AEPD (Spain) - PS/00132/2022

From GDPRhub
AEPD - PS-00132-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Recital 25 ePrivacy Directive (2002/58/EC)
Article 22.2 LSSI
Type: Complaint
Outcome: Upheld
Started: 07.04.2022
Decided: 26.04.2022
Published: 28.06.2022
Fine: 1,800 EUR
Parties: n/a
National Case Number/Name: PS-00132-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined the owner of a commercial website €1,800 for processing personal data and using of cookies without a legal basis and for not providing sufficient information to the data subject per Article 13 GDPR.

English Summary

Facts

On 7 April 2022, the data subject, Mr. B.B.B., filed a complaint with the Spanish DPA (AEPD) stating that the owner of a commercial website, Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law).

The data subject complained about three aspects of the controller’s website: The contact form, the Privacy Policy and the Cookie Policy.

The contact form of the website (by which website user may contact the controller) did not provide the data subject with the possibility to consent to the processing of their personal data (including name and email address). The website’s Privacy Policy did not disclose all the relevant information mentioned in Article 13 GDPR to the data subject, hence the controller did not fulfill their obligation to inform. The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookies policy about the cookies in use. The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies – which were considered neither necessary nor functional by the DPA - were already in use even before the data subject actively and expressly gave their consent or took action on the website. Furthermore, the data subject did not have the possibility to withdraw their consent regarding the cookies either. In addition to that, the Cookie Policy, which should give the data subject access to more detailed information regarding the features of the cookies used, neither disclosed the activity time, nor mission or the precise identification of the cookies.

Holding

The Spanish DPA imposed a fine on the controller amounting to €3.000.

The processing of personal data without consent of the data subject – thus without a valid legal basis and a violation of Article 6 GDPR - was fined with €1,000.

The violation of Article 13 GDPR in regards to the Privacy Policy was also fined with €1,000.

Article 22(2) LSSI holds that the data subject must be informed if the controller employs cookies and requires the controller to offer the data subject the opportunity to reject them. Thus, the use of cookies without expressed consent of the data subject violates Article 22.2 LSSI which was fined with €1,000 as well. The DPA further explained that the information provided to the user about the use of storage devices and data recovery as well as the purposes of processing (also about cookies) must be disclosed in accordance with the GDPR provisions. In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.

On 26 April 2022, the controller paid the fine which was reduced to €1,800.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/14


    File No: PS/00132/2022


       DECISION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT
                                    VOLUNTARY

From the procedure carried out by the Spanish Data Protection Agency and on the basis of

on the basis of the following

                                  BACKGROUND

FIRST: On 7 April 2022, the Director of the Spanish Data Protection Agency (Agencia Española de
Protection Agency agreed to initiate disciplinary proceedings against A.A.A. (hereinafter,

(hereinafter, the respondent), by means of the Agreement transcribed below:

<<

Proceeding No.: PS/00132/2022


            AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS

From the proceedings carried out by the Spanish Data Protection Agency against
Ms. A.A.A., with tax identification number: ***NIF.1, owner of the web page, ***URL.1 (hereinafter "the party
(hereinafter "the respondent"), by virtue of the complaint lodged by Mr. B.B.B., for the alleged

violation of data protection regulations: Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27/04/16 on the Protection of Individuals with regard to the processing of personal data.
Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (EU
Circulation of Personal Data (GDPR) and Organic Law 3/2018, of 5 December, on Personal Data Protection and the
Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), and

against Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI).
Electronic Commerce (LSSI), and in accordance with the following:

                                      FACTS


FIRST: On 20/04/21, this Agency received a letter presented by the claimant, in which he indicated, among other things, the following
the claimant, in which he indicated, among others, the following:

"The website ***URL.1, on which commercial promotions (books, etc.) and even health advice, are
and even health advice, lacks all the legal requirements currently in force.
currently in force. The website lacks legal information (Obligatory according to LSSI).

lacks information on the use of personal data. The website has a form
contact form at https://(...)/contact-2/ without the mandatory legal notice on the processing of personal data and without the
and without the possibility for the citizen to be aware of the processing of his or her personal data.
that their data may be processed, their rights and their acceptance of this processing.
It should be noted that according to a plugin that the website uses, cookies would be

deactivated if the user does not accept them, but both Google's cookies and those of other third parties
as well as those of other third parties, have access to the users of this website, deceiving the user who
user to reject all cookies except the functional ones".


