AEPD (Spain) - EXP202210346
From GDPRhub
| AEPD - PS-00079-2023 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 22.2 LSSI |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 07.06.2023 |
| Published: | |
| Fine: | 2000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS-00079-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | PS-00079-2023 (in ES) |
| Initial Contributor: | sh |
The Spanish DPA fined a company €2,000 after noyb submitted a cookie complaint over the installation of non-essential cookies and flawed consent practices in relation a cookie banner.
English Summary
Facts
A data subject represented by noyb (European Centre for Digital Rights) complained that a website installed non-essential cookies (which require consent) before the user had interacted with the cookie banner which is where the user can provide consent.
They also pointed out that the notion of consent related to the cookie banner was flawed for two reasons. Firstly, consent in the cookie control panel was not granular. If you chose to not allow any of the groups of cookies, without moving the corresponding cursor from the "deactivated" position and click on the "save and exit" option, the website continues to use the same cookies detected at the beginning.
Secondly, there was no mechanism that made it possible to return to the control panel to modify consent once the use of cookies has been allowed and web browsing had begun, making the withdrawal of consent impossible.
Holding
The Spanish DPA entered the website for the first time and verified that, without accepting cookies or performing any action on the page, performance cookies (_ga; _gid; _ga_DZD8C8RYLW and_ga_G4RJWW5CDC3) as well as targeting cookies (_gat_gtag_UA_40838799_5; ts and _gat_gtag_UA_.30525763_4) were installed. They also identified cookies that could not be identified as technical or necessary but that belonged to a third party not responsible for the website (v1st; dmvk and nosotrosprivacidad).
They also verified that the "disabled cookies" pre-set settings had no impact. Clicking on the "save and exit" option without moving the “disabled cookies” setting, resulted in the website continuing to use the same cookies previously detected above.
They also verified that there is no mechanism that allows permanent access to the control panel after giving consent to the cookies.
The Spanish DPA fined the company €2,000 for infringing Article 22.2 LSSI. The fine was reduced to 1,600 because the company voluntarily paid the fine to terminate the DPA proceedings.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/20
File No.: EXP202210346
RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
VOLUNTEER
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: On April 10, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against B.B.B. (hereinafter the
claimed party). Notified of the initiation agreement and after analyzing the allegations
presented, on June 7, 2023, the proposed resolution was issued that
The following is transcribed:
<<
File No.: EXP202210346 (PS/00079/2023)
PROPOSED RESOLUTION OF THE SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following:
BACKGROUND
FIRST: On 08/10/22, Ms. A.A.A. (hereinafter, the complaining party) filed
claim before the Spanish Data Protection Agency. The claim is
led against D. B.B.B. with NIF ***NIF.1, owner of the website ***URL.1 (in
hereinafter, the claimed party), for the alleged violation of the regulations of
data protection: Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 04/27/16, regarding the Protection of Natural Persons in what
regarding the Processing of Personal Data and the Free Circulation of these Data
(RGPD) and Organic Law 3/2018, of December 5, on Data Protection
Personal Rights and Guarantee of Digital Rights (LOPDGDD), and against the Law
34/2002, of July 11, on Information Society Services and Commerce
Electronic (LSSI), and taking into account the following:
The reasons on which the claim was based were that, during the visit to the website
found that it presents a banner from a consent platform
(CMP) provided by OneTrust and that among other installed cookies is
the IDE cookie of the domain doubleclick.net.
SECOND: On 02/14/23, a request letter is sent to the OPENHOST entity
S.L. to inform this Agency about the owner of the domain “cinenuevatribuna.es”.
