AEPD (Spain) - EXP202307481
From GDPRhub
| AEPD - AI/00289/2023 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 60 GDPR Artículo 22 LSSI |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 11.10.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | CaixaBank S.A. |
| National Case Number/Name: | AI/00289/2023 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | co |
The Spanish DPA (AEPD) issued a decision on the processing of personal data by CaixaBank S.A., the controller, holding that the design of a cookie banner respected its “Guidelines on the use of cookies” of 2020.
English Summary
Facts
A data subject visited the website of the controller, and a cookie banner displayed, showing the options “accept” and “configure or reject use of cookies” the first being included in a button, written in white against a blue background and the latter option is designed as a link in the text of the banner. By accepting cookies, several cookies were installed on the complainant’s device and unique identifiers about the data subject were stored on the controller’s servers and transmitted to third parties; by clicking on “configure or reject use of cookies”, the data subject was redirected to a second layer showing the different categories of non-necessary cookies that one can tick and accept or leave unticked and thus reject, and save the settings. The option to reject cookies is thus only available in the second layer of the banner. In light of these features, the data subject claimed that the way in which the cookie banner was designed violated the GDPR and the consent given through such a banner cannot be considered a valid consent under Article 6(1)(a) GDPR and Article 4(11) GDPR.
Further, upon accepting, there appears to be no easy way for withdrawing one’s consent, since this can only be done by clicking on a link at the bottom of the webpage, “cookie policy”, which leads to the second layer of the banner where the cookie settings were displayed and where there is an option to untick cookies and save settings. This, according to the complainant, constitutes a violation of Article 7(3) GDPR.
Accordingly, the data subject, represented by noyb (European Centre for Digital Rights) filed a complaint with the Austrian DPA (DSB) against the controller and asked the DSB to order the controller to stop all processing operations and delete the complainant’s personal data and inform the third party service providers about the deletion, as per Article 17 GDPR and Article 19 GDPR. The DSB forwarded the complaint to the AEPD as the Lead Supervisory Authority in this case, which handled the case in line with Article 60 GDPR.
Holding
The AEPD considered all the facts and submissions by both parties and assessed the legality of the cookie banner showed on the webpage based on its own visit of the site.
First of all, the AEPD noted that the new version of the Guidelines on the use of cookies of July 2023 is meant to integrate the principles set out by the EDPB in its “Guidelines 03/2022 on deceptive design patterns in social media platform interfaces: how to recognise and avoid them”, specifically, as regards the fact that the option to reject cookies should be included in the first layer of a cookie banner, so that it results as easy to grant as to reject consent. However, the AEPD stated that the new Guidelines will only be enforced from January 2024, at the latest, in order to allow for a transition period in which website operators will have time to adapt to them. In the meantime, the AEPD would continue to apply its Guidelines of 2020 .
As regards the fact that there was no reject button in the first layer of the cookie banner, the AEPD considered it lawful that the option to reject cookies is given in the second layer of the banner, since the “configure cookies” link leads to a layer where users have the chance to granularly choose the cookies to allow. This, the AEPD held, is in line with the provisions of the LSSI (Law of Information Society Services and Electronic Commerce). Also, the fact that the reject and accept options are presented, respectively, as a link and a button with higher contrast background, was not considered to be an issue by the AEPD, because, as submitted by the controller, these are accepted as valid design options in the 2020 Guidelines.
With respect to the possibility to withdraw one’s consent, the AEPD held that it is sufficient that the user of a webpage has access to a link redirecting to the cookie settings, in order for it to be compliant with Article 22 LSSI.