C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/14



SECOND: On 03/06/21, the Director of the Spanish Data Protection Agency issued a decision admitting the complaint for processing.
Data Protection Agency issued a resolution admitting the complaint submitted for processing, in accordance with
in accordance with article 65 of the LPDGDD Act, on appreciating the possible

rational indications of a breach of the rules within the scope of the competences of the Spanish Data Protection Agency.
of the Spanish Data Protection Agency.

THIRD: The Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative
preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation
by virtue of the powers of investigation granted to the authorities of the Spanish Data Protection Agency.

authorities in Article 58.1 of the GDPR and in accordance with the provisions of Title VII, Chapter I, Section 2, Section 2, of the GDPR.
VII, Chapter I, Section Two, of the LOPDGDD, having knowledge of the following points regarding the website
of the following points concerning the website, ***URL.1:

       a). - On the collection of users' personal data:


1º.- Through the link: <<contact>>, located on the left-hand side of the home page, the website
home page, the website redirects to a new page https://(...)/contact-2/ where users can enter their personal
personal data of the users such as name, e-mail address and subject.
address and subject.


To send the form, the user simply clicks on the <<send>> option.

       b). - About the "Privacy Policy":

1º.- If you access the "Privacy Policy" of the website, through the link at

at the bottom of the home page, <<privacy>>, the website displays a banner with the following information
the following information:

"Your privacy is important to us and our partners we store or
we store or access information on a device, such as cookies, and we process data

data, such as unique identifiers and standard information sent by a device, for personalised
device, for personalised ads and content, ad and content measurement and audience information, as well as
content and audience information, and to develop and improve our products.
products.
With your permission, we and our partners may use precise geographic location and identification data through the
precise geographic location and identification data through device features.


You can click to grant your consent to us and our partners to carry out the processing
to carry out the processing described above. Alternatively, you can
Alternatively, you can access more detailed information and change your preferences before you
before giving or withholding your consent.


Please note that some processing of your personal data may not require your consent, but you have the right to refuse such processing.
your consent, but you have the right to refuse such processing. Your
preferences will apply only to this website. You can change your preferences at any time by
at any time by re-entering this website or by visiting our privacy policy.

privacy policy".

       c). - About the Cookies Policy:


C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/14

1.- When entering the ***URL.1 website for the first time, once the terminal equipment has been cleaned, without accepting cookies or performing any other action.
browsing history and cookies, without accepting cookies or performing any action on the website, it has been checked, through the
on the website, it has been checked, through the tool
"tool of the Google Chrome browser, it has been verified that the following cookies are used
following cookies from the Google provider are used, installed in association with the domain of the

responsible for the website, which are not technical or necessary:

Cookie Provider

_gat_gtag_UA_49758120_1 1 1 (...) /
_gid (...) /

_ga (...) /

2.- There is an information banner about cookies on the home page with the following message: _gat_gtag_UA_49758120_1
following message:


"Your privacy is important to us and our partners we store or
access information on a device, such as cookies, and process personal data, such as unique identifiers and standard
data, such as unique identifiers and standard information sent by a device, for personalised
device, for personalised ads and content, ad and content measurement and audience information, as well as
content and audience information, and to develop and improve our products.
products.

With your permission, we and our partners may use precise geographic location and identification data through the
precise geographic location and identification data through device characteristics.

You can click to grant your consent to us and our partners to carry out the processing
to carry out the processing described above. Alternatively, you can
Alternatively, you can access more detailed information and change your preferences.

before giving or withholding your consent.

Please note that some processing of your personal data may not require your consent, but you have the right to refuse such processing.
your consent, but you have the right to refuse such processing. Your
preferences will apply only to this website. You can change your preferences at any time by
at any time by re-entering this website or by visiting our privacy policy.

privacy policy".
                         <<More Options>> <<Accept>>.

3.- If you access the cookies control panel via the link <<More Options>>,
the website displays a page or control panel with the following characteristics:


    - Precise geolocation data and identification through the
       device characteristics: OFF

    - Personalised ads and content, ad and content measurement,
       audience insights and product development:  OFF


    - Storing or accessing information on a device: OFF

                       <<Lock all>> <<Accept all>>


C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/14


If you choose "Reject all cookies", without sliding any of the pre-checked options and clicking on the <<block all>> option, you will see how the website
options and clicking on the <<block all>> option, you will see that the website continues to use the
continues to use the Google cookies indicated above.


