AEPD (Spain) - EXP202301323

From GDPRhub
Revision as of 15:41, 27 March 2024 by Fm (talk | contribs) (Short summary changed)
AEPD - EXP202301323
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7(3) GDPR; Article 60(8) GDPR; Article 22 LSSI
Type: Internal Appeal
Outcome: Rejected
Started: 10.08.2021
Decided: 15.03.2024
Published:
Fine: n/a
Parties: Turner Broadcasting System España, S.L.
National Case Number/Name: EXP202301323
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The Spanish DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish LSSI applies instead of the GDPR and that it needed to verify the data subject's claim, which was not possible because the website had been deactivated in the meantime.

English Summary

Facts

In May 2021 a data subject accessed a website that, in their view, did not offer a reject button in the first layer of the cookie banner, used a deceptive link design for certain options in the cookie banner, used colors and contrast to nudge users regarding their options in the cookie banner and did not provide for an option to withdraw consent that would be as easy to use as the option to give consent.

The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. After an initial investigation the Austrian DPA forwarded the case to the Spanish DPA (AEPD) in January 2023, considering that a Spanish controller (Turner Broadcasting System España, S.L.) operated the website.

Through its own investigation of the webpage, the AEPD confirmed that the website the data subject initially visited now redirected to another one. On the redirected page, only technical or necessary cookies were used. As the website only uses necessary cookies, no option to withdraw consent was necessary. Additionally, it noted that the information in the cookie banner and the cookie policy was accurate. Consequently, in its decision the AEPD found no violation of applicable law.

The data subject filed an internal appeal focusing on three claims. First, the data subject argued that it would have been for the Austrian DPA under Article 60(8) GDPR to adopt and notify the decision (not the AEPD). Second, the data subject argued that the AEPD failed to consider the data subject’s website visit and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner of the redirected website, Google Analytics cookies, which are not strictly necessary, are installed. These cookies can only be installed where valid consent has been obtained – the website, however, offered no permanently visible option to withdraw consent. Revoking consent required multiple steps, including opening the privacy policy in order to find a link within this policy to an English-language portal and sending the controller an email requesting to withdraw consent. According to the data subject this is not an easy way to withdraw consent and violates Article 7(3) GDPR.

Holding

The AEPD dismissed the internal appeal, concluding that only the Spanish LSSI (the implementation of the ePrivacy directive) is relevant to the case, not the GDPR.

First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. According to the AEPD both the GDPR and the LSSI regulate the same situation. It considers the LSSI a lex specialis that is to be applied instead of the GDPR since the controller’s headquarters are in Spain and the website used the .es top-level domain. Further, the AEPD held that it is competent under the LSSI.

The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims. However, it could only be established that the website no longer existed and redirected to a different site.

Finally, the DPA dismissed the third argument because it was not raised in the initial complaint.

Comment

I. Who decides if a case is a GDPR cross-border case? Issues when handling an ePrivacy and GDPR case

The decision of the AEPD is an excellent example of the issues that arise in international data protection complaints.

The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of § 165 TKG, which stems from Article 5(3) ePrivacy Directive) and forwarded it to the Spanish DPA, probably assuming that the case at hand involved cross-border processing and needed to be dealt with according to the one-stop-shop mechanism (see Article 56 GDPR). The Spanish DPA, however, claims that only Article 22 LSSI (which also stems from Article 5(3) ePrivacy Directive) is applicable. This shows that in practice it is unclear (i) which authority decides if a case is a one-stop-shop case and (ii) which authority decides if a case falls solely under ePrivacy Directive related legislation, under the GDPR, or under both. As far as evident, the Austrian DPA is not even aware of a decision in the current case.

Additionally, in the case at hand the data subject who lodged a complaint in German with the Austrian DPA received a decision in Spanish. Unfortunately, these situations are common and the data subject is frequently deprived of a decision from the authority where they lodged the complaint and in the language of this complaint.

