AEPD (Spain) - PS/00603/2021: Difference between revisions

From GDPRhub

Latest revision as of 16:47, 27 April 2022

AEPD (Spain) - PS/00603/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 13 GDPR
Article 22.2 Spanish Law of Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Started: 13.12.2020
Decided: 10.01.2022
Published: 18.04.2022
Fine: 1800 EUR
Parties: Lia's Clothes
National Case Number/Name: PS/00603/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao

The Spanish DPA issued a fine of €1800 against an online clothes store for processing personal data without data subjects' consent, for failing to have a privacy policy, and for the use of non-essential cookies without providing appropriate information through a cookie banner.

English Summary

Facts

A data subject filed a complaint against Lia's Clothes (an online clothes store) stating that the website did not have an adequate privacy policy or cookie banner.

The Spanish DPA (AEPD) initiated an investigation, and determined that once data subjects were prompted to introduce their personal data, there was indeed no information provided related to the protection of personal data, or a link to a privacy policy.

The AEPD also verified that when entering the website, non-essential cookies such as Google Analytics are used, without an adequate banner informing data subjects about their use, the possibility to reject them, or consent to them in a differentiated granular manner.

Holding

The AEPD held that by processing personal data without the data subject’s clear, affirmative, informed and free consent, or any other valid legal basis, the online store had violated Article 6(1) GDPR.

The AEPD also held that the online store had violated its obligation under Article 13 GDPR to provide data subjects information related to the processing of their personal data when collected from them, in particular by not having a privacy policy and not disclosing any details as to who the controller of that personal data would be.

Lastly, the AEPD held that the online store’s use of non-essential cookies without having a cookie banner violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, as well as the possibility to reject non-essential cookies.

Taking into account that the online store was owned by a private individual, the AEPD issued a fine of €1000 for each of the three aforementioned violations, for a total fine of €3000. Due to the fact that the individual voluntarily paid the fine and expressly accepted their responsibility, the fine was reduced to €1800.

The AEPD also ordered the owner of the store to incorporate an adequate privacy policy and cookie banner in order to comply with GDPR and national data protection provisions.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00603/2021

RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On January 10, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against A.A.A. (hereinafter, the claimed party), through the Agreement that is transcribed:

<<

Procedure No.: PS/00603/2021

AGREEMENT TO START A SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency before Mrs. A.A.A., with NIF.: ***NIF.1, owner of the website: https://liasclothes.olistshops.com/, (hereinafter, "the claimed party"), under the claim filed by the entity ZULMAR SANTAMARÍA, S.L., (hereinafter, "the claimant party"), for the alleged violation of data protection regulations, and taking into account the following:

FACTS

FIRST: On 12/13/20, this Agency received a letter of complaint, in which, among others, it indicated the following:

“We denounce the website https://liasclothes.olistshops.com/ for breaching both the RGPD and the LSSI. Specifically, it does not provide information about the Data Controller or its contact information. There is no LEGAL NOTICE with the owner's information. Nor has it published its PRIVACY POLICY or COOKIES POLICY”.

SECOND: On 01/28/21, this Agency sent a letter to the claimed party requesting information regarding the claim filed, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, on the protection of personal data and guarantee of digital rights (“LOPDGDD”).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

THIRD: On 04/26/21, the Director of the Spanish Agency for Data Protection issued an agreement admitting the claim presented for processing, in accordance with article 65 of the LOPDGDD, on assessing possible reasonable indications of a violation of the rules in the field of competences of the Spanish Agency for Data Protection.

FOURTH: On 11/03/21, the General Subdirectorate for Data Inspection addressed an informative request to the claimed party, under the powers of investigation granted to the control authorities in article 57.1 of the RGPD.

According to a certificate from the State Post and Telegraph Society, the request sent to the claimed party on 11/03/21 through the SICER service was delivered at destination on 11/10/21, the receiver being Mr. B.B.B., ***NIF.2.

FIFTH: On 12/15/21, this Agency carried out the following checks on the reported website, https://liasclothes.olistshops.com/:

a).- Regarding the processing of personal data:

1. The website works as a "virtual catalog", where the user who wants to make any purchase must enter their personal data, such as name, address, phone or email, in the "purchase" form, https://liasclothes.olistshops.com/checkout.