Consequently, the AEPD did not adopt any measures against the controller and archived the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13
NOYB - EUROPEAN CENTER FOR
DIGITAL RIGHTS (XXXXXXXX)
XXXXXXXXXXXXXXXXXX XXXXXXXX
On October 11, 2023, the Director of the Spanish Data Protection Agency has
issued the following resolution signed electronically:
File No.: EXP202307481 (AI/00289/2023)
RESOLUTION OF FILE OF ACTIONS
Of the actions carried out by the Spanish Data Protection Agency and having
as a basis the following:
FACTS
FIRST: On 06/02/23 this Agency received a written claim for
XXXXXXXXXXXXXXXXXXXX, through the EUROPEAN COMMISSION EXCHANGE SYSTEMS
INTERNAL MARKET (IMI- Austria). The claim was directed against the entity CAIXABANK,
S.A., XXXXXXXXXXXXXXXXXXXXXX, owner of the website, URL1., (hereinafter, the part
claimed), for the alleged violation of data protection regulations: Regulation
(EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, relating to Protection
of Natural Persons with regard to the Processing of Personal Data and the Free
Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, on Protection
of Personal Data and Guarantee of Digital Rights (LOPDGDD), and against Law 34/2002,
of July 11, Information Society Services and Electronic Commerce (LSSI).
The reasons on which the claim was based were, with respect to the breaches in the
Cookies Policy of the page in question, the following:
- The “Reject Cookies” option only in the second layer:
While the banner provides a button to accept all activities of
relevant processing and a button that allows the interested party to access other
options, the controller deliberately concealed the option of
refuse relevant treatment activities.
To refuse treatment, the complainant had to click on the button that gives
place to the second layer. In other words: the complainant can accept the
relevant treatment activities with one click on the first layer, but you need
two (or more) clicks to deactivate and reject the relevant processing activities
in the second layer.
The person responsible has deliberately decided to hide a rejection option in the
first layer of the banner. There is no logical, technical or ethical reason to hide
the option of rejection beyond confusing the interested parties or making the
denials are more burdensome and unlikely.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13
- Design in the link:
The button that gives rise to the option to reject processing activities
relevant uses a link design (for example, bold text, underlined or
underlined), while the “ok” button uses a typical layout (context box
in it). Accept and continue browsing is a blue button with white text, while
“configure or decline” is just a link in the banner text, away from the button
"accept".
- Withdrawal of consent is not as easy as granting consent:
The option to accept relevant treatment activities occupies a place
featured on the banner; However, the complainant could not easily find the
option to withdraw consent. There was no prominent banner of
"withdrawal" or any similar option.
SECOND: On 07/05/23, in accordance with the provisions of article 65.4 of the
LOPDGDD, on behalf of this Agency, transferred said claim to the party
claimed, so that it could proceed with its analysis and report, within a period of one month, on what
was set out in the statement of claim.
THIRD: On 07/18/23, the claimed party sends a written response to this Agency
in which it states, among others, the following:
“This claim is based on the fact that the banner about consent to the use of
cookiesdoes not include a right cookie reject button on the first layer, but is included
a link to configure or reject the use of cookies in a second layer.
In relation to this claim, we would like to inform you that, in our opinion, the
configuration of the cookie banner of the aforementioned website is aligned with the
requirements and criteria established by the Spanish Data Protection Agency and more
specifically with the so-called “third option” identified in the Guide on the
use of cookies, issued by the Agency in June 2022, which is defined as the
possibility of offering the user two options, one to expressly accept the
cookies used and another to configure or reject the use of cookies (page 21 of the
referred Guide).
Below is a detail of the banner format on the use of cookies.
to which we are referring: If the user clicks on “MORE INFORMATION” or on
“CONFIGURE OR REJECT ITS USE” (note that these links are included in
capital letters, underlined and with another color highlighting them), the user is directed to the
second layer, the cookie policy, in which you can configure the use of cookies to your liking
own criteria (URL1.).
By default, all unnecessary cookies appear unchecked, so that the user
individually select the ones you want to install. If you do not select any,
understand that all non-necessary cookies are rejected (by clicking on the “Save” button
and continue").
In relation to the above, please inform us additionally that the banner
above and the configuration on the use of cookies was reviewed by Autocontrol in
May 2023, within its “Cookie advice” service, in which it was highlighted that this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/13
configuration of the cookie banner and the acceptance and acceptance mechanisms
configure/reject the use of cookies were aligned with the applicable criteria
aforementioned.