While the AEPD claims that only the LSSI is applicable, this seems to be incorrect. The complaint concerned both setting cookies on the device of the complainant and the use of the data by the controller that occurred later on. Already in the initial complaint lodged at the Austrian DPA it was stated that both the GDPR and the relevant ePrivacy legislation apply. The latter one would apply to storing and gaining access to data in the complainant's terminal equipment, the GDPR to any processing of personal data thereafter. Consequently, at least a part of the "GDPR part" of the complaint was not dealt with by the AEPD. Assuming that the GDPR was applicable, a decision within the meaning of Article 60(8) GDPR should have been issued by the Austrian DPA.

This showcases the issues of complaints that concern both ePrivacy Directive legislation and the GDPR.

II. What are the facts of the case and which moment is relevant?

Furthermore, the AEPD did not investigate the individual situation of the complainant. While the complainant had provided sufficient evidence to reconstruct each detail of their visit to the website through technical means (among others through a HAR file of the website visit), the AEPD did not consider such evidence.

It visited the website almost three years after the complainant. Unsurprisingly, it found changes to the website and continued to assess the website on the basis of these findings. This is, unfortunately, a common practice of different data protection authorities. However, SAs would need to take into account the situation of the complainant (see Recital 141 GDPR, Internal EDPB Document 02/2021 para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases such as the one at hand, where a controller decides to deactivate a website (or discontinue a service, etc.), no responsibility for any previous action will be established if the situation at the moment of the alleged violation is not taken into account.

In this regard the AEPD puts forward the argument that it needs to prove an infraction, otherwise the presumption of innocence would operate. This is true for sanctioning procedures. However, establishing whether or not the controller complied with the law, and ordering the deletion of the processed data in case such data processing was illegal, is not a sanction. The controller would need to comply with the law in any case (with or without intervention of the authority). To that extent no sanction is imposed and it is not clear how the presumption of innocence would be relevant. Also, the decision of the AEPD was not issued in the course of a sanctioning procedure.

III. Current cookie banner of the redirected website

Although the AEPD did not proceed with any investigation against the redirected website, the cookie banner of this site now features two equivalent options to accept and reject cookies in the first layer. This could be a reaction to the updated cookie guidelines (version of January 2024) of the Spanish AEPD.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: EXP202301323 (AI/00057/2023)

                     Replacement Appeal No. RR/00111/2024


Having examined the appeal for reconsideration filed by A.A.A. through the EUROPEAN
COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria),
against the resolution issued by the Director of the Spanish Data Protection
Agency in the procedure AI/00057/2023, for violation of the provisions of Law
34/2002, of July 11, on Information Society Services and Electronic
Commerce (LSSI), and based on the following:


                                       FACTS

FIRST: On 01/25/24, the Director of the Spanish Data Protection Agency
issued a Resolution to File Actions in procedure AI/00057/2023,
opened against the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:
B82320227, owner of the website https://www.canaltnt.es, for the alleged
violation of article 22 of the LSSI.

The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF
INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded
on the record.


SECOND: As proven facts of the aforementioned procedure, there was evidence of
the following:

    - When trying to enter the website that is the subject of the claim, https://www.canaltnt.es,
       it was found that this no longer existed, redirecting the user to a new web page,
       https://www.warnertv.es, whose owner is the entity Discovery Networks SL,
       with CIF B-86815560, different from the entity initially claimed (Turner
       Broadcasting System España, with CIF.: B82320227).

THIRD: On 02/14/24, this Agency received a written appeal for
reconsideration presented by the appellant, in which it stated the following:

       FIRST – Lack of notification by the DSB

       1. On January 24, 2024, the AEPD adopted its resolution, which was notified
       to this part on January 29, 2024. However, according to the

       article 60(8) GDPR is the supervisory authority to which the
       claim, i.e. the DSB, who should have adopted and notified the
       resolution to the person interested in this case.

       2. Therefore, the resolution adopted by the AEPD must be considered null
       of right, as provided in article 47(1)(b) LPACAP.


       SECOND – The AEPD did not consider the facts or the petition of the claim

       3. The AEPD did not consider the specific circumstances of the visit of the
       website of this party, set forth in the claim in detail. In fact,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/8

       It seems that the AEPD decided based on the banner that appeared on the
       website of the controller during your own visit.