THIRD: On 02/16/23, this Agency received a letter from the entity
OPENHOST S.L., where it states that: D. B.B.B. with DNI ***NIF.1, is the owner and
owner of the digital news website: ***URL.1.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/20
FOURTH: On 02/17/23, this Agency accessed the website
***URL.1, verifying the following characteristics regarding its “Policy of
Cookies":
1º.- Regarding the use of cookies before the user gives their consent:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the website, it has been verified that cookies that are not technical or
necessary, with the following characteristics:
Performance cookies (4): These cookies allow us to quantify the number
of visits and traffic sources in order to evaluate the performance of the site. Us
They help you know which pages are the most or least visited and how
ra visitors navigate the site.
cookies Domain Description
_ga ***DOMAIN.1 This cookie name is
associated with Google Universal
Analytics, which is an update
important service
most used analysis
Google. This cookie is used
to distinguish unique users
by assigning a
random-generated number
mind as an identifier
customer. It is included in each so-
page legality on a site and
is used to calculate the data
of visitors, sessions and exchanges
cloths for reports
site analysis.
_gid ***DOMAIN.1 This cookie is set
by Google Analytics. Warehouse-
na and updates a single value
for each page visited and
used to count and track
pages seen.
_ga_DZD8C8RYLW ***DOMAIN.1 Google Analytics uses this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/20
cookies Domain Description
cookie to maintain the status
of the session.
_ga_G4RJW5CDC3 ***DOMAIN.1 Google Analytics uses this
cookie to maintain the status
of the session.
Targeting cookies (3): These include social media cookies that are placed
on sites to track users across the web and serve them ads.
cookies Domain Description
_gat_gtag_UA_ ***DOMAIN.1 This cookie is part of
40838799_5 Google Analytics and is used
to limit applications
des (application rate
acceleration).
ts ***DOMAIN.2 This cookie generally
It is provided by PayPal and
supports payment services
on the website.
_gat_gtag_UA_ ***DOMAIN.1 This cookie is part of
30525763_4 Google Analytics and is used
to limit applications
des (application rate
acceleration).
Unclassified cookies (3): Cookies that have not been classified as technical
unique but your domain belongs to a third party
cookies Domain Description
v1st ***DOMAIN.2
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/20
cookies Domain Description
dmvk ***DOMAIN.2
usprivacy ***DOMAIN.2
2.- About the cookie information banner in the first layer:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without performing any action on the web page, a
cookie information banner at the bottom of the main page with the
next message:
Your privacy is important to us:
We and our <<partners>> store or access information on a
device, such as cookies, and we process personal data, such as
unique identifiers and standard information sent by a device, to
personalized ads and content, ad and content measurement and
information about the public, as well as to develop and improve products. with his
permission, we and our partners may use location data
precise geographic and identification through device characteristics.
You may click to consent to us and our partners
for us to carry out the processing previously described. So
Alternatively, you can access more detailed information and change your preferences
before granting or denying consent. Please note that some
processing of your personal data may not require your consent,
but you have the right to object to such processing. Your preferences are
They will apply only to this website. You can change your preferences at any time.
moment by re-entering this website or visiting our privacy policy.
privacy.
<<more options>> <<I accept>>
If you access the second layer through the link <<more options>> the web
displays a control panel where it is verified that the cookie groups are
are pre-marked in the “OFF” option:
Your privacy is important to us:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/20
We and our partners store or access information on
devices, such as cookies, and we process personal data, such as
unique identifiers and standard information sent by a device, for which
purposes described below. You can click to give us your
consent to us and our partners to carry out the
processing for such purposes. Alternatively, you can click to
deny your consent or access more detailed information and change your
preferences before giving your consent. Your preferences will be applied only
to this website. Please note that some processing of your personal data
may not require your consent, but you have the right to refuse such consent.
prosecution. You can change your preferences at any time by logging in.
new to this website or by visiting our privacy policy.
<<LOCK ALL>> <<AUTHORIZE ALL>>
Precise geographic location data and identification through characteristics
of devices “DISABLED”
Personalized ads and content, ad and content measurement,
public information and product development “OFF”
Store or access information on a “DISABLED” device
<<PARTNERS>> <<LEGITIMATE INTEREST>> <<SAVE AND EXIT>>
In this control panel you can see that consent is not granular because
both “analytical” and “advertising” cookies are in a single block: “Data
precise geographical location and identification through the characteristics of
devices: (OFF)” and the user is obliged to accept or reject them
jointly.