For all of the above, we consider that there is no basis for the claim made before
CaixaBank, since the banner on the use of cookies and their configuration is
are aligned with the applicable criteria defined by the Spanish Agency for
Data Protection.
The configuration on the use of cookies has been reviewed and adapted to the criteria
published by the Spanish Data Protection Agency as they have been
been updating. The latest relevant adaptation of the cookie banner and policy
of cookies was carried out in 2022 on the occasion of the adaptation to the Guide on the use of
cookies from June 2022, having carried out periodic reviews also with
Self-control, the last of them in May 2023, as indicated before.”
FOURTH: Dated 08/23/23, by the Director of the Spanish Protection Agency
of Data, an agreement is issued to admit the processing of the claim presented,
in accordance with article 65 of the LPDGDD Law, when appreciating possible rational indications of
a violation of the rules within the scope of the powers of the Spanish Agency for
Data Protection.
FOURTH: On 09/19/23, this Agency accessed the website, URL1.,
filling out the following characteristics about its “Cookies Policy”:
1.- Regarding the use of non-necessary cookies, before the user provides their
consent:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without accepting new cookies or performing any action on the page
website in question, the use of the following cookies is detected:
utag_main
Tealium storing an id
unique, records a timestamp of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/13
When the user visits the site, the
better user experience.
userAgentlnfo
different devices.
2.- About the cookie information banner in the first layer:
When entering the website for the first time, once the terminal equipment has been cleaned of history
navigation and cookies, without performing any action on the website, a banner appears
information about cookies at the bottom of the main page with the following
message:
statistical, personalization (e.g., language) and advertising, including showing you
Personalized advertising based on a profile created based on your browsing.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/13
Click to have <<MORE INFORMATION>> or to <<CONFIGURE OR REJECT ITS USE>>.
You can also accept all cookies by clicking the “Accept and continue browsing” button.
<<accept and continue browsing>>
a.-If you choose to accept cookies that are not necessary techniques by clicking on the option
<<Accept and Continue Browsing>>, check how the website begins to use the following
own and third-party cookies that are not technical or necessary:
b.- If you wish to continue browsing without authorizing the use of cookies that are not technical or
necessary, you must first access the second layer, clicking on the <<CONFIGURE option
ORDEJECTUSSO>>, through which, the website displays a control panel where it appears,
among other information, the following legend:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/13
URL2. “(…)
OWN COOKIES: These are those with respect to which CaixaBank S.A. is responsible for the
information that is being treated. On this website we use our own cookies with the following
purposes:
_
Personalization: allow you to customize some features of the site
website to differentiate the experience of one user from that of others (for example
For example, define the navigation language and wallpaper,
remember the last searches performed in the search engine, etc.).
_ Analysis: collect information about user behavior during the
navigation (most visited pages, time spent on the website, etc.) to,
based on the analysis of that information, introduce improvements in the contents and services
offered (for example, optimizing response times in the most
visited in CaixaBankNow).
THIRD PARTY COOKIES: These are those with respect to which third parties other than CaixaBank S.A. are
responsible for the information being processed. Below are details of both the third parties
such as the purposes for which the information is used:
_Personalization: allow you to customize some features of the website to
differentiate the experience of one user from that of others (for example, defining the language of
navigation, remember the last searches performed in the search engine, etc.).
• Adobe Target More information
• YouTube More information
• Adobe More information
• Adobe Audience Manager More information
• Trade Desk More information
• Sizmek More information
_ Analysis: collect information about user behavior during the
navigation (most visited pages, time spent on the website, etc.) to, at
based on the analysis of this information, introduce improvements in content and services
offered
• Adobe Target More information
• YouTube More information
• Adobe More information
• Facebook More information
• Adobe Audience Manage More information
• Trade Desk More information
• Sizmek More information
• Adobe Analytics More information
_ Behavioral advertising: they store information about the behavior of the
user, obtained by observing their browsing habits (for example, what
pages visited), to develop a specific profile that allows you to show advertising
personalized based on your tastes and interests.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/13
• Doubleclick More information
• Google More information
• Facebook More information
• Adobe Audience Manager More information
• Linkedin More information
• Trade DeskMore information
• Sizmek More information
It is verified that the groups of cookies (own and third parties) that are not technical or
necessary are not pre-marked when accessing the control panel.