       4. However, the control authority must provide an effective response to the
       individual situation of the interested party, taking into account the circumstances

       individuals and the facts about which the claim presented by the
       interested. This follows from Considering 141 GDPR, from Article 77.
       RGPD and Article 65(3)(b) of the LOPDGDD.

       5. In addition, this party requested in its complaint various measures to be adopted
       by the AEPD (see First Fact). The formulated petitum determines

       specifically requested and underlines the need for an evaluation of the
       individual situation of this part. In particular, the person responsible continues to try
       the personal data of this party unlawfully.

       6. In light of the configuration of the claim ex article 77(1) GDPR that

       “is conceived as a mechanism capable of effectively protecting the
       rights and interests of the interested parties” it is beyond any doubt that the
       AEPD should have responded to what was requested by this party. It
       directly agrees with the provisions of article 88(2) LPACAP.
       However, the AEPD resolution does not provide a concrete response to this
       party's petition.


       7. Therefore, the resolution must be annulled in accordance with art 48(1)
       LPACAP.

       B. MATERIAL ASPECTS


       THIRD – The AEPD applies an erroneous criterion

       8. As stated above, this party visited the website of the controller and,
       in addition to not having an equivalent option to reject the use of the
       cookies in the first layer of the banner (violation type A, C, D, E), checked
       that there was no easy possibility to withdraw consent

       awarded (type K violation).

       9. On the other hand, in the appealed resolution the AEPD states that during its own
       visit the person responsible only installed strictly necessary cookies, so it was
       not necessary to offer an option to reject cookies, nor an option
       to withdraw consent.


       10. However, upon checking this part again on the website
       https://www.warnertv.es/, it is observed that after selecting “Accept” in the
       banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google are installed
       Analytics. These are cookies that can only be installed in the case of

       have obtained valid consent (Annex 1).

       11. Although the person responsible has implemented two equivalent options in
       its banner cookie, does not offer a permanently visible option that allows
       withdrawal of consent. At the bottom of the main page there is only one link

       to the privacy policy, in which there is a link to the “Portal of
       request for individual rights” (in English). On this portal you can then
       send an email to withdraw consent. This does not represent

       a possibility to “revoke consent easily” and “at any time”
       moment” as required by article 7(3) GDPR and as provided in the
       AEPD in relation to the withdrawal of consent.2

       12. From the above it follows that the AEPD is based on a verification
       which turns out to be wrong. The controller uses Google Analytics cookies that are not
       strictly necessary. However, the person responsible still does not offer
       a simple possibility to withdraw consent once given.

       13. From what is stated in this FJ it follows that the criterion adopted in the resolution
       appealed is contrary to the legal system and must be annulled.


       By virtue of what is stated in this writing, and in accordance with the
       mentioned provisions, this part

       REQUESTS: I. That an APPEAL OF
       REPLACEMENT against the resolution of the Director of the Spanish Agency of

       Data Protection of January 24, 2024 within the framework of the procedure
       with file number EXP202301323, and, after admitting it, the
       investigative actions that are necessary, in accordance with the
       applicable procedural and material standards. II. That the nullity be declared
       of the resolution appealed for the reason stated in the

       legal basis first and that the continuation of the
       procedure. III. That, if full nullity is not declared,
       the appealed resolution is annulled for the reasons set out in the grounds.

                            FOUNDATIONS OF LAW


                                            I
                                      Competence.

The Director of the Spanish Agency is competent to resolve this appeal.
of Data Protection, in accordance with the provisions of article 123 of the Law

39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI.

                                            II
                             Response to the allegations


In relation to the statements made by the appellant, it is worth noting the
following:

First: The appellant alleges in the section “First, points 1-2”, of the FJ of

his writing that the resolution should have been made by the Austrian supervisory authority,
in accordance with article 60(8) RGPD and therefore, the resolution adopted by the AEPD
must be considered null and void, according to article 47(1)(b) LPACAP.


Well, with respect to this allegation, it must be clarified that in Spanish law the
“Principle of Regulatory Specialty” governs, which, in essence, means that, where
there is a special standard (LSSI) and a general standard (RGPD) that regulate a
concrete fact, the first prevails over the second.

This principle does not mean that, in the event of application of both standards (one
general rule and another special one), the first is repealed, but the
simultaneous validity of both rules, although the special rule will be applied with
preference to the general rule in those cases contemplated in it.


