AEPD (Spain) - EXP202103886: Difference between revisions

From GDPRhub
(Changed fine amount to reflect final total +style, fixed links to LSSI)
Line 70: Line 70:


===Facts===
===Facts===
The data subject alleged that it was impossible for a user to purchase an airline ticket from the controller's website without consenting to receive ads from third parties. The controller, Vueling Airlines S.A., had a box on its website indicating consent to receive ads, but, contrary to the data subject's complaint, it was possible to purchase a ticket without checking the box.   
The data subject claimed it was impossible for a user to purchase an airline ticket from the controller's website without consenting to receive ads from third parties. The controller, Vueling Airlines S.A., had a box on its website indicating consent to receive ads, but, contrary to the data subject's complaint, it was possible to purchase a ticket without checking the box.   


The controller's cookie policy allowed users to revoke consent to non-essential cookies via two pre-ticked boxes, one for "performance cookies" and one for "targeted cookies." However, some cookies were incorrectly categorized as essential, so even when users unchecked the relevant boxes or clicked "reject all," some non-essential cookies remained.  
The controller's cookie policy allowed users to revoke consent to non-essential cookies via two pre-ticked boxes, one for "performance cookies" and one for "targeted cookies." However, some cookies were incorrectly categorized as essential, so even when users unchecked the relevant boxes or clicked "reject all," some non-essential cookies remained.  

Revision as of 13:54, 21 June 2022

AEPD - PS/00032/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 22.2 Law 34/2002, of July 11 LSSI
Article 22.1 Law 34/2002, of July 11 LSSI
Type: Complaint
Outcome: Partly Upheld
Started: 01.04.2019
Decided: 06.10.2019
Published: 24.10.2019
Fine: €18,000 EUR
Parties: D.A.A.A
Veuling Airlines S.A.
National Case Number/Name: PS/00032/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEDP (in ES)
Initial Contributor: Samuel Uzoigwe

The Spanish DPA fined an airline company €18,000 for having pre-checked consent boxes for non-essential cookies and for continuing to use non-essential cookies even after users clicked "reject all."

English Summary

Facts

The data subject claimed it was impossible for a user to purchase an airline ticket from the controller's website without consenting to receive ads from third parties. The controller, Vueling Airlines S.A., had a box on its website indicating consent to receive ads, but, contrary to the data subject's complaint, it was possible to purchase a ticket without checking the box.

The controller's cookie policy allowed users to revoke consent to non-essential cookies via two pre-ticked boxes, one for "performance cookies" and one for "targeted cookies." However, some cookies were incorrectly categorized as essential, so even when users unchecked the relevant boxes or clicked "reject all," some non-essential cookies remained.

Holding

The Spanish Data Protection Authority (Agencia Española de Protección de Datos - AEPD) held that the controller's use of non-essential cookies without prior consent was a violation of article 22.2 of the Spanish Law on Services of the Information Society and Electronic Commerce (Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico - LSSI). The AEPD additionally held that the continued use of non-essential cookies even after users revoked consent violated article 22.1 of the LSSI.

