AEPD (Spain) - EXP202307483: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
(3 intermediate revisions by one other user not shown)
Line 61: Line 61:
}}
}}


The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish ePrivacy Law applied instead of the GDPR and that the controller had brought its website into compliance.
The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish ePrivacy law applied instead of the GDPR and that the controller had brought its website into compliance.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent. In addition, the data subject noticed that the controller installed cookies on the data subject’s browser before obtaining the data subject’s consent.  
In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge user to consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent.  


The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.  
The data subject, represented by ''noyb'' (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.  


The AEPD found no violations and issued a resolution archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.  
The AEPD found no violations and issued a decision archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020/2022 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.  


On 11 December 2023, the data subject filed an internal appeal making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to [[Article 60 GDPR|Article 60 GDPR]], the Austrian DPA should been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the processing raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made over a year after the data subject’s incident occurred. Next, the data subject restated its argument that the controller had installed cookies prior to obtaining consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent and withdrawal of consent in the simplest form possible. The AEPD’s cookie guidance should be in conformance with this obligation, not the other way around. Finally, the data subject pointed out that the AEPD maintained contradictory criteria concerning the need to allow the rejection of cookies in the first layer of the cookie banner.
On 11 December 2023, the data subject filed an internal appeal (''recurso de reposición'') making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when pursuant to [[Article 60 GDPR|Article 60(8) GDPR]], the Austrian DPA should have been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the facts raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made more than two years after the data subject’s website visit occurred. Third, the data subject restated its argument that the controller had installed cookies without obtaining valid consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent in the first layer of the cookie banner. The AEPD’s cookie guidance should be interpreted according to this legal obligation, not the other way around. In addition, nudging users through colors, contrast, design and size was said to be unfair and not transparent. Finally, the data subject pointed out that the AEPD maintained contradictory criteria regarding the rejection of cookies in the first layer of the cookie banner.


=== Holding ===
=== Holding ===
The AEPD dismissed the appeal, concluding that only the Spanish LSSI (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.  
On 22 April 2024 the AEPD dismissed the appeal, concluding that only the Spanish [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 LSSI] (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.  


First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected all of the data subject’s GDPR claims.
First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected the data subject’s argument about the GDPR being applicable.


The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.
The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.


Finally, the AEPD noted that the website was updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the LOPDGDD, Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.
Finally, the AEPD noted that the website was updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 LOPDGDD], Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.


== Comment ==
== Comment ==
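Review bot: In the Facts paragraph, the new text drops the sentence stating that the data subject noticed cookies being installed before consent was obtained, yet the appeal paragraph still says the data subject "restated its argument that the controller had installed cookies without obtaining valid consent". A reader of the new revision no longer sees where that argument was first made. Either keep a sentence in Facts that states the original allegation, or change "restated" to "argued". Separately, "nudge user to consent" in the new Facts text should read "nudge users to consent".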
Line 88: Line 88:
The decision of the AEPD offers an example of issues that arise in international data protection complaints involving cookie banners.
The decision of the AEPD offers an example of issues that arise in international data protection complaints involving cookie banners.


The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011678&Artikel=&Paragraf=165&Anlage=&Uebergangsrecht= § 165 TKG], which stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) and forwarded it to the Spanish DPA, likely assuming that the case involved cross-border processing and needed to be dealt with according to one stop shop mechanism (see [[Article 56 GDPR]]). In hearing the appeal, however, the AEPD claimed that only [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22 LSSI] (which also stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) is applicable. The AEPD did not directly address the data subject's argument that their data was processed as a result of the cookies installed on their browser before they were prompted with a cookie banner. It did not detail why only the LSSI applies in this case.  
The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of [https://www.ris.bka.gv.at/NormDokument.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20011678&Artikel=&Paragraf=165&Anlage=&Uebergangsrecht= § 165 TKG], which stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) and forwarded it to the Spanish DPA, likely assuming that the case involved cross-border processing and needed to be dealt with according to the one stop shop mechanism (see [[Article 56 GDPR]]). During the appeal procedure, however, the AEPD claimed that only [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 22 LSSI] (which also stems from [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive]) is applicable. The AEPD did not directly address the data subject's argument that their data was processed as a result of the cookies installed without valid consent. It did not detail why only the LSSI applies in this case.  


The divergent approaches of the DPAs in this case shows how in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under the ePrivacy Directive, the GDPR or both.
The divergent approaches of the DPAs in this case shows how in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under the ePrivacy Directive, the GDPR or both.


'''II. Statute of Limitations under LSSI'''
'''II. What are the facts of the case and which moment is relevant?'''


[https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 45 LSSI] imposes a statute of limitations for infringements and sanctions upon those infringements. Translated into English, it states the following:<blockquote>''The most serious infringements shall be subject to a limitation period of three years, serious infringements shall be subject to a limitation period of two years and minor infringements shall be subject to a limitation period of six months; sanctions imposed for very serious infringements shall be subject to a limitation period of three years, serious infringements shall be subject to a limitation period of two years and minor infringements shall be subject to a limitation period of one year.'' </blockquote>The AEPD focuses on the infringement aspect of the provision, noting that the infringement in this case would be time-barred because three years have elapsed since it was allegedly committed. As a result, it states, it cannot examine the merits of the complaint.  
The AEPD did not investigate the individual situation of the complainant. While the complainant provided evidence to reconstruct each detail of their visit to the website through technical means, the AEPD did not consider such evidence and instead focused on its own experience with the webpage years after the data subject filed the complaint.


The limitation period under the LSSI begins to run on the day that the alleged infringement was committed (see, e.g., [https://www.aepd.es/documento/e-04793-2011.pdf E/04793/2011] pages 3-5). A statute of limitations of an infringement or sanction assessment will typically be suspended when an administrative proceeding of a sanctioning or enforcement nature is initiated. As noted by the Spanish Supreme Court in [https://www.poderjudicial.es/search/openDocument/597f1caa7d499fe0 Decision 97/2002], "''If the Administration has pursued the offence in a timely manner and had sanctioned it, without incurring inactivity for a period exceeding that of a statute of limitations, what happens next, as to the delay in resolving the appeals in administrative headquarters, it does not affect the statute of limitations for the offence but simply to determine whether the Body that authored the original decision acted in accordance with the Legal Order. The delay in the express decision of the appeals will give rise to the fiction of the negative or dismissive silence that allows the judicial challenge of the alleged act, but will not result in a statute of limitations for the infringement when it has not occurred within its own area, i.e. in the sanctioning file that ends and culminates with the decision imposing the sanction''." [translated]
It visited the website over two years after the data subject and, unsurprisingly, found changes to the website. The AEPD assessed the website on basis of these findings. This is unfortunately a common practice among some DPAs. However, DPAs need to take into account the situation of the complainant (see [[Recital 141 GDPR]], [https://www.edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en Internal EDPB Document 02/2021] para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to change a website no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account.


Where there is an appeal for a sanction decision, the limitation period will thus remain suspended throughout the appeal process (barring excessive inactivity delays). But what happens in the case of decisions to archive?
'''III. Current cookie banner of the website'''


In this case, where a sanctioning procedure was not pursued, the AEPD seems to interpret Article 45 LSSI's limitation period to continue running as though proceedings were not initiated to begin with. This is not the first time that the AEPD has interpreted Article 45 LSSI's limitation period to continue running after non-sanctioning proceedings have commenced. In [https://www.aepd.es/documento/ai-00282-2022.pdf EXP202202620], for example, the AEPD archived a timely complaint filed with the AEPD against a French company because there would be insufficient time left in the limitation period to request collaboration from the French DPA. The implications of this are significant. A decision to archive a case is still a decision on the merits -- it determines that there is no violation or corrective measure. This is a decision of consequence that can thus be appealed by the data subject. If the limitation period is not paused, data subjects' complaints that are interpreted to fall under the LSSI and do not incur sanctioning proceedings effectively lose their ability to be appealed within the AEPD, given that it is rare for the AEPD to investigate complaints and issue decisions -- much less appeals -- within two to three years of the complaints being made.
Although the AEPD determined that the cookie banner is now compliant with cookie banner requirements, it in fact continues to use deceptive nudges in prompting users to accept or reject cookies. In the first layer, visitors of the webpage may either consent to all cookies by hitting a button labeled 'Agree and Close,' or they may select a second option to 'Disagree and create an account.' The 'Disagree and create an account' button functions as a 'reject all' button, but this is not clear to users who understandably would think that withholding consent would require them to take further steps of creating an account in order to use the website. This seems to be misleading.
 
'''III. What are the facts of the case and which moment is relevant?'''
 
The AEPD did not investigate the individual situation of the complainant. While the complainant provided evidence to reconstruct each detail of their visit to the website through technical means, the AEPD did not consider such evidence and instead focused on its own experience with the webpage months after the data subject filed the complaint.
 
It visited the website over two years after the data subject and, unsurprisingly, found changes to the website. The AEPD assessed the website on basis of these findings. This is unfortunately a common practice among some DPAs. However, DPAs need to take into account the situation of the complainant (see [[Recital 141 GDPR]], [https://www.edpb.europa.eu/our-work-tools/our-documents/internal-documents/internal-edpb-document-022021-sas-duties-relation_en Internal EDPB Document 02/2021] para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases as the one at hand, where a controller decides to deactivate a website (or discontinue a service, etc.), no responsibility for any previous action will be established if the situation of the moment of the alleged violation is not taken into account.
 
'''IV. Current cookie banner of the redirected website'''
 
Although the AEPD determined that the cookie banner is now compliant with cookie banner requirements, it in fact continues to use deceptive nudges in prompting users to accept or reject cookies. In the first layer, visitors of the webpage may either consent to all cookies by hitting a button labeled 'Agree and Close,' or they may select a second option to 'Disagree and create an account.' The 'Disagree and create an account' button functions as a 'reject all' button, but this is not clear to users to understandably would think that withholding consent would require them to take further steps of creating an account in order to use the website. The second layer of the cookie banner allows users to 'disagree to all' or 'agree to all.'


== Further Resources ==
== Further Resources ==
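Review bot: The removed section "II. Statute of Limitations under LSSI" was the only part of the Comment that discussed Article 45 LSSI, while the Holding still reports that the AEPD declined to examine the merits because the limitation period had run. With the section deleted, the Comment no longer addresses that ground, and the reference to EXP202202620 is lost with it. If the analysis was removed because it was inaccurate, say so in the edit summary; otherwise consider keeping a condensed paragraph. In the new section II, "on basis of" should read "on the basis of" and "in cases as the one at hand" should read "in cases such as the one at hand".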

Revision as of 14:53, 30 April 2024

AEPD - EXP202307483
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
LSSI
Type: Internal Appeal
Outcome: Rejected
Started: 21.08.2021
Decided: 22.04.2024
Published:
Fine: n/a
Parties: Adevinta Spain, S.L.
National Case Number/Name: EXP202307483
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA dismissed an internal appeal regarding a cookie banner decision, stating that the Spanish ePrivacy law applied instead of the GDPR and that the controller had brought its website into compliance.

English Summary

Facts

In January 2021 a data subject accessed a website operated by Adevinta Spain, S.L. (the controller) which had a cookie banner. In the data subject’s view, the cookie banner did not offer a reject button in the first layer, used colors and contrasts to nudge users to consent and did not provide an option to withdraw consent that would be as easy to use as the option to give consent.

The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. The Austrian DPA determined that the controller was Spanish and forwarded the case to the Spanish DPA (AEPD), which received it in June 2023.

The AEPD found no violations and issued a decision archiving the complaint on 8 November 2023. First, it agreed with the controller’s argument that providing one button to accept cookies and another to further configure settings in the first layer of the cookie banner, which then permitted you to reject cookies in the second layer of the banner, complied with the AEPD’s 2020/2022 Guidance on the use of cookies. Second, the AEPD noted that this guidance did not specify color or contrast settings. Though the updated 2023 guidance addressed dark patterns, it did not come into effect until 11 January 2024 and thus was not at issue in this case. Third, the AEPD observed that the panel to disable cookies was permanently located at the footer of the webpage and thus found that the option to withdraw consent was always accessible. Finally, based on its own investigation of the webpage, the AEPD determined that the webpage did not install any cookies prior to obtaining consent and verified their proper uninstallation once consent was withdrawn.

On 11 December 2023, the data subject filed an internal appeal (recurso de reposición) making five key arguments. First, it claimed that a procedural GDPR violation had occurred, arguing that the Austrian DPA transferred the complaint to the AEPD when, pursuant to Article 60(8) GDPR, the Austrian DPA should have been the DPA to adopt and notify the resolution. Second, the data subject argued that the AEPD failed to properly examine the facts raised in the complaint. Rather than considering the data subject’s experience with the platform, the AEPD considered only its own examination of the webpage, which it made more than two years after the data subject’s website visit occurred. Third, the data subject restated its argument that the controller had installed cookies without obtaining valid consent. Because this implicates processing of personal data, the data subject argued, the GDPR applies. Fourth, the data subject emphasised that the GDPR and ePrivacy Directive both make clear that a controller must permit rejection of consent in the first layer of the cookie banner. The AEPD’s cookie guidance should be interpreted according to this legal obligation, not the other way around. In addition, nudging users through colors, contrast, design and size was said to be unfair and not transparent. Finally, the data subject pointed out that the AEPD maintained contradictory criteria regarding the rejection of cookies in the first layer of the cookie banner.

Holding

On 22 April 2024 the AEPD dismissed the appeal, concluding that only the Spanish LSSI (Spain’s implementation of the ePrivacy Directive) applies in this case – not the GDPR.

First, the AEPD rejected the data subject’s argument that the decision should have been issued by the Austrian DPA. Instead, it determined that only the LSSI applies in this case. Since there is no collaboration mechanism in the ePrivacy Directive as there is under the GDPR, the AEPD concluded that it is the only competent authority in this case. As a result, the AEPD rejected the data subject’s argument about the GDPR being applicable.

The AEPD subsequently determined that no LSSI violations could be found in this case because its statute of limitations had been exceeded. Pursuant to Article 45 LSSI, very serious infractions expire after three years, serious infractions expire after two years and minor infractions expire after six months. The AEPD considered that, at the time it was hearing the appeal, three years would have passed since the commission of any alleged violations. As a result, it concluded, it would no longer be possible for the AEPD to examine the merits of the case.

Finally, the AEPD noted that the website had been updated since the time of the complaint’s filing and was now compliant with cookie banner requirements. It cited Article 65(6) of the LOPDGDD, Spain’s law implementing the GDPR, which authorises the AEPD to archive cases in which the controller has taken measures to comply with the GDPR.

Comment

I. Who decides if a case is a GDPR cross-border case? Issues when handling an ePrivacy and GDPR case

The decision of the AEPD offers an example of issues that arise in international data protection complaints involving cookie banners.

The Austrian DPA considered the complaint to fall under the GDPR (the Austrian DSB is not competent for the enforcement of § 165 TKG, which stems from Article 5(3) ePrivacy Directive) and forwarded it to the Spanish DPA, likely assuming that the case involved cross-border processing and needed to be dealt with according to the one stop shop mechanism (see Article 56 GDPR). During the appeal procedure, however, the AEPD claimed that only Article 22 LSSI (which also stems from Article 5(3) ePrivacy Directive) is applicable. The AEPD did not directly address the data subject's argument that their data was processed as a result of the cookies installed without valid consent. It did not detail why only the LSSI applies in this case.

The divergent approaches of the DPAs in this case show how in practice it is unclear (i) which authority decides if a case is a one stop shop case and (ii) which authority decides if a case falls solely under the ePrivacy Directive, the GDPR or both.

II. What are the facts of the case and which moment is relevant?

The AEPD did not investigate the individual situation of the complainant. While the complainant provided evidence to reconstruct each detail of their visit to the website through technical means, the AEPD did not consider such evidence and instead focused on its own experience with the webpage years after the data subject filed the complaint.

It visited the website over two years after the data subject and, unsurprisingly, found changes to the website. The AEPD assessed the website on the basis of these findings. This is unfortunately a common practice among some DPAs. However, DPAs need to take into account the situation of the complainant (see Recital 141 GDPR, Internal EDPB Document 02/2021 para. 68) and decide on this specific situation. Otherwise the rights of the data subject will in most circumstances not be safeguarded. Additionally, in cases such as the one at hand, where a controller decides to change a website, no responsibility for any previous action will be established if the situation at the moment of the alleged violation is not taken into account.

III. Current cookie banner of the website

Although the AEPD determined that the cookie banner is now compliant with cookie banner requirements, it in fact continues to use deceptive nudges in prompting users to accept or reject cookies. In the first layer, visitors of the webpage may either consent to all cookies by hitting a button labeled 'Agree and Close,' or they may select a second option to 'Disagree and create an account.' The 'Disagree and create an account' button functions as a 'reject all' button, but this is not clear to users who understandably would think that withholding consent would require them to take further steps of creating an account in order to use the website. This seems to be misleading.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

On April 22, 2024, the Director of the Spanish Data Protection Agency issued the following electronically signed resolution:

File No.: EXP202307483

RESOLUTION OF APPEAL FOR RECONSIDERATION

Having examined the appeal for reconsideration filed by Noyb – European Center for Digital Rights in the name and on behalf of XXX (hereinafter, the appellant) against the resolution issued by the Director of the Spanish Data Protection Agency, dated November 8, 2023, and based on the following:

FACTS

FIRST: On June 1, 2023, a complaint was registered with the Spanish Data Protection Agency (hereinafter, AEPD) under registration number REGAGE23e00035234524, submitted by the appellant, for an alleged violation of Article 22.2 of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter, LSSI).
In particular, due to the following circumstances:

The claim, filed with the Austrian Data Protection Authority on August 11, 2021, states that the way consent is obtained for the installation of data storage and retrieval devices (cookies) through the banner used on the website https://www.milanuncios.com/ would not comply with current regulations, mainly for the following reasons:

1. The option to reject the installation of cookies exists only in the second layer. Accepting the processing activities thus takes a single click, while at least two are needed to reject said processing.

2. The button colors are misleading because the "Accept and close" option has more prominent colors than the "Configure" option, which would indicate to the user that it is the expected option and the only easy way out of the banner.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
Secure Verification Code: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | You can verify the integrity of this document at the following address: https://sedeagpd.gob.es/validar-csv/
CSV: AEPD-8c94-52d5-3216-2609-ed1e-1bd9-82a3-0067 | Date: 04/23/2024
Reference: EXP202307483 | Validation URL: https://sedeagpd.gob.es/validar-csv/2/8
3. The contrast of the buttons is misleading since it highlights the option to
accept over the option to configure, combined with the color style of the
buttons.
4. Withdrawing consent is not as easy as giving it. The complaining party was
unable to easily find an option to withdraw consent. It did not find a
prominent withdrawal banner or other similar option.
Additionally, it should be noted that, on examining the operation of the
website, it is observed that non-excepted cookies are installed before consent
is granted. Furthermore, when the "disable all" option is pressed in the
consent manager, it is found that the non-excepted cookies installed when
visiting the page or when granting consent for one or more of the purposes
specified in the consent manager are not removed from the user's terminal
equipment, so said procedure does not comply with the regulations in force.
SECOND: The mechanism prior to the admission for processing of claims lodged
with the AEPD, provided for in article 65.4 of Organic Law 3/2018, of December
5, on the Protection of Personal Data and guarantee of digital rights
(hereinafter, LOPDGDD), consists of transferring them to the data protection
officers designated by the controllers or processors, or to the latter when no
officer has been designated. The fourth additional provision of the LOPDGDD
also allows the aforementioned mechanism to be applied to claims filed for
alleged violations of other laws that attribute powers to the Spanish Data
Protection Agency. For the purpose indicated in the aforementioned article, the
claim was transferred to ADEVINTA SPAIN, S.L. (hereinafter, the claimed party)
so that it could analyze it and provide a response within a period of one
month. On September 21, 2023, the claimed party filed with the AEPD Electronic
Registry its response to the transfer action and request for information.
THIRD: On September 1, 2023, in accordance with article 65.5 of the LOPDGDD,
the claim presented was admitted for processing.
FOURTH: On November 8, 2023, after analyzing the documentation in the file, a
resolution was issued by the Director of the Spanish Data Protection Agency,
agreeing to archive the claim. The resolution was notified to the appellant on
November 8, 2023, as recorded in the file.
FIFTH: On December 11, 2023, the appellant submitted a new document through
the Electronic Registry of the AEPD, against the resolution issued in file
EXP202307483, expressing disagreement with the contested resolution and
requesting that the processing of the initial claim continue.
The following apply to the above facts:
FOUNDATIONS OF LAW
I
Competence
As a preliminary matter, it should be noted that the new document presented by
the appellant was not labelled as an appeal for reconsideration. However,
section 2 of article 115 of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations (hereinafter, LPACAP),
establishes that an error in or lack of classification of the appeal by the
appellant will not be an obstacle to its processing, provided that its true
nature can be deduced; therefore, the document presented will be processed as
an appeal for reconsideration.
The Director of the Spanish Data Protection Agency is competent to resolve
this appeal, in accordance with the provisions of article 123 of the LPACAP
and article 43 of the LSSI.
II
Response to the allegations presented
In relation to the statements made by the appellant, which basically reiterate
those already made in the claim, it should be noted that they were already
analyzed and rejected in the contested resolution, the foundations of which
remain fully in force.
After transferring the claim, in accordance with article 65.4 and the fourth
additional provision of the LOPDGDD, it was considered that the initiation of
a sanctioning procedure was not warranted, as the claim had been attended to,
and that it was appropriate to archive the claim made.
In this sense, in response to the transfer action, the claimed party provided
information from which it is inferred that the issues raised in the claim were
resolved:
The claimed party has stated that it adheres to the IAB Transparency and
Consent Framework (TCF) with the objective of ensuring transparency and
complying with the obligations derived from the LSSI and the GDPR. It
considers that the measures adopted in relation to the duty to inform and to
consent are in line with the criteria of the Guide on the use of cookies 2020,
valid until July 11, 2023, a date after the claim filed by NOYB.
It notes that both the Cookies Policy and the consent manager are accessible
to the user through the footer of the page.
With respect to obtaining and rejecting consent, it states that it follows the
recommendations established by the Guide on the use of cookies 2020, through a
button to accept cookies and another to configure, which redirects to the panel
in which consent can be managed. This panel is accessible from the link in the
page footer, and from there it is possible to revoke at any time the consent
granted. Additional information is also provided in the Cookies Policy, in
which the link to the configuration panel is also provided.
Regarding the design, "it has been arranged in the site's own colors and contrasts,
and taking into account that the 2020 Cookies Guide did not necessarily provide for
the same." However, it states the entity's willingness to comply with the
requirements established by the guides on the use of cookies, having created
working groups with the objective of adapting the consent mechanisms to these
guidelines.
As far as this Agency is concerned, and after the analysis carried out within
the powers attributed to it, it has been determined that the consent manager
is aligned with the recommendations established in the Guide on the use of
cookies of June 2022, following one of the examples provided. The information
shown in the first layer is supplemented with additional information from the
control panel accessed through the "Setup" button. Additionally, the panel is
permanently accessible through the footer of the website. This panel has the
necessary mechanisms to enable or disable all cookies, or to do so manually on
a granular basis. No storage device is installed if it has not been enabled,
since they are disabled by default as indicated in the guide.
Regarding the contrast of the buttons, the Guide on the use of cookies of June
2022 gave no recommendations in this regard, although the July 2023 update of
the guide adapts its content to the European Data Protection Board's
Guidelines on dark patterns.
With reference to the withdrawal of consent, it is noted that in the footer of
the website there is a permanent link to the configuration panel, allowing the
user at any time to reject the use of non-excepted cookies in their browser.
Additionally, the Cookies Policy provides additional information on how to
delete them through the settings of the most common browsers, including links
to said information.
Finally, it is noted that the website does not install non-excepted cookies
prior to obtaining consent, and the correct operation of the mechanism to
uninstall them is verified, so that, after installation has been accepted,
they are deactivated when consent is withdrawn through the configuration
panel.
In the appeal for reconsideration, the appellant alleges that a procedural
violation has occurred, since the Austrian Authority forwarded the claim to
the AEPD under article 56 of REGULATION (EU) 2016/679 of the European
Parliament and of the Council, of April 27, 2016, on the protection of natural
persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation) (hereinafter, GDPR). The appellant points out that, in
accordance with the one-stop-shop mechanism and with article 60 of the GDPR,
the Austrian Authority is the one that should have adopted and notified the
resolution. Therefore, it considers that the AEPD lacked competence to carry out
such action and that, by failing to comply with the procedural regulations, it
is null and void.
Likewise, it considers that the AEPD has limited itself to examining the
processing of data carried out by the claimed party in a generic manner by
examining its website, without examining the specific circumstances of the
appellant, specifically, the situation during the appellant's visit to the
website. Therefore, there would be a lack of consistency with the initial
claim, by resolving in the abstract on the compliance of the website with the
regulations but without responding to the substance of the claim.
The appellant also points out that the claimed party processed his personal
data when installing cookies without consent, so that the GDPR applies, and
this was considered by the Austrian Authority when referring the claim to the
AEPD. On the other hand, it also highlights that both the GDPR and Directive
2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy in
the electronic communications sector (Directive on privacy and electronic
communications) (hereinafter, ePrivacy Directive) also provide for the
rejection of the processing in the “simplest possible” way, and that European
Union regulations cannot be interpreted in accordance with the AEPD Cookies
Guide, but rather the Guide must be interpreted in accordance with the
applicable European regulations.
Finally, it considers that the AEPD has maintained a contradictory criterion
regarding the need to allow the rejection of cookies in the first layer.
On the applicability of the one-stop-shop mechanism and the lack of
competence, it should be noted that, regardless of the criteria of the
Austrian Authority, in this case it is concluded that the GDPR is not
applicable, but rather that we are only facing a possible violation of the
ePrivacy Directive. This Directive is transposed into the Spanish legal system
by the LSSI (among other rules), and, as the appellant itself acknowledges, it
does not have a cooperation mechanism such as that of the GDPR, so the claim
must be processed only by the AEPD, the competent authority that resolved and
notified the archiving that is the subject of this appeal in accordance with
the law. Therefore, no non-compliance with the applicable regulations can be
found, and this ground of appeal must be dismissed.
On the other hand, in relation to the examination of the specific infringement
that is the subject of the initial claim, which occurred at the time of the
appellant's visit on January 25, 2021, it is necessary to highlight that, in
accordance with article 45 of the LSSI:
Very serious infringements are time-barred after three years, serious ones
after two years and minor ones after six months; sanctions imposed for very
serious infringements are time-barred after three years, those imposed for
serious infringements after two years and those imposed for minor
infringements after one year.
Therefore, regardless of whether an infringement may have occurred on the
aforementioned date, said infringement would now be time-barred, it not being
possible for the AEPD to examine the substance of the matter at present, since
on January 25, 2024, three years would have passed since its commission.
Finally, on the compliance of the claimed party's website with the regulations
currently in effect, as discussed in the archival resolution and now
reiterated, the claimed party has adapted its website after the visit that is
the subject of the initial claim, so that it currently complies with the
requirements indicated for a cookie banner.
Article 65.6 of the LOPDGDD provides: “After admission for processing, if the
controller or processor demonstrates that it has adopted measures for
compliance with the applicable regulations, the Spanish Data Protection Agency
may resolve to archive the claim, when in the specific case there are
circumstances that advise the adoption of other more moderate solutions or
alternatives to corrective action, provided that no prior investigation
actions or any of the procedures regulated in this organic law have been
initiated”. Likewise, the fourth additional provision of the LOPDGDD provides
that “The provisions of Title VIII and its implementing regulations shall
apply to the procedures that the Spanish Data Protection Agency has to process
in the exercise of the powers attributed to it by other laws.” In this case,
after the transfer of the claim, the claimed party has adopted measures for
compliance with the regulations. Therefore, the archival resolution is in
accordance with the law, and the present appeal must be dismissed.
III
Conclusion
In short, in view of the transfer actions carried out by the AEPD, it has been
verified that the claim has been addressed by the claimed party.
In this regard, it should be noted that, although the documentation presented
suggests a possible initial discrepancy between the action or inaction of the
claimed party and the provisions of the applicable regulations, the processing
of the claim in accordance with the provisions of article 65.4 and the fourth
additional provision of the LOPDGDD has led to the resolution of the issues
raised, without the need to determine administrative responsibilities within
the framework of a sanctioning procedure.
In this sense, it is worth mentioning the exceptional nature of the
sanctioning procedure, from which it follows that, whenever possible,
alternative mechanisms must be given precedence where they are provided for by
current regulations, as occurs in the case subject to this appeal for
reconsideration.
In summary, the principles applicable to the sanctioning procedure must be
recalled. The AEPD exercises the sanctioning power ex officio. Therefore, it
is the exclusive competence of the AEPD to assess whether there are
administrative responsibilities that must be determined in a sanctioning
procedure and, consequently, the decision on its opening, there being no
obligation to initiate a procedure in response to any request made by a third
party. Such a decision must be based on the existence of
elements that justify said initiation of the sanctioning activity,
circumstances that do not occur in the present case, as indicated in the
appealed resolution and in the present appeal for reconsideration.
Therefore, given that, in the present appeal for reconsideration, no new
facts, documents or legal arguments have been provided that allow
reconsideration of the validity of the contested resolution, it is appropriate
to reject it.
IV
Untimely resolution
Due to reasons related to the functioning of the administrative body, and
therefore not attributable to the appellant, the mandatory pronouncement of
this Agency regarding this appeal has not been issued to date.
In accordance with the provisions of article 24 of the LPACAP, the effect of
administrative silence in procedures for challenging acts and provisions is
dismissal.
However, and despite the time that has passed, the Administration is obliged
to issue an express resolution and to notify it in all procedures regardless
of their form of initiation, as provided in article 21.1 of the aforementioned
LPACAP.
In cases of dismissal due to administrative silence, the express resolution
issued after the expiration of the term will be adopted by the Administration
without being bound in any way by the meaning of the silence, as provided in
article 24.3 of the same law.
Therefore, it is appropriate to issue the resolution that concludes the appeal
for reconsideration filed.
Considering the aforementioned precepts and others of general application, the
Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DISMISS the appeal for reconsideration filed by XXX against the
resolution of this Agency issued on November 8, 2023, by which it was agreed
to archive the claim concerning ADEVINTA SPAIN, S.L.
SECOND: NOTIFY this resolution to the appellant.
Against this resolution, which puts an end to the administrative procedure, a
contentious-administrative appeal may be filed before the
Contentious-Administrative Chamber of the National Court, within a period of
two months counting from the day following the notification of this act, as
provided in article 46.1 of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, in accordance with the provisions of
article 25 and section 5 of the fourth additional provision of the
aforementioned Law.
1179-260324
Mar España Martí
Director of the Spanish Data Protection Agency
This is notified for the appropriate purposes in accordance with art. 40 of
Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (BOE 2-10) and as established in art. 29.2, section b) of
Royal Decree 389/2021, of June 1, approving the Statute of the Spanish Data
Protection Agency.