Once all the personal data has been entered, the user must click on the option <<send order>>, there being no acceptance box for the “Privacy Policy” on the form. At the bottom of the form there is only the following message:

“After receiving your order, we will contact you to confirm your information and arrange payment. As we do not yet offer payment through the website, we will contact you by WhatsApp, phone or email to organize the delivery and payment of your purchase. need help? get in touch: 34685792696 infozapatones@gmail.com”.

b).- About the Privacy Policy:

There is no “Privacy Policy”, nor any type of link that redirects the user to a second layer where they are informed of the necessary aspects about the treatment of their personal information. On the website there is only the following information about the party responsible for the website: “contact: 34685792696 infozapatones@gmail.com”

There is a link to "Legal Notice" located at the bottom of the page, through which the website displays a banner with the following information:

"Legal notice: "Olist Shops" is a provider of content, via "virtual catalog", for free use, being the total responsibility of the advertiser the publication of products and/or services, marketing and delivery, exempting the developers from any responsibility for misuse of the application."

c).- About the Cookies Policy:

1.- When entering the website for the first time, without accepting cookies or performing any action on the page, it has been verified that cookies are used that are not technical or necessary, whose domain is Google Analytics: (_ga, _gid, _gat), but that are installed associated with the domain of the web manager.

2.- There is no type of banner that informs about cookies on the main page or first layer of the website.

3.- There is no mechanism that makes it possible to reject cookies that are not technical or necessary. There is also no cookie control panel that enables the management of these, in a granular way or by groups.

4.- There is no "Cookies Policy", or link that redirects the user to the second layer where they are informed in more detail about cookies.

SIXTH: In view of the facts denounced, and in accordance with the evidence that is available, the Data Inspection of this Spanish Agency for the Protection of Data considers that the above does not comply with current regulations, and therefore the opening of this sanctioning procedure proceeds.

FOUNDATIONS OF LAW

I.- Competence:

- About the "Privacy Policy":

The Director of the Spanish Agency for Data Protection is competent to initiate and resolve this Sanctioning Procedure, by virtue of the powers of art. 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons with regard to the Treatment of Personal Data and the Free Circulation of these Data (RGPD) and as established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Sections 1) and 2) of article 58 of the RGPD list, respectively, the investigative and corrective powers that the supervisory authority may exercise for that purpose, mentioning in point 1.d), that of: "notifying the controller or the processor of alleged infringements of these Regulations” and in 2.i), that of: “impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case.".

- About the Cookies Policy:

The Director of the Spanish Agency for Data Protection is competent to initiate and resolve this Sanctioning Procedure, in accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Services of the Information Society and Electronic Commerce (LSSI).

II.- On the non-existence of an acceptance box, which generates a record of consent, in the purchase form.

It has been verified that in the "purchase" form, https://liasclothes.olistshops.com/, once the personal data has been entered, there is no acceptance box for the "Privacy Policy", the personal data being able to be sent directly by clicking on the link <<send order>>. Therefore, there is no possibility of giving consent through an affirmative, clear and voluntary act for the treatment of personal data.

In this sense, article 6.1.a) of the RGPD establishes, on the legality of the treatment of personal data, that the treatment of these will only be lawful if at least one of the conditions indicated in point 1 is met, among which is: “a) the interested party gave their consent for the processing of their personal data for one or several specific purposes (...)”.

Consent must be given through an affirmative, informed and free act. Silence, pre-checked boxes or inaction are not considered “having given implicit consent” for the treatment of personal data. Therefore, it is mandatory that, in order to obtain the consent of the users, they are provided with a blank box or similar mechanism where they can give consent in an affirmative, informed and free manner.

Before providing personal data and giving consent to their processing, it would be desirable that the interested party be recommended to read and understand the privacy policy. Also, it would be considered good practice to remind the user of their choice of permissions and request a confirmation of their consent, in the same way that a second confirmation is often requested when the user unsubscribes from an online service or advertising communications.

Thus, article 72.1.b) of the LOPDGDD considers it very serious, for the purposes of prescription, “The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation”.

This infraction can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the greater amount, in accordance with article 83.5.b) of the RGPD.

The balance of the circumstances contemplated, with respect to the infraction committed by violating the provisions of article 6.1 of the RGPD, and considering that the owner of the claimed web page is a natural person, allows setting an initial sanction of 1,000 euros (one thousand euros), for carrying out an illicit treatment of personal data obtained from the "purchase" form of the web page of their ownership.

