AEPD (Spain) - PS/00471/2021: Difference between revisions

From GDPRhub

Revision as of 11:16, 14 March 2023

AEPD - PS/00471/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 22(2) LSSI
Type: Complaint
Outcome: Upheld
Started: 06.01.2021
Decided:
Published:
Fine: 2.500 EUR
Parties: Open Bank SA
National Case Number/Name: PS/00471/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Spanish DPA (in ES)
Initial Contributor: Bernardo Armentano

The Spanish DPA fined a bank €2.500 for installing non-strictly necessary cookies in the user's terminal equipment without prior consent in violation of Article 22(2) LSSI.

English Summary

Facts

A user filed a complaint with the Spanish DPA claiming that the Open Bank’s website installed cookies on their terminal equipment without prior consent. They argued that these cookies were not technical or strictly necessary and that Google was tracking their visits to the bank’s page. In turn, the bank alleged that the list of cookies presented by the data subject did not correspond to those loaded on its website. It claimed that these cookies were preloaded while the data subject was browsing Google's own websites. During the investigations, the DPA accessed the bank’s website after having cleared the CACHE memory of the terminal equipment. It verified that cookies belonging to the domain of Google.com were installed without consent and that these cookies were not technical or strictly necessary.

Holding

The DPA recalled that, according to Article 22.2 LSSI, users must be provided with clear and complete information on the use of data storage and data retrieval devices. In addition, where the use of cookies makes it possible to identify the user, data controllers must comply with the requirements set out in the GDPR. In particular, they must inform the user/data subject of the purposes of the data processing. The DPA pointed out that only cookies that are necessary for the provision of a service that was expressly requested by the user are exempt from these obligations. For instance, "user input cookies" (those used to fill in forms or to manage a shopping basket); user authentication or identification cookies (session cookies); user security cookies (those used to detect repeated and erroneous attempts to connect to a website); media player session cookies; session cookies for load balancing; user interface customisation cookies; and some plug-in cookies for sharing social content. In any other case, service providers must inform users and obtain their prior consent, whether it is a first-party or third-party, session or persistent cookie. The DPA emphasized that, while consent can be inferred from an unequivocal action by the users, mere inactivity, scrolling or browsing the website shall never be considered for that purpose. For instance, where there is a second layer or cookie control panel, two buttons may be implemented: one to accept and one to reject all cookies. If users save their choice without having selected any cookie, it shall be understood that they rejected all cookies. Pre-ticked boxes can never be interpreted as accepting cookies. Likewise, users must be able to easily withdraw consent at any time. In the case at hand, even if the user chose to "reject all cookies" or not to activate any group of cookies by clicking directly on the option "save to computer" in the control panel, the website continued to use third-party cookies.
Therefore, the DPA found a violation of Article 22(2) LSSI and imposed a fine of €2.500.
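
The DPA's checks (first visit from a clean profile, "reject all", and saving the control panel with nothing selected) can be run as an audit over cookie-store snapshots. The following is an added example, not part of the decision or of GDPRhub: the domain `bank.example`, the snapshots and the treatment of `ConsentM6R` as a technical cookie are assumptions, while the behavioural cookie names are those listed in section 4.4 of the bank's cookie policy as quoted in the decision.

```python
from dataclasses import dataclass

TECHNICAL = "technical"


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # as listed in the browser's cookie store, e.g. ".google.com"


def is_third_party(cookie, site_domain):
    """Suffix comparison only; a production check would use the public suffix list."""
    c = cookie.domain.lstrip(".").lower()
    s = site_domain.lower()
    return not (c == s or s.endswith("." + c) or c.endswith("." + s))


def audit(baseline, observed, site_domain, policy, consented):
    """List cookies that appeared during the visit without a basis for them.

    baseline  -- cookies already in the profile before the visit
    observed  -- cookies in the profile after the step under test
    policy    -- cookie name -> category declared in the site's cookie policy
    consented -- categories the user switched on (empty after a rejection)
    """
    findings = []
    new = set(observed) - set(baseline)
    for cookie in sorted(new, key=lambda c: (c.domain, c.name)):
        category = policy.get(cookie.name)
        if category == TECHNICAL or category in consented:
            continue  # exempt, or covered by the user's choice
        findings.append({
            "name": cookie.name,
            "domain": cookie.domain,
            "third_party": is_third_party(cookie, site_domain),
            "category": category or "undeclared",
        })
    return findings


def run_checks(steps, site_domain, policy, baseline=()):
    """Run every step; a non-empty baseline means the profile was not clean,
    which is the objection the bank raised against the test."""
    report = {"profile_not_clean": sorted(c.name for c in baseline)}
    for step, (consented, observed) in steps.items():
        hits = audit(baseline, observed, site_domain, policy, consented)
        report[step] = [h["name"] for h in hits]
    return report


# --- Constructed inputs (not taken from the decision's evidence) ---
SITE = "bank.example"  # placeholder: the real URL is redacted in the decision
POLICY = {
    "ConsentM6R": TECHNICAL,  # assumption: the consent-storage cookie is technical
    "SAPISID": "behavioral", "SID": "behavioral", "SSID": "behavioral",
    "CONSENT": "behavioral", "OGPC": "behavioral", "1P_JAR": "behavioral",
}
GOOGLE = [Cookie(n, ".google.com") for n in ("SID", "NID", "1P_JAR")]
DECIDED = GOOGLE + [Cookie("ConsentM6R", ".bank.example")]
STEPS = {
    "first_visit": (set(), GOOGLE),
    "reject_all": (set(), DECIDED),
    "save_nothing_selected": (set(), DECIDED),  # treated as a rejection
    "accept_all": ({"personalized", "analytical", "behavioral"}, DECIDED),
}

if __name__ == "__main__":
    for step, names in run_checks(STEPS, SITE, POLICY).items():
        print(f"{step}: {names}")
```

Passing the pre-visit snapshot as `baseline` keeps cookies that were already in the profile out of the findings and reports them under `profile_not_clean`, so the result records whether the test started from a clean state.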

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00471/2021

               RESOLUTION OF SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency before the entity OPEN BANK, S.A., with CIF.: A28021079, owner of the website ***URL.1 (hereinafter, "the claimed party"), by virtue of the claim filed by D. A.A.A. (hereinafter, "the complaining party"), for alleged violation of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI), and based on the following:

                                  BACKGROUND:

FIRST: On 01/06/21, a claim was filed with this Agency in which, among other things, it was indicated that the website ***URL.1 would not be obtaining informed consent for the installation of cookies that are not strictly necessary. It denounces that Google is informed at all times of the bank pages that are accessed.

SECOND: On 05/13/21, this Agency sent a request for information to the claimed entity regarding the claim received, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (“LOPDGDD”).


THIRD: On 06/09/21, this Agency received a written response to the requirement made to the claimed party, in which the following is reported:

“That the Website informs users about the use of cookies that are processed when they access it for the first time, as can be seen below in the "Cookies Modal", which has been translated into Spanish in the box by the Openbank team of translators. In addition, it can be verified that said Cookies Modal gives the user the option to accept, reject and/or configure them.

That in the event that the interested party wishes to access the "Configuration of Cookies", they will obtain information on the classification and description of the different cookies collected by the website: (i) technical, (ii) personalized, (iii) analytics and (iv) behavioral advertising, as well as access to the Privacy Policy Openbank cookies ("policy") through a hyperlink, attached as Annex I Cookies Policy in Spanish and German.

The following is a screenshot of the "Cookies Settings" screen, which has been translated into Spanish in the box by the Openbank team of translators.

III. That Openbank carries out periodic controls to verify the behavior of the cookies of the web page, which allows validating whether the acceptance, configuration or rejection of them works correctly. Attached as Annex II: Evidence of cookie control.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15








Taking into account the above, we consider that the users of the Website are duly informed and that Openbank is obtaining their consent for the installation of cookies as required by the regulations, taking into account the following considerations:

Information Transparency: The Guide on the Use of Cookies of the Spanish Data Protection Agency (hereinafter "Cookies Guide") details the requirements applicable to the provision to users of information regarding the use of cookies: (i) the information must be concise, transparent and intelligible; (ii) clear and simple language must be used, avoiding the use of phrases that lead to confusion or distort the clarity of the message; and (iii) the information must be easily accessible.

In this regard, as previously seen in the acceptance flow, it can be verified that Openbank uses clear and precise information, detailing the different purposes in each of the cases and providing specific information to the interested parties in each case, having used for its writing the examples provided in the Cookie Guide.

Informed consent: Following the provisions of the Cookies Guide, the following indications emerge:

Cookies exempt from the consent requirement: Technical cookies are exempt from obtaining consent, although Openbank informs users about their use and ownership.

Obtaining consent for necessary Cookies: The Cookie Guide establishes that "for the use of non-excepted cookies it will be necessary in any case to obtain user consent". In the same way, the General Data Protection Regulation defines consent as: "Any free, specific, informed and unequivocal expression of will by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him."

Taking into account the above, Openbank has defined the following modalities for obtaining consent that, it considers, comply with the requirements of the regulations, as well as with the Cookies Guide:

"Accept and navigate or Reject all" mode: Users may give their consent after the first layer of information has been provided to them, where the purpose of each cookie is detailed, as can be seen in the "Cookies Modal". Such acceptance or rejection requires a clear affirmative action by the user, who must select the corresponding "accept" or "decline" button. The user's decision will be stored in the ConsentM6R cookie, as can be seen in the information provided in the Cookie Policy.

"Cookies configuration" modality: Just as users may accept or reject cookies in a first layer, they may also express their agreement separately and granularly for each of the purposes: personalized, analytical and/or behavioral advertising, as detailed on the previous screens. After having selected the desired configuration, the user will press the "Save" or "Accept All" buttons and their decision will be stored in the ConsentM6R cookie, as can be seen in the Cookie Policy.

Configuration of consents: Users will be able to modify their consent at any time in an easy way by accessing a link that redirects directly to the "Cookies Modal" for its configuration, as reported in section 7 of the Cookies Policy. In view of all the foregoing, at Openbank we consider that users of the Web Page are informed and that their consent is obtained, and we remain at your disposal for any clarification that you deem convenient.

FOURTH: On 07/20/21, the Director of the Spanish Data Protection Agency issued an agreement admitting for processing the complaint presented by the complaining party, in accordance with article 65 of the LOPDGDD, on appreciating possible rational indications of a violation of the rules within the scope of the powers of the Spanish Data Protection Agency.

FIFTH: On 08/16/21, this Agency carried out the following checks on the website, ***URL.1, regarding its cookie policy:

1. When entering the website for the first time, without accepting cookies or taking any action on the page, and having cleared the cache memory of the terminal equipment, it was detected that third-party cookies are used, in this case belonging to the Google.com domain, that are not technical or necessary:


__Secure-3PSIDCC .google.com /
__Secure-3PAPISID .google.com /
__Secure-1PAPISID .google.com /
__Secure-3PSID .google.com /
__Secure-1PSID .google.com /
SID .google.com /
SAPISID .google.com /
APISID .google.com /
NID .google.com /
SEARCH_SAMESITE .google.com /
CONSENT .google.com /
DV .google.com /
OGPC 1151720448-1: google.com /

__Secure-3PSIDCC .google.com /
SIDCC .google.com /
__Secure-3PAPISID .google.com /
SSID .google.com /
__Secure-1PAPISID .google.com /
HSID .google.com /
__Secure-3PSID .google.com /
__Secure-1PSID .google.com /
SID .google.com /
SAPISID .google.com /
APISID .google.com /
NID .google.com /
SEARCH_SAMESITE .google.com /
CONSENT .google.com /
DV .google.com /
OGPC 1151720448-1: google.com /
1P_JAR .google.com /

2. The banner about cookies that appears on the main page of the website has the following message:


“At Openbank, we use cookies or similar technologies of our own or from third parties to ensure the operation of the website and so that your login is saved when you register. With your consent, we may also improve and personalize your browsing experience and show you advertising that is tailored to your profile based on your usage habits.

To accept all cookies, click on "Accept and navigate"; to reject the cookies, click "Refuse Cookies". To configure cookies or for more information, click "Set Permissions".”

     <<Configure permissions>> - <<Refuse cookies>> - <<Accept and navigate>>

a).- If you choose to "reject all cookies" through the corresponding option, <<Reject cookies>>, it is verified that the website continues to use the same third-party cookies (from Google.com) indicated above.

b).- If the cookies control panel is accessed through the corresponding link, <<permissions configuration>>, the website displays the following control panel, where groups of cookies can be managed in a granular way, these being initially pre-set to the <<disabled>> option, except for necessary cookies:

“These are the cookies that we may use on our website. You can configure them according to your wishes, taking into account that technical cookies are necessary so that an interaction with Openbank may take place. Of course, you can also consult the <<cookies policy>> for more information.”

Technical cookies "Always active"
Personalized Cookies OFF / ON
Analytical Cookies OFF / ON
Behavioral Advertising OFF / ON

                 <<Save to computer>> -- <<Accept all>>

If you choose not to activate any group of cookies and click the <<save to computer>> option to save the settings and exit the control panel, with the intention that third-party cookies are not used, it is verified that the website continues to use the same Google.com cookies indicated above.

3.- If the "Cookies Policy" is accessed through the link in the control panel and at the bottom of the main page, the website redirects to a new page, ***URL.2, which provides information about what cookies are and what types of cookies exist, identifies the cookies used by the web page (the identifier, its domain, its purpose and the time that they will remain active), and explains the management of cookies through the browsers installed on terminal equipment.

Section 4 of the "Cookies Policy" refers to the cookies used on the website. In this section you can see, among others, how it indicates the use of technical, personalization and advertising or behavioral cookies. Within this group, the website uses a group of cookies, especially from Google.com, to control the behavior of the user in the navigation that he performs on the entity's website.

The cookies detected when visiting the website on 08/16/21, which coincide with those that the entity claims to use, are the following:

(…) 4.4. "Behavioral advertising" cookies: Behavioral advertising cookies collect information about your behavior according to your browsing habits and allow us to more effectively manage the appropriate advertising spaces. Add the content to your specific profile:

SAPISID .google.com / behavioral
SID .google.com / behavioral
SSID .google.com / behavioral
CONSENT .google.com / behavioral
OGPC .google.com / behavioral
1P_JAR .google.com / behavioral


SIXTH: On 10/26/21, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the claimed entity, by virtue of the established powers, for the alleged violation of article 22.2 of the LSSI, with an initial penalty of 5,000 euros (five thousand euros), for the use of third-party cookies, in this case from the Google.com domain, that were not necessary or technical, without the prior consent of the users, and for the impossibility of removing them from the equipment when their use was refused.

SEVENTH: Once the initiation agreement was notified to the claimed entity, the latter, in a writing dated 11/12/21, made, in summary, the following allegations:

According to your letter dated October 26, 2021, which communicates the agreement to initiate the disciplinary procedure of reference PS/00471/2021 in relation to the claim filed by a German citizen against OPEN BANK, S.A. (hereinafter, "Openbank"), owner of the website ***URL.1, we proceed to deliver in person the documentation corresponding to Annex I, which is complementary to the reply sent on November 11, 2021 electronically through your electronic Registry.

The information is provided by means of a USB that contains the evidence in video format to make it reproducible, as well as the information that we have already sent through the electronic Registry, which consists of the response to your request together with Annexes 2 and 3. In this way, we have provided the entire documentation related to the procedure indicated above. We are at your disposal for any additional information or clarification you may require.

EIGHTH: On 12/12/21, the evidence period began, it being agreed to: a).- consider reproduced for evidentiary purposes the complaint filed by the complainant and its documentation, and the documents obtained and generated that form part of file E/00096/2021; and b).- consider reproduced for evidentiary purposes the allegations to the initiation agreement of PS/00471/2021 presented by the entity.

NINTH: On 01/22/22, this Agency carried out the following checks on the website, ***URL.1, regarding the alleged infringement committed in relation to its cookie policy:




1.- When entering the website for the first time, without accepting cookies or taking any action on the page, it has been detected that cookies that are not technical or necessary, that are from third parties.

2. The banner about cookies that appears on the main page of the website has the following message:

“At Openbank, we use cookies or similar technologies of our own or from third parties to ensure the operation of the website and so that your login is saved when you register. With your consent, we may also improve and personalize your browsing experience and show you advertising that is tailored to your profile based on your usage habits.

To accept all cookies, click on "Accept and navigate"; to reject the cookies, click "Refuse Cookies". To configure cookies or for more information, click "Set Permissions".”

    <<Configure permissions>> - <<Refuse cookies>> - <<Accept and navigate>>

a).- If you choose to "reject all cookies" through the corresponding option, <<Reject cookies>>, it is verified that the website continues without using third-party cookies that are not technical or necessary.

TENTH: On 01/27/21, the claimed entity was notified of the proposed resolution, in which it is proposed that the Director of the Spanish Data Protection Agency sanction the infringement of article 22.2 of the LSSI. However, on verifying that the claimed entity no longer used third-party cookies without the prior consent of the user, a reduction of the penalty to be imposed was proposed, in this case of 50%, which would remain at 2,500 euros (two thousand five hundred).


ELEVENTH: Once the proposed resolution was notified to the claimed party, the latter, on 02/09/22, presented a written statement of allegations, indicating, among others, the following:

In response to your letter dated February 27, 2022 with procedure number PS/00471/2021, in relation to the admission for processing of the claim presented by a German citizen (hereinafter the "Interested Party") before OPEN BANK, S.A. ("Openbank"), in which it states that on our website ***URL.1 informed consent would not be obtained for the installation of cookies that are not strictly necessary, and on which you state you have made different verifications dated August 16, 2021, we proceed to provide you with the following information in relation to the list of cookies that you mention have been loaded on the domain of the Website, and which is detailed below:

We have consulted directly with Google whether it would be possible for the cookies referenced in the requirement to have been loaded directly on the Openbank website, and they have confirmed that they are not. Shown below are the screenshots of the response to the query posed to Google, “regarding the specific case of the consent cookie “CONSENT google.com / DV google.com", in which they confirm the need for the user to have visited any of the Google domains”.


Based on this specific example, our hypothesis is confirmed that the browser used by you in the tests carried out could have previously browsed Google's own websites and, therefore, that part or all of the cookies in the list provided come directly from those websites and not from our website.

Likewise, after analyzing Google's Privacy Policy, we have detected that certain cookies on the aforementioned list may have a functional and/or security purpose, as detailed below:

    - NID cookie (NID .google.com / SEARCH_SAMESITE .google.com /): it is a functional cookie whose purpose is to generate a unique ID that Google uses to remember preferences and other user information, such as the preferred language, the number of search results they want displayed per page (for example, 10 or 20) and whether they want Google's SafeSearch filter on or off. The "NID" cookie expires 6 months after its last use.

    - "SID" and "HSID" cookies (SID .google.com / __Secure-1PAPISID .google.com / HSID .google.com / __Secure-3PSID .google.com /): it is mentioned that the "SID" and "HSID" cookies contain digitally signed and encrypted records of the most recent login time and the Google account ID of a user. The combination of these cookies allows them to block many types of attacks, such as attempts to steal the content of forms that are submitted in Google services.

We have also been able to observe the above by having browsed Google for the first time, where we have verified that certain of the cookies mentioned, specifically NID, CONSENT, 1P_JAR and ANID, are preloaded even when rejecting their consent modal. We pass you the flow below:

Based on the foregoing, we understand that Openbank has not taken any action related to the loading of the cookies that are mentioned in the requirement, but rather that they come from a third party (Google.com), which would be the one who, where appropriate, would have installed them on the user's device without their consent or information.

Due to the foregoing, we once again request that the Spanish Data Protection Agency resolve the administrative procedure without imposing any penalty.

Lastly, in the event that it is considered that the evidence provided is not enough to clarify the situation, we would appreciate it if you would please take note that Openbank requests through this letter an extension of 10 business days in order to obtain additional evidence from the provider Google, taking into account that, as of the date of this writing, we are still waiting to be provided with a report on the subject. In this way, we would give an additional answer in the extension period, before February 23, 2022.

                              PROVEN FACTS


1º.- As indicated in the claim filed with this Agency on 01/06/21, on the website ***URL.1 informed consent would not be obtained for the installation of cookies that are not strictly necessary.

2º.- When this Agency consulted the claimed page on 08/16/21, it was verified, through the "inspect Application" option of the Google Chrome web browser, that when entering the website ***URL.1 for the first time, without accepting cookies or taking any action on the page, after having cleared the cache memory and cookies of the terminal equipment, third-party cookies were used that are not technical or necessary, whose domain belongs to Google.com:

__Secure-3PSIDCC .google.com /
__Secure-3PAPISID .google.com /
__Secure-1PAPISID .google.com /
__Secure-3PSID .google.com /
__Secure-1PSID .google.com /
SID .google.com /
SAPISID .google.com /
APISID .google.com /
NID .google.com /
SEARCH_SAMESITE .google.com /
CONSENT .google.com /
DV .google.com /
OGPC 1151720448-1: google.com /

__Secure-3PSIDCC .google.com /
SIDCC .google.com /
__Secure-3PAPISID .google.com /
SSID .google.com /
__Secure-1PAPISID .google.com /
HSID .google.com /
__Secure-3PSID .google.com /
__Secure-1PSID .google.com /
SID .google.com /
SAPISID .google.com /
APISID .google.com /
NID .google.com /
SEARCH_SAMESITE .google.com /
CONSENT .google.com /
DV .google.com /
OGPC 1151720448-1: google.com /
1P_JAR .google.com /

4º.- Once the disciplinary procedure was initiated against the entity responsible for the web page in question, for the alleged violation of article 22.2 of the LSSI, for using cookies that are not necessary or technical without the prior consent of the users and the impossibility of removing them, the entity, on 11/12/21, made allegations in which it indicated, among others, that:

"(...) Openbank wants to point out that the previously mentioned list of cookies does not correspond, nor has it corresponded, to cookies loaded on our website. Even in the event that the cookies of the Openbank website are accepted, the previously listed cookies would not be loaded on our page.

In this sense, we consider that it would only be possible for said cookies to appear pre-loaded on the Openbank website if the user had previously browsed, through the same browser, other web pages that have loaded said cookies and they had not been deleted before doing the test (...)."

5º.- After the proposed resolution was transferred to the claimed entity, it presented supporting documentation from Google stating that said entity had answered that it would not be possible for the cookies referred to to be loaded directly on the Openbank website without the user having previously visited other Google domains.

However, the query made by Openbank to Google only makes reference to the "CONSENT" cookie, as specified in the email sent from the claimed entity to Google:

 "(...) To get to the point and make the question more concrete, is there any way that the "CONSENT" cookie is saved from our website using Google products without having gone through a Google website such as Google.es beforehand? We intuit that no, that the only way for this cookie to be saved is having previously browsed a Google website, since it is responsible for managing the consents of Google's own websites. But we would like to confirm it and clearly demonstrate it (…)”

Google's response to the claimed entity is as follows:

“The cookie you mention, “CONSENT”, represents the consent status of the user… (note: here the photocopy attached by the claimed entity is cut off and continues)... you comment it will be necessary to visit one of Google's domains (Google.com; youtube.com, etc.).

The following attached photocopy of the emails exchanged between Openbank and Google is unreadable. However, the entity states below that:

“after attaching Based on this concrete example confirms our hypothesis that the browser used by you in the tests carried out could have previously browsed Google's own websites and, therefore, that part or all of the cookies on the list provided come directly from those websites and not from our website (…)”.

                           FUNDAMENTALS OF LAW


I.- Competence:

The Director of the Spanish Data Protection Agency is competent to initiate and resolve this Disciplinary Procedure, in accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI).

II.- On the allegations presented by the claimed entity to the proposed resolution:

The claimed entity states in its allegations that: "(...) after attaching Based on this specific example, our hypothesis is confirmed that the browser used by you in the tests carried out could have previously browsed Google's own websites and, therefore, that part or all of the cookies in the list provided come directly from those websites and not from our website (…)".

Notwithstanding the foregoing, the query made by Openbank to Google only refers to the "CONSENT" cookie, as specified in the email sent from the claimed entity to Google:

 "(...) To get to the point and make the question more concrete, is there any way that the "CONSENT" cookie is saved from our website using Google products without having gone through a Google website such as Google.es beforehand? We intuit that no, that the only way for this cookie to be saved is having previously browsed a Google website, since it is responsible for managing the consents of Google's own websites. But we would like to confirm it and clearly demonstrate it (…)”

Google's response being:

“The cookie you mention, “CONSENT”, represents the consent status of the user… (note: here the photocopy attached by the claimed entity is cut off and continues)... you comment it will be necessary to visit one of Google's domains (Google.com; youtube.com, etc.).

There is not even an answer about the advertising or behavioral cookies detected from google.com when visiting the website (SAPISID; SID; SSID; CONSENT; OGPC and 1P_JAR), which match those that the entity affirms it uses to carry out behavioral studies of users.

III.- About the "Cookies Policy" of the web:


       a).- Regarding the installation of cookies in the terminal equipment prior to the
       consent:

Article 22.2 of the LSSI establishes that users must be provided with information
clear and complete information on the use of storage devices and
data recovery and, in particular, on the purposes of data processing.

This information must be provided in accordance with the provisions of the GDPR. Therefore,
When the use of a cookie entails a treatment that enables the
identification of the user, those responsible for the treatment must ensure the
compliance with the requirements established by the regulations on the protection of
data.


However, it is necessary to point out that they are exempted from compliance with the
obligations established in article 22.2 of the LSSI those necessary cookies
for the intercommunication of terminals and the network and those that provide a service
expressly requested by the user.


In this sense, the GT29, in its Opinion 4/2012, interpreted that the exempted
cookies would include "user input" cookies (those used to fill in forms or to
manage a shopping cart); authentication or user identification cookies
(session); user security cookies (those used to detect erroneous and repeated
attempts to connect to a website); media player session cookies;
load-balancing session cookies; user interface customization cookies; and some
plug-in cookies for exchanging social content. These cookies would remain
excluded from the scope of application of article 22.2 of the LSSI and,
therefore, it would not be necessary to inform about their use or obtain
consent for it.


On the contrary, it will be necessary to inform the user and obtain their
prior consent before the use of any other type of cookie, whether first-party
or third-party, session or persistent.

In our case, when entering the website for the first time, without accepting
cookies or taking any action on the page, and having cleared the cache memory
of the terminal equipment, it was detected that third-party cookies are used,
in this case belonging to the Google.com domain, that are not technical or
necessary:

__Secure-3PSIDCC .google.com/
__Secure-3PAPISID .google.com/
__Secure-1PAPISID .google.com/
__Secure-3PSID .google.com/
__Secure-1PSID .google.com/
SID .google.com/
SAPISID .google.com/
APISID .google.com/
NID .google.com/
SEARCH_SAMESITE .google.com/
CONSENT .google.com/
DV .google.com/
OGPC 1151720448-1: google.com/
__Secure-3PSIDCC .google.com/
SIDCC .google.com/
__Secure-3PAPISID .google.com/
SSID .google.com/
__Secure-1PAPISID .google.com/
HSID .google.com/
__Secure-3PSID .google.com/
__Secure-1PSID .google.com/
SID .google.com/
SAPISID .google.com/
APISID .google.com/
NID .google.com/
SEARCH_SAMESITE .google.com/
CONSENT .google.com/
DV .google.com/
OGPC 1151720448-1: google.com/
1P_JAR .google.com/


For its part, section 4 of the "Cookies Policy" (***URL.2) refers to the
cookies used on the website. In this section it can be seen, among other
things, that it indicates the use of technical, personalization and
advertising or behavioral cookies. Within this last group, the website
indicates that it uses a series of cookies, 33 in total, mainly from
Google.com, to track user behavior when browsing the entity's website.


The cookies detected when visiting the website on 08/16/21 that coincide with
those that the entity indicates that it uses are the following:

(…) 4.4. "Behavioral advertising" cookies: Behavioral advertising cookies
collect information about your behavior according to your browsing habits and
allow us to manage the appropriate advertising spaces more effectively,
adapting the content to your specific profile:

SAPISID .google.com / behavioral
SID .google.com / behavioral
SSID .google.com / behavioral
CONSENT .google.com / behavioral
OGPC .google.com / behavioral
1P_JAR .google.com / behavioral

       b).- Regarding consent to the use of non-necessary cookies:


For the use of non-exempt cookies, the user's express consent must be
obtained. This consent can be obtained by clicking on "accept" or by inferring
it from an unambiguous action carried out by the user which denotes that
consent has been unequivocally given. Therefore, the mere inactivity of the
user, scrolling or browsing the website will not be considered, for all
purposes, a clear affirmative action under any circumstances and will not by
itself imply the provision of consent. Similarly, access to the second layer,
if the information is presented in layers, as well as the navigation necessary
for the user to manage their preferences in relation to cookies in the control
panel, is not considered an active behavior from which the acceptance of
cookies can be derived.

If the option is to go to a second layer or cookie control panel, the link
should take the user directly to said settings panel. To facilitate the
selection, in addition to a granular cookie management system, two more
buttons can be implemented in the panel, one to accept all cookies and another
to reject them all. If the user saves their choice without having selected any
cookie, it will be understood that they have rejected all cookies. Regarding
this second possibility, in no case are pre-ticked boxes in favor of accepting
cookies admissible.

If, for the configuration of cookies, the website refers to the configuration
of the browser installed in the terminal equipment, this option could be
considered complementary for obtaining consent, but not the only mechanism.
Therefore, if the publisher opts for this option, it must also offer, in any
case, a mechanism on its own web page that allows the use of cookies to be
rejected and/or managed in a granular way.

On the other hand, it must be possible to withdraw the consent previously
given by the user at any time. To this end, the publisher must offer a
mechanism that makes it possible to easily withdraw consent at any time. This
ease will be considered to exist, for example, when the user has simple and
permanent access to the cookie management or configuration system.

If the publisher's cookie management or configuration system does not allow
the use of third-party cookies to be avoided once they have been accepted by
the user, information will be provided on the tools offered by the browser and
by third parties, and it must be noted that if the user accepts third-party
cookies and subsequently wishes to delete them, they must do so from their own
browser or from the system enabled by the third parties for that purpose.


In our case, if you choose to "reject all cookies" through the corresponding
option, <<Refuse cookies>>, in the banner of the page, it is verified that the
website continues to use the same third-party cookies (from Google.com) listed
above.

If you access the cookie control panel through the corresponding link,
<<permission settings>>, and you choose not to activate any group of cookies,
clicking directly on the <<save to computer>> option for the configuration and
exiting the control panel, with the intention that third-party cookies are not
used, it was verified that the website continued to use the same Google.com
cookies listed above.
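
The verification described in sections a) and b) (first load with a clean cache, after <<Refuse cookies>>, and after saving an empty control panel) can be run as a repeatable check. The following is an added example, not part of the resolution; the cookie captures, the site domain bank.example and the exempt session cookie are constructed assumptions.

```python
# Added example: audit cookies present in the three no-consent states the
# resolution tested. All captures below are constructed sample data.

# Names the resolution reports as declared "behavioral" in the site's policy.
DECLARED_BEHAVIORAL = {"SAPISID", "SID", "SSID", "CONSENT", "OGPC", "1P_JAR"}

# Assumption: cookies the auditor has classified as exempt (technical).
# JSESSIONID on bank.example is a hypothetical first-party session cookie.
EXEMPT = {("JSESSIONID", "bank.example")}

# Constructed captures, one "NAME DOMAIN" pair per line.
SNAPSHOTS = {
    "first_visit_no_action": "JSESSIONID bank.example\nSID .google.com\nNID .google.com",
    "after_refuse_cookies": "JSESSIONID bank.example\nSID .google.com\n1P_JAR .google.com",
    "after_saving_empty_panel": "JSESSIONID bank.example\nSAPISID .google.com",
}


def parse_jar(text):
    """Turn 'NAME DOMAIN' lines into a set of (name, domain) tuples."""
    jar = set()
    for line in text.strip().splitlines():
        name, domain = line.split()
        jar.add((name, domain.lstrip(".")))
    return jar


def is_third_party(domain, site_domain):
    """True when the cookie domain is neither the site nor a subdomain of it."""
    return not (domain == site_domain or domain.endswith("." + site_domain))


def audit(snapshots, site_domain):
    """Map each no-consent state to its non-exempt cookies.

    Each finding is (name, domain, third_party, declared_behavioral); any
    finding at all means a cookie was in use without consent in that state.
    """
    findings = {}
    for state, text in snapshots.items():
        flagged = [
            (name, domain, is_third_party(domain, site_domain),
             name in DECLARED_BEHAVIORAL)
            for name, domain in parse_jar(text)
            if (name, domain) not in EXEMPT
        ]
        findings[state] = sorted(flagged)
    return findings
```

A state passes only when its list of findings is empty; whether a cookie belongs in the exempt set is a judgment on its purpose, not on its name.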

IV.- Violation of the "Cookies Policy":


The use of cookies that are not technical or necessary without the prior
consent of the user could constitute, on the part of the respondent entity,
an infringement of article 22.2 of the LSSI, which establishes that:


“Service providers may use data storage and retrieval devices on the terminal
equipment of recipients, provided that they have given their consent after
having been provided with clear and complete information on their use, in
particular on the purposes of the data processing, in accordance with the
provisions of Organic Law 15/1999, of 13 December, on the protection of
personal data.

When technically possible and effective, the recipient's consent to the
processing of the data may be given by using the appropriate settings of the
browser or of other applications.

The foregoing will not prevent any storage or access of a technical nature
for the sole purpose of carrying out the transmission of a communication over
an electronic communications network or, to the extent that it is strictly
necessary, for the provision of an information society service expressly
requested by the recipient".


This infringement is classified as "minor" in article 38.4 g) of the
aforementioned Law, which considers as such: "Using data storage and retrieval
devices when the information has not been provided or the consent of the
recipient of the service has not been obtained in the terms required by
article 22.2.", and may be sanctioned with a fine of up to €30,000, in
accordance with article 39 of the aforementioned LSSI.

In view of the evidence obtained, it is considered appropriate to grade the
sanction to be imposed in accordance with the following aggravating criterion,
established by art. 40 of the LSSI: “The existence of intentionality, an
expression that must be interpreted as equivalent to degree of guilt in
accordance with the Judgment of the National Court of 11/12/07 handed down in
Appeal no. 351/2006, it being incumbent on the respondent entity to establish
a system for obtaining informed consent that complies with the mandate of the
LSSI”.


In accordance with said criteria, it is deemed appropriate to impose a penalty
of 2,500 euros (two thousand five hundred euros) for the violation of article
22.2 of the LSSI, regarding the cookie policy applied on the web page in
question.


Therefore, in accordance with the foregoing, the Director of the Spanish Data
Protection Agency


                                   RESOLVES:

FIRST: IMPOSE on the entity OPEN BANK, S.A., with CIF.: A28021079, holder of
the web page ***URL.1, a penalty of 2,500 euros (two thousand five hundred)
for the violation of article 22.2 of the LSSI, regarding the deficiencies
detected in the "Cookies Policy" of the website.


SECOND: NOTIFY this resolution to the entity OPEN BANK S.A.

THIRD: Warn the sanctioned party that the sanction imposed must be paid once
this resolution is enforceable, in accordance with the provisions of Article
98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, within the voluntary payment period indicated in
Article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December,
by depositing it in the restricted account No. ES00 0000 0000 0000 0000 0000,
opened in the name of the Spanish Data Protection Agency at the bank
CAIXABANK, S.A.; otherwise, it will be collected in the enforcement period.

Once the notification has been received and once it is enforceable, if the
date of enforceability falls between the 1st and 15th of each month, both
inclusive, the term to make the voluntary payment will be until the 20th day
of the following month or the immediately following business day, and if it
falls between the 16th and the last day of each month, both inclusive, the
payment term will be until the 5th of the second following month or the
immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process
(article 48.6 of the LOPDGDD), and in accordance with the provisions of
articles 112 and 123 of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, interested parties may
optionally file an appeal for reversal before the Director of the Spanish
Data Protection Agency within a month from the day following notification of
this resolution, or directly file a contentious-administrative appeal before
the Contentious-Administrative Chamber of the National Court, in accordance
with the provisions of article 25 and section 5 of the fourth additional
provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from
the day following the notification of this act, as provided for in article
46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of
Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations, the final resolution may be suspended as a precautionary
measure in administrative proceedings if the interested party declares their
intention to file a contentious-administrative appeal. If this is the case,
the interested party must formally communicate this fact in writing addressed
to the Spanish Data Protection Agency, presenting it through the Electronic
Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or
through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. They must also send the Agency the
documentation proving the effective filing of the contentious-administrative
appeal. If the Agency is not aware of the filing of the
contentious-administrative appeal within a period of two months from the day
following the notification of this resolution, the precautionary suspension
will be terminated.

Mar España Martí

Director of the Spanish Data Protection Agency.