AEPD (Spain) - PS/00554/2021
Article 5(1)(b) GDPR
Article 5(1)(e) GDPR
Article 5(1)(a) GDPR
Article 8 GDPR
Article 12(2) GDPR
Article 13 GDPR
Article 25 GDPR
Article 30(1) GDPR
Article 22(2) LSSI
English Summary
Facts
The Spanish DPA launched an investigation against the controller, owner of a pornographic website, due to possible processing of personal data and profiling of minors under fourteen years of age. During the investigations, several violations of the GDPR were found.
Secondly, the DPA observed that when a user entered the website for the first time, a pop-up window asked them to declare that they were of legal age. However, clicking anywhere outside the confirmation area gave access to the website without any restrictions. Personal data, such as name and email, were collected when the user registered on the site, without any age verification. Registered users could then access and share videos, see the profiles of other users and share their own profiles.
Thirdly, by accepting the legal notice on cookies, users implicitly accepted their use and there was no option to access the website while rejecting the cookies.
Finally, the DPA noted that the controller requested that data subjects present their national ID in order to exercise their rights.
Holding
Secondly, the DPA pointed out that while the GDPR requires parental consent for children under 16 years old, the Spanish LOPDGDD requires it for children under 14. Given that there were no effective mechanisms to verify the age of the users, the DPA also found a violation of Article 8 GDPR.
Thirdly, the DPA highlighted the need for a cookie banner on the website's first layer providing clear and concise information about the cookies being used and how users can accept, configure or reject their use. It also recalled that the user must give explicit consent for cookies that are not strictly necessary, and that scrolling or navigating through the website shall not be considered consent for this purpose. In the case at hand, the DPA found that the absence of such a banner on the website and the use of third-party cookies without prior consent violated Article 22(2) LSSI.
Finally, the DPA considered that requiring the presentation of an ID as a condition for the exercise of data protection rights infringes Article 12(2) GDPR, which establishes that the controller shall facilitate the exercise of those rights.
On top of that, the DPA considered that the systematic violation of data protection rules by the data controller also constitutes an infringement of the obligation to implement privacy by design and by default, as provided for by Article 25 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.