4.- There is no "Cookies Policy", or link on the homepage that redirects the user to a new page where the
user to a new page where the cookies that are used are identified and their characteristics are
information on their characteristics.
                           BASIS OF LAW


I.- Jurisdiction:

    - On the processing of personal data and the "Privacy Policy":

The Director of the Agency is competent to initiate and resolve this procedure.

Spanish Data Protection Agency, by virtue of the powers that art. 58.2 of the RGPD recognises each Control Authority
recognises to each Control Authority and, in accordance with the provisions of arts. 47, 64.2 and 68.1 of the LOPD Act, the Director of the Spanish Data Protection Agency is
68.1 of the LOPDGDD Act.

    - About the "Cookies Policy":


The Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure, in accordance with the provisions of art. 43.1 of the Spanish Data Protection
Spanish Data Protection Agency, in accordance with the provisions of art. 43.1,
second paragraph, of the LSSI Law.

II.- On the processing of personal data from the website ***URL.1:


When accessing the website, it is noted that it is possible to enter personal data of users who wish to contact the
personal data of users who wish to contact the owner of the site,
through the link <<contact us>>, but there is no possibility to provide the necessary consent for the processing of personal data.
provide the necessary consent for the processing of personal data.

offered, nor the possibility to read and accept its privacy policy.

In this regard, Article 6.1 of the GDPR, on the lawfulness of the processing of personal data, states the following
personal data, the following:

"The processing of personal data shall be lawful if, it complies with one of the following.

(a) the data subject has given his or her consent to the processing of his or her personal data for one or more specified purposes
(b) the processing is necessary for the performance of a contract to which the data subject is a party.
(b) the processing is necessary for the performance of a contract to which the data subject is a party or for the implementation at his or her request of pre-contractual
request of the data subject; (...).


The fact that the controller of the website may obtain personal data from users without first obtaining their consent
users without having previously obtained their consent to the processing thereof, by means of a clear affirmative act
by means of a clear and voluntary affirmative act, may constitute an infringement of Article 6(1) of
infringement of Article 6.1 of the GDPR.


Article 72.1.b) of the LOPDGDD, for its part, considers as very serious, for the purposes of
the processing of personal data without meeting any of the conditions of lawfulness of the processing established in Article 6.1 of the RGPD.
conditions of lawfulness of the processing established in Article 6 of the Regulation".


C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/14



This infringement is punishable by a fine of up to €20,000,000 or,
in the case of an undertaking, an amount equivalent to a maximum of 4 % of the total annual aggregate turnover of the previous financial year.
total annual aggregate turnover in the preceding financial year, whichever is the greater.

whichever is greater, in accordance with Article 83(5)(b) of the GDPR.

The balance of the circumstances envisaged, with respect to the infringements committed, in violation of the provisions of Article 83(5)(b) of the GDPR.
committed, in violation of the provisions of Article 6.1 of the GDPR, allows for an initial sanction of 1,000 euros (one thousand euros).
1,000 euros (one thousand euros).


In addition, and in accordance with Article 58.2 of the GDPR, the corrective measure that could be imposed on the website
the owner of the website would consist of ordering it to take the necessary measures to bring it into compliance with the RGPD.
the necessary measures to bring it into line with current legislation, with the inclusion of a warning message on the website
of a warning message to read the "Privacy Policy" prior to sending personal data and a warning message to
the sending of their personal data and a mechanism that enables users to provide their personal data to the website.

consent to the processing of their personal data, in an affirmative and voluntary way, prior to the
affirmative and voluntary, prior to sending it.

III.- About the "Privacy Policy" on the website ***URL.1:

It has been verified that, if one accesses the "Privacy Policy" of the website, to

through the link on the main page of the website <<privacy>>, the web
displays a banner with information on the storage and processing of personal data for personalised advertisements and content
personal data for personalised ads and content, ad and content measurement and audience
content and audience information, as well as for developing and improving products without
products without providing information about the identity and data of the user.

contact details of the controller and, where applicable, his or her representative; the purposes of the processing for which the personal data are
purposes for which the personal data are intended to be processed and the legal basis for the processing; the legitimate interests of the data controller or the rights
legitimate interests of the controller or the rights of the user of the website in relation to the
in relation to the processing of his or her personal data.


