AEPD (Spain) - PS-00030-2022

From GDPRhub
AEPD - PS-00030-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 22(2) of the Spanish Law of Information Society Services and Electronic Commerce
Type: Complaint
Outcome: Upheld
Started: 26/09/2021
Decided:
Published: 09/09/2022
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: PS-00030-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: PL

The Spanish DPA fined a website €2,000 for violating Article 22(2) LSSI, a national law regulating cookies, regarding the implemented Cookies Policy.

English Summary[edit | edit source]

Facts[edit | edit source]

An individual (the complainant) filed a complaint with the AEPD indicating that the website owned by the controller violated data protection and information society services regulations, with regard to the implemented Cookies Policy. The complainant raised several issues regarding the use of non-technical and non-necessary cookies without consent, the lack of an appropriate cookie banner and the extent of information provided in the Cookies Policy.

The AEPD gave the controller an opportunity to contest the facts. The controller indicated that the complaint was unfounded given that users were able to navigate the site without accepting or rejecting the cookies. Additionally, the controller adopted the following measures: the elimination of cookies from the web, and the elimination of the warning banner, which used to make it impossible to read documents on the site. The controller further clarified that no personal data was stored through cookies.

Nevertheless, the AEPD initiated an investigation into the controller's website.

Holding[edit | edit source]

First, the AEPD recalled Article 22(2) LSSI, which establishes that users of websites must be provided with clear and complete information on the use of storage devices, data recovery and, in particular, on the purposes of data processing.

This provision applies also to the use of cookies on websites and requires the controller to obtain expressly stated consent whenever non-necessary or non-technical cookies are used. This can be done, for example, through clicking on an "Accept" button. There should be a possibility to withdraw consent at any time, as required also by Article 7 GDPR. Moreover, a cookie banner should inform the user of a website about the the identity of the controller, the purposes of using specific types of cookies, the data collected, the manner in which to either accept, reject or adjust the use of cookies. There should also be a link to a page including more detailed information on the Cookies Policy. In this regard, the DPA emphasised that the use of "Cookie Walls", that is pop-up windows which block access to a website unless the user accepts the use of cookies, is prohibited.

In the present case, the AEPD found that there was no cookie banner as such, no possibility to reject non-technical and non-necessary cookies, nor was there a control panel, where cookies could be managed.

Secondly, the AEPD investigated the compliance of the information provided in the Cookies Policy with Article 22(1) LSSI. It concluded that the policy implemented on the controller's website lacked information on the identity of the controller, the types of cookies (first-party or third-party) used, their functionality or the time they would be active for.

In consequence, the AEPD imposed on the controller a fine of €2,000, for the violation of Article 22(2) LSSI, regarding the Cookies Policy implemented on their website.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/10








     Procedure No.: PS/00030/2022 (EXP202104460)

                  RESOLUTION SANCTION PROCEDURE


Of the actions carried out ex officio by the Spanish Agency for the Protection of
Data before the entity PREICO JURÍDICOS, S.L., with CIF: B67071472, owner of the
website, https://www.preicojuridicos.com; for the alleged violation of the
data protection regulations: Regulation (EU) 2016/679, of the Parliament
European and Council, of 04/27/16, regarding the Protection of Natural Persons

regarding the Processing of Personal Data and the Free Circulation of
these Data (RGPD) and Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD), and against the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (LSSI), and attending to the following:


                                  BACKGROUND

FIRST: Dated 09/26/21 D. A.A.A. (hereinafter, “the complaining party”),
files a claim with this Agency indicating that the indicated website
Previously, the data protection regulations and the services of the company are not complied with.

information society, with regard to the Cookies Policy implemented
since when trying to enter the web and reject all cookies, it is expelled from the
website making it impossible for you to continue browsing the website.

SECOND: On 11/17/21 and 11/29/21, this Agency transferred the

claim to the party complained against so that it could respond to it,
in accordance with the provisions of article 65.4 of the LOPDGDD Law. attempts to
notification resulted in the following:

       a).- According to a certificate from the Electronic Notifications Service and Address

       Electronic, the shipment made to the claimed entity, on 10/18/21, through
       of the electronic notification service "NOTIFIC@", was rejected in
       destination on 11/28/21.

       b).- According to a certificate from the State Post and Telegraph Society, the shipment
       made to the claimed entity, on 11/29/21 through the service of

       Postal notification from Correos, was delivered at destination on 12/16/21, being the
       receiver: Mrs. B.B.B.. ***NIF.1.