Along with this and in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed on the owner of the web page would consist of ordering them to take the necessary measures to adapt it to current regulations, with the inclusion of a mechanism that enables its users to provide their consent for the treatment of their personal data, in a clear, affirmative and voluntary way.

III.- About the "Privacy Policy" of the website:

On the web page in question, personal data of users can be obtained through the "purchase" form. However, it has been found that there is no “Privacy Policy”, nor any type of link that redirects the user to a second layer where they are informed of the necessary aspects about the processing of their personal data. On the website there is only the following information about the party responsible for the page: “contact: 34685792696 infozapatones@gmail.com”.

Article 13 of the RGPD establishes the information that must be provided to the interested party at the moment of obtaining their personal data:

“1. When personal data relating to him is obtained from an interested party, the controller, at the time these are obtained, will provide: a) the identity and contact details of the controller and, where appropriate, of their representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the treatment for which the personal data is intended and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or of a third party; e) the recipients or the categories of recipients of personal data, if any; f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to adequate or appropriate guarantees and the means to obtain a copy of them or the fact that they have been provided.

2. In addition to the information mentioned in section 1, the controller will provide the interested party, at the moment in which the personal data is obtained, the following information necessary to guarantee fair and transparent data processing: a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period; b) the existence of the right to request from the controller access to the personal data related to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to the portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a control authority; e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to enter into a contract, and whether the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and expected consequences of said treatment for the interested party”.

For its part, article 72.1.h) of the LOPDGDD considers it very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the RGPD”.

This infraction can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the greater amount, in accordance with article 83.5.b) of the RGPD.

The balance of the circumstances contemplated, with respect to the infraction committed by violating the provisions of article 13 of the RGPD, and considering that the owner of the claimed web page is a natural person, allows setting an initial sanction of 1,000 euros (one thousand euros), for the lack of information on the website of their ownership regarding the treatment of personal data obtained through the purchase form.

Along with this and in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed would consist of ordering them to take the necessary measures on the web page of their ownership to adapt it to current regulations, with the inclusion on the website of a "Privacy Policy" adapted to the regulations in force, that is, to the RGPD.

IV.- About the "Cookies Policy" of the website:

a).- Regarding the installation of cookies in the terminal equipment prior to consent:

Article 22.2 of the LSSI establishes that users must be provided with clear and complete information on the use of data storage and recovery devices and, in particular, on the purposes of data processing. This information must be provided in accordance with the provisions of the GDPR. Therefore, when the use of a cookie entails a treatment that enables the identification of the user, those responsible for the treatment must ensure compliance with the requirements established by the regulations on the protection of data.

However, it is necessary to point out that those cookies necessary for the intercommunication of the terminals and the network, and those that provide a service expressly requested by the user, are exempt from compliance with the obligations established in article 22.2 of the LSSI.

In this sense, the GT29, in its Opinion 4/2012, interpreted that among the excepted cookies would be “user input” cookies (those used to fill in forms, or manage a shopping cart); user authentication or identification cookies (session); user security cookies (those used to detect erroneous and repeated attempts to connect to a website); media player session cookies; load balancing session cookies; user interface customization cookies; and some plug-in cookies to exchange social content. These cookies would remain excluded from the scope of application of article 22.2 of the LSSI, and, therefore, it would not be necessary to inform or obtain consent on their use.

On the contrary, it will be necessary to inform and obtain the prior consent of the user before the use of any other type of cookies, both first and third party, session or persistent.

In the verification carried out on the claimed website, it was found that, when entering the main page, without performing any action on it and without accepting cookies, non-necessary cookies were used.

b).- About the existing cookie information banner in the first layer (Homepage):

The banner on cookies of the first layer must include information regarding the identification of the editor responsible for the website, in the event that their identifying data do not appear in other sections of the page or that their identity is not obvious from the site itself. It must also include a generic identification of the purposes of the cookies that will be used and whether these are own or also from third parties, without it being necessary to identify them in this first layer. Furthermore, it should include generic information about the type of data to be collected and used in the event that user profiles are created, and must include information on the way in which the user can accept, configure and reject the use of cookies, with the warning, where appropriate, that if a certain action is carried out, it will be understood that the user accepts the use of cookies.