For these violations the AEPD ultimately fined the controller €18,000; an inital €30,000 fine was reduced by 40% because the controller voluntarily acknowledged responsibility for the infractions and agreed to pay the fine before final resolution of the sanctioning procedure.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/17
 File No.: EXP202103886
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On March 28, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against VUELING AIRLINES,
S.A. (hereinafter, the claimed party), through the Agreement that is transcribed:
<<
Procedure No.: PS/00032/2022 (EXP202103886)
AGREEMENT TO START A SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency before
the entity VUELING AIRLINES, S.A., with CIF.: A63422141 owner of the website
***URL.1 (hereinafter “the party complained against”), by virtue of the claim presented
by D. A.A.A., for the alleged violation of data protection regulations:
Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16,
regarding the Protection of Natural Persons with regard to the Treatment of
Personal Data and the Free Circulation of these Data (RGPD) and the Organic Law
3/2018, of December 5, on the Protection of Personal Data and Guarantee of the
Digital Rights (LOPDGDD), and against Law 34/2002, of July 11, on Services
of the Information Society and Electronic Commerce (LSSI), and attending to the
following:
FACTS
FIRST: On 08/22/21, he entered this Agency, a brief presented by
the claimant, in which he indicated, among others, the following:
“When buying a ticket through the ***URL.1 website, not only is it not
allows you to delete cookies when accessing the web, but it is impossible to buy a
airline ticket without accepting the sending of commercial data and promotions. because if not
check the box, the purchase is not continued”.
SECOND: Dated 11/04/21, in accordance with the provisions of article 65.4
of the LOPDGDD Law, said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
2/17
THIRD: On 12/21/21, the claimed entity files with this Agency,
written response to the request made where, among others, indicates the following:
“Therefore, Vueling has proceeded to carry out a review of the
following aspects of its website: The ticket purchase process and cookies
used, and where appropriate, installed on visitor devices. A
The conclusions of the reviews that have been carried out are presented below.
cape.
1) Review of the ticket purchase process.-
As has been verified, the user who buys tickets through the website,
***URL.1 can accept or not a box with the following text: “Yes, I want to be updated
of Vueling offers and news. See conditions”.
Users who do not check this box do not receive commercial communications. A
Despite what the complaining party indicates, it is possible to complete the process of
ticket purchase without checking this box.
Additionally, there are two mandatory check boxes, in which the user
declares to have read and accept the privacy policy and the transport contract.
Document No. 1 includes screenshots of the entire purchase process, and that
show that the user can purchase a ticket without accepting the sending of
commercial communications.
In the privacy policy of the website, which is accessible at all
moment during navigation, and which is divided into drop-down sections for
greater ease of access to the contents, it is indicated that the personal data of the
affected may be used, among others, for the following purposes:
“To carry out surveys related to the experience on board Vueling.
Based on the consent you have previously given us, we may
contact you so that you can participate in surveys related to the
experience on board Vueling flights, as well as to offer you the opportunity to
participate in market research carried out by Vueling or by a third party.
To carry out marketing activities and keep you informed about the products and
Vueling services. Based on the consent that you have previously given us
granted, we may send you information about our products and services by
email, push messages from our app or text message.
We may also send you personalized communications after identifying those
products and services that may interest you. This means that we will create a profile
yours to get to know you better as a customer and personalize communications that
we send.
To learn what is relevant to you, we use tools that analyze
data we obtain from information provided by you (via
surveys), your browsing, your shopping preferences or services provided in the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
3/17
past to create profiles that allow you to be identified with customer segments with
similar characteristics to yours and send you promotions or personalized offers
that we think may interest you. You have the right to revoke your consent to
the processing of data for the purpose of carrying out said marketing activities in
any time, as well as in every communication.”
In addition, there is a section called "Consent" in which the
mechanism enabled for the revocation of consent: "If the basis of the
treatment of your personal data outside your consent, you can revoke it in
any time, by contacting us through the address
Data Protection Officer, Vueling Airlines, S.A., Plaza Pla de l'Estany, 5,
08820, El Prat de Llobregat, Barcelona, Spain or by email
***EMAIL.1.”
Finally, all commercial communications sent to those affected by
e-mail (and which constitute the preferred means of contact with clients and
possible clients, since other options such as postal mail or calls
telephone lines are not part of the tools normally used by the area
marketing) include a simple and free unsubscribe mechanism.
2) Review of the cookies used on the website.
When accessing the ***URL.1 website for the first time, an informative message appears
first level with the following text:
“We use our own and third-party cookies for analytical purposes and to show you
advertising related to your preferences based on a profile created from
your browsing habits. For more information you can read our Privacy Policy
cookies.
<<CONFIGURE COOKIES>> <<ACCEPT COOKIES>>
If the user chooses the option to configure cookies, a panel opens where they can
select your preferences. Cookies have been classified, according to their purpose, into
the following categories:
“Technical cookies (strictly necessary). These cookies are strictly
necessary for the correct functioning and navigation of the user through the website,
as well as to remember cookie preferences and therefore it is not possible
turn them off. They do not store any personally identifiable information.
Performance cookies. Performance cookies allow us to know the level of
recurrence of our visitors and perform the measurement and statistical analysis of the
use of our service in order to improve its performance. All the information
collected by these cookies is aggregated and therefore anonymous.
Targeted cookies. Vueling may use its own or third-party advertising cookies,
that store information about your behavior obtained through your browsing habits.
navigation to create a profile. This information allows us to display advertising
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
4/17
more personalized and according to your tastes on our website or on other websites of
third parties (for example, destination searches or pages visited).”
Vueling uses the Ensighten consent management platform (***URL.2) to
guarantee that only the cookies selected by the user will be used.
Document No. 2 includes screenshots showing the process
described. Likewise, you can see how the text of the cookie policy includes
a link to the complete list of cookies used on the web, as well as information
to configure the user's browser to reject these devices. From the
cookie policy, it is possible to return at any time to the configuration panel
initial, and revoke consents given.
The option to revoke consent is one of the reasons why
select the Ensighten consent manager.
For this option to be possible, Ensighten installs the deactivated cookie in the
user's browser. Although it can be viewed in the user's browser
because it is “installed”, it remains inoperative if the user does not consent to the category
in which said cookie has been classified. That is, if the category is not accepted
corresponding, it does not activate or generate any type of trace. The cookie cannot be
used since Ensighten applies a filter that prevents its use.
We understand that this could have been the reason why the complainant considers
that the appropriate consent for the use of cookies has not been obtained.
However, as indicated, this system does not allow the use of cookies.
unauthorized and facilitate the user the revocation of consent in a more
effective than your browser settings: At any time you can change
your preferences without affecting the installation of technical cookies. In this
In this sense, we must point out that a high percentage of passengers buy their tickets at
through registered users, so technical cookies must be installed in their
computers, and certain browser settings may hinder or prevent
the normal access to the registry options.
The use of the Ensighten platform is reflected in the internal process
called “ENSIGHTEN_Client-side website security workflows” (Document No. 3).
The approval of the installation of cookies and their classification within the categories
established is a manual process, not automated through the platform of
consent management.
Upon receipt of the transfer of the claim filed against Vueling, a
a list of all the cookies currently used on the Vueling website Doc. No.
4, where it is indicated to which category it belonged at the time of the revision
each. It has been verified that some cookies were erroneously found
classified as functional cookies, and must be subject to consent.
The list attached as Doc. No. 5 contains the corrected classification, which,
as indicated later, it will be implemented in the web ***URL.1.
2. Report, if applicable, on the measures adopted to adapt your “Privacy Policy”
Privacy” to article 13 of Regulation (EU) 2016/679 of the European Parliament and of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
5/17
Council of April 27, 2016 (RGPD), implementation dates and controls
carried out to check its effectiveness.
Based on what is explained in section 1 of this document, we understand that
It is appropriate to carry out any action to adapt the privacy policy of the
Vueling's website or the ticket purchase process.
3. Report, if applicable, on the measures adopted to adapt the use of
cookies to the provisions of article 22.2 of Law 34/2002, of July 11, of
information society services and electronic commerce (LSSI), in
particularly with regard to the information provided to users on the use of
cookies and the purposes of data processing, as well as how to collect,
refuse or withdraw consent to its use. Dates are also required.
implementation and controls carried out to verify its effectiveness.
Based on what is indicated in section 1 of this document, in relation to the policy
of cookies, the following measures will be implemented:
1st. Cookie categories will be redefined, to align terminology
used with the one that appears in the Cookies Guide of the Spanish Agency for
Data Protection. Although we consider that the classification made is correct,
and an average user understands the purpose of each type of cookie with the explanation
provided, the name of these categories has been modified to align it
with the terminology used in the Guide on the use of cookies prepared by this
Agency. In this way, performance cookies will be renamed "cookies
