AEPD (Spain) - PS/00151/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 28(3) GDPR
34/2002
3/2018
Type: Complaint
Outcome: Upheld
Started:
Decided: 23.06.2021
Published: 02.07.2021
Fine: 7000 EUR
Parties: n/a
National Case Number/Name: PS/00151/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mohamed Siddibeh Kurubally

The Spanish DPA fined a controller, Marbella Resorts, €7000 (reduced to €4200) for not having a data processing agreement with the processor and for infringing the Spanish Law regulating cookies by, among other things, placing unnecessary cookies without obtaining user consent.

English Summary

Facts

The decision is the consequence of a complaint submitted by a data subject to the Spanish DPA (AEPD) stating that, after being a guest in a hotel, they were warned that their ID card had been found, along with their personal information, on an adult website.

Also, the data subject addressed an access request to the hotel, which informed them that on the day the data subject checked in, the reception desk was closed and the person who scanned their ID card was an employee of the building's owners association, which managed the entry/exit of the guests outside opening hours.

Additionally, the DPA, while verifying the controller's website, found that its cookie banner did not have a link to the cookie policy or sufficient information, that it used unnecessary cookies before obtaining consent, and that it did not allow users to reject only the unwanted cookies.

Holding

The AEPD concluded that the defendant had infringed Article 28(3) of the GDPR, since the controller did not have a data processing agreement with the processor (building's owners association) to govern the processing of personal data. Consequently, the AEPD fined the controller €5000 for the infringement of Article 28(3) GDPR.

Besides that, the AEPD fined the controller €2000 for infringing Article 22 of the Spanish Law implementing the e-Privacy Directive (LSSI), for not properly informing the users about the use of cookies and for placing unnecessary cookies without consent, without the possibility of individually rejecting them.

In total, the AEPD fined the controller €7000, which was reduced to €4200 due to early and voluntary payment and the controller's recognition of its responsibility.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: PS/00151/2021


RESOLUTION R/00479/2021 TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

In sanctioning procedure PS/00151/2021, conducted by the Spanish Data Protection
Agency against MARBELLA RESORTS, S.L., in view of the complaint filed by A.A.A.,
and based on the following,

                                 BACKGROUND

FIRST: On June 9, 2021, the Director of the Spanish Data Protection Agency agreed
to initiate a sanctioning procedure against MARBELLA RESORTS, S.L. (hereinafter,
the claimed party), by means of the Agreement transcribed below:

<<
Procedure No.: PS / 00151/2021


            AGREEMENT TO START THE SANCTIONING PROCEDURE

As a result of the actions carried out by the Spanish Data Protection Agency with
regard to the entity MARBELLA RESORTS, S.L., with CIF: B93169076 (hereinafter, “the
claimed party”), by virtue of the complaint filed by Ms. A.A.A. (hereinafter, “the
claimant”), and based on the following:

                                      FACTS

FIRST: On 11/23/20, this Agency received a document submitted by the claimant,
which stated, among other things, the following:

“A reservation was made through the *** URL.1 portal at the establishment Marbella
Resorts S.L. (XXXXXXXXX Suites). After leaving the establishment, a WhatsApp message
is received warning that the ID card, along with personal information, has been
found on an adult content page.

A complaint is filed with the General Directorate of the Police of *** LOCALIDAD.1,
and a notarial record is drawn up of the various publications and their content on
the web page.

An access request is addressed to the person responsible for the processing of the
data of the hotel establishment, who reports the following:

       "On the day of the incident, when the check-in took place, outside the
       establishment's opening hours, the reception was closed and the person who
       scanned the identity card of the affected person was the concierge of the
       company hired by the community of neighbors of the building to manage
       entry/exit outside opening hours. The company contracted for this service is
       JUBASER DE CONTROL, S.L. This company has no connection with the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18








       hotel establishment (Marbella Resorts SL - XXXXXXXXX Suites),
       only with the community of neighbors of the building”.


On the other hand, when trying to verify that the person responsible for the
processing had guaranteed the confidentiality of the data and applied the technical
and organizational measures to ensure compliance with data protection regulations,
it was found that data protection did not seem to be a priority, as is reflected in
its web page *** URL.2, where the previous Organic Law 15/99 continues to appear and
where the information required by Law 34/2002, of July 11, on information society
services and electronic commerce, is not contained. The same happens with the forms,
which do not have any data protection clause. Likewise, cookies are present without
proper configuration, including cookies that allow an international transfer of
data, such as those of Facebook and Google”.


SECOND: On 02/04/21, this Agency sent a request for information to the claimed
party, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of
December 5, on the protection of personal data and guarantee of digital rights
("LOPDGDD").