Apart from the generic information about cookies, in this banner there must be a clearly visible link directed to a second informative layer on the use of cookies. This same link can be used to take the user to the cookie configuration panel, as long as the access to the configuration panel is direct, that is, the user does not have to navigate inside the second layer to locate it.

In the case at hand, it has been found that there is no type of banner that informs about cookies on the main page or first layer of the website.

c).- Regarding consent to the use of unnecessary cookies:

For the use of non-excepted cookies, it will be necessary to obtain the consent expressly stated by the user. This consent can be obtained by clicking on “accept” or inferring it from an unequivocal action performed by the user that denotes that consent has unequivocally occurred. Therefore, mere user inactivity, scrolling or browsing the website will not be considered, for these purposes, a clear affirmative action in any circumstance and will not imply the provision of consent itself. Similarly, access to the second layer if the information is presented in layers, as well as the navigation necessary for the user to manage their preferences in relation to cookies in the control panel, is not considered an active behavior from which the acceptance of cookies can be derived.

The existence of "Cookie Walls" is not allowed either, that is, pop-up windows that block the content and access to the website, forcing the user to accept the use of cookies to be able to access the page and continue browsing.

If the option is to go to a second layer or cookie control panel, the link should take the user directly to that configuration panel. To facilitate selection, the panel can implement, in addition to a granular cookie management system, two more buttons, one to accept all cookies and another to reject all of them. If the user saves their choice without having selected any cookie, it will be understood that they have rejected all cookies. Regarding this second possibility, in no case are pre-marked boxes in favor of accepting cookies admissible.

If, for the configuration of cookies, the website refers to the browser configuration installed in the terminal equipment, this option could be considered complementary to obtain consent, but not as the only mechanism. Therefore, if the publisher opts for this option, it must also offer, in any case, a mechanism that allows the user to reject the use of cookies and/or do so in a granular way, on the web page itself.

On the other hand, the withdrawal of the consent previously given by the user must be possible at any time. To this end, the publisher must offer a mechanism that makes it possible to withdraw consent easily at any time. This facility will be considered to exist, for example, when the user has simple and permanent access to the cookie management or configuration system.

If the editor's cookie management or configuration system does not allow the user to avoid the use of third-party cookies once accepted, information will be provided on the tools provided by the browser and third parties, with the warning that, if the user accepts third-party cookies and later wishes to delete them, they must do it from their own browser or the system enabled by the third parties for it.

In the present case, it has been verified that there is no mechanism that makes it possible to reject cookies that are not technical or necessary. Nor is there any control panel that would allow the management of cookies in a granular way or by groups.

       d).- On the information provided in the second layer (Policy of

Cookies):



More detailed information about the characteristics of cookies should be provided in the Cookies Policy, including information on: the definition and general function of cookies (what cookies are); the type of cookies used and their purpose (what types of cookies are used on the website); the identification of who uses the cookies, that is, whether the information obtained by the cookies is processed only by the publisher and/or also by third parties, with identification of the latter; the retention period of the cookies on the terminal equipment; and, where applicable, information on data transfers to third countries and on profiling that involves automated decision making.











In the case at hand, it has been found that there is no "Cookies Policy", nor a link that redirects the user to the second layer where the user is informed about the necessary characteristics of cookies.




V- Violation of the Cookies Policy



The known facts could constitute an infringement, attributable to the party responsible for the website, for violation of article 22.2 of the LSSI, which establishes that:




“Service providers may use data storage and retrieval devices in the terminal equipment of recipients, provided that they have given their consent after having been provided with clear and complete information on their use, in particular on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data.

Where technically possible and effective, the recipient's consent to accept the processing of the data may be facilitated through the use of the parameters of the browser or other applications.

The foregoing will not prevent any storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient.”




This infringement is classified as "minor" in article 38.4 g) of the aforementioned Law, which considers as such: “Using data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2.”, and may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI.












Following the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the investigation, it is considered appropriate to grade the sanction to be imposed in accordance with the following aggravating criteria, established by art. 40 of the LSSI:



    - The existence of intentionality, an expression that must be interpreted as equivalent to a degree of culpability according to the Judgment of the National High Court of 11/12/07 issued in Appeal no. 351/2006, it being the responsibility of the denounced entity to establish a system for obtaining informed consent that complies with the mandate of the LSSI.