For granular cookie management, the user can mark cookie groups
you want to allow or not check any.
Then the website offers the following box to continue browsing once the user has
decided which cookies you allow or not:
- If you wish to reject all cookies that are not technical or necessary, you must click
directly in the option <<Save and Continue>>
- If you wish to allow the use of a certain group of cookies other than
technical or necessary, once you accept the group of cookies, you must also click
in the <<Save and Continue>> option.
- There is also the possibility of accepting all cookies that are not technical or
necessary by clicking on the option <<Enable all and continue browsing>>
(…)”.
3º.- About the information provided in the “Cookies Policy”:
If you access the “Cookie Policy” through the existing link in the information banner
about cookies <<More information>> or through the link at the bottom of the page
main page, the website redirects the user to a new page URL3. where provided
information about: what cookies are; What is the purpose of the information collected through the
cookies; What type of cookies exist and what cookies the website uses. Also
provides information on how to manage cookies through existing mechanisms
in the browser installed on the terminal equipment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/13
Along with this information, the cookie control panel indicated in point also appears.
above where you can manage, in a granular way, the different groups of cookies.
4º.- Regarding the possibility of modifying the consent given regarding cookies, in
any time of web browsing.
If the user has given initial consent for the website to use cookies that are not
technical or necessary and wish, at a certain time, to modify said consent,
there is the possibility of accessing the cookie control panel permanently located in
the bottom of the page <<Cookie Policy>>.
If you click on this option, the cookie control panel shown above appears
with the groups of cookies that have been allowed to use marked.
The user can uncheck all cookie groups, or only those they do not want
Use again. Then you must click on the <<Save and Continue>> option, checking
that the website stops using cookies that have been rejected.
FOUNDATIONS OF LAW
YO.
Competence.
Regarding the “Cookies Policy” of the URL1. website, you are competent to initiate and
resolve this Procedure, the Director of the Spanish Data Protection Agency, of
in accordance with the provisions of art. 43.1, second paragraph, of the LSSI.
The fourth additional provision of the LOPDGDD establishes, on the "Procedure in relation
with the powers attributed to the Spanish Data Protection Agency by other laws",
that: "The provisions of Title VIII and its implementing regulations will apply to the
procedures that the Spanish Data Protection Agency had to process in
exercise of the powers attributed to it by other laws."
II.-
Previous note
The Spanish Data Protection Agency has updated the Guide on the use of cookies
to adapt it to the Guidelines 03/2022 on misleading patterns of the European Committee of
Data Protection (CEPD).
The European Data Protection Board published Guidelines 03/2022 in February 2023
on deceptive patterns in social networks. The Agency incorporates the new version of the Guide
the criteria of the European Committee, which states that the actions of accepting or rejecting cookies
must be presented in a prominent place and format, and both actions must be at the
same level, without it being more complicated to reject them than to accept them. The Guide includes new
examples on how these options should be displayed offering indications on, among other things,
others, the color, size and place in which they appear.
The criteria included in the Guide must be implemented no later than January 11,
2024, thus establishing a transitional period of six months to introduce the changes
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/13
necessary for the use of cookies. In the meantime, the criteria will continue to be applied
marked in the Guide on the use of cookies published in 2020.
III.-
About the “Cookies Policy” of the URL1 website.
Establishes article 22 of the LSSI, regarding the “Rights of recipients of services
of the information society and electronic commerce” the following: 1. The recipient
may revoke at any time the consent given upon receipt of
communications com
ercials with the simple notification of your will to the sender.