analytics” and targeted cookies will be referred to as “advertising cookies”.
2nd. In the cookie configurator, the categories of cookies will be unchecked by default.
cookies that are not strictly necessary.
3rd. Some cookies have been misclassified in a category that is not
corresponded. Therefore, Doc. No. 5 will be reclassified.
4th. The full text of the Cookies Policy of the website will be reviewed once
carried out the above actions.
We have not had access to the identification of the complaining party, nor to captures of
screen that, if any, has been presented. Therefore, out of the actions already
explained in this writing, we cannot take any additional measures, such as
send a detailed explanation to the affected party about the treatment that is carried out of their
data, block your email for the purpose of commercial communications or
verify if you have exercised your right to object and have not been attended to
satisfaction".
FOURTH: On 01/20/22, by the Director of the Spanish Agency for
Data Protection agreement is issued for the admission of processing of the claim
presented, in accordance with article 65 of the LPDGDD Law, when assessing possible
reasonable indications of a violation of the rules in the field of competences
of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
6/17
FIFTH: The General Subdirectorate for Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the authorities of
control in article 57.1 of the RGPD and in accordance with the provisions of the Title
VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the
following ends:
a).- On obtaining the personal data of users:
1º.- Through the link <<register>>, located at the top of the page
main page, the website redirects to a new page "Registration in Vueling Club" where you can
can enter personal data of users such as name, surname and
mail address.
Before being able to send the registration form, the user must click the option:
_ I accept the <<terms and conditions of Vueling Club y avíos>> and
the << Vueling Privacy Policy >>.
There is the possibility of registering, voluntarily, in the following option, to
receive commercial communications:
_I want to find out about the best promotions from Vueling and its partners.
<<See conditions>>
2º.- In the ticket purchase option, before being able to send the purchase form,
the user must click the option:
_ I have read and accept the <<Privacy Policy>>.
There is the possibility of registering, voluntarily, in the following option, to
receive commercial communications:
_Yes, I want to keep up to date with Vueling offers and news. <<View
conditions>>
b).- About the “Privacy Policy”:
1º.- If you access the "Privacy Policy" of the web, through the links
existing in the forms indicated above, or through the existing link
on the main page, the web redirects the user to a new page ***URL.3, where
The following questions are answered: Responsible for Data Processing
personal; When the privacy policy is applicable; How can you protect your
personal information; When we collect your personal data; what types of data
information we collect and keep; When and why we collect "data"
sensitive personal; What we use your personal data for; When
we will send commercial communications; How can you change the type of
commercial communications to receive and how to receive them; What is the legal basis
to process your personal data; How long we keep the data
personal; Performance of a contract with you; Legitimate interests; Compliance
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
7/17
of legal obligations; To protect your vital interests or those of third parties;
Consent; With whom we share your personal data; to which countries
will send your personal data; What rights you have and how you can exercise them.
c).- About the Cookies Policy:
1.- When entering the web for the first time, once the history terminal equipment has been cleaned
navigation and cookies, without accepting cookies or performing any action on the
web page ***URL.1, has been verified, through the tool
“inspectGoogle Chrome browser application, which are used the
following third-party cookies that are not technical or necessary:
Cookie Provider Cookie Provider
MUID .bing.com / IDE .doubleclick.net
AEC .google.com / uid .criteo.com /
CONSENT .google.com / _kuid_ .krxd.net /
IDSYNC .analytics.yahoo.com A3 .yahoo.com /
pxrc.rlcdn.com/uid.adform.net/
ab .agkn.com / uid .criteo.com /
ruds.rfihub.com / ruds.rfihub.com /
rlas3.rlcdn.com/C.adform.net/
eud .rfihub.com / IDE .doubleclick.net
_kuid_ .krxd.net / CONSENT .google.com /
NID .google.com / AEC .google.com /
IDE .doubleclick.net
2.- There is an information banner about cookies on the main page with the
following message:
We use our own and third-party cookies for analytical purposes and to show you
advertising related to your preferences based on a profile created from
your browsing habits. For more information you can read our
<<Cookie Policy>>.
<<Configure your cookies>> <<Accept all cookies>>.
3.- If you access the cookie control panel through the link <<Configure your
cookies>>, the website displays a page or control panel checking that the
performance cookies and targeted cookies are pre-marked in the
“accepted” option:
X Technical cookies (strictly necessary)
X Performance Cookies
X Targeted Cookies
<<Confirm my preferences>> <<Reject all cookies>>
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
8/17
If you choose "Reject all cookies" it is checked how the web continues
using third-party cookies that are not technical or necessary:
Cookie Provider Cookie Provider
MUID .bing.com / CONSENT .google.com /
IDE .doubleclick.net NID .google.com /
_kuid_ .krxd.net / AEC .google.com /
4.- If you access the "Cookies Policy", through the existing link in the banner
about cookies of the first layer or through the existing link at the bottom of