If you choose NOT to allow any of the cookie groups, without moving the cursor
corresponding from the “disabled” position and click on the “save and save” option.
exit” it is checked how the website continues to use the same non-technical cookies or
necessary detected at the beginning.
3º.- About the information provided in the “Cookies Policy”:
If you wish to access the information in the “Cookies Policy”, through the
existing link at the bottom of the main page, the website redirects the user to
a new page ***URL.2, which provides information about: what are the
cookies; the cookies used on this website or how to deactivate or delete them
cookies through the browser installed on the terminal equipment.
4º.- About how to withdraw consent to the use of cookies after
having offered:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/20
It is verified that there is no mechanism that makes it possible to return to the control panel.
cookie management control to modify the consent, once the
use of cookies and started web browsing.
FIFTH: On 04/10/23, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the defendant, for the alleged
violation of article 22.2 of the LSSI regarding the irregularities detected in the
cookie policy of the website it owns. In the opening agreement
determined that the sanction that could correspond given the evidence
existing at the time of opening and without prejudice to what results from the
instruction, would amount to a total of 2,000 euros.
The irregularities detected regarding the cookie policy of the website in
issue, in the present procedure were:
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
When entering the website for the first time, without accepting cookies or performing any action
on the page, it has been verified that cookies that are not technical or
necessary:
- 4 Performance Cookies: _ga; _gid; _ga_DZD8C8RYLW and
_ga_G4RJW5CDC3
- 3 Targeting Cookies: _gat_gtag_UA_40838799_5; ts and _gat_gtag_UA_
30525763_4
- 3 Cookies that could not be identified if they are technical or necessary but the
domain belongs to a third party not responsible for the website (***DOMAIN.2):
v1st; dmvk and usprivacy
b).- Regarding consent to the installation of cookies on the terminal equipment:
In the cookie control panel, if you choose NOT to allow any of the groups
of cookies, without moving the corresponding cursor from the “deactivated” position and
Click on the “save and exit” option to see how the website continues to use
the same cookies detected at the beginning.
c).- About the withdrawal of consent for the use of cookies once given.
Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the control panel.
troll checks that the cookies detected at the beginning are installed. However, it
Verify that there is no mechanism or access to the permanent control panel
that allows after having given consent to withdraw it.
SIXTH: Once notified of the aforementioned initiation agreement, the defendant presented a document dated
05/12/23, in which he states the following:
1st. Regarding the complainant, this is the first news we have of this
user since we have not received any type of complaint from them or in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/20
our contact emails that we have provided on our website:
Contact: ***EMAIL.1 and Commercial Department: ***EMAIL.2.
In this regard, we have not been able to give them the corresponding explanation or
resolve any claim in this regard. It is very strange that a
client formalizes a complaint, without previously having communicated with the
company, it seems that what is sought is not to solve the problem but
generate a sanction, which could have its origin in an action of
unfair competition promoted by a competitor.
2nd. This company has been granted OPENHOST S.L. by service contract,
Therefore, the following explanation has been provided by this company.
3rd. The operation of the website is as follows:
The cookie management system that “cinenuevatribuna” has is the system
Quancast, installed by us, by opennemas.com.
All cookie management systems, in their default installation in the
websites allow Google Analytics cookies. We on the websites of
opennemas.com we have installed Quancast.
Quancast is a company that has a consent management system
Cookies and is accepted by IAB Europe and IAB Spain.
IAB is the largest body in the world that regulates the entire issue of
advertising, cookies and consents. More information: ***URL.3.
90% of digital media install Google Analytics cookies even
without the reader accepting cookie consent.
We understand that implicit consent for analytics cookies
Google Analytics are necessary for the internal control of the website.
Google Analytics analytics cookies are for management purposes only.
internal and traffic control. Otherwise the owner of the news website is blind and
cannot correctly manage its publishing business since it does not
You would know what is happening in your environment.