In this regard, Recital (61) of the GDPR states that: 'Data subjects should be provided with information about the processing of their personal data.
data subjects must be provided with information on the processing of their personal data at the time it is
time when it is obtained from them or, if obtained from another source, within a reasonable period of time, depending on the circumstances of the case.
depending on the circumstances of the case. If the personal data
data may legitimately be disclosed to another recipient, the data subject should be informed at the time of disclosure.
data subject at the time when it is first disclosed to the recipient. The

controller who intends to process the data for a purpose other than that for which the data were collected must
purpose for which the data were collected should provide the data subject, prior to such further processing, with information on that other purpose.
further processing, information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided
of the personal data cannot be provided to the data subject because several sources have been used, general information should be provided.
sources, general information should be provided.


Article 13 of the GDPR, for its part, details the information that must be provided to the data subject when the data are collected directly from him or her.
provided to the data subject when the data are collected directly from him/her,
it establishes the following:


"1. Where personal data relating to a data subject are collected from him or her, the data controller shall, at the time the data are
1. Where personal data are obtained from a data subject relating to him or her, the controller shall, at the time the data are obtained, provide him or her with: a)
(a) the identity and contact details of the controller and, where applicable, his or her representative
(b) the contact details of the data protection officer, if any; (c) the contact details of the data protection officer, if any; and

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/14



(c) the purposes of the processing for which the personal data are intended to be processed and the legal basis for the processing
(d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party; and
(d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party

(e) the recipients or categories of recipients of the personal data, if any
(f) where applicable, the controller's intention to transfer personal data to a third country or international organisation and the
(f) where applicable, the controller's intention to transfer personal data to a third country or an international organisation and the existence or absence of an adequacy decision
(f) where applicable, the controller's intention to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in lArticles 46 or 47 or
the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and to the
appropriate safeguards and the means of obtaining a copy of those safeguards or the fact that a copy of those safeguards is

provided.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the data are
controller shall provide the data subject, at the time when the personal data are obtained, with the following information
the following information necessary to ensure data processing

(a) the period during which the personal data will be kept or,
(a) the period for which the personal data will be kept or, where this is not possible, the criteria used to determine this period
(b) the existence of the right to request from the controller access to, and rectification of, personal data relating to the data subject; and
(b) the existence of the right to request from the controller access to personal data relating to the data subject, and their rectification or erasure, or the restriction or limitation of their
(b) the existence of the right to request from the controller access to personal data relating to the data subject, and their
(c) where the processing is based on Article 6(1)(a) or Article 6(1)(b) or Article 6(1)(c) of the GDPR

Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any
(d) the right to lodge a complaint with a supervisory authority; and
(e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement, or
(e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract, and if the

(e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract, and
(f) the existence of automated decisions, including the processing of personal data, and the
(f) the existence of automated decisions, including profiling, as referred to in Article 22,
(f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic
(f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic applied and the significance and expected consequences of such processing

for the data subject.

Therefore, the fact that the "Privacy Policy" on the website does not disclose all of the above-mentioned aspects may be
all of the above aspects may constitute a breach of Article 13 of the GDPR.
Article 13 of the GDPR.


In this regard, Article 72.1.h) of the LOPDGDD, considers as very serious, for the purpose of
the omission of the duty to inform the data subject about the processing of his or her personal data in accordance with the provisions of Article 13 of the RGPD.
of his or her personal data in accordance with the provisions of Articles 13 and 14 of the GDPR".

This infringement can be sanctioned with a fine of up to €20,000,000 or,

20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual aggregate turnover for the financial year.
total annual aggregate turnover for the preceding financial year, whichever is the greater, in accordance with the
whichever is greater, in accordance with Article 83(5)(b) of the GDPR.

The balance of the circumstances contemplated, with respect to the offence committed,

in violation of the provisions of Article 13 of the GDPR, allows an initial sanction of
1,000 euros (one thousand euros).



C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/14




In addition, and in accordance with Article 58.2 of the GDPR, the corrective measure which could be imposed on the website
the owner of the website would consist of ordering it to take the necessary measures to bring it into compliance with the regulations in force, with the inclusion of the information required by law.
necessary measures to bring it into line with current legislation, with the inclusion of the information required.

the necessary information that it must provide to users of the website, in accordance with the provisions of Article 13 of the
stipulated in Article 13 of the GDPR.

IV.- About the Cookies Policy of the website ***URL.1:

       a). - About the installation of cookies in the terminal equipment prior to the

       consent:

Article 22.2 of the LSSI stipulates that users must be provided with clear and complete information on the use of the storage and
and complete information on the use of data storage and retrieval devices and, in particular, on the purposes of data processing.
data storage and retrieval devices and, in particular, on the purposes of the data processing.

This information must be provided in accordance with the provisions of the GDPR.

