AEPD (Spain) - PS/00132/2022: Difference between revisions

From GDPRhub
Line 74: Line 74:
The data subject complained about three aspects of the controller’s website: The contact form, the Privacy Policy and the Cookie Policy.  
The data subject complained about three aspects of the controller’s website: The contact form, the Privacy Policy and the Cookie Policy.  


The contact form of the website (by which website user may contact the controller) did not provide the data subject with the possibility to consent to the processing of their personal data (name and email address, a.o.).  
The contact form of the website (by which website user may contact the controller) did not provide the data subject with the possibility to consent to the processing of their personal data (including name and email address). The website’s Privacy Policy did not disclose all the relevant information mentioned in [[Article 13 GDPR]] to the data subject, hence the controller did not fulfill their obligation to inform. The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookies policy about the cookies in use. The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies – which were considered neither necessary nor functional by the DPA - were already in use even before the data subject actively and expressly gave their consent or took action on the website. Furthermore, the data subject did not have the possibility to withdraw their consent regarding the cookies either.  
 
The website’s Privacy Policy did not disclose all the relevant information mentioned in [[Article 13 GDPR]] to the data subject, hence the controller did not fulfill his obligation to inform.
 
The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookies policy about the cookies in use.
 
The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies – which were considered neither necessary nor functional by the DPA - were already in use even before the data subject actively and expressly gave their consent or took action on the website.  
 
The data subject did not have the possibility to withdraw their consent regarding the cookies either.  
In addition to that, the Cookie Policy, which should give the data subject access to more detailed information regarding the features of the cookies used, neither disclosed the activity time, nor mission or the precise identification of the cookies.  
In addition to that, the Cookie Policy, which should give the data subject access to more detailed information regarding the features of the cookies used, neither disclosed the activity time, nor mission or the precise identification of the cookies.  
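Review bot: the rewritten facts text now runs the contact form, the Privacy Policy, the three cookie issues and the consent withdrawal point together in one block, where the earlier text had one paragraph per topic. Suggest keeping the paragraph breaks and carrying over only the wording fixes ("including name and email address" for "a.o.", "their obligation" for "his obligation").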


Line 88: Line 80:
The Spanish DPA imposed a fine on the controller amounting to €3.000.
The Spanish DPA imposed a fine on the controller amounting to €3.000.


The processing of personal data without consent of the data subject – thus without a valid legal basis and a violation of [[Article 6 GDPR|Article 6 GDPR]] - was fined with €1,000.
The processing of personal data without consent of the data subject – thus without a valid legal basis and a violation of [[Article 6 GDPR|Article 6 GDPR]] - was fined with €1,000.  


The violation of [[Article 13 GDPR]] was also fined with €1,000.  
The violation of [[Article 13 GDPR]] was also fined with €1,000.  


The use of cookies without expressed consent of the data subject – which violated Spanish national law, LSSI, and GDPR – was fined with €1,000 as well.
The use of cookies without expressed consent of the data subject – Article 22.2 LSSI – was fined with €1,000 as well. The DPA explained that Article 22.2 LSSI takes reference to the GDPR. The information provided to the user about the use of storage devices and data recovery as well as the purposes of processing must be disclosed in accordance with the GDPR provisions. That is because the use of a cookie entails the possible identification of the user
 
In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.
In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.
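Review bot: the new Article 22.2 LSSI passage ends without a full stop after "possible identification of the user", and "takes reference to the GDPR" would read better as "refers to the GDPR". The rewrite also drops the earlier statement that the cookie use "violated Spanish national law, LSSI, and GDPR", so check that the narrower "Article 22.2 LSSI" wording matches the decision. The unchanged total "€3.000" uses a different thousands separator from the "€1,000" items and could be aligned in the same edit.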


Line 98: Line 91:


== Comment ==
== Comment ==
''Share your comments here!''
 
# personal darta
 
''article 72.1.b) of the LOPDGDD considers it very seriousour comments here!''
 
2. privacy policy : , '''article 72.1.h) of the'''  '''LOPDGDD''', considers it very serious


== Further Resources ==
== Further Resources ==
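Review bot: the Comment section text was typed over the placeholder, leaving "very seriousour comments here!" with the tail of "Share your comments here!" still attached, along with the typo "personal darta". The list also mixes "#" and "2." numbering and has a stray " : ," after "privacy policy"; suggest two "#" items, each naming the matter and the LOPDGDD article that classifies it as very serious.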

Revision as of 13:36, 13 July 2022

AEPD - PS-00132-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Recital 25 ePrivacy Directive (2002/58/EC)
Article 22.2 LSSI
Type: Complaint
Outcome: Upheld
Started: 07.04.2022
Decided: 26.04.2022
Published: 28.06.2022
Fine: 1,800 EUR
Parties: n/a
National Case Number/Name: PS-00132-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined the owner of a commercial website €3,000 (reduced to €1,800) for the processing of personal data and the use of cookies without a legal basis and for not providing sufficient information to the data subject under Article 13 GDPR.

English Summary

Facts

On 7 April 2022, the data subject, Mr. B.B.B., filed a complaint with the Spanish DPA (AEPD) stating that the owner of a commercial website, Ms. A.A.A., herein the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law).

The data subject complained about three aspects of the controller’s website: the contact form, the Privacy Policy and the Cookie Policy.

The contact form of the website (through which website users may contact the controller) did not give the data subject the possibility to consent to the processing of their personal data (including name and email address).

The website’s Privacy Policy did not disclose to the data subject all the relevant information mentioned in Article 13 GDPR, hence the controller did not fulfill their obligation to inform.

The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookie Policy about the cookies in use. The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies, which the DPA considered neither necessary nor functional, were already in use before the data subject actively and expressly gave their consent or took any action on the website. Furthermore, the data subject did not have the possibility to withdraw their consent regarding the cookies. In addition, the Cookie Policy, which should give the data subject access to more detailed information about the features of the cookies used, disclosed neither the activity time, nor the mission, nor the precise identification of the cookies.

Holding

The Spanish DPA imposed a fine on the controller amounting to €3,000.

The processing of personal data without the consent of the data subject, and therefore without a valid legal basis and in violation of Article 6 GDPR, was fined €1,000.

The violation of Article 13 GDPR was also fined €1,000.

The use of cookies without the express consent of the data subject (Article 22.2 LSSI) was fined €1,000 as well. The DPA explained that Article 22.2 LSSI refers to the GDPR. The information provided to the user about the use of storage devices and data recovery, as well as the purposes of processing, must be disclosed in accordance with the GDPR provisions. That is because the use of a cookie entails the possible identification of the user.

In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.

On 26 April 2022, the controller paid the fine, which was reduced to €1,800.

Comment

1. personal data: article 72.1.b) of the LOPDGDD considers it very serious

2. privacy policy: article 72.1.h) of the LOPDGDD considers it very serious

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: PS/00132/2022
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT
In the procedure conducted by the Spanish Data Protection Agency, and based on the following
BACKGROUND
FIRST: Dated 7...