The cookies that are registered are anonymous with the sole intention of measuring
user, that is, no type of tracking will be carried out on the user.
user. And this use is legal since it is an access control system, but
No user tracking.
We can apply improvements to the cookie consent system so that
BLOCK THE COOKIES of Google Analytics but you would be lost
all control of real web traffic.
4th. The system that is being used is similar to the one used by media
national dissemination tested as: (…).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/20
The use of cookies in these media is precisely tested to verify
that the implemented system has the same operation.
Starting from the presumption that these media, due to their own policy of legality and
under the control of THE SPANISH DATA PROTECTION AGENCY,
They are complying with the parameters of legal action.
5th. Regarding the infringement, as has been stated, it is considered that it is not
of application of art 38.4.g of the LSSI to the extent that it is not being breached
the art. 22 LSSI.
6th. If there is any doubt about the legality, we understand that the criteria for
The acceptance of cookies must be unanimous and unified for all
companies, given that the exclusion criterion is still interpretative 22.2
of the LSSI. For all the above,
REQUEST: 1st. That the opposition to the file be considered formalized
sanctioner. 2nd. Let it be considered that both in the way of acting,
intentionality legality, is not a reason for infringement, given that anonymous use
of cookies, to the sole global access control criteria, does not imply
a violation of art. 22 of the LSSI 3rd. Let the clarification proceed,
on the legality of the use of the anonymous usage tracking procedure
of cookies without the need for express authorization from the user.
SEVENTH: On 06/07/23, this Agency accessed the website
***URL.1, verifying the following characteristics regarding its “Policy of
Cookies":
1º.- Regarding the use of cookies before the user gives their consent:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on
the website, it has been verified that cookies that are not technical or
necessary, with the following characteristics:
Performance cookies (3): These cookies allow us to quantify the number
of visits and traffic sources in order to evaluate the performance of the site. Us
They help you know which pages are the most or least visited and how
ra visitors navigate the site.
cookies Domain Description
_ga ***DOMAIN.1 This cookie name is-
is associated with Google
Universal Analytics, what is
an important update
analysis service
sis most used
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/20
cookies Domain Description
Google. This cookie is used
list to distinguish users
unique by assigning
tion of a generating number
do randomly like
client identifier. HE
included in each request
of page on a site and
used to calculate the data
of visitors, sessions and
campaigns for information
month of site analysis.
_gid ***DOMAIN.1 This cookie is configured
given by Google Analyti-
cs. Store and update
a unique value for each
page visited and used
to count and track pages
some views.
_ga_1L5EYBL9XB ***DOMAIN.1 Google Analytics uses
this cookie to keep
the state of the session.
Targeting cookies (3): These include social media cookies that are placed
on sites to track users across the web and serve them ads.
cookies Domain Description
_gat_gtag_UA_ ***DOMAIN.1 This cookie is part of
30525763_4 Google Analytics and is used
to limit applications
des (application rate
acceleration).
b).- Regarding consent to the installation of cookies on the terminal equipment:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/20
In the cookie control panel, if you choose NOT to allow any of the groups
of cookies, without moving the corresponding cursor from the “deactivated” position and
Click on the “save and exit” option to see how the website continues to use
the same cookies detected at the beginning.
c).- About the withdrawal of consent for the use of cookies once given.
Once consent has been given for the use of cookies through the option
existing in the initial banner or through consent given in the panel
control checks that the cookies detected at the beginning are installed. Nevertheless,
It is verified that there is no mechanism or access to the control panel
permanent that allows the user to later access the control panel to be able to
modify your consent if you wish.