the main page, the web redirects to a new page, ***URL.4 where the user is informed
user of what cookies are, what types of cookies exist; cookies are identified
that uses the website, its functionality and the time of activity (***URL.5), in addition
how to manage cookies through the browsers installed on the computer
user terminal.
FOUNDATIONS OF LAW
I.- Competition:
- Regarding the processing of personal data and the "Privacy Policy":
It is competent to initiate and resolve this procedure, the Director of the Agency
Spanish Data Protection, by virtue of the powers that article 58.2 of the RGPD
recognizes each Control Authority and, as established in arts. 47, 64.2 and
68.1 of the LOPDGDD Law.
- About the "Cookies Policy":
It is competent to initiate and resolve this procedure, the Director of the Agency
Spanish Data Protection, in accordance with the provisions of art. 43.1,
second paragraph, of the LSSI Law.
II.- On the processing of personal data and the "Privacy Policy" of the website
***URL.1 :
It has been found that personal data can be obtained on the web from
users who want to register on the web or buy a plane ticket, through
the corresponding links.
Before being able to submit either of the two forms, the user must click
obligatorily in the box of having read and accepted its privacy policy.
There is also the possibility of registering, voluntarily, to receive
commercial or promotional communications of the company.
Regarding this, article 6.1 of the RGPD, establishes, on the legality of the treatment of
personal data, the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
9/17
“The processing of personal data will be lawful if it meets one of the following
conditions:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures; (...).
On the other hand, if the "Privacy Policy" is accessed through the links
existing in the forms or through the existing link at the bottom of the
main page, the website provides information on the identity of the person responsible for
the page; where they obtain the personal data, the purpose of the treatment of
said data, the time of conservation of the same and the rights that attend to
users regarding their personal data, to whom to do it and how
do so, as well as the possibility of filing a claim with the authority
national control.
In this sense, article 13 of the RGPD establishes the information that must be
provide the interested party at the time of obtaining their personal data:
“1. When personal data relating to him is obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide you with:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection delegate, if any;
c) the purposes of the treatment to which the personal data is destined and the legal basis
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate of the person in charge or of a third party;
e) the recipients or the categories of recipients of the personal data, in their
case;
f) where appropriate, the intention of the controller to transfer personal data to a third party
country or international organization and the existence or absence of a decision to
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the
adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.
2. In addition to the information mentioned in section 1, the person in charge of the
treatment will facilitate the interested party, at the moment in which the data is obtained
personal, the following information necessary to guarantee data processing
fair and transparent
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
10/17
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this period;
b) the existence of the right to request from the data controller access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability
of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to which
referred to in article 22, sections 1 and 4, and, at least in such cases, information
about applied logic, as well as the importance and consequences
provisions of said treatment for the interested party”.
Therefore, in this case, based on the evidence available in this
moment, it is considered that the management of personal data carried out by the page
web, ***URL.1 does not contradict the provisions of the RGPD regarding the
consent to the processing of personal data to send you
commercial communications and regarding the information provided to the
interested when their personal data is obtained from them.
III.- About the Cookies Policy of the website ***URL.1.
a).- Regarding the installation of cookies in the terminal equipment prior to
consent:
Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, on the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR.
Therefore, when the use of a cookie entails a treatment that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.
However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
11/17
for the intercommunication of the terminals and the network and those that provide a service
expressly requested by the user.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies
excepted would be the user input Cookies” (those used to
filling in forms, or managing a shopping cart); cookies from
user authentication or identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
plugin (plug-in) to exchange social content.
These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about your
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before the use of any other type of cookies, both first and
third-party, session or persistent.
In the verification carried out by this Agency on the claimed website, it was possible
verify that, when entering the main page and without performing any action on the
pamper or accept cookies, the following non-necessary cookies were used:
When entering the web for the first time, without accepting cookies or performing any action
on the page, it has been verified that third-party cookies are used that are not