THIRD: On 03/04/21, the claimed entity sent a reply to the request made by this
Agency, in which, among other things, it indicated:

“On June 23, 2020, we received an email from the claimant at the entity's
administration email *** EMAIL.1, in which she informs us that on June 6, 2020, she
stayed at our establishment for one night and arrived at about 20:00. She tells us
that she has discovered that the image of her ID, along with disparaging remarks
about her, has been posted on a website with pornographic content (of which she
sends us, as proof, a screenshot of said publication) and informs us that she has
filed a complaint at the police station of *** LOCALITY. 1 (Málaga), which was
already being processed in the court of the same locality, and that she is also
preparing a complaint to the AEPD. She then asks to speak with the director or
manager to address the issue in person. On the same day, June 23, 2020, the claimant
is answered from the entity's administration email, informing her that we are
investigating what occurred and that the manager or, failing that, the company's
lawyer will contact her.


Within a few hours on that same day, June 23, 2020, the claimant responds asking us
to identify the person who gave her the keys to the apartment and made a copy of her
documentation, and reiterates her wish to speak with the person responsible for the
entity. On receiving the claimant's first email, we began to investigate what
happened, and we soon discovered the following:

We collected the information on the lady's reservation; specifically, we checked
through which channel her reservation arrived, the means of payment, the invoice for
the accommodation, which Suite the lady stayed in, etc. - The claimant stayed in our
apartments, specifically in Suite *** SUITE.1, on the night of June 6, 2020
(Saturday), and the claimant's arrival time was around 20:00, as she herself informs
us. - At the time of the claimant's arrival, the reception of

our apartments was closed, so the person who attended to the claimant was not a
worker of our entity, but of the concierge service hired by the community of owners
of the building.


On June 25, 2020, the lawyer hired by our entity sends an e-mail to the claimant
informing her that an investigation has been carried out into whether any member of
our entity had anything to do with the matter, with negative results, since the
person who attended to her does not belong to our entity but is a member of the
concierge service hired by the community of owners. The entity's willingness to
collaborate in clarifying such an unpleasant affair is reiterated.

On July 30, 2020, we received a burofax from the claimant exercising the right of
access, in which she requests certain information (…).


Our worker contacts the security manager of the concierge company, informs him of
the incident that occurred with the claimant and asks him to confirm the identity of
the concierge who worked that night. The head of security of the concierge company
confirms the identity of the concierge (simply providing us with a name) and tells
us that he would try to find out what happened, a matter of which we have no record.

Once the name of the concierge who worked that night is known, the concierge is
called and asked whether he remembers any special incidents that occurred that
night, specifically with the clients staying in Suite *** SUITE.1, to which he
answers with the reminder that that night he himself called to convey the complaints
from the surrounding clients about noise coming from Suite *** SUITE.1, but he does
not tell us anything in particular about the claimant and does not remember anything
else about that night.


On August 25, 2020, the claimant is sent the response to her request for the right
of access, as well as the result of the internal investigation carried out by the
company, by reliable electronic communication.

There is no direct contractual relationship between the concierge company and our
entity. The concierge company is hired by the Community of Owners of the building,
and therefore responsible for its operation. The legal relationship between the
apartment owner and our entity is based on a contract in which it is specified that
the concierge functions will be carried out by the concierge service contracted by
the Community of Owners. In this case we provide a copy of the original rental
contract with the owner of Suite *** SUITE.1, in which the lady stayed.


In accordance with art. 13 RGPD, regarding the information that must be provided when the
personal data is obtained from the interested party, the
information to the interested parties, when the information is received directly from them,
both the identity and contact details of the Data Controller, the purposes

of the treatment, the recipients, the period of conservation of the data, the rights
that they can exercise (access, rectification, deletion, limitation, opposition and
portability), the right to withdraw consent at any time, the right
to file a claim with the Control Authority, if the communication of data

personal is a legal or contractual requirement, or a necessary requirement to subscribe
a contract and if the interested party is obliged to provide personal data and is
informed of the possible consequences of not providing such data and if there are

automated decisions.

In particular, with regard to the information provided to users about the use of
cookies and the purposes of data processing, as well as the way to obtain, reject or
withdraw consent for their use. The dates of implementation and the controls carried
out to verify its effectiveness are also requested. We have updated our website
*** URL.2 regarding the information provided to users about the use of cookies and
the purposes of data processing, as well as the way to obtain, reject or withdraw
consent for their use, so that they are in accordance with the provisions of article
22.2 of the LSSI. It was implemented on February 12, 2021, and has been reviewed by
our lawyer specializing in data protection.