THIRD: On 12/26/21, by the Director of the Spanish Agency for
Data Protection, an agreement is issued to admit the processing of the claim

presented, in accordance with article 65 of the LPDGDD Law, when assessing possible
reasonable indications of a violation of the rules in the field of competences
of the Spanish Agency for Data Protection.

FOURTH: On 02/17/22, by the Subdirectorate General for Inspection of

Data from this AEPD, the following preliminary investigation actions were carried out,
in accordance with the provisions of article 67 of the LOPDGDD, regarding the
characteristics presented by the Cookies Policy of the website,
https://www.preicojuridicos.com/inicio/, verifying the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/10









1.- When entering the web for the first time, without accepting cookies or performing any action
on the page, it has been verified that cookies are used that are not technical or
necessary, whose domain belongs to third parties, but some of them, are
installed associated with the domain of the person in charge of the web:



Cookies Domain Type of Cookie

ssupp.visits .preicojuridicos.com technical cookie
ssupp.vid .preicojuridicos.com technical cookie

_pk_id. .preicojuridicos.com analytical cookie
_pk_ref. preicojuridicos.com analytical cookie
_gid .preicojuridicos.com analytical cookie
_gat_gtag_UA_1 .preicojuridicos.com analytical cookie
_pk_ses.3.796c .preicojuridicos.com analytical cookie

_ga .preicojuridicos.com analytical cookie
_fbp .preicojuridicos.com advertising cookie
_fr .preicojuridicos.com advertising cookie

2.- There is a banner about cookies on the main page of the website with the following
information:


    The website www.preicojuridicos.com uses its own and third-party cookies to
  collect information that helps optimize navigation on the website. I don't know
 will use cookies to collect personal information unless accepted
                             explicit by the user.


                             <<Accept>> <<Not accept>>

If you wish to reject all cookies that are not necessary or technical, by clicking
in the <<Do not accept>> option, it is verified that the user is expelled from the web.

If you choose to accept all cookies, by clicking on the <<Accept>> option, you will

check how the web no longer expels the user from it and continues to use the
cookies indicated above.

3.- If you access the "Cookies Policy" through the existing link in the part
bottom of the main page, the web redirects the user to a new page,
https://www.preicojuridicos.com/blog/politica-cookies/ where it is provided

information to the user about what cookies are, what types of cookies the site uses
web, how to manage cookies through the browsers installed on the computer
user terminal. But there is no information or the cookies used are identified
the website, its functionality, whether they are their own or third-party or the time they will be
active.


FIFTH: On 02/24/22, the respondent entity files a written response
to the request made by this Agency, in which, among others, it indicates what
Next:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/10








       “The facts that motivate the claim is that the claimant states that
       Browsing on the website www.preicojuridicos.com would not be allowed if
       The installation of cookies has not been previously accepted.

       In addition, the information contained in the legal texts could not be accessed

       because the site visitor is expelled from the web if he does not accept the
       cookies.

       That the stated incidence is meaningless since without accepting or
       Reject the installation of cookies if navigation is allowed within the
       web www.preicojuridicos.com


       The measures adopted have been: the elimination of cookies from the web and the
       elimination of the cookie warning banner which makes it possible to read
       of legal texts. It is stated that they have not been stored or
       They store personal data through cookies.


       As for the decision adopted, as stated above, and
       In order to comply with current legislation, we have proceeded to eliminate
       of the cookies of the web www.preicojuridicos.com as well as the elimination of the
       warning banner.


SIXTH: On 03/01/22, this Agency carried out the following
verifications in, with respect to the characteristics that the Policy of
Cookies from the website, https://www.preicojuridicos.com/, checking what
Next:

1.- When entering the web for the first time, without accepting cookies or performing any action

on the page, it has been verified that cookies are used that are not technical or
necessary, whose domain belongs to third parties, but some of them, are
installed associated with the domain of the person in charge of the web:

Cookies Domain
CONSENT .google.com /

__Secure-ENID .google.com/
DV.google.com/
SOCS.google.com/
NID .google.com /
AEC .google.com


2.- There is no type of banner about cookies on the main page of the website.