Regarding the case at hand, there is such a coincidence, that is, in the Ordinance
Spanish Legal System, two regulations coexist, one of a general nature such as the RGPD and
another of a special nature, such as the LSSI that regulates the same facts.


If we look at what Article 1 of the GDPR establishes, its purpose is the following:

       1.This Regulation establishes the rules relating to the protection of
       natural persons with regard to the processing of personal data and
       rules relating to the free circulation of such data.


       2.This Regulation protects the fundamental rights and freedoms of
       natural persons and, in particular, their right to data protection
       personal.

       3.The free circulation of personal data in the Union may not be

       restricted or prohibited for reasons related to the protection of
       natural persons with regard to the processing of personal data.

While the object of the LSSI, established in its article 1, indicates that:


       1. The object of this Law is the regulation of the legal regime of the
       services of the information society and contracting via
       electronic, regarding the obligations of service providers
       including those who act as intermediaries in the transmission of content
       through telecommunications networks, commercial communications via
       electronic, information before and after the conclusion of contracts

       electronic devices, the conditions relating to their validity and effectiveness and the regime
       sanction applicable to service providers of the society of the
       information.

       2. The provisions contained in this Law will be understood without prejudice to the

       provided in other state or regional regulations outside the regulatory scope
       coordinated, or that have as their purpose the protection of health and safety
       public, including the safeguarding of national defense, the interests of the
       consumer, the tax regime applicable to the services of the society of the
       information, the protection of personal data and the regulations governing

       competition defense.

For its part, article 2 of the aforementioned standard (LSSI) establishes that:


       1. This Law will apply to the service providers of the society of
       the information established in Spain and the services provided by them.


       It will be understood that a service provider is established in Spain
       when your residence or registered office is in Spanish territory,
       as long as these coincide with the place where it is actually
       centralized administrative management and direction of its businesses. In other
       case, the place where said management or direction is carried out will be taken into account.


Therefore, in application of the “Principle of Regulatory Specialty”, the
application of the specific standard, that is, the LSSI, on the general standard, the RGPD,
by having the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.:
B82320227, its headquarters in Spanish territory, as well as the domain of its website (.es).


Regarding the jurisdiction to hear the case, article 43.1 of the LSSI
establishes the following: (…) Likewise, it will be up to the Data Protection Agency
to impose sanctions for the commission of the infractions classified in
articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…), and what is established in
articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD.


While article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


And the fourth additional provision of said standard establishes, with respect to the
powers attributed to the AEPD by other laws, which: "The provisions of Title VIII
and in its development regulations will be applicable to the procedures that the Agency
Spanish Data Protection Agency had to process in exercise of its powers

that were attributed to it by other laws."

Therefore, since the claimed entity has its registered office in Spanish territory, the
Spanish Data Protection Agency is competent to hear the claim,
based on the provisions of article 43.1 of the LSSI, article 63.2 of the LOPDGDD and the
fourth additional provision of said rule, to the detriment of the Austrian supervisory
authority.

Second: The appellant states in the section “Second, points 3-7” of the
FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances
specific to the visit to the appellant's website, based solely,

for the resolution of the file, in the verification that the AEPD itself made of the
information banner that appears on the website, without responding to what was requested
in the claim, forgetting the requests made by the appellant…”

To respond to this allegation, we must start from the principle that governs all

judicial or administrative procedure such as the “Principle of Presumption of
Innocence”, which guarantees, in Spanish law, not to suffer a sanction that does not
is based on a previous evidentiary activity on which the body
competent person can base a reasonable judgment of guilt, and entails, among

other demands, that of the Administration proving and, therefore, motivating, not only the
facts constituting the infringement, participation in such facts and the
circumstances that constitute a graduation criterion, but also guilt

that justifies the imposition of sanction (among others, SSTC 76/1990, of April 26;
14/1997, January 28; 209/1999, of November 29 and 33/2000, of November 14
February).

Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the
administration that proves guilt because "it is not the interested party who has to

prove lack of guilt."