Therefore, where the use of a cookie involves a processing operation that makes it possible to
identification of the user, data controllers must ensure that the requirements of the GDPR are
compliance with the requirements set out in the data protection regulations.
data protection regulations.


However, it is necessary to point out that the following are exempt from compliance with the
obligations established in article 22.2 of the LSSI are exempted from the obligations established in article 22.2 of the LSSI.
for the intercommunication of terminals and the network and those that provide a service expressly requested by the user.
expressly requested by the user.


In this regard, the WG29, in its Opinion 4/2012, interpreted that among the cookies
would include "user input cookies" (those used to fill in forms, or to manage the user's
filling in forms, or as a shopping basket management); user authentication or identification cookies
authentication or user identification cookies (session cookies); user security cookies; user authentication or user identification cookies (session cookies); user security cookies (session cookies).

(those used to detect repeated and erroneous attempts to connect to a website); player session cookies
session cookies; media player session cookies; session cookies for load balancing; load balancing
load balancing; user interface personalisation cookies; and some plug-in cookies for
plug-ins for sharing social content.

These cookies would be excluded from the scope of application of Article 22(2) of the

LSSI, and, therefore, it would not be necessary to inform or obtain consent for their use.
use. On the contrary, it will be necessary to inform and obtain the prior consent of the user before using any other type of cookie.
prior to the use of any other type of cookies, whether first-party or third-party, session or persistent cookies.
third party, session or persistent cookies.


In the verification carried out by this Agency on the website complained of, it was possible to
When entering the main page and without performing any action on the website or accepting the cookies, it was found that, upon entering the
or accepting the cookies, the following non-necessary cookies were used:

On entering the website for the first time, without accepting cookies or taking any action on the website, the following unnecessary cookies were used

on the page, it has been verified that third party cookies (from Google) are being used
which are not technical or necessary.

       b). - On the consent to the installation of cookies on the terminal equipment:

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/14



For the use of non-excepted cookies, it will be necessary to obtain the user's express consent.
express consent of the user. This consent can be obtained

by clicking on, "accept" or by inferring it from an unequivocal action performed by the user which
user that denotes that the consent has been unequivocally given. For
Therefore, the mere inactivity of the user, scrolling or browsing through the website, shall not be
be considered, for these purposes, a clear affirmative action under any circumstances and shall not imply the
imply the provision of consent in itself. Similarly, access to
the second layer if the information is presented in layers, as well as the navigation

necessary for the user to manage his or her cookie preferences in the control panel, is also not
the control panel, is also not considered as active behaviour from which acceptance of cookies can be derived.
acceptance of cookies.

Nor is the existence of "Cookie Walls", i.e., windows, allowed.

blocking the content and access to the website, forcing the user to accept the use of cookies in order to access the website.
to accept the use of cookies in order to access the page and continue browsing without offering the user any alternative
offering users any type of alternative that allows them to freely manage their preferences on the use of cookies.
preferences regarding the use of cookies.

If the option is to go to a second layer or control panel for cookies, the link

should take the user directly to that configuration panel. To facilitate the
In addition to a granular cookie management system, the panel may be implemented with two additional
management system, two further buttons, one to accept all cookies and one to reject all cookies, may be implemented on the panel.
reject all cookies. If the user saves his choice without having selected any cookie, it will be understood that he has rejected all cookies.
cookie, it will be understood that he/she has rejected all cookies. In relation to this second

In no case are pre-ticked boxes in favour of accepting cookies admissible.
cookies.

If, for the configuration of cookies, the website refers to the configuration of the browser installed on the terminal equipment, this option could be considered as complementary.
installed on the terminal equipment, this option could be considered complementary to the configuration of the browser.

to obtain consent, but not as the only mechanism. Therefore, if the publisher
opts for this option, it must also, and in any case, offer a mechanism that allows the use of cookies to be
to refuse the use of cookies and/or to do so in a granular manner.

On the other hand, the withdrawal of the consent previously given by the user
must be possible at any time. To this end, the publisher must offer a

mechanism that makes it possible to withdraw consent easily at any time.
at any time. Such a facility shall be deemed to exist, for example, when the user
user has easy and permanent access to the cookie management or configuration system.
cookies.


If the publisher's cookie management or configuration system does not make it possible to prevent the use of third-party cookies once they have been accepted by the user, it shall be
the use of third-party cookies once they have been accepted by the user, information will be provided on the tools provided by the browser and the third
information on the tools provided by the browser and third parties,
should the user accept third-party cookies and subsequently wish to delete them, he/she must do so from his/her own browser.
delete them, they must do so from their own browser or the system enabled by the third parties.

third parties for this purpose.

