AEPD (Spain) - PS/00554/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(b) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 8 GDPR
Article 12(2) GDPR
Article 13 GDPR
Article 25 GDPR
Article 30(1) GDPR
Article 22(2) LSSI
Type: Investigation
Outcome: Violation Found
Started: 11.03.2021
Decided:
Published:
Fine: 75.000 EUR
Parties: n/a
National Case Number/Name: PS/00554/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD launched an investigation and fined a pornographic website €75,000 for violation of Articles 5(1)(a), 5(1)(b), 5(1)(e), 13, 12(2), 30(1), 8 and 25 GDPR, as well as Article 22(2) LSSI.

English Summary

Facts

The Spanish DPA launched an investigation against the controller, the owner of a pornographic website, due to the possible processing of personal data and profiling of minors under fourteen years of age. During the investigation, several violations of the GDPR were found.

Firstly, the controller denied processing minors' personal data, except for basic contact information in a specific section where the user must register with a username, password and email. However, its privacy policy indicated otherwise: it prohibited minors under 14 years of age from providing their data and required parental consent for those under 18. Similarly, the controller denied performing any profiling and stated that its cookies analyse visits primarily to see where users navigate on its pages. However, in its privacy policy it admitted collecting IP addresses, names, email addresses and other data to generate a user profile. This profile included location, gender, age, sexual preferences and media content.

Secondly, the DPA observed that when a user entered the website for the first time, a pop-up window asked them to declare that they were of legal age. However, by clicking anywhere outside the confirmation area, access to the website was allowed without any restriction. Personal data, such as name and email, were collected when the user registered on the site without any age verification. Registered users could then access and share videos, see the profiles of other users and share their own profiles.

Thirdly, by accepting the legal notice on cookies, users implicitly accepted their use and there was no option to access the website while rejecting the cookies.

Fourthly, the DPA verified that the controller was processing data for purposes other than those established in its privacy policy, which stated that data would be shared with "tax and accounting consultancy (in case of purchase through the website)." However, the records of processing activities submitted to the DPA also included the processing of data to maintain a contractual relationship with the user.

Fifthly, there was no information in the privacy policy as to the retention period, but the controller stated that personal data obtained from non-registered users were kept for 365 days for statistical and marketing purposes, while personal data obtained from registered users were kept for an indefinite period. Moreover, the controller was not able to present proper records of processing activities or a general description of the technical and organisational security measures adopted.

Finally, the DPA noted that the controller requested data subjects to present their national ID in order to exercise their rights.

Holding

Firstly, the DPA stressed that Article 5(1)(a) GDPR establishes that personal data must be processed lawfully, fairly and transparently. In the case at hand, the DPA noticed a lack of clarity about what user data were being collected and for which purposes. It stated that the provision of contradictory, unclear and incorrect information frustrated the transparency principle, even if the required information was technically provided in the privacy policy.

Secondly, the DPA pointed out that while the GDPR requires parental consent for children under 16 years old, the Spanish LOPDGDD requires it for children under 14. Given that there were no effective mechanisms to verify the age of users, the DPA also found a violation of Article 8 GDPR.

Thirdly, the DPA highlighted the need for a cookie banner on the website's first layer providing clear and concise information about the cookies being used and how users can accept, configure or reject their use. It also recalled that the user must give explicit consent for cookies that are not strictly necessary, and that scrolling or navigating through the website shall not be considered consent for this purpose. In the case at hand, the DPA found that the absence of such a banner on the website and the use of third-party cookies without prior consent violated Article 22(2) LSSI.

Fourthly, the DPA emphasised that the purpose limitation principle, provided for by Article 5(1)(b) GDPR, requires that personal data be collected for specified, explicit and legitimate purposes and not be further processed in a manner incompatible with those purposes. It held that the controller violated this principle by processing personal data for a purpose other than that stated in its privacy policy.

Fifthly, the DPA found a violation of Article 5(1)(e) GDPR for retaining the personal data of registered users indefinitely, and a violation of Article 13 GDPR for not providing information about the retention period in the privacy policy.

Finally, the DPA considered that requiring the presentation of an ID as a condition for the exercise of data protection rights infringes Article 12(2) GDPR, which establishes that the controller shall facilitate the exercise of those rights.

On top of that, the DPA considered that the systematic violation of data protection rules by the controller also constitutes an infringement of the obligation to implement data protection by design and by default, as provided for by Article 25 GDPR.

In view of the above, the DPA fined the controller €75,000 for violating Articles 5(1)(a), 5(1)(b), 5(1)(e), 13, 12(2), 30(1), 8 and 25 GDPR, as well as for violating Article 22(2) LSSI.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.