cookie Policies” of its web pages:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/31

- a).- Due to the installation of cookies prior to the user's consent, it has been
detected that when entering them, for the first time, once the terminal equipment has been cleared of browsing history and cookies, without accepting new
cookies or performing any action on them, the following

own cookies were used: On the website ***URL.2 , a proprietary cookie is used,
“OptanonConsentimiento”, detected as technical or necessary. On the website
***URL.1 , a proprietary cookie “OptanonConsentimiento” is used, detected
as technical or necessary and the proprietary cookies, “usuario_país”; “stop_redirect”;
“country” and “redirect_es” whose purpose could not be identified, although according to
the information provided in the “Cookie Policy” of the website, these cookies

“are necessary for the website to function…”. On the website ***URL.4, a proprietary cookie is
used: “stop_redirect”, whose purpose could not be
identified, although according to the information provided in the “Cookie Policy”
of the website, it is a necessary cookie, used to redirect the user to the
country of origin.

- b).- If the user does not give consent for the websites to use cookies that are not technical or necessary and starts browsing any of them, they begin to use two third-party cookies: “__uvt” and “__upt”, whose
domain belongs to “.magsrv.com”. From these two cookies it has been possible to know
that the mission of the “__uvt” cookie is to perform statistical operations

on user preferences to show targeted advertising but regarding the “__upt” cookie, its mission has not been able to be identified. There is also
no information about these cookies in the “Cookie Policy” of the websites
and,

- c).- There is no possibility of withdrawing consent for the use of cookies once it has been given.

Therefore, it is evident that one of the three identities necessary for the application of the principle "non bis in idem" to be considered, the factual identity is not met in the present case, since the facts charged in both processes are not
identical in their description or in their relevant circumstances, and therefore, the request made by the entity TECHPUMP to archive this file based on the principle of non bis in idem cannot be attended to.

Third: The entity TECHPUMP states in the "second" point of section C) of
its allegations, that it considers the statements made in the file PS/00523/2023 (dated 12/18/23) on the contentious administrative

prejudiciality to be reproduced, alleging in said document that the facts that have motivated the
sanctions established in the administrative sanctioning file PS/00555/2021,
are immersed in the administrative appeal 0001794/2022 before
the National Court, and therefore, this Agency cannot open a new administrative file
for the same facts on which the file PS/00555/2021 is based.

Well, it is necessary to reiterate at this point what was stated in the previous section and
that is that between file PS/00555/2021 and the present file PS/00524/2023
although there is the same subjective and causal identity, there is not the same factual identity, that is, the facts charged in each of the files are not the
same and therefore both files are totally independent, so that,
although PS/00555/2021 is immersed in an administrative dispute,
PS/00524/2023, being different in terms of factual identity, can follow its
process. Remember that in file PS/00555/2021, the entity TECHPUMP was sanctioned for the use, on its websites, of third-party cookies without the user's prior consent. These cookies were, on the website ***URL.2 : “_ga_RKCN8YSRSF” “_ga” and “_gid” from Google. On the website ***URL.1 :
“User_country” from Addition Technologies GmbH and the cookies “gat_UA-38248820-52”;

“_ga”; “_gid”; “_ga_8WNV1D198Q” from Google. On the website ***URL.3 ,
“_ga_JREJ5KRZQT”; “_gat_UA-50005236-1”; “_ga”; and “_gid” from Google. On the website
***URL.4 , the cookies: “_ga_KJ5V9F3XJJ”; “_ga” and “_gid” from Google and on the website
***URL.5 , the cookies: “ga_CKL7S7S25E”; “_ga” and “_gid”, also from Google. It was
also sanctioned that there was no type of information banner about

cookies in the first or main layer of the websites. It was sanctioned that there was
no mechanism that made it possible to reject the aforementioned cookies or the
possibility of managing them in a granular way and it was sanctioned that the information
provided in the Cookies Policy was written in English, which is not the official language
in Spain.