3.- If you access the "Cookies Policy" through the existing link in the part
bottom of the main page, the web redirects the user to a new page,
https://www.preicojuridicos.com/blog/politica-cookies/ where it is provided

information to the user about what cookies are, what types of cookies the site uses
web, how to manage cookies through the browsers installed on the computer
user terminal. But there is no information or the cookies used are identified
the website, its functionality, whether they are their own or third-party or the time they will be
active.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/10









SEVENTH: On 03/01/22, by the Director of the Spanish Agency for
Data Protection, the initiation of the sanctioning procedure by the
alleged infringement of article 22.2 LSSI, due to the deficiencies detected in its
cookie policy, imposing an initial penalty of 2,000

euros (two thousand euros), based on the provisions of art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of the Public Administrations
(LPACAP).

Attempts to notify the agreement to start the sanctioning file
obtained as a result:


    - According to a certificate from the Electronic Notifications Service and Address
       Electronic, the shipment made to the claimed entity, on 03/01/22, through
       of the electronic notification service "NOTIFIC@", was rejected in
       destination on 03/12/22.


Although the notification was validly made by electronic means, assuming
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, by way of
informative, a copy was sent by mail that was reliably notified in
dated 06/15/22, signing the reception: Dª C.C.C.. ***NIF.2. In said notification,
recalled its obligation to interact electronically with the Administration, and

informed him of the means of access to said notifications, reiterating that, as far as
thereafter, you will be notified exclusively by electronic means.

EIGHTH: Notification of the initiation of the file to the entity claimed on 06/15/22, to
Today's date, there is no record in this Agency of the reception of any type of
brief of allegations to the initiation of the file.


In this sense, article 64.2.f) of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (LPACAP) -
provision of which the defendant was informed in the agreement to open the
procedure, establishes that, if allegations are not made within the stipulated period on
the content of the initiation agreement, when it contains a pronouncement

accurate about the imputed responsibility, it may be considered a proposal for
resolution. In the present case, the agreement to start the disciplinary proceedings
determined the facts in which the imputation was specified, the infraction of the
LSSI attributed to the claimed party and the sanction that could be imposed. Therefore, taking into
consideration that the respondent party has not made allegations to the agreement of
start of the file and in accordance with the provisions of article 64.2.f) of the LPACAP,

the aforementioned initial agreement is considered in the present case resolution proposal

                                PROVEN FACTS

Of the actions carried out in this procedure and of the information and

documentation presented by the claimant, the following have been accredited
characteristics regarding the Cookies Policy of the website
www.preicojuridicos.com



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/10








First: When entering the web for the first time, without accepting cookies or performing any
action on the page, it has been verified that cookies are used that are not technical
or necessary, whose domain belongs to third parties, but some of them, are
installed associated with the domain of the person in charge of the web:


Cookies Domain
CONSENT .google.com /
__Secure-ENID .google.com/
DV.google.com/
SOCS.google.com/
NID .google.com /

AEC .google.com

There is no type of banner about cookies on the main page of the website, nor
no type of control panel where you can manage the use of cookies, for
which is impossible to reject this type of cookies.


If you access the "Cookies Policy" through the link at the bottom
from the main page, the web redirects the user to a new page,
https://www.preicojuridicos.com/blog/politica-cookies/ where it is provided
information to the user about what cookies are, what types of cookies the site uses
web, how to manage cookies through the browsers installed on the computer

user terminal. But there is no information or the cookies used are identified
the website, its functionality, whether they are their own or third-party or the time they will be
active.

                           FOUNDATIONS OF LAW
I.- Competition:


It is competent to initiate and resolve this Sanctioning Procedure, the Director of
the Spanish Agency for Data Protection, in accordance with the provisions of the
art. 43.1, second paragraph, of the LSSI Law.

II.- About the "Cookies Policy" of the website www.preicojuridicos.com


       a).- On the use of cookies in the terminal equipment prior to
       consent:

Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and

data recovery and, in particular, on the purposes of data processing.
This information must be provided in accordance with the provisions of the GDPR. So,
when the use of a cookie entails a treatment that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of

data.

However, it is necessary to point out that they are exempt from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/10








for the intercommunication of the terminals and the network and those that provide a service
expressly requested by the user.