We have decided that the concierge staff (who, as noted, are unrelated to our
entity) will not make a copy of the clients' documentation but will simply check on
arrival who is the holder of the reservation in order to hand over the keys. It is
always our own staff who take care of copying/scanning our clients' documentation in
order to send the corresponding travelers' report to the police. In addition, we
have asked the community of owners of the building to review the contract that binds
it to the concierge company, and more specifically the data protection protocol, to
guarantee that incidents of this type do not occur in the future and, in any case,
to preserve the rights and freedoms of the interested parties.

On the measures adopted to prevent similar incidents from occurring, implementation
dates and controls carried out to verify their effectiveness. We have carried out
the following measures:
• An update of the contracts that establish the legal relationship with the
  apartment owners.
• The staff of the entity who have access to personal data (nine, in principle)
  take an information and training course on personal data protection. In this case
  we provide a copy of the diplomas that certify the completion of the course.


We want to record the full availability of our entity to clarify the incident that
occurred, and the effort and determination put into carrying out an investigation
whose outcome has revealed the direct responsibility of an employee of a company
that provides services for the Community of Owners where the rented apartment is
located; and that all that information has been passed on to the person concerned
and to the Courts and Tribunals where the judicial investigation of what happened is
being carried out”.

FOURTH: On 03/30/21, the Director of the Spanish Data Protection Agency issued an
agreement admitting the claim for processing, in accordance with article 65 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee
of digital rights (LPDGDD), considering that the response given by the claimed party
to this Agency in relation to the indicated facts does not accredit the legality of
the processing of personal data.


FIFTH: On 06/01/21, this Agency carried out the following checks on the reported
website (*** URL.2):

    - A) .- On the processing of personal data:

1.- Through the link at the top of the main page, <<contact>>, the web redirects
the user to a new page, *** URL.3, displaying a form where personal data such as
name and email can be entered. Before the form can be submitted, the user must check
the box stating that they have read and accepted the privacy policy and the legal
notice.


    - B) .- About the "Privacy Policy":

1.- Through the link << Privacy Policy >>, present in the form and at the bottom of
the main page, the web redirects to a new page, *** URL.4, where information is
provided, in the privacy policy section, about: the identification of the person
responsible for data processing; the purpose of the data collection and the legal
basis for it; the possible recipients of the data; the rights of users with regard
to the processing of their personal data and how to exercise them; and the security
measures of the web, all of this with reference to the new legislation in force
(GDPR and LOPDGDD).


    - C) .- About the Cookies Policy:

1.- When entering the initial page of the web (first layer), it is verified that,
without performing any action or accepting cookies, unnecessary cookies are used,
both first-party and third-party, whose identifiers, domain, description and
lifetime are:

    - _thn_ss: *** URL.5. Sets an identifier for the session that allows the
        website to obtain visitor behavior data for statistical purposes
        (lifetime 1 day).

    - DV: www.google.com. Used to provide services and extract information
        about navigation (lifetime 1 day).

    - NID: www.google.com. The purpose of this cookie is to store information
        on the preferences of the users (lifetime 6 months).

    - CONSENT: www.google.com. Controls the acceptance of cookies (permanent).

    - _hj: *** URL. 2. Monitors user behavior when browsing the web
        (lifetime 1 year).

    - thn_id: *** URL.6. This cookie is created to identify users with a unique
        ID (lifetime 2 years).


    - 1P_JAR: www.google.com. Cookie used to personalize ads according to
        the interests of the user (lifetime one month).

    - IDE: *** URL. 7. Used to display advertising related to navigation
        (lifetime 1 year).

    - _hjid: *** URL. 2. Used to obtain visitor behavior data for statistical
        purposes (lifetime 1 year).

    - _ga: *** URL. 2. Used to identify users (lifetime 2 years).

    - _fbp: *** URL. 2. Used to offer a series of advertising products, such
        as real-time offers from third-party advertisers (lifetime 1 day).

    - _gat: *** URL. 2. Used to control the request rate (lifetime 1 day).

    - _gid: *** URL. 2. Used to identify users (lifetime 2 years).

    - __thn_ss: *** URL. 6. This cookie allows the user experience to be
        personalized (session cookie).

2.- The banner about cookies that appears on the main page provides the following
information:


  “Our website uses cookies to improve your browsing experience and to
  offer content tailored to your needs. By clicking "Allow" you accept the
     cookie storage. For more information, please see our
                         << privacy policy >> - <<accept>>


3.- If the "Privacy Policy" is accessed, through the link in the banner or through
the link at the bottom of the main page, << policies >>, the web redirects to a new
page, *** URL.3, which provides information, in the cookies section, on what cookies
are and the types of cookies that exist, but no information is provided on the
cookies that the page uses, nor are they identified.