However, the present file, PS/00524/2023, is sanctioned for the use of
third-party cookies, (“__uvt” and “__upt”), whose domain belongs to “XXXXXXX”,
even if the user has not given consent for it. It is sanctioned that there is
no possibility of rejecting the use of these cookies, nor the possibility of
modifying consent once given.

Therefore, it is evident that the facts that the AN is considering in the
contentious-administrative appeal 0001794/2022, (PS/0555/2021) are not the same as the reason
for which the present sanctioning procedure has been opened and therefore, it is not possible
to consider at this point the allegations presented on the possible
contentious-administrative prejudice of the facts known in the present procedure
PS/00524/2023.

Fourth: The entity TECHPUMP states in the “third” point of section C) of its
allegations, referring to file PS/00555/2021 that all the
issues indicated, regarding the cookie policy, “(…) have been openly
resolved and corrected by my representative, and, consequently with
this, therefore, the initiation of a new sanctioning file is not appropriate,
without prejudice to the fact that in this new procedure an inspection or the
corresponding investigative procedures will be carried out…” and that “...this cookie was effectively
placed temporarily due to a technical error on the part of the advertising provider
Exoclick without being active at the time the external audit was carried out (January
2024), and without being active at present. Therefore, it was only a temporary error

within a technical process…”

Well, at this point, just remember that it is the TECHPUMP entity itself, in
the document submitted to this Agency on 26/03/24, who recognizes that
the cookies “__uvt” and “__upt” are managed by the company ExoClick. That during the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/31

month of December 2023, when this Agency evaluated the cookies, there were no
measures implemented to block them. That it was not until February 2024, when
ExoClick presented a solution that allowed them to be blocked, but it was only

implemented in, “XXXXXX” and “XXXXXX”, but not in “XXXXXX” which is still
pending a solution.

Therefore, it is the TECHPUMP entity itself that recognizes that, when this Agency
evaluated the web pages owned by it, in December 2023, they used
two third-party cookies (__uvt and __upt); but they lacked measures to block them,

so it is not possible to take into consideration the allegations presented in this
point regarding the entity having solved the deficiencies detected in the
“Cookie Policy” of its web pages because, in Dec-23, this was not true.

Fifth: The TECHPUMP entity states in the “fourth” point of section C) of its

writing what it considers to be discrimination in relation to the files
initiated by the AEPD regarding other companies competing in adult content.

To state that these allegations cannot be admitted or taken into consideration
since the purpose of this sanctioning procedure is to find out the deficiencies in the

“Cookie Policy” of the websites owned by it and, therefore, it is not to deal with the
management carried out by this Agency regarding the control over the processing of personal data
by entities that are dedicated to disseminating adult content, there being other areas of the Public Administration where, if the entity so wishes,
it can raise these issues.

Sixth: In section D).- (points “first” to “fifth”), of the written allegations, the
entity defends the need to accumulate the procedures PS00555/2021,
PS523/2023 and PS00524/2023, as they deal with identical issues, according to
its assessment.

Well, let us remember that, in general, article 57 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations
(LPACAP), under the heading of "Accumulation" provides that: "the administrative body
that initiates or processes a procedure, whatever the form of its initiation, may order, ex officio or at the request of a party, its accumulation with others with which it has substantial identity or close connection, provided that it is the same body that must process and resolve the procedure" and that "no appeal shall be filed against the agreement of
accumulation."

From the aforementioned article 57 LPACAP it follows, and the jurisprudence understands it as such, that the

decision to accumulate several files is discretionary and that the body that orders
the accumulation must have the competence to decide on the matters to which the accumulated
procedures refer, requiring that between the procedures that are accumulated there must exist the logical "close connection" or "substantial identity".

In view of the above, and in relation to files PS/00524/2023 and
PS/00523/2023, it is evident that among the facts that are being analyzed in each of them, the criterion of substantial identity and close connection that the entity alleges does not exist, since in the present file, PS/00524/2023, the possible violations of the provisions of the LSSI are being analyzed and, on the other hand, in
file PS/00523/2023 the objective is to elucidate whether or not there is a violation of the GDPR.