technical or necessary, whose suppliers are:
.bing.com; .doubleclick.net; .Google com; .criteo.com; .krxd.net; .analytics.yah
oo.com; .yahoo.com; .rlcdn.com; .adform.net; .agkn.com; .criteo.com; .rfihub.co
m; .adform.net
b).- About the consent to the installation of cookies in the terminal equipment:
For the use of non-excepted cookies, it will be necessary to obtain the
express consent of the user. This consent can be obtained
clicking on, “accept” or inferring it from an unequivocal action performed by the
user that denotes that the consent has occurred unequivocally. By
Therefore, the mere inactivity of the user, scrolling or browsing the website, is not
be considered for these purposes, a clear affirmative action in any circumstance and not
will imply the provision of consent by itself. Similarly, access to
the second layer if the information is presented in layers, as well as the navigation
necessary for the user to manage their preferences in relation to cookies in
the control panel, it is also not considered an active behavior that can be
derive the acceptance of cookies.
The existence of "Cookie Walls" is not allowed either, that is, windows
pop-ups that block the content and access to the web, forcing the user to
accept the use of cookies to be able to access the page and continue browsing without
offer the user any type of alternative that allows him to freely manage his
preferences about the use of cookies.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
12/17
If the option is to go to a second layer or cookie control panel, the link
it should take the user directly to that configuration panel. To facilitate
selection, the panel can be implemented, in addition to a management system
granular cookies, two more buttons, one to accept all cookies and one to
reject them all. If the user saves his choice without having selected any
cookie, it will be understood that you have rejected all cookies. Regarding this second
possibility, in no case are pre-marked boxes admissible in favor of accepting
cookies.
If for the configuration of cookies, the web refers to the browser configuration
installed in the terminal equipment, this option could be considered complementary
to obtain consent, but not as the only mechanism. Therefore, if the publisher
opts for this option, it must also offer, and in any case, a mechanism that
allows you to reject the use of cookies and/or do it in a granular way.
On the other hand, the withdrawal of the consent previously given by the user
It should be possible to do it at any time. To this end, the publisher must offer a
mechanism that makes it possible to withdraw consent easily at any
moment. This facility will be considered to exist, for example, when the user
have simple and permanent access to the management or configuration system of the
cookies.
If the editor's cookie management or configuration system does not allow to avoid the
use of third-party cookies once accepted by the user, it will be provided
information about the tools provided by the browser and third parties,
It must be noted that, if the user accepts third-party cookies and subsequently wishes to
delete them, you must do it from your own browser or the system enabled by the
third parties for it.
In the case that concerns us, the banner of the first layer makes it possible to accept all the
cookies or manage them in the control panel. However, if you access the dashboard
control is checked as performance cookies and targeted cookies are
They are pre-marked in the “accepted” option.
If you choose to "reject all cookies", in the existing option in the control panel
control is verified as the web continues to use third-party cookies that are not
technical or necessary, whose providers are: bing.com; Google com; doubleclick.net
and krxd.net.
IV.- Qualification and sanctions that may correspond with respect to infractions
committed in the Cookies policy:
Of the deficiencies detected, regarding the cookie policy, on the website
***URL.1: (The use of third-party cookies that are not technical or necessary; the
groups of cookies pre-marked in the "accepted" option in the control panel and the
impossibility of rejecting third-party cookies that are not technical or necessary,
could suppose by the claimed, the commission of the infraction of article 22.2
of the LSSI, since it establishes that:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
13/17
“Service providers may use storage devices and
recovery of data in terminal equipment of the recipients, provided that
they have given their consent after they have been provided
clear and complete information on its use, in particular, on the purposes of the
data processing, in accordance with the provisions of Organic Law 15/1999, of 13
December, on the protection of personal data.
Where technically possible and effective, the recipient's consent to
Accepting the processing of the data may be facilitated through the use of the parameters
from the browser or other applications.
The foregoing will not prevent the possible storage or access of a technical nature to the sole
purpose of effecting the transmission of a communication over a communications network
electronic or, to the extent that is strictly necessary, for the provision of
a service of the information society expressly requested by the
addressee".
This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and retrieval devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.
After the evidence obtained in the preliminary investigation phase, and without prejudice to
whatever results from the investigation, it is considered appropriate to graduate the sanction to
impose in accordance with the following aggravating criteria, established by art. 40 of
the LSSI: The existence of intentionality, an expression that must be interpreted as