PROVEN FACTS
Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:
First: The irregularities detected regarding the page's cookie policy
website ***DOMAIN.1, in the verification carried out by this Agency on 02/17/23,
were:
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
When entering the website for the first time, without accepting cookies or performing any
action on the page, it has been verified that cookies are used that are not
technical or necessary: 4 Performance cookies: _ga; _gid;
_ga_DZD8C8RYLW and _ga_G4RJW5CDC3; 3 Targeting Cookies:
_gat_gtag_UA_40838799_5; ts and _gat_gtag_UA_ 30525763_4 and 3 Cookies that
It has not been possible to identify whether they are technical or necessary but the domain
belongs to a third party not responsible for the website (.dailymotion.com): v1st;
dmvk and usprivacy
b).- Regarding consent to the installation of cookies on the terminal equipment:
In the cookie control panel, if you choose NOT to allow any of the
groups of cookies, without moving the corresponding cursor from the position
“disabled” and click on the “save and exit” option, you will see how the
The website continues to use the same cookies detected at the beginning.
c).- About the withdrawal of consent for the use of cookies once given.
Once consent has been given for the use of cookies through the
existing option in the initial banner or through consent given in
The control panel checks that the cookies detected when
principle. However, it is found that there is no mechanism or
access to the permanent control panel that allows after having provided
consent to withdraw.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/20
Second: The irregularities detected regarding the cookie policy of the
website ***DOMAIN.1, in the verification carried out by this Agency the
06/07/23, after having received the written allegations regarding the initiation of the
file, were:
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
When entering the website for the first time, without accepting cookies or performing any
action on the page, it has been verified that cookies are used that are not
technical or necessary: 3 Performance cookies: _ga; _gid; _ga_1L5EYBL9XB
and 1 Targeting Cookies: _gat_gtag_UA_30525763_4
b).- Regarding consent to the installation of cookies on the terminal equipment:
In the cookie control panel, if you choose NOT to allow any of the
groups of cookies, without moving the corresponding cursor from the position
“disabled” and click on the “save and exit” option, you will see how the
The website continues to use the same cookies detected at the beginning.
c).- About the withdrawal of consent for the use of cookies once given.
Once consent has been given for the use of cookies through the
existing option in the initial banner or through consent given in
The control panel checks that the cookies detected when
principle. However, it is found that there is no mechanism or
access to the permanent control panel that allows after having provided
consent to withdraw.
FOUNDATIONS OF LAW
YO.-
Competence:
The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection, in accordance with the provisions of art. 43.1,
second paragraph, of the LSSI Law.
II
Prior to examining the substantive issue, it is necessary to analyze the
issues alleged by the defendant.
The complainant states, among others, that “the cookie management system, in its
default installation on the websites, allow Google Analytics cookies and that the
implicit consent of Google Analytics analytics cookies are
necessary for the internal control of the website.”
It also states that, “Google Analytics analytics cookies are only
for internal management and traffic control, are anonymous with the sole intention of measuring
user, that is, no type of tracking will be carried out on the user. And this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/20
It is legal to use since it is an access control system, but it is not tracked.
user".
Finally, he states that, “improvements could be applied to the consent system.”
of cookies so that it BLOCKS THE COOKIES of Google Analytics Analytics but
“All control of real web traffic would be lost.”
Well, indicate that the second section of article 22 of the LSSI establishes:
“Service providers may use storage devices and
data recovery on recipients' terminal equipment, provided
that they have given their consent after they have been
provided clear and complete information on its use, in particular on
the purposes of data processing, in accordance with the provisions of the Law
Organic 15/1999, of December 13, Protection of Personal Data
Staff.
Where technically possible and effective, the consent of the recipient
to accept the processing of the data may be facilitated through the use of the
appropriate settings of the browser or other applications.
The above will not prevent possible storage or access of a technical nature
for the sole purpose of carrying out the transmission of a communication over a network of
electronic communications or, to the extent strictly necessary
necessary, for the provision of an information society service
expressly requested by the recipient.”
This article 22.2 refers to Organic Law 15/1999, of December 13, of
protection of personal data, in relation to the requirements of the
informed consent, although currently this referral must be interpreted
made to the RGPD, applicable from May 25, 2018, and to the LOPDGDD, applicable
since December 7, 2018.
In this sense, the RGPD itself, in its recital 30, mentions these technologies
and its impact on data protection:
“Natural persons can be associated with online identifiers
facilitated by your devices, applications, tools and protocols, such as
Internet protocol addresses, session identifiers in the form of
"cookies" or other identifiers, such as identification tags
radio frequency.