In this sense, the GT29, in its Opinion 4/201210, interpreted that among the cookies
excepted would be the user input Cookies” (those used to
filling in forms, or managing a shopping cart); cookies from
user authentication or identification (session); user security cookies
(those used to detect erroneous and repeated attempts to connect to a site
Web); media player session cookies; session cookies to balance

load; user interface customization cookies and some of
plugin (plug-in) to exchange social content. These cookies would remain
excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be
necessary to inform or obtain consent on its use.


On the contrary, it will be necessary to inform and obtain the prior consent of the user.
before the use of any other type of cookies, both first and
third party, session or persistent that are not technical or necessary.

In our case, when entering the web for the first time, without accepting cookies or performing
no action on the page, it has been verified that cookies are used that are not

technical or necessary, whose domain is Google Analytics.

       b).- About the existing cookie information banner in the first layer
       (Homepage):


The banner on cookies of the first layer must include information regarding the
identification of the editor responsible for the website, in the event that your data
identifiers do not appear in other sections of the page or that their identity cannot
obvious detachment from the site itself. It must also include a
Generic identification of the purposes of the cookies that will be used and if they are

own or also third parties, without it being necessary to identify them in this first
layer. In addition, it must include generic information on the type of data to be collected.
collect and use in case user profiles are created and must include
information and the way in which the user can accept, configure and reject the
use of cookies, with the warning, where appropriate, that if a
certain action, it will be understood that the user accepts the use of cookies.


Apart from the generic information about cookies, in this banner there must be a
clearly visible link to a second informative layer on the use of the
cookies. This same link can be used to lead the user to the control panel.
cookie configuration, provided that access to the configuration panel is direct,

that is, that the user does not have to navigate inside the second layer to
locate it.

In the case at hand, it has been found that there is no type of banner
of information about cookies on the main page of the web.


       b).- Regarding consent to the use of unnecessary cookies:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/10








For the use of non-excepted cookies, it will be necessary to obtain the consent
expressly stated by the user. This consent can be obtained by doing
click on, “accept” or inferring it from an unequivocal action performed by the user that

denotes that consent has unequivocally occurred. Therefore, the mere
user inactivity, scrolling or browsing the website, will not be considered
effects, a clear affirmative action in any circumstance and will not imply the
provision of consent itself. Similarly, access to the second
layer if the information is presented in layers, as well as the necessary navigation to
that the user manage their preferences in relation to cookies in the panel of

control, nor is it considered an active behavior from which the
acceptance of cookies.

The existence of "Cookie Walls" is not allowed either, that is, windows
pop-ups that block the content and access to the web, forcing the user to

accept the use of cookies to be able to access the page and continue browsing.

If the option is to go to a second layer or cookie control panel, the link
it should take the user directly to that configuration panel. To facilitate se-
lesson, the panel can be implemented, in addition to a granular management system
of cookies, two more buttons, one to accept all cookies and another to reject-

all of them If the user saves his choice without having selected any cookie,
You will understand that you have rejected all cookies. Regarding this second possibility,
In no case are the pre-marked boxes in favor of accepting cookies admissible.

If for the configuration of cookies, the web refers to the browser configuration

installed in the terminal equipment, this option could be considered complementary
to obtain consent, but not as the only mechanism. Therefore, if the publisher
opts for this option, it must also offer, and in any case, a mechanism that
allows you to reject the use of cookies and/or do it in a granular way, on your own page.
web page


On the other hand, the withdrawal of the consent previously given by the user de-
It should be able to be done at any time. To this end, the publisher must offer a
mechanism that makes it possible to withdraw consent easily at any time.
unto This facility will be considered to exist, for example, when the user has access to
so simple and permanent to the cookie management or configuration system.


If the editor's cookie management or configuration system does not allow to avoid the
use of third-party cookies once accepted by the user, information will be provided
training on the tools provided by the browser and third parties, de-
being aware that, if the user accepts third-party cookies and later wishes to

delete them, you must do it from your own browser or the system enabled by the
third parties for it.

In our case, it has been found that there is no possibility of rejecting cookies
that are not technical or necessary nor is there any type of control panel

where they can be managed granularly or by groups.

       c).- On the information provided in the second layer (Policy of
Cookies):

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/10









More detailed information about cookies should be provided in the Cookies Policy.
characteristics of cookies, including information about, the definition and general function
cookie information (what are cookies); about the type of cookies used and
its purpose (what types of cookies are used on the website); the identification of

who uses the cookies, that is, if the information obtained by the cookies is treated
only by the publisher and/or also by third parties with identification of the latter; the period-
do of conservation of the cookies in the terminal equipment; and if it is the case, information
on data transfers to third countries and the elaboration of profiles that im-
Apply automated decision making.