Finally, it should be remembered that file PS/00555/2021 is already final in the administrative
process and is currently being tried in the National Court under the administrative
contentious appeal PO 0001794/2022 and therefore, the bodies in charge of resolving the disputes raised in files PS/00555/2021, which will be the Judge of the AN in charge of the case, and
PS/00524/2023, which will be the Director of the AEPD, do not coincide.

Therefore, based on the above, it is not possible to comply with the request for
accumulation of files as proposed by the entity.

Seventh: Within the requests made by the entity, in point d) it requests that the

financial fine imposed be reduced by taking into account the circumstances of
weighting of liability provided for in article 83 of the RGPD.

Well, state that the present sanctioning procedure was initiated due to the
irregularities detected in the "Cookie Policy" of the web pages of its
ownership, thereby violating the provisions of article 22.2 of the LSSI, and it is in the

LSSI where the legal regime relating to infringements is regulated, for the
non-compliance with the norm, the sanctions and their weighting, regulating in its art. 40
what is related to the gradation of infringements.

Let us remember that article 38.4 g) of the LSSI classifies the facts that give rise to the

infraction as “minor”, and may be sanctioned with a fine of up to €30,000, in
accordance with article 39 of the LSSI and that to graduate the sanction, the provisions of article 40 of the LSSI must be taken into account, estimating, in this case, that the existence of
intention (section a) should be applied as aggravating factors to calculate the sanction to be imposed, an expression that must be interpreted as equivalent to

degree of guilt in accordance with the Judgment of the AN 12/11/07 issued in the
Appeal 351/2006, and the recidivism for committing infractions of the same nature, when this has been declared by a final resolution (section c), taking
into consideration the resolution issued on 16/09/22, file PS/00555/2021.

Furthermore, it should be noted that it is not possible to apply article 83.2 of the GDPR

to assess the fine imposed under the LSSI, since the GDPR regulates a
manifestly different objective, subjective and territorial scope of application.

Therefore, in consideration of all the above, the entity's request to reduce the sanction imposed cannot be accepted in this case,
as there are two

aggravating factors that condition the imposition of the maximum possible sanction.

Eighth: Regarding the allegations presented on 04/07/24 and 05/07/24, where
reference is made to the press release announcing the approval of the mandatory “onboarding” system for web pages dedicated to disseminating adult content and

that the publication of the aforementioned press release shows that to date there was no “onboarding” system for this type of pages and therefore it is not admissible
that the AEPD intends to sanction Techpump, when it has an “onboarding” system, more guaranteeing than that of its competitors, requesting the filing of the present file, state the following:

The “onboarding” system, to which the entity refers, according to the press release
published on July 1, 2024, says verbatim: “The Minister for Digital Transformation and the Civil Service, José Luis Escrivá, has today presented Cartera Digital Beta, the “wallet” (digital document holder) that includes the system for verifying the age of majority in accessing adult content, after completing the design phase of the tool with the publication of the technical specifications….”,

while, in the present sanctioning procedure, PS/00524/2023, nothing is being elucidated regarding the systems implemented on adult content web pages regarding age verification for access to the same, but rather aspects related to the “Cookie Policy” of the web pages, so it is not possible to address, in this case, the allegations presented regarding this matter.

III
Classification of the infringement committed

Of the deficiencies detected, with respect to the cookie policy, on the websites
***URL.2; ***URL.1 and ***URL.4, that is, the use of third-party cookies that are

not technical or necessary even if the user has not given their consent; the
impossibility of rejecting them or being able to manage them in a granular manner; The lack of
information in the “Cookie Policy” on the purpose of these third-party cookies
and the impossibility of withdrawing consent once given, constitute the commission
of an infringement of article 22.2 of the LSSI, as it establishes the following:

“Service providers may use data storage and
recovery devices on recipients' terminal equipment, provided that
they have given their consent after having been provided with clear and complete
information on their use, in particular, on the purposes of the
data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the
protection of personal data.

When technically possible and effective, the recipient's consent to
accept the processing of data may be facilitated by using the appropriate parameters of the browser or other applications.