This can leave traces that, in particular, when combined with
unique identifiers and other data received by servers, may be
used to create profiles of natural persons and identify them.”
Therefore, when the use of a cookie entails the processing of data
personal,
Those responsible for such treatment must ensure compliance with the
additional requirements established by data protection regulations
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/20
personal, in particular in relation to special categories of data. HE
It will be considered that there is processing of personal data when the user is
identified by a name or email address that identifies you (for example, by
be a registered user) or when unique identifiers are used that
allow us to distinguish some users from others and carry out individualized monitoring of
the same (for example, an advertising ID).
However, in relation to the attention to data protection rights of the
interested parties, if the person responsible for the treatment is not in a position to identify the
interested party, may deny the request under the terms of article 12.2 of the RGPD.
(except when the interested party in its exercise will provide additional information through
which the person responsible for the treatment was able to identify it).
Furthermore, in order to determine the scope of the regulations, it is necessary
point out that they are exempt from compliance with the obligations established in
article 22.2 of the LSSI the cookies used for any of the following
purposes:
- Only allow communication between the user's computer and the network.
- Strictly provide a service expressly requested by the user.
In this sense, the GT29, in its Opinion 4/201210, interpreted that among cookies
Excepted would be those whose purpose is:
- “User input” cookies: Session and user input cookies.
user are often used to track the user's actions when filling out the
forms
online on several pages, or as a shopping cart to make the
Track items that the user has selected when clicking a button.
- Authentication or user identification cookies (session only).
- User security cookies: For example, cookies used to
detect erroneous and repeated attempts to connect to a website.
- Media player session cookies.
- Session cookies for load balancing.
- User interface customization cookies.
- Certain plug-in cookies to exchange content
social: The exception only applies to users who have decided to maintain
the open session.
That said, for reasons of transparency it is recommended to inform, at least with
generic nature, of those cookies excluded from the scope of application of the article
22.2 of the LSSI, either in the cookies policy or in the privacy policy itself
(example: “This website uses cookies that allow the operation and provision
of the services offered therein").
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/20
In any case, it must be taken into account that the same cookie may have more than
a purpose (multipurpose cookies), so there is the possibility that a cookie
is exempt from the scope of application of article 22.2 of the LSSI for one or more
several of its purposes and not for others, the latter being subject to the scope of
application of said precept. This should, in the words of WG29, “incite
website owners to use a different cookie for each purpose.”
In relation to cookie management or configuration systems, when they are used
Multipurpose cookies with two or more different purposes and not exempt from the scope
application of article 22.2 of the LSSI, it must be guaranteed that these cookies
They are only used if all the purposes they group together are accepted, that is, if a
cookie serves two purposes, but the user only accepts one of them, the cookie does not
should be used, and this unless the management system used allows for a
differentiated treatment for the different purposes of these multipurpose cookies,
so that it is possible that if the user accepts one of its purposes and not others, the
cookie only operates with the accepted purpose.
About the different types of cookies according to their purpose for which the data is processed
obtained through cookies, in this case the use has been detected
of the following cookies:
- Three Performance Cookies: _ga; _gid; _ga_1L5EYBL9XB.
Cookies, for analysis, measurement or performance, are those that allow the
responsible for monitoring and analyzing the behavior of the
users of the websites to which they are linked, including the quantification of the
impacts of advertisements. The information collected through this type of cookies is
used in measuring the activity of the websites, application or platform, with the
in order to introduce improvements based on the analysis of usage data made by the
service users.
Regarding the processing of data collected through analysis cookies or
performance, the GT29 has stated that they are not exempt from the duty to obtain a
informed consent for its use.
- A Targeting Cookies: _gat_gtag_UA_30525763_4
include social media cookies that are placed on sites to track users.
users on the web and provide them with advertisements. They store information about
user behavior obtained through continuous observation of their
browsing habits, allowing you to develop a specific profile to display
advertising based on it.