In this case, the banner on the first layer makes it possible to accept all cookies or to manage them in the control panel.
cookies or manage them in the control panel. However, if you go to the

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/14



control and you choose "reject all cookies", in the existing option you will see that the website still
the website continues to use third party cookies that are not technical or necessary.
necessary.


       c). - Regarding the information provided in the second layer (cookies policy): c).
cookies):

In the second layer or "cookie policy" more de-
more detailed information on the characteristics of cookies, including information on, for example, the definition of

and generic function of cookies (what cookies are); on the type of cookies used and their purpose (what types of cookies are used on the
used and their purpose (what types of cookies are used on the website); the identification of who uses the cookies, i.e., what types of cookies are used on the website; the
identification of who uses the cookies, i.e. whether the information obtained by the cookies is processed only by the
cookies is processed only by the publisher and/or also by third parties with identification of the latter; the period for which the cookies are kept; and the type of information collected by the cookies.
the latter; the period for which the cookies are stored on the terminal equipment; and whether it is the

information on data transfers to third countries and profiling involving the taking of personal data.
profiling involving automated decision-making.

In the case in question, the information on cookies provided in the control panel does not identify the cookies used.
control panel does not identify the cookies used on the website, nor their purpose, nor how long they will be active.
time they will be active, only generic information is provided on their purpose.

cookies.

       d). - Qualification and penalties that may be applicable with respect to the
       infractions committed in the Cookies policy:


Of the deficiencies detected, with respect to the cookies policy, on the website in question: the use of third-party cookies that are not technical or necessary
the use of third party cookies that are not technical or necessary; the impossibility of rejecting third party cookies and the
impossibility of rejecting third-party cookies and the lack of information in the "cookies policy
"cookies policy", could lead to the defendant committing an infringement of Article 22.2 of the
infringement of Article 22.2 of the LSSI, as it establishes that:


"Service providers may use data storage and retrieval devices in the terminal equipment of the user".
data storage and retrieval devices on recipients' terminal equipment, on condition that
the recipients have given their consent after they have been given clear and complete information on their use, and
clear and comprehensive information on their use, in particular on the purposes of the data processing, in accordance with the
processing of the data, in accordance with the provisions of Organic Law 15/1999 of 13 December 1999.

December 1999 on the protection of personal data.

Where technically possible and effective, the consent of the recipient to accept the processing of data may be provided by
data processing may be provided through the use of appropriate settings in the browser or other applications.
browser or other applications.


This shall not prevent the possible storage or access of a technical nature for the sole
for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the
or, to the extent strictly necessary, for the provision of an information society service expressly requested by the
an information society service expressly requested by the user, or to the extent strictly necessary for the provision of an information society service expressly requested by the user.

the addressee'.

This infringement is classified as "minor" in Article 38.4 g), of the aforementioned Law, which
The following is considered as such: "Using data storage and retrieval devices

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/14



where the information has not been provided or the consent of the recipient of the service has not been obtained as required by Article 22.2.
of the recipient of the service under the terms required by Article 22.2.
sanctioned with a fine of up to 30,000 €, in accordance with article 39 of the aforementioned law.

LSSI.

Following the evidence obtained during the preliminary investigation phase, and without prejudice to
the results of the investigation, it is considered that the sanction to be imposed should be graded according to the following criteria
imposed in accordance with the following aggravating criteria, as established in art. 40 of the LSSI
the LSSI: The existence of intentionality, an expression that must be interpreted as

equivalent to the degree of culpability in accordance with the National High Court Judgment of 12/11/07, handed down in
Judgment of the Audiencia Nacional of 12/11/07 in Appeal No. 351/2006, and it is the responsibility of the entity
the defendant entity to determine a system for obtaining informed consent that complies with the mandate of the
informed consent that complies with the mandate of the LSSI.


In accordance with these criteria, it is considered appropriate to impose an initial sanction of
1,000 euros (one thousand euros), for the infringement of Article 22.2 of the LSSI, with respect to the
cookies policy on the website owned by the company.