The above shall not prevent possible storage or access of a technical nature for the sole purpose of
transmitting a communication over an electronic communications network or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the recipient”.

IV.
Graduation of the Sanction

This Infringement is classified as “minor” in article 38.4 g) of the aforementioned Law, which
considers as such: “Using data storage and recovery devices
when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, and may be

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/31

sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.

The LSSI, in its article 40, establishes the “graduation of the amount of the sanctions”,
according to the following criteria:

a) The existence of intentionality.
b) Period of time during which the infringement has been committed.
c) Recidivism by committing infringements of the same nature, when

this has been declared by a final resolution.
d) The nature and amount of the damages caused.
e) The benefits obtained by the infringement.
f) Volume of turnover affected by the infringement committed.
g) Adherence to a code of conduct or a system of self-regulation of advertising

applicable with respect to the infringement committed, which complies with the provisions of article 18 or the eighth final provision and which has been
favourably reported by the competent body or bodies.

After the evidence obtained, it is considered that it is appropriate to graduate the sanction to be imposed
in accordance with the following aggravating criteria, established in art. 40 of

the LSSI:

- The existence of intentionality (section a). Expression that must be
interpreted as equivalent to degree of guilt in accordance with the
Judgment of the National Court of 12/11/07 issued in Appeal No.

351/2006, corresponding to the entity reported to determine a
system of obtaining informed consent that is appropriate to the mandate
of the LSSI.

- Recidivism for the commission of infractions of the same nature, when

this has been declared by a final resolution (section c). In this regard, the resolution issued on 09/16/2022 by the Director of the Spanish Data Protection Agency must be taken into consideration, within the framework of the sanctioning file PS / 00555/2021, opened to the entity TECHPUMP SOLUTIONS S.L., among other issues, for the deficiencies detected in the "Cookie Policies" of the websites in question.

In accordance with these criteria, it is considered appropriate to impose, for the violation of
article 22.2 of the LSSI, regarding the cookie policy carried out on the websites owned by it, a penalty of 30,000 euros (thirty thousand euros) for the
deficiencies detected in the "Cookie Policy" of the website ***URL.2. A

penalty of 30,000 euros (thirty thousand euros) for the deficiencies detected in the
“Cookie Policy” of the website ***URL.1 and a penalty of 30,000 euros
(thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the
website ***URL.4.

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduating the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/31

RESOLVES:

FIRST: TO IMPOSE on the entity TECHPUMP SOLUTIONS S.L. (TECHPUMP), CIF.:
B33950338, owner of the web pages: ***URL.1 ; ***URL.2 , ***URL.3 , ***URL.4 ;
***URL.5 , for the infringement of article 22.2 of the LSSI, classified as “minor” in

article 38.4 g), the following sanctions:

- 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookie Policy” of the website ***URL.2.
- 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookies Policy” of the website ***URL.1 and

- 30,000 euros (thirty thousand euros) for the deficiencies detected in the “Cookies Policy” of the website ***URL.4.

SECOND: NOTIFY this resolution to the entity TECHPUMP SOLUTIONS
S.L. (TECHPUMP).

Warn the sanctioned party that they must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Royal

Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account Nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
XXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A..

Otherwise, it will be collected during the enforcement period. Once the notification has been received and has become enforceable, if the date of enforceability falls between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be
until the 20th of the following month or the next business day thereafter, and if it falls between
the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th

of the second following month or the next business day thereafter. In accordance with the provisions of
article 50 of the LOPDGDD, this Resolution will be made public
once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/31

LPACAP, the final decision may be provisionally suspended by administrative means if
the interested party expresses his intention to lodge an administrative appeal.

If this is the case, the interested party must formally communicate this fact by means of
a letter addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/],
or through one of the other registries provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. He must also transfer to the Agency the documentation
that proves the effective filing of the administrative appeal. If the
Agency is not aware of the filing of the administrative appeal within two months from the day following notification of

this resolution, it will consider the precautionary suspension to be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es