Regarding the processing of data collected through targeting cookies, the
GT29 has stated that they are not exempt from the duty to obtain consent
informed for use.
III.-
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/20
Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, about the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR.
Therefore, when the use of a cookie involves processing that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.
However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of terminals and the network and those that provide a service
expressly requested by the user.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among cookies
“User input Cookies would be excepted” (those used to
fill out forms, or manage a shopping cart); cookies
user (session) authentication or identification; user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance
load; user interface customization cookies and some of
complement (plug-in) to exchange social content.
These cookies would be excluded from the scope of application of article 22.2 of the
LSSI, and, therefore, it would not be necessary to inform or obtain consent about its
use. On the contrary, it will be necessary to inform and obtain the prior consent of the
user before using any other type of cookies, both first and
third-party, session or persistent.
In the verification carried out by this Agency on the claimed website, it was possible
note that, upon entering the main page and without performing any action on the
mime or accept cookies, the following non-necessary cookies were used:
When entering the website for the first time, without accepting cookies or performing any action
on the page, it has been verified that cookies that are not technical or
necessary and therefore must obtain the user's informed consent. Are
cookies are: 3 Performance cookies: _ga; _gid; _ga_1L5EYBL9XB
and 1 Targeting Cookies: _gat_gtag_UA_30525763_4
b).- Regarding consent to the installation of cookies on the terminal equipment:
To use non-excepted cookies, it will be necessary to obtain the
express consent of the user. This consent can be obtained
by clicking on, “accept” or inferring it from an unequivocal action carried out by the
user that denotes that consent has been unequivocally produced. By
Therefore, the mere inactivity of the user, scrolling or browsing the website, is not
will consider for these purposes a clear affirmative action under no circumstances and will not
will involve the provision of consent itself. Likewise, access to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/20
the second layer if the information is presented in layers, as well as navigation
necessary for the user to manage their preferences in relation to cookies in
the control panel, it is not considered an active behavior that can
derive the acceptance of cookies.
The existence of “Cookie Walls” is also not permitted, that is, windows
pop-ups that block content and access to the website, forcing the user to
accept the use of cookies to access the page and continue browsing without
offer the user any type of alternative that allows them to freely manage their
preferences regarding the use of cookies.
If the option is to go to a second layer or cookie control panel, the link
should take the user directly to said configuration panel. To facilitate the
selection, in the panel it can be implemented, in addition to a management system
granular cookies, two more buttons, one to accept all cookies and another to
reject them all. If the user saves his choice without having selected any
cookie, it will be understood that you have rejected all cookies. In relation to this second
possibility, in no case are pre-checked boxes in favor of accepting
cookies.
If for the configuration of cookies, the website refers to the browser configuration
installed on the terminal equipment, this option could be considered complementary
to obtain consent, but not as the only mechanism. Therefore, if the editor
opts for this option, it must also offer, and in any case, a mechanism that
allow you to reject the use of cookies and/or do so on a granular basis.
On the other hand, the withdrawal of the consent previously given by the user
It must be able to be done at any time. To this end, the editor must offer a
mechanism that makes it possible to easily withdraw consent at any time.
moment. That facility will be considered to exist, for example, when the user
have simple and permanent access to the management or configuration system of the
cookies.
If the editor's cookie management or configuration system does not allow you to avoid the
use of third-party cookies, once accepted by the user, will be provided
information about tools provided by the browser and third parties,
must warn that, if the user accepts third-party cookies and subsequently wishes
delete them, you must do so from your own browser or the system enabled by the
third parties for this.
In the case at hand, in the cookie control panel, if you choose NO
allow any of the cookie groups, without moving the corresponding cursor
from the “disabled” position and click on the “save and exit” option.
Check how the website continues to use the same cookies detected at the beginning.
c).- About the withdrawal of consent for the use of cookies once given.