Therefore, in view of the foregoing, by the Director of the Spanish Data Protection Agency
Spanish Data Protection Agency,

                                    IT IS AGREED:

TO INITIATE: PENALTIATING PROCEDURE against Ms. A.A.A., with NIF: ***NIF.1,
owner of the website ***URL.1 for:


a). - Infringement of Article 6.1 of the RGPD due to the lack of a mechanism which
users to give their consent to the processing of their personal data.

b). - Infringement of Article 13 of the RGPD, due to the lack of necessary information in the "Privacy Policy", as established in the aforementioned
b) Infringement of Article 13 of the GDPR, due to the lack of necessary information in the "Privacy Policy", as established in said article,


c). - Infringement of Article 22.2 of the LSSI, due to the deficiencies detected on its website with regard to the
website with regard to the "Cookies Policy".

APPOINT: Mr. C.C.C. as Instructor, and Ms. D.D.D. as Secretary, as the case may be,
indicating that either of them may be challenged, where appropriate, in accordance with the provisions of this

established in articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP).
of the Public Sector (LRJSP).

INCORPORATE: into the sanctioning file, for evidentiary purposes, the complaint
complaint lodged by the claimant and its documentation, the documents obtained and

generated by the Subdirectorate General for Data Inspection during the investigation phase, all of which form part of the present file.
investigations, all of which form part of the present administrative file.

WHAT: for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of the
Common Administrative Procedure of the Public Administrations, the sanction that

would be

a) - 1,000 euros (one thousand euros), for the infringement of article 6.1 of the GDPR, without prejudice to
whatever may result from the investigation of the present case.

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/14

b) - 1,000 euros (one thousand euros), for the infringement of Article 13 of the GDPR, without prejudice to the outcome of the
(b) 1,000 euros (one thousand euros), for infringement of Article 13 of the RGPD, without prejudice to the outcome of the investigation of this case.


c).- 1,000 euros (one thousand euros), for infringement of Article 22.2 of the LSSI, without prejudice to the results of the
of the LSSI, without prejudice to the outcome of the investigation of the present case.

The total sanction that could correspond would be: 3,000 euros (three thousand euros).


TO NOTIFY: this agreement to initiate disciplinary proceedings against Ms. A.A.A.,
granting her a period of ten working days in which to make any allegations and present any
allegations and present the evidence that she considers appropriate.

If she does not make any allegations within the stipulated period of time, this agreement to initiate the proceedings will

may be considered a proposal for a resolution, in accordance with the provisions of article
64.2.f) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter referred to as the
Public Administrations (hereinafter, LPACAP).

Pursuant to the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a
sanction to be imposed is a fine, he/she may acknowledge his/her responsibility within the

period granted for the formulation of allegations to the present initiation agreement; which will entail a reduction of the fine.
which will entail a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to the
in these proceedings, equivalent in this case to 600 euros. With the application of
this reduction, the sanction would be set at 2,400 euros, and the procedure would be resolved with the imposition of this sanction.
2,400, the procedure being resolved with the imposition of this sanction.


Similarly, he may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed penalty, which will
the present procedure, make voluntary payment of the proposed sanction, which will entail a 20% reduction of
will result in a reduction of 20% of the amount of the penalty, equivalent in this case to
600 euros. With the application of this reduction, the sanction would be set at

2,400 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty can be accumulated to the one that corresponds to the one that corresponds
for acknowledgement of liability, provided that this acknowledgement of liability is made clear within
of liability is made manifest within the period granted for making allegations to the opening of the procedure.
allegations to the opening of the procedure. Voluntary payment of the amount referred to

in the previous paragraph may be made at any time prior to the decision. In
in this case, if both reductions were to be applied, the amount of the sanction would be
1,800 euros (one thousand eight hundred euros).

In any case, the effectiveness of either of the two aforementioned reductions will be

conditional on the abandonment or waiver of any administrative action or appeal against the sanction.
administrative action or appeal against the sanction.

If you choose to proceed to voluntary payment of any of the aforementioned amounts, you will have to pay them into the account
above, it must be paid into the account number ES00

0000 0000 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the Banco CAIXABANK, S.A., S.A.
at Banco CAIXABANK, S.A., indicating in the concept the reference number of the
the reference number of the procedure that appears in the heading of this document and the
the reason for the reduction of the amount to which you are applying.

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/14

It must also send proof of payment to the Subdirectorate General for Inspection in order to continue with the procedure in accordance with the amount due.
Inspection in order to continue with the procedure in accordance with the amount of the

deposited.

The procedure will have a maximum duration of nine months from the date of the
date of the agreement to initiate the procedure or, where appropriate, the draft agreement to initiate the procedure.
Once this period has elapsed, the procedure will lapse and, consequently, the proceedings will be archived.
proceedings; in accordance with the provisions of Article 64 of the LOPDGDD.