On how to manage cookies, the page refers the user to the configuration of the
browser installed on their terminal equipment, and there is no mechanism that allows
all cookies to be rejected or managed in a granular way.


SIXTH: In view of the facts reported and in accordance with the evidence available,
the Data Inspection of this Spanish Data Protection Agency considers that the
foregoing does not comply with current regulations, and therefore the opening of
this sanctioning procedure is appropriate.


                                 LEGAL GROUNDS

                                 I.- Competence:

    - On the processing of personal data and on the "Privacy Policy" of the
        website it owns:


The Director of the Spanish Data Protection Agency is competent to initiate and
resolve this sanctioning procedure, by virtue of the powers that art. 58.2 of
Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/16,
on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data (GDPR), grants to each supervisory authority
and as established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Sections 1) and 2) of article 58 of the GDPR list, respectively, the investigative
and corrective powers that the supervisory authority may exercise for this purpose,
mentioning in point 1.d) that of: “notify the controller or the processor of alleged
infringements of this Regulation” and in 2.i) that of: “impose an administrative
fine in accordance with article 83, in addition to or instead of the measures
mentioned in this section, according to the circumstances of each case”.


    - About the "Cookies Policy" of the website it owns:

In accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of
July 11, on Information Society Services and Electronic Commerce (LSSI), the
Director of the Spanish Data Protection Agency is competent to initiate and resolve
this sanctioning procedure.
                                             II

    - On the management of the processing of personal data:

In the present case, the claimant made a reservation for a room, through the
*** URL.1 portal, in the hotel establishment Marbella Resorts S.L. (XXXXXXXXX
Suites). After leaving the establishment she learned that her DNI, along with her
personal information, had been included on an adult content page.

For its part, the entity responsible for the hotel establishment alleged that on the
day of the incident the "check in" was carried out outside the opening hours of the
reception and that the person who scanned the ID of the affected person was the
concierge of the company hired by the community of neighbors of the building where
the hotel establishment is located; that this company has no connection with them,
only with the community of neighbors of the building; and that, since the reported
incident, they have: “(…) decided that the concierge staff should not make a copy of
the customer documentation, but simply check upon arrival that it is the holder of
the reservation to hand over the keys (…)”.

Article 4 of the GDPR defines the "controller" (the person responsible for the
processing of personal data) as: “the natural or legal person, public authority,
service or other body that, alone or together with others, determines the purposes
and means of the processing (…)”; and defines the "processor" (the person in charge
of the processing) as: "the natural or legal person, public authority, service or
other body that processes personal data on behalf of the controller".

The first section of article 28 of the GDPR establishes that:

“1. Where processing is to be carried out on behalf of a controller, the controller
shall choose only a processor that offers sufficient guarantees to apply appropriate
technical and organizational measures, so that the processing complies with the
requirements of this Regulation and guarantees the protection of the rights of the
data subject”.

While the third section of the aforementioned article establishes:


"3. Processing by the processor shall be governed by a contract or other legal act
under the law of the Union or of the Member States that binds the processor with
respect to the controller and establishes the subject matter, duration, nature and
purpose of the processing, the type of personal data and categories of data
subjects, and the obligations and rights of the controller. Said contract or legal
act shall stipulate, in particular, that the processor:
a) will process personal data only on documented instructions from the controller,
including with respect to transfers of personal data to a third country or an
international organization, unless it is obliged to do so under the law of the Union
or of the Member States that applies to the processor; in that case, the processor
will inform the controller of that legal requirement prior to the processing, unless
such law prohibits it for important reasons of public interest;
b) will guarantee that the persons authorized to process personal data have
committed to respecting confidentiality or are subject to an obligation of
confidentiality of a statutory nature;
c) will take all the measures necessary in accordance with article 32;
d) will respect the conditions indicated in sections 2 and 4 for engaging another
processor;
e) will assist the controller, taking into account the nature of the processing,
through appropriate technical and organizational measures, whenever possible, so
that the controller can comply with its obligation to respond to requests that are
intended to exercise the rights of the data subjects established in chapter III;
f) will help the controller to guarantee compliance with the obligations established
in articles 32 to 36, taking into account the nature of the processing and the
information available to the processor;
g) at the choice of the controller, will delete or return all personal data once the
provision of the processing services is completed, and will delete existing copies
unless the preservation of the personal data is required under the law of the Union
or of the Member States;
h) will make available to the controller all the information necessary to
demonstrate compliance with the obligations established in this article, as well as
to allow and contribute to the performance of audits, including inspections, by the
controller or another auditor authorized by the controller.
In relation to the provisions of letter h) of the first paragraph, the processor
will immediately inform the controller if, in its opinion, an instruction violates
this Regulation or other provisions on data protection of the Union or the Member
States”.