Users must be able to withdraw the consent previously granted at any time.
any time To this end, the publisher must ensure that it provides information to
users in their cookie policy on how they can withdraw consent.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/20
The user must be able to revoke consent easily. The system that
offer to withdraw consent should be as easy as that used when
presto. This facility will be considered to exist, for example, when the user has
simple and permanent access to the cookie management or configuration system.
In this case, once consent has been given for the use of cookies to
through the existing option in the initial banner or through consent provided
The control panel checks that the cookies detected at the beginning are installed.
cheep. However, it is found that there is no mechanism or access to the control panel.
permanent control that allows after having given consent to withdraw it.
In view of the above, the following is issued:
MOTION FOR RESOLUTION
FIRST: That by the Director of the Spanish Data Protection Agency san-
tion to D. B.B.B.. with NIF ***NIF.1, owner of the website ***URL.1, for an infringement
tion of Article 22.2 of the LSSI regarding the irregularities detected in the policy.
ca of cookies from the website it owns, with a fine of 2,000 euros (two
a thousand euros).
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be
informs that it may, at any time prior to the resolution of this proceeding
cession, carry out the voluntary payment of the proposed sanction, which will mean
a 20% reduction in the amount. With the application of this reduction
tion, the penalty would be established at 1,600 euros (one thousand six hundred euros) and its payment
will imply the termination of the procedure. The effectiveness of this reduction will be
conditioned upon the withdrawal or renunciation of any administrative action or resource.
attempt against the sanction.
In the event that you choose to proceed with the voluntary payment of the amount specified above,
Subsequently, in accordance with the provisions of the cited article 85.2, it must be carried out.
tive by depositing it into the restricted account No. ES00 0000 0000 0000 0000 0000
opened in the name of the Spanish Data Protection Agency in the banking entity-
CAIXABANK, S.A., indicating in the concept the reference number of the procedure.
ment that appears in the heading of this document and the cause, for voluntary payment
voluntary, reduction of the amount of the penalty. Likewise, you must send proof
of entering the General Inspection Subdirectorate to proceed to close the experi-
tooth. In its virtue, you are notified of the above, and the process is made clear to you.
ment so that within a period of TEN DAYS you can allege whatever you consider in your
defense and present the documents and information that it considers pertinent, of
in accordance with article 89.2 of the LPACAP.
C.C.C.
INSTRUCTOR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/20
File Index EXP202210346:
08-10-2022 Claim
08-11-2022 Claim
08-11-2022 Claim
04-10-2022 Resolution to NOYB EUROPEAN CENTER FOR DIGITAL
01-11-2022 Replacement resource
11-15-2022 Resolution to NOYB EUROPEAN CENTER FOR DIGITAL
11-15-2022 Communication to NOYB EUROPEAN CENTER FOR DIGITAL
12-21-2022 Cookie diligence
01-13-2023 Google Analytics cookies diligence
02-14-2023 OPENHOST request to OPENHOST, S.L.
02-16-2023 Response to request from OPEN HOST SL
02-17-2023 NIC Diligence
02-17-2023 Diligence opennemas
02-17-2023 Inf. planned actions.
04-11-2023 Startup agreement
05-04-2023 Claimant Info.
05-12-2023 Brief of allegations
>>
SECOND: On July 2, 2023, the claimed party has proceeded to pay the
sanction in the amount of 1600 euros making use of the reduction provided in the
proposed resolution transcribed above.
THIRD: The payment made entails the waiver of any action or resource pending.
administrative against the sanction, in relation to the facts referred to in the
resolution proposal.
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, of
services of the information society and electronic commerce (hereinafter
LSSI) and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law
3/2018, of December 5, on Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
Finally, the fourth additional provision "Procedure in relation to the
powers attributed to the Spanish Data Protection Agency by others
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/20
laws" establishes that: "The provisions of Title VIII and its implementing regulations
will apply to the procedures that the Spanish Agency for the Protection of
Data would have to be processed in the exercise of the powers attributed to it by
other laws."
II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:
"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased
“regularly.”
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202210346, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to B.B.B..
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/20
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
968-171022
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