In our case, it has been found that in the "Cookies Policy" of the website there is no
information or identify the cookies used by the site, their functionality, if they are
own or third party or the time they will be active.

III.- Qualification and sanction that corresponds with respect to the infraction committed with respect to

to the Cookies Policy:

The deficiencies detected in the verification of the web page
www.preicojuridicos.com are:

    - The use of cookies that are not technical or necessary, without the prior

        consent of users.
    - The non-existence of an information banner about cookies on the page
        website main.
    - The impossibility of rejecting cookies that are not technical or necessary or
        make it granular.
    - The lack of information in the "Cookies Policy" about the cookies used

        the web and the time they will be active.

All the anomalies indicated, with respect to the cookie policy suppose, for
part of the claimed, the commission of the infraction of article 22.2 of the LSSI:

       “Service providers may use storage devices and

       recovery of data in terminal equipment of the recipients, on condition
       that they have given their consent after they have been
       provided clear and complete information on its use, in particular, on
       the purposes of data processing, in accordance with the provisions of the Law
       Organic 15/1999, of December 13, on the protection of personal data
       staff.


       Where technically possible and effective, the recipient's consent
       to accept the treatment of the data may be facilitated through the use of the
       appropriate parameters of the browser or other applications.


       The foregoing will not prevent the possible storage or access of a technical nature
       for the sole purpose of carrying out the transmission of a communication over a network of
       electronic communications or, to the extent strictly
       necessary, for the provision of a service of the information society
       expressly requested by the recipient.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/10









This Infraction is typified as "minor" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and retrieval devices

when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2.”, and may be
sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned
LSSI.

In accordance with the criteria indicated above, it is considered appropriate to impose a

sanction of 2,000 euros, (two thousand euros) to the claimed party, for the infraction of the
article 22.2 of the LSSI, regarding the Cookies Policy made on your page
Web.





In view of the foregoing, the following is issued:

                                      RESOLVES:


FIRST: IMPOSE the entity PREICO JURÍDICOS, S.L., with CIF: B67071472,
owner of the website, https://www.preicojuridicos.com, a fine of 2,000 euros
(two thousand euros), for the infringement of article 22.2 LSSI, regarding the Policy
implemented on your website.


SECOND: NOTIFY this resolution to the entity PREICO JURÍDICOS,
S.L., and report the result to the complaining party.

Warn the sanctioned party that the sanction imposed must be made effective once it is
enforce this resolution, in accordance with the provisions of article 98.1.b)

of Law 39/2015, of October 1, of the Common Administrative Procedure of the Ad-
Public Administrations (LPACAP), within the voluntary payment period indicated in article
68 of the General Collection Regulations, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-
upon deposit in the restricted account Nº ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection at CAIXABANK Bank,

S.A. or otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
will be until the 20th day of the following month or immediately after, and if

is between the 16th and last day of each month, both inclusive, the term of the payment
It will be valid until the 5th of the second following month or immediately after.

In accordance with the provisions of article 82 of Law 62/2003, of December 30,
bre, of fiscal, administrative and social order measures, this Resolution is

will make public, once it has been notified to the interested parties. The publication is made
will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection on the publication of its Resolutions.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/10








Against this resolution, which puts an end to the administrative procedure, and in accordance with the
established in articles 112 and 123 of the LPACAP, the interested parties may interpose

have, optionally, an appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly contentious-administrative appeal before the
Contentious-administrative Chamber of the National High Court, in accordance with the provisions

placed in article 25 and in section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
two months from the day following the notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the interested party
do states its intention to file a contentious-administrative appeal. If it is-
In this case, the interested party must formally communicate this fact in writing

addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other registers provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer to the Agency the documentation
that proves the effective filing of the contentious-administrative appeal. If the

Agency was not aware of the filing of the contentious-administrative appeal
tive within two months from the day following the notification of this
resolution, would end the precautionary suspension.

Sea Spain Marti

Director of the Spanish Agency for Data Protection.






























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es