equivalent to degree of guilt according to the Judgment of the Hearing
National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the
denounced entity the determination of a system for obtaining consent
informed that it is in accordance with the mandate of the LSSI.
In accordance with these criteria, it is considered appropriate to impose an initial sanction of
30,000 euros, (thirty thousand euros), for the infringement of article 22.2 of the LSSI, regarding
of the cookie policy made on the website of its ownership: ***URL.1.
Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
START: PUNISHMENT PROCEDURE before the entity VUELING AIRLINES,
S.A., with CIF.: A63422141 owner of the website ***URL.1 for infraction of the article
22.2 of the LSSI, due to the deficiencies detected on its website regarding the
"Cookies policy".
APPOINT: Mr. B.B.B. as Instructor, and Secretary, if applicable, Ms. C.C.C.,
indicating that any of them may be challenged, as the case may be, in accordance with
established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime
of the Public Sector (LRJSP).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
14/17
INCORPORATE: to the disciplinary file, for evidentiary purposes, the claim
filed by the claimant and his documentation, the documents obtained and
generated by the Subdirectorate General for Data Inspection during the
investigations, all of them part of this administrative file.
WHAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, of the
Common Administrative Procedure of the Public Administrations, the sanction that
could correspond would be 30,000 euros (thirty thousand euros), for the infringement of the
Article 22.2 of the LSSI, without prejudice to what results from the instruction of this
proceedings.
NOTIFY: this agreement to initiate disciplinary proceedings against VUELING
AIRLINES, S.A., granting a hearing period of ten business days for
formulate the allegations and present the evidence that it deems appropriate.
If within the stipulated period it does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the
sanction to be imposed was a fine, it may recognize its responsibility within the
term granted for the formulation of allegations to this initial agreement; it
which will entail a reduction of 20% of the sanction to be imposed in
this procedure, equivalent in this case to 6,000 euros. with the app
of this reduction, the sanction would be established at 24,000 euros, resolving the
procedure with the imposition of this sanction.
Similarly, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will entail a reduction of 20% of the amount of this, equivalent in this case to
6,000 euros. With the application of this reduction, the sanction would be established in
24,000 euros and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
arguments at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if it were appropriate to apply both reductions, the amount of the penalty would be
set at 18,000 euros (eighteen thousand euros).
In any case, the effectiveness of any of the two reductions mentioned will be
conditioned to the abandonment or renunciation of any action or resource in via
administrative against the sanction.
If you choose to proceed to the voluntary payment of any of the amounts indicated
above, you must make it effective by depositing it in account Nº ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
15/17
Data in Banco CAIXABANK, S.A., indicating in the concept the number of
reference of the procedure that appears in the heading of this document and the
cause of reduction of the amount to which it is accepted.
Likewise, you must send proof of payment to the General Subdirectorate of
Inspection to proceed with the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of nine months from the
date of the start-up agreement or, where appropriate, of the draft start-up agreement.
Once this period has elapsed, it will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
Sea Spain Marti
Director of the Spanish Agency for Data Protection.
>>
SECOND: On April 11, 2022, the claimed party has proceeded to pay
the sanction in the amount of 18,000 euros making use of the two reductions
provided for in the Start Agreement transcribed above, which implies the
acknowledgment of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or resource in via
administrative action against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Initiation Agreement.
FOUNDATIONS OF LAW
Yo
In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, of
services of the information society and electronic commerce (hereinafter
LSSI) and as established in articles 47 and 48.1 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the
Director of the Spanish Agency for Data Protection.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
16/17
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
Finally, the fourth additional provision "Procedure in relation to the
competences attributed to the Spanish Data Protection Agency by other
laws" establishes that: "The provisions of Title VIII and its implementing regulations
will apply to the procedures that the Spanish Agency for the Protection of
Data would have to be processed in the exercise of the powers attributed to it by
other laws."
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter, LPACAP), under the rubric
"Termination in sanctioning procedures" provides the following:
"1. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.
The reduction percentage provided for in this section may be increased
regulations."
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure EXP202103886, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to VUELING AIRLINES, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
17/17
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
936-240122
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es