To this end, service providers must enable simple and
free so that recipients of services can revoke the consent they
they would have lent. When the communications have been sent by mail
electronic means, said means must necessarily consist of the inclusion of a
email address or other valid electronic address where you can
exercise this right and it is prohibited to send communications that do not
include that address.
Likewise, they must provide information accessible by electronic means on said
procedures.
2. Service providers may use storage devices and
recovery of data on terminal equipment of the recipients, provided that
they have given their consent after they have been provided with
clear and complete information on its use, in particular, on the purposes of the
processing of data, in accordance with the provisions of Organic Law 15/1999, of 13
December, protection of personal data.
Where technically possible and effective, the recipient's consent to
Accepting data processing may be facilitated by using the parameters
browser or other applications.
The foregoing will not prevent possible storage or access of a technical nature to the sole
purpose of carrying out the transmission of a communication over a communications network
electronically or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the
addressee.
Well, in application of the provisions of article 22 of the LSSI and taking into account the
established in the Guide on Cookies- 2020, we can verify the following, regarding the
“Cookie Policy” of the website,
URL1.
a).- Regarding the installation of cookies on the terminal equipment prior to consent:
Article 22.2 of the LSSI establishes that users must be provided with clear and
Complete information on the use of data storage and recovery devices
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/13
and, in particular, about the purposes of data processing. This information must be provided
in accordance with the provisions of the GDPR.
Therefore, when the use of a cookie involves processing that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by data protection regulations.
However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those cookies necessary for the
intercommunication of terminals and the network and those that expressly provide a service
requested by the user.
In this sense, the GT29, in its Opinion 4/2012, interpreted that among the cookies excepted
would be the user input Cookies” (those used to fill out forms, or
such as managing a shopping cart); authentication or user identification cookies
(session); user security cookies (those used to detect attempts
erroneous and repeated connections to a website); player session cookies
multimedia; session cookies for load balancing; customization cookies
user interface and some plug-ins for exchanging social content.
These cookies would be excluded from the scope of application of article 22.2 of the LSSI, and, therefore
Therefore, it would not be necessary to inform or obtain consent regarding its use. For him
Otherwise, it will be necessary to inform and obtain the user's prior consent before the
use of any other type of cookies, both first and third party, session
or persistent.
In the verification carried out by this Agency on the website in question, it was possible to verify
that, upon entering the website for the first time, without accepting cookies or performing any action on
same, 3 cookies are used, two of which have been detected as strictly
necessary (“utag_main” and “userAgentlnfo”) and another (__bg_cxbnk_fpcachecc), whose purpose is not
has been able to be detected.
Therefore, in the present case, no evidence has been obtained from which it can be inferred that the
use of cookies by the website in question, prior to the consent of the
user, contradicts what is stipulated in the LSSI.
b).- About the cookie information banner existing in the first layer (page
major):
The cookie banner of the first layer must include information regarding the
identification of the editor responsible for the website, in the event that its identifying data
does not appear in other sections of the page or its identity cannot be detached
evident from the site itself. It must also include a generic identification of the purposes
of the cookies that will be used and whether they are our own or also from third parties, without it being
It is necessary to identify them in this first layer. In addition, it must include generic information
about the type of data to be collected and used in case of profiling
users and must include information and how the user can accept, configure
and reject the use of cookies, with the warning, if applicable, that, if a
certain action, it will be understood that the user accepts the use of cookies.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/13
In the case at hand, in the information banner about cookies existing in the first
layer of the web, identifies in a generic way, the purposes for which the
cookies and whether these are our own or also from third parties.
“(…) CaixaBank uses its own and third-party cookies to analyze your browsing for
statistical, personalization (e.g., language) and advertising, including showing you advertising
personalized from a profile created based on your navigation (…)”.
Therefore, in the present case, in accordance with the evidence available at this time,
It is considered that the information provided about the “cookie policy” in the banner of
information existing on the main page does not contradict what is stipulated in the LSSI.
c).- Regarding consent to the installation of cookies on the terminal equipment:
For the use of non-excepted cookies, it will be necessary to obtain the consent of the
user expressly. This consent can be obtained by clicking, “accept”.
or inferring it from an unequivocal action carried out by the user that denotes that the
consent has been produced unequivocally. Therefore, the mere inactivity of the user,
scrolling or browsing the website will not be considered, for these purposes, a clear action
affirmative under any circumstances and will not imply the provision of consent by itself.
same.