In accordance with these criteria, it is considered appropriate to impose an initial sanction of 1,000 euros (one thousand euros) for the infringement of article 22.2 of the LSSI, regarding the cookie policy on the website in question.




Along with this, the corrective measure that could be imposed would consist of ordering that the necessary measures be taken on the web page she owns to adapt it to current regulations, with the inclusion of a mechanism that makes it impossible to use non-necessary cookies before the user gives consent; including a mechanism that makes it possible to reject all cookies or do so in a granular way through a control panel; including a homepage banner with information about cookies and a "Cookies Policy" with more detailed information in a second layer.




VI-Initial total sanction:




In accordance with the criteria set out in the previous points, the total initial sanction to be imposed would be 3,000 euros (three thousand euros): 1,000 euros (one thousand euros) for the infringement of article 6.1 of the RGPD; 1,000 euros (one thousand euros) for the infringement of article 13 of the RGPD; and 1,000 euros (one thousand euros) for the infringement of article 22.2 of the LSSI.




Therefore, in accordance with the foregoing, by the Director of the Spanish Data Protection Agency,










                                      IT IS AGREED:




INITIATE: SANCTIONING PROCEDURE against Ms. A.A.A., with NIF: ***NIF.1, owner of the website https://liasclothes.olistshops.com/, for the following infringements:



    - Violation of article 6.1 of the RGPD, due to the unlawful use of data obtained from the “purchase” form on the website she owns, without the possibility of the user giving their consent.

    - Violation of article 13 of the RGPD, due to the non-existence of a “Privacy Policy” on the website.

    - Violation of article 22.2 of the LSSI, regarding the irregularities detected in the "Cookies Policy" of the website.



APPOINT: Mr. R.R.R. as Instructor and, where applicable, Ms. S.S.S. as Secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).




INCORPORATE: into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, and the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase, all of them part of this administrative file.



THAT: for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:




    - 1,000 euros (one thousand euros), for the infringement of article 6.1 of the RGPD, without prejudice to what results from the investigation of this file.

    - 1,000 euros (one thousand euros), for the infringement of article 13 of the RGPD, without prejudice to what results from the investigation of this file.

    - 1,000 euros (one thousand euros), for the infringement of article 22.2 of the LSSI, without prejudice to what results from the investigation of this file.











NOTIFY: this agreement to initiate sanctioning proceedings to Ms. A.A.A., granting her a hearing period of ten business days to formulate the allegations and submit the evidence she deems appropriate.




If within the stipulated period no allegations are made to this initial agreement, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, you may acknowledge your responsibility within the period granted for the formulation of allegations to this initial agreement, which will entail a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to 600 euros. With the application of this reduction, the sanction would be established at 2,400 euros, and the procedure would be resolved with the imposition of this sanction.




Similarly, you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will entail a reduction of 20% of its amount, equivalent in this case to 600 euros. With the application of this reduction, the sanction would be established at 2,400 euros and its payment will imply the termination of the procedure.




The reduction for the voluntary payment of the penalty is cumulative with the one that applies for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applicable, the amount of the penalty would be set at 1,800 euros (one thousand eight hundred euros).




In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.











If you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by depositing it in account Nº ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the payment concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount that is being invoked.




Likewise, you must send proof of payment to the General Subdirectorate of Inspection in order to continue with the procedure in accordance with the amount paid.



The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. Once this period has elapsed, the procedure will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.



Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.



Mar España Martí


Director of the Spanish Agency for Data Protection.












>>

SECOND: On February 4, 2022, the claimed party proceeded to pay the sanction in the amount of 1800 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.






                           FOUNDATIONS OF LAW


                                            I

In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”


Finally, the fourth additional provision, "Procedure in relation to the competences attributed to the Spanish Data Protection Agency by other laws", establishes that: "The provisions of Title VIII and its implementing regulations will apply to the procedures that the Spanish Data Protection Agency has to process in the exercise of the powers attributed to it by other laws."



                                            II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary sanction may both be imposed but the inadmissibility of the second has been justified, the voluntary payment by the alleged perpetrator, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other.

The aforementioned reductions must be stated in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by regulation."

In accordance with the foregoing,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: TO DECLARE the termination of procedure PS/00603/2021, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to A.A.A.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.



                                                                                 936-240122
Mar España Martí
Director of the Spanish Data Protection Agency