Therefore, the known facts could constitute an infringement, attributable to the
claimed party, of article 28.3 of the GDPR.


Article 73.k) of the LOPDGDD classifies as “serious”, for limitation purposes:
"Entrusting the processing of data to a third party without the prior formalization
of a contract or other written legal act with the content required by article 28.3
of Regulation (EU) 2016/679".

This infringement can be sanctioned with a fine of up to €10,000,000 or, in the
case of a company, an amount equivalent to a maximum of 2% of the total annual
global turnover of the previous financial year, whichever is higher, in accordance
with article 83.4.a) of the GDPR.

In accordance with the indicated precepts, and without prejudice to what results
from the investigation of the procedure, in order to set the amount of the sanction
to be imposed in this case, it is considered that the sanction should be graduated
according to the following aggravating criteria established in article 83.2 of the
GDPR:

    - The seriousness of the infringement, taking into account the level of damage
        caused (section a);


    - Negligence in the infringement, given the lack of due diligence of the
        entity in fulfilling its obligations with respect to the management of the
        personal data of its customers (section b).


The balance of the circumstances contemplated in article 83.2 of the GDPR, with
regard to the infringement committed by violating the provisions of its article
28.3, in accordance with the provisions of article 83 of the GDPR, allows an initial
sanction of 5,000 euros (five thousand euros) to be set.


                                             III
    - About the "Privacy Policy" of the website it owns:

According to the claim, on the website *** URL.1 the previous Organic Law 15/99
continues to appear, the information required by Law 34/2002, of July 11, on
information society services and electronic commerce is not contained, and the same
happens with the forms, since they do not have any data protection clause.

In this sense, article 13 of the GDPR establishes the information that must be
provided to the data subject at the time their personal data is collected:


"1. Where personal data relating to a data subject are obtained from that data
subject, the controller, at the time these are obtained, will provide:
a) the identity and contact details of the controller and, where appropriate, of its
representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended and the
legal basis for the processing;
d) where the processing is based on article 6, paragraph 1, letter f), the
legitimate interests of the controller or of a third party;
e) the recipients or the categories of recipients of the personal data, if
applicable;
f) where appropriate, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of an
adequacy decision of the Commission, or, in the case of the transfers indicated in
articles 46 or 47 or article 49 (1), second subparagraph, reference to the adequate
or appropriate guarantees and the means of obtaining a copy of these or the fact
that they have been made available.

2. In addition to the information mentioned in section 1, the controller will
provide the data subject, at the time the personal data are obtained, with the
following information necessary to guarantee fair and transparent data processing:
a) the period during which the personal data will be kept or, when this is not
possible, the criteria used to determine this period;
b) the existence of the right to request from the controller access to the personal
data relating to the data subject, and their rectification or deletion, or the
limitation of their processing, or to object to the processing, as well as the right
to data portability;
c) where the processing is based on article 6, paragraph 1, letter a), or article 9,
paragraph 2, letter a), the existence of the right to withdraw consent at any time,
without affecting the legality of the processing based on the consent prior to its
withdrawal;
d) the right to file a claim with a supervisory authority;
e) whether the communication of personal data is a legal or contractual requirement,
or a necessary requirement to enter into a contract, and whether the data subject is
obliged to provide the personal data and is informed of the possible consequences of
not providing such data;
f) the existence of automated decisions, including profiling, referred to in article
22, paragraphs 1 and 4, and, at least in such cases, significant information on the
logic applied, as well as the importance and expected consequences of such
processing for the data subject”.

In the present case, this Agency has been able to verify, regarding the policy of
privacy of the reported website that, through the link in the part

top of the main page, <<contact>>, the web redirects the user to a form
where you can enter personal data, such as name, email.
Before being able to send the form, the user must check the box that they have read and
Accepted the privacy policy and the legal notice.

For its part, the "Privacy Policy" page of the website provides information on the
identification of the data controller; the purpose of data collection and the legal
basis for it; the possible recipients of the data; the rights of users with regard to
the treatment of their personal data and how to exercise them; and the security
measures of the website, all this based on the legislation in force at this time.