Similarly, access to the second layer if information is presented in layers, as well as
the navigation necessary for the user to manage their preferences in relation to the
cookies in the control panel, it is not considered an active conduct that can
derive the acceptance of cookies.
The existence of “Cookie Walls”, that is, pop-up windows, is also not permitted.
that block the content and access to the website, forcing the user to accept the use of the
cookies to be able to access the page and continue browsing without offering the user any type
alternative that allows you to freely manage your preferences regarding the use of the
cookies.
If the option is to direct a second layer or cookie control panel, the link must be
the user directly to said configuration panel. To facilitate selection, in the panel
In addition to a granular cookie management system, two more buttons can be implemented,
one to accept all cookies and another to reject all. If the user saves his
election without having selected any cookie, it will be understood that you have rejected all
cookies. In relation to this second possibility, in no case are the boxes admissible
pre-marked in favor of accepting cookies.
If for the configuration of cookies, the website refers to the configuration of the installed browser
in the terminal equipment, this option could be considered complementary to obtain the
consent, but not as the only mechanism. Therefore, if the editor opts for this
option, must also offer and in any case, a mechanism that allows rejecting the use of
cookies and/or do it in a granular way.
In the case at hand, although there is no button on the information banner of the first
layer that makes it possible to reject all cookies that are not technical or necessary, if possible
reject them all at once through the control panel or do it on a granular basis.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/13
Therefore, in the present case, in accordance with the evidence available at this time,
It is considered that the management of cookies that are not technical or necessary for the website is not
contradicts what is stipulated in the LSSI.
d).- The possibility of withdrawing the consent previously given regarding the
use of cookies
The withdrawal of the consent previously given by the user may be carried out in
any moment. To this end, the publisher must offer a mechanism that makes it possible to withdraw the
consent easily at any time. It will be considered that this facility exists,
for example, when the user has simple and permanent access to the management system or
cookie settings.
If the editor's cookie management or configuration system does not allow you to avoid its use
of third-party cookies, once accepted by the user, information will be provided about the
tools provided by the browser and third parties, and must warn that, if the
user accepts third-party cookies and subsequently wishes to delete them, they must do so from
your own browser or the system enabled by third parties for this purpose.
In the case at hand, if it is possible to modify said consent given to the use
of non-technical or necessary cookies at any time while browsing the web, through the
link <<Cookie Policy>>, existing at the bottom of the website, through which
The cookie control panel appears to be able to modify the selection initially
done.
Therefore, in the present case, in accordance with the evidence available at this time,
the possibility of withdrawing the consent given at any time through the link
existing at the bottom of the website <<Cookie Policy>> does not contradict what is stipulated
in article 22 of the LSSI.
Therefore, in accordance with what was indicated, by the Director of the Spanish Protection Agency
of data,
HE REMEMBERS:
FIRST: PROCEED TO THE ARCHIVE of these proceedings.
SECOND: NOTIFY this resolution to the entity CAIXABANK, S.A and the party
claimant.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution is
will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the
cited Law 39/2015, of October 1, interested parties may optionally file
appeal for reconsideration before the Director of the Spanish Data Protection Agency in the
period of one month counting from the day following the notification of this resolution or
directly administrative contentious appeal before the Contentious Chamber -
administrative of the National Court, in accordance with the provisions of article 25 and the
section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/13
the Contentious-Administrative Jurisdiction, within a period of two months from the day
following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
XXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXX Spanish Data Protection Agency
What is notified for appropriate purposes in accordance with art. 40 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations (BOE
of 2-10) and as established in art. 29.2, section b) of Royal Decree 389/2021, of 1
June, by which the Statute of the Spanish Data Protection Agency is approved.
XXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXX Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