The presumption of innocence, a fundamental right of citizenship according to art 24.2
of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights,
It is expressly included in our regulations for the procedures

administrative sanctions where among the rights of the interested party in the
disciplinary administrative procedure will have the right "To the presumption of not
existence of administrative responsibility until the contrary is proven."

And as the STS 04/28/2016 (RC 677/2014) said: "it may mean that the
right to the presumption of innocence, which applies without exception in the field of

administrative sanctioning procedure, according to the Constitutional Court in
ruling 66/2007, of March 27, means that "no sanction can be imposed
"any that is not based on a previous lawful evidentiary activity", and implies
also the recognition of the right to an administrative sanctioning procedure
due or with all the guarantees, that respects the principle of contradiction and in which the

alleged perpetrator has the opportunity to defend his own positions,
prohibiting the initiation of disciplinary proceedings when it is appreciable
unequivocally or manifests the absence of rational indications that it has been
committed an infringing conduct, or in which illegality or illegality is absent.
culpability"


What the Public Administration cannot is raise administrative responsibility in
the facts presented by the complaining party, without first verifying the veracity of the
themselves. In the case at hand, this verification was based on the review of the
website object of the claim (https://www.canaltnt.es), where it was verified
that it no longer existed, redirecting the user to a new web page

belonging to a different owner.

Third: The appellant states in the section “Third.- points 8 to 13” that at
check the new website https://www.warnertv.es/, it is observed that after
Select “Accept” in the banner and the cookies “_ga” and “_ga_1PMD2PL02L” are installed

of Google Analytics, which are not strictly necessary and that there is no
possibility of withdrawing consent once given.

First of all, we must mention that the website https://www.warnertv.es, which
the appellant mentions in her appeal for reconsideration, was not the object of the
initial claim, so its analysis is not appropriate within the scope of this appeal for
reconsideration.



However, having said the above, it is worth remembering that, although this new website
(https://www.warnertv.es) comes up due to the fact that when trying to access the
web page that was the subject of the initial claim https://www.canaltnt.es, this redirected to the
user to the new page.


Now, the appellant states that, on this new web page
https://www.warnertv.es observes that, when the user gives consent, the
website begins to use two new cookies that are not of a technical nature (“_ga” and
“_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that the
possibility of withdrawing consent once given by requesting this Agency
that the investigative actions that are necessary to be carried out

clarify the facts you claim.

Therefore, this is a new fact not mentioned in the initial claim. The
appellant cannot claim that at the appeal stage the
facts that he did not express in a previous procedural phase.


The LPACAP provides in its article 118 the following procedural rule: “No account
shall be taken, in the resolution of appeals, of facts, documents or allegations of the
appellant when, having been able to provide them in the processing of allegations, he has
not done so. Nor may the taking of evidence be requested when the failure to carry it
out in the procedure in which the appealed resolution was issued was
attributable to the interested party.” This standard contains a rule that is nothing more than the
positive concretion, for the common administrative sphere, of the general principle that the
law does not protect the abuse of rights (article 7.2 of the Civil Code). The purpose of this
principle, among others, is to prevent the allegation and evidence stages of the
application procedures from being rendered useless, as would result if the interested parties
could choose, at their discretion, the moment at which to present evidence and allegations,
since this would be contrary to an elementary procedural order.

All of this, without prejudice to the possibility of submitting a new claim if you consider
that such events violate regulations that confer powers on the Spanish Agency
of Data Protection.
                                           III

                                      Conclusion

Consequently, in the present appeal for reconsideration, the appellant has not
provided new facts or legal arguments that allow reconsideration of the validity
of the contested resolution.


Considering the aforementioned precepts and others of general application, the Director of the
Spanish Data Protection Agency
                                     RESOLVES:

FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through
the EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS
(IMI-Austria), against the archiving resolution issued by the Director of the
Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023.



SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION
INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with the
art. 77.2 of the GDPR.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative route, it may be filed in the

period of two months counting from the day following the notification of this act
as provided in article 46.1 of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, contentious-administrative appeal before the
Contentious-administrative Chamber of the National Court, in accordance with the

provided in article 25 and in section 5 of the fourth additional provision of the
referred legal text.



Mar España Martí
Director of the Spanish Data Protection Agency.