Therefore, according to the evidence available at this stage of the agreement to
initiate the sanctioning procedure, it is considered that the "Privacy Policy" of the
claimed website does not contradict the provisions of article 13 of the GDPR.


                                            IV
    - About the "Cookies Policy" of the website it owns:










    a) .- On the installation of cookies on the terminal equipment prior to consent:

Article 22.2 of the LSSI establishes that users must be provided with clear and
complete information on the use of data storage and recovery devices and, in
particular, on the purposes of data processing. This information must be provided
in accordance with the provisions of the GDPR. Therefore, when the use of a cookie
involves a treatment that enables the identification of the user, those responsible
for the treatment must ensure compliance with the requirements established by the
regulations on the protection of data.

However, it is necessary to point out that cookies necessary for the
intercommunication of the terminals and the network, and those that provide a
service expressly requested by the user, are exempt from compliance with the
obligations established in article 22.2 of the LSSI.

In this sense, the Article 29 Working Party (GT29), in its Opinion 4/2012,
interpreted that the excepted cookies would include "user input" cookies (those
used to fill in forms, or to manage a shopping cart); authentication or user
identification cookies (session); user security cookies (those used to detect
erroneous and repeated attempts to connect to a website); media player session
cookies; load-balancing session cookies; user interface customization cookies; and
some plug-in cookies for exchanging social content. These cookies would remain
excluded from the scope of application of article 22.2 of the LSSI and, therefore, it
would not be necessary to inform or obtain consent on their use.

On the contrary, it will be necessary to inform and obtain the prior consent of the
user before the use of any other type of cookies, both first-party and third-party,
session or persistent.


In the verification carried out by this Agency on the claimed website, it was
possible to verify that, when entering the main page and without taking any action
on it and without accepting cookies, unnecessary cookies were used, both
first-party and third-party.


       b) .- On the cookie information banner existing in the first layer
       (Homepage):

The first-layer cookie banner must include information identifying the publisher
responsible for the website, in the event that its identifying data do not appear in
other sections of the page or its identity cannot be clearly inferred from the site
itself. It should also include a generic identification of the purposes of the cookies
that will be used and whether they are first-party or also third-party, without it
being necessary to identify them in this first layer. In addition, it must include
generic information about the type of data to be collected and used in the event
that user profiles are drawn up, and must include information on the way in which
the user can accept, configure and reject the use of cookies, with the warning,
where appropriate, that, if a certain action is performed, it will be understood that
the user accepts the use of cookies.










Apart from the generic information about cookies, this banner must contain a
clearly visible link to a second informational layer on the use of cookies, the
"Cookies Policy". This same link may be used to lead the user to the cookie
"Configuration Panel", provided that access to the configuration panel is direct,
that is, the user does not have to navigate within the second layer to locate it.

In the case that concerns us, the cookie information banner in the first layer of
the website does not inform that first-party and third-party cookies will be used.

       c) .- On consent to the use of unnecessary cookies:


For the use of non-necessary cookies, it will be necessary to obtain the express
consent of the user. This consent can be obtained by clicking on "accept" or by
inferring it from an unequivocal action performed by the user that denotes that
consent has been unequivocally given.

Therefore, the mere inactivity of the user, scrolling or browsing the website will
not be considered, for these purposes, a clear affirmative action under any
circumstance and will not imply the provision of consent by itself. Similarly, access
to the control panel, if the information is presented in layers, as well as the
navigation necessary for the user to manage their preferences in relation to
cookies in the control panel, is not considered active behavior from which the
acceptance of cookies can be derived.

If the option is to go to the cookie control panel (second layer) for granular
management of cookies, there should be two more buttons, one to <<accept>> all
cookies or, where appropriate, save the chosen cookie selection, and another to
<<reject>> all cookies.

If the user saves their choice without having selected any group of cookies, it will
be understood that they have rejected all cookies. In relation to this possibility,
boxes pre-marked in favor of accepting cookies are not admissible in any case.


If, for the configuration of cookies, the website refers to the configuration of the
browser installed in the terminal equipment, this option is considered
complementary for obtaining consent, but not the only mechanism. Therefore, if the
publisher opts for this option, it must also offer, in any case, a mechanism that
allows the user to reject the use of cookies and/or to do so in a granular way.


The withdrawal of the consent previously given by the user must be possible at any
time. To this end, the publisher must offer a mechanism that allows permanent
access to the cookie management or configuration system.


If the publisher's cookie management or configuration system does not allow the
use of third-party cookies to be avoided once accepted by the user, information
will be provided about the tools provided by the browser and third parties. It
should be noted that, if the user accepts third-party cookies and subsequently
wishes to delete them, they must do so from their own browser or the system
enabled by the third parties for that purpose.