Lastly, it should be noted that in accordance with the provisions of Article 112.1 of the
LPACAP, no administrative appeal may be lodged against this act.

Mar España Martí

Director of the Spanish Data Protection Agency.


>>


SECOND: On 26 April 2022, the defendant has paid the fine in the amount of
the penalty in the amount of 1800 euros, making use of the two reductions provided for in the above-transcribed
in the initiation agreement transcribed above, which implies acknowledgement of liability.
liability.


THIRD: The payment made, within the period granted to make allegations at the time of
the initiation of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the
against the sanction and the recognition of responsibility in relation to the facts referred to in the
the facts referred to in the Agreement of Initiation.


LEGAL GROUNDS

                                           I


In accordance with the provisions of article 43.1 of Law 34/2002, of 11 July 2002, of
information society and electronic commerce services (hereinafter referred to as the
LSSI), the powers that Article 58.2 of Regulation (EU) 2016/679 (Regulation

General Data Protection Regulation (hereinafter GDPR), grants to each supervisory authority and as established in
authority and in accordance with the provisions of Articles 47 and 48.1 of Organic Law 3/2018, of 5 December on Data
5 December, on the Protection of Personal Data and guarantee of the rights of individuals with regard to their personal data

rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
procedure is the Director of the Spanish Data Protection Agency.

Likewise, Article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency shall be governed by the provisions of the Regulation (EU)
in Regulation (EU) 2016/679, in this Organic Law, in the provisions


C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/14



regulations issued for their implementation and, insofar as they do not contradict them, in the
subsidiary, by the general rules on administrative procedures".


Finally, the fourth Additional Provision "Procedure in relation to the competences attributed to the
competences conferred on the Spanish Data Protection Agency by other provisions.

laws" establishes that: "The provisions of Title VIII and in its implementing regulations
shall be applicable to the procedures that the Spanish Data Protection Agency may have to process in the exercise of its powers".
Data Protection Agency has to process in exercise of the powers conferred on it by other laws".

other laws.


                                            II


Article 85 of Law 39/2015, of 1 October 2015, on the Common Administrative Procedure of the Public Administrations
Administrative Procedure for Public Administrations (hereinafter, LPACAP), under the heading
"Termination of sanctioning procedures" provides as follows:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his or her responsibility, the procedure may be terminated with the imposition of a fine,
the procedure may be terminated with the imposition of the appropriate sanction.


2. Where the sanction is of a pecuniary nature only or where both a pecuniary and a non-pecuniary sanction may be imposed.
financial penalty and a non-financial penalty but it has been justified that the latter is not
the latter has been justified, voluntary payment by the alleged offender, at any time prior to the
at any time prior to the decision, shall terminate the proceedings,

except with regard to the reinstatement of the altered situation or the determination of the compensation for the
compensation for damages caused by the commission of the infringement.

3. In both cases, where the sanction is solely of a pecuniary nature, the body responsible for the
3. In both cases, where the penalty is of a pecuniary nature only, the body responsible for deciding on the procedure shall apply reductions of at least

20 % of the amount of the proposed penalty, which may be cumulated.
Such reductions shall be specified in the notification of the initiation of the procedure and their
of the procedure and their effectiveness shall be conditional on the abandonment or waiver of any administrative
any administrative action or appeal against the penalty.

The percentage reduction foreseen in this section may be increased by

by regulation.

In accordance with the foregoing,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: TO DECLARE the termination of procedure PS/00132/2022, pursuant to the provisions of Article 85 of the LPACAP.
pursuant to the provisions of Article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to A.A.A..


In accordance with the provisions of Article 50 of the LOPDGDD, the present
Resolution will be made public once it has been notified to the interested parties.

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/14









Against this decision, which puts an end to administrative proceedings in accordance with the provisions of art.
art. 114.1.c) of Law 39/2015, of 1 October, on Administrative Procedure

Administrations, the interested parties may lodge an appeal for judicial review before the Administrative
administrative appeal before the Contentious-Administrative Chamber of the National High Court, pursuant to
Audiencia Nacional, in accordance with the provisions of Article 25 and section 5 of

of the fourth additional provision of Law 29/1998, of 13 July 1998, regulating the contentious-administrative
Administrative Jurisdiction, within two months of the day following notification of this act.
day following notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law.
aforementioned Law.



                                                                                  936-240122
Mar España Martí
Director of the Spanish Data Protection Agency


C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es