AEPD (Spain) - PS/00132/2022

From GDPRhub
Revision as of 14:44, 13 July 2022 by Lwr
AEPD - PS-00132-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Recital 25 ePrivacy Directive (2002/58/EC)
Article 22.2 LSSI
Type: Complaint
Outcome: Upheld
Started: 07.04.2022
Decided: 26.04.2022
Published: 28.06.2022
Fine: 1,800 EUR
Parties: n/a
National Case Number/Name: PS-00132-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined the owner of a commercial website €3,000 (reduced to €1,800) for the processing of personal data and the use of cookies without a legal basis and for not providing sufficient information to the data subject under Article 13 GDPR.

English Summary

Facts

On 7 April 2022, the data subject, Mr. B.B.B., filed a complaint with the Spanish DPA (AEPD) stating that the owner of a commercial website, Ms. A.A.A., hereinafter the data controller, violated Article 6 GDPR and Article 13 GDPR, as well as Article 22.2 LSSI (Spanish national law).

The data subject complained about three aspects of the controller’s website: the contact form, the Privacy Policy and the Cookie Policy.

The contact form of the website (through which website users may contact the controller) did not give the data subject the possibility to consent to the processing of their personal data (including name and email address).

The website’s Privacy Policy did not disclose to the data subject all the relevant information mentioned in Article 13 GDPR, hence the controller did not fulfill their obligation to inform.

The three main issues identified by the AEPD in relation to the cookies were 1) the use of third-party cookies which were not necessary or functional, 2) the impossibility of rejecting those cookies and 3) the lack of information provided in the Cookie Policy about the cookies in use. The cookie plugin of the website allowed the user to accept all cookies or to decline those which were not necessary or functional. However, Google cookies, which the DPA considered neither necessary nor functional, were already in use before the data subject actively and expressly gave their consent or took any action on the website. Furthermore, the data subject did not have the possibility to withdraw their consent regarding the cookies. In addition, the Cookie Policy, which should give the data subject access to more detailed information about the features of the cookies used, disclosed neither the activity time, nor the mission, nor the precise identification of the cookies.

Holding

The Spanish DPA imposed a fine of €3,000 on the controller.

The processing of personal data without the consent of the data subject, and thus without a valid legal basis and in violation of Article 6 GDPR, was fined €1,000.

The violation of Article 13 GDPR with regard to the Privacy Policy was also fined €1,000.

Article 22(2) LSSI holds that the data subject must be informed if the controller employs cookies and requires the controller to offer the data subject the opportunity to reject them. Thus, the use of cookies without the express consent of the data subject violates Article 22.2 LSSI, and this violation was fined €1,000 as well. The DPA further explained that the information provided to the user about the use of storage devices and data recovery, as well as about the purposes of processing (also about cookies), must be disclosed in accordance with the GDPR provisions. In addition to the fine, the owner had to adapt the website to the current requirements set out by the GDPR.

On 26 April 2022, the controller paid the fine, which was reduced to €1,800.

Comment

Further Resources


English Machine Translation of the Decision