In the present case, the banner on the main page redirects the user to the
"Cookie policy" (second layer) for more information, but in this second layer, the
website refers the user to the configuration of the browser installed on their
terminal equipment to manage cookies; there is no mechanism on this page that
allows rejecting all cookies or managing them in a granular way.


       d) .- On the information provided in the second layer (Cookies Policy):

Web pages that use unnecessary cookies must have a "Cookies Policy" page
providing more detailed information about the characteristics of the cookies,
including information on the definition and generic function of cookies (what
cookies are); the type of cookies used and their purpose (what types of cookies are
used on the website); the identification of who uses the cookies, that is, whether
the information obtained by cookies is processed only by the publisher and/or also
by third parties, with identification of the latter; the period of conservation of
cookies in the terminal equipment; and, if applicable, information on data transfers
to third countries and the preparation of profiles that involve automated decision
making.

In the present case, the privacy policy of the website does not provide
information or identification of the cookies that will be used.


                                          IV-bis
The facts presented could constitute, on the part of the claimed entity, the
commission of a violation of article 22.2 of the LSSI, regarding the cookie policy
on its website, according to which:

"Service providers may use data storage and recovery devices on recipients'
terminal equipment, provided that they have given their consent after being
provided with clear and complete information on their use, in particular, on the
purposes of the data processing, in accordance with the provisions of Organic Law
15/1999, of 13 December, on the protection of personal data.

When technically possible and effective, the consent of the recipient to accept the
data processing may be facilitated by using the parameters of the browser or other
applications.

The foregoing will not prevent possible storage or access of a technical nature for
the sole purpose of carrying out the transmission of a communication over an
electronic communications network or, to the extent strictly necessary, for the
provision of an information society service expressly requested by the recipient".

This offense is classified as "minor" in article 38.4 g) of the aforementioned Law,
which considers as such: "Using data storage and recovery devices when the
information has not been provided or the consent of the recipient of the service
has not been obtained in the terms required by article 22.2.", which may be
sanctioned with a fine of up to € 30,000, in accordance with article 39 of the
aforementioned LSSI.

After the evidence obtained in the preliminary investigation phase, and without
prejudice to whatever results from the investigation, it is considered that the
sanction should be imposed in accordance with the following aggravating criteria,
established in art. 40 of the LSSI:

    - The existence of intentionality, an expression that must be interpreted as
        equivalent to degree of guilt according to the Judgment of the
        National Court of 11/12/07 handed down in Appeal no. 351/2006, it being
        incumbent on the denounced entity to establish a system for obtaining
        informed consent that conforms to the mandate of the LSSI.
    - Period of time during which the offense has been committed (section b).

Based on these criteria, it is deemed appropriate to impose on the claimed entity
a penalty of 2,000 euros (two thousand euros) for the violation of article 22.2 of
the LSSI, regarding the cookie policy of the website it owns.

                                            V
In accordance with the criteria set out in the previous sections, it is considered
appropriate to impose on the claimed entity a total initial penalty of 7,000 euros
(seven thousand euros): 5,000 euros for the violation of article 28.3 of the GDPR
and 2,000 euros for the infringement of article 22.2 of the LSSI.

In accordance with the foregoing, by the Director of the Spanish Agency for
Data Protection,

                                     IT IS AGREED:

INITIATE: A SANCTIONING PROCEDURE against the entity MARBELLA RESORTS,
S.L., with CIF: B93169076, in accordance with the provisions of articles 63 and 64
of Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (LPACAP), for the alleged infractions:

    - Infringement of article 28.3) of the GDPR, due to the lack of diligence
        demonstrated in the management of the personal data of its clients.
    - Infringement of article 22.2) of the LSSI, regarding the cookie policy on its
        website.


APPOINT: D. B.B.B. as instructor and Dª C.C.C. as secretary, indicating that
either of them may be challenged, where appropriate, in accordance with the
provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime
of the Public Sector (LRJSP).


INCORPORATE: into the sanctioning file, for evidentiary purposes, the claim
filed by the claimant and its documentation, and the documents obtained and
generated by the Subdirectorate General for Data Inspection during the
investigation.


THAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on
the Common Administrative Procedure of Public Administrations, the sanction that
could correspond would be a fine of:

    - 5,000 euros (five thousand euros), for violation of article 28.3) of the GDPR,
        without prejudice to what results from the investigation.

    - 2,000 euros (two thousand euros), for violation of article 22.2) of the LSSI,
        without prejudice to what results from the investigation.

THAT: in accordance with article 58.2 of the GDPR, the corrective measure that
could be imposed on the claimed party would consist of ORDERING it to take the
measures necessary to adapt the cookie policy of the website it owns through:

    - A mechanism that makes it impossible to use cookies that are not necessary
        before the user gives their consent.
    - A mechanism that makes it possible to reject all cookies so that it is as
        easy to reject them as to accept them.
    - Detailed information about cookies included on the website in a
        second layer or "Cookies Policy".
    - Information in the banner of the main page that first-party and third-party
        cookies will be used.


NOTIFY: this agreement to the entity MARBELLA RESORTS, S.L., granting it a
hearing period of ten business days to formulate the allegations and present the
evidence it deems appropriate.


If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed is a fine, you may recognize your responsibility within the
term granted for the formulation of allegations to the present initiation agreement,
which will entail a reduction of 20% of the penalty to be imposed in the present
procedure, equivalent in this case to 1,400 euros. With the application of this
reduction, the penalty would be set at 5,600 euros, resolving the procedure with
the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure,
carry out the voluntary payment of the proposed sanction, which will mean a
reduction of 20% of the amount thereof, equivalent in this case to 1,400 euros.
With the application of this reduction, the sanction would be established at
5,600 euros and its payment will imply the termination of the procedure.











The reduction for the voluntary payment of the penalty is cumulative with the one
that corresponds to the acknowledgment of responsibility, provided that this
acknowledgment of responsibility is made manifest within the period granted to
formulate allegations at the opening of the procedure. The voluntary payment of
the amount referred to in the preceding paragraph may be made at any time prior
to the resolution. In this case, if both reductions are applied, the amount of the
penalty would be established at 4,200 euros (four thousand two hundred euros).

In any case, the effectiveness of either of the two mentioned reductions will be
conditioned on the withdrawal or waiver of any administrative action or appeal
against the sanction.

If you choose to proceed to the voluntary payment of any of the amounts indicated
previously, you must make it effective by depositing it into account No. ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data
Protection at Banco CAIXABANK, S.A., indicating in the concept the reference
number of the procedure that appears in the heading of this document and the
cause of reduction of the amount that is being invoked.

Likewise, you must send the proof of payment to the Subdirectorate General of
Inspection to continue the procedure according to the amount paid.

The procedure will have a maximum duration of nine months from the date of the
initiation agreement or, where appropriate, the draft initiation agreement. After
this period, it will expire and, consequently, the proceedings will be archived, in
accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.


Mar España Martí
Director of the Spanish Agency for Data Protection.




>>

SECOND: On June 16, 2021, the defendant proceeded to pay the sanction in the
amount of 4,200 euros, making use of the two reductions provided for in the
Initiation Agreement transcribed above, which implies the recognition of
responsibility.

THIRD: The payment made, within the period granted to formulate allegations at
the opening of the procedure, entails the waiver of any administrative action or
appeal against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.













                            FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the GDPR recognizes to each
supervisory authority, and as established in art. 47 of Organic Law 3/2018, of
December 5, on the Protection of Personal Data and guarantee of digital rights
(hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
Telecommunications Law (hereinafter LGT), in accordance with the provisions of
article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and
electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.

                                            II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading "Termination
of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges
his responsibility, the procedure may be resolved with the imposition of the
appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or when a pecuniary sanction
and a non-pecuniary sanction may both be imposed but the inadmissibility of the
second has been justified, the voluntary payment by the presumed responsible
party, at any time prior to the resolution, will imply the termination of the
procedure, except in relation to the restoration of the altered situation or the
determination of compensation for damages caused by the commission of the
offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body
competent to resolve the procedure will apply reductions of at least 20% on the
amount of the proposed sanction, these being cumulative among themselves. The
aforementioned reductions must be determined in the notice of initiation of the
procedure and their effectiveness will be conditional on the withdrawal or waiver
of any administrative action or appeal against the sanction.

The percentage of reduction foreseen in this section may be increased by
regulation."


In accordance with the above, the Director of the Spanish Agency for Data
Protection RESOLVES:

FIRST: DECLARE the termination of procedure PS/00151/2021, in accordance
with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to MARBELLA RESORTS, S.L.












In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, interested parties may file a
contentious-administrative appeal before the Contentious-Administrative Chamber
of the National High Court, in accordance with the provisions of article 25 and
section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating
the Contentious-Administrative Jurisdiction, within a period of two months from
the day following notification of this act, as provided in article 46.1 of the
referred Law.



                                                                                       936-031219
Mar España Martí
Director of the Spanish Agency for Data Protection











































