AEPD (Spain) - PS/00006/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(a) GDPR Article 8 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | GRUP BC S.L. |
National Case Number/Name: | PS/00006/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The AEPD confirmed that the lack of precision in a webpage's privacy policy violated the GDPR.
English Summary
Facts
A citizen submitted a complaint to the AEPD stating that the privacy policy of www.banderacatalana.cat did not comply with the GDPR. GRUP BC S.L. was the controller of the page. In particular, the complainant stated that the privacy policy did not include precise information regarding the specific purposes of the processing of personal data, the consent and the child’s consent as a legal basis of the processing.
Dispute
Does the lack of specific information in a privacy policy regarding the purposes of processing, the consent and the child’s consent as a legal basis of the processing contravene Articles 13(1), 6(1)(a) and 8 GDPR?
Holding
The AEPD found that GRUP BC S.L. violated Articles 13(1), 6(1)(a) and 8 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
Procedure No.: PS/00006/2019 938-0419

DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and in consideration of the following

BACKGROUND

FIRST: On 27/08/2018 a complaint by Mr. A.A.A. (hereinafter, the claimant) was entered in the Register of the Spanish Data Protection Agency (AEPD), in which he states that page ***URL.1 does not comply with data protection regulations. The entity responsible for the web banderacatalana.cat is the company GRUP BC, S.L., with NIF B65880916 (hereinafter, the respondent).

SECOND: In view of the claim formulated, the AEPD, in the framework of the file with reference E/7148/2018, by means of a letter dated 09/10/2018, notified electronically, gave notice of the claim to the respondent and requested information on the measures that had been adopted to put an end to the denounced irregular situation. The certificate issued by the FNMT in the file proves that the letter of transfer was made available to the defendant at the electronic site on 09/10/2018 and that the automatic rejection took place on 20/10/2018. The AEPD reiterated the notification to the respondent on 25/10/2018, this time through the postal mail that was delivered - as it is proved by the certificate issued by the Sociedad Estatal Correos y Telégrafos, S.A. - on 29/10/2018 at 10:37 am. The claimant was notified by post of a letter acknowledging receipt of his claim and informing him of the transfer to the respondent. On 31/10/2018 this letter was returned to the AEPD as it had not been removed from the post office where it was deposited after two attempts at delivery with no result. In accordance with the provisions of article 65.5 of the Organic Law 3/2018, on Data Protection and Guarantee of Digital Rights (LOPDGDD), on 12/12/2018 the agreement of admission to process this claim is signed.
In accordance with article 67.1 of the LOPDGDD, the Data Inspectorate of the AEPD carries out the following actions in order to determine the facts and circumstances that justify the processing of the procedure On 31/01/2019 the Privacy Policy is accessed from page ***URL.1 and the following points are noted. - The web page ***URL.1 offers in the section called information ("Informaciò") and within it in the sub-section legal text ("Text Legal"), access to its Privacy Policy. - The Privacy Policy to which access is given informs that the person responsible for the processing of the data is "Grupo Bandera Catalana", Grup BC, S.L., (B65880916), with address in calle Venus 86 B, Terrassa 08228. - The Policy of Privacy of the claimed one dedicates two sections to these questions: The person responsible (i); the purposes, legitimacy and conservation of the treatment of the data sent through contact forms, e-mails and subscription to its newsletter (ii); the recipients of the data (iii); the rights in relation to their personal data (iv); cookies (v); security of their personal data (vi) and updating of their personal data (vii). - In turn, the second of the above-mentioned sections - purposes, legitimacy and conservation of the processing of data sent through contact forms, e-mails and subscription to your newsletter - details, depending on the means by which the owner has provided them, what the purpose of the processing is and what the legitimacy for the processing of personal data is. For each of the means of data collection used, the following legitimacy is stated ("Legitimaciò"): The user's consent when requesting information through our contact form. The user's consent when requesting information from us through the e-mail address. The user's consent when subscribing to our commercial mailings or newsletters. 
Later on, the legal information of the web page ***URL.1, in the same section destined to the purposes, legitimization and conservation of the treatment of the data sent through contact forms, e-mails and subscription to the newsletter, indicates that the provision of personal data requires a minimum age of 13 years or if applicable, to have sufficient legal capacity to contract (the underlining is from the AEPD). Given that the ***URL.1 website, and therefore also the Privacy Policy, uses exclusively one of the co-official languages of Catalonia, Catalan, the information referred to is transcribed as offered, i.e. written in Catalan: "The supply of personal data requires a minimum age of 13 years or, if necessary, sufficient legal capacity to contract" (the underlining is from the AEPD).

THIRD: On 06/02/2019, the Director of the Spanish Data Protection Agency agrees to initiate sanctioning proceedings against the defendant for the alleged infringement of Article 13.1, in relation to Articles 6.1(a) and 8.1 of the RGPD and in relation to Article 7 of Organic Law 3/2018, on Data Protection and Digital Rights Guarantees (LOPDGDD). Infringement referred to in Article 83.5 of the RGPD.

FOURTH: The agreement to commence was notified to the defendant electronically, in accordance with the provisions of Article 14 of Law 39/2015 on the Common Administrative Procedure of Public Administrations (LPACAP). The certificate issued by the FNMT's Electronic Notifications and Qualified Electronic Address Service, which is in the file, proves that the agreement to initiate was made available to the entity on 07/02/2019 and was rejected on 18/02/2019. This Agency reiterated the notification of the agreement to initiate the file by mail addressed to the registered office of the respondent. The certificate issued by the Sociedad Estatal Correos y Telégrafos certifies that the agreement to open the file was notified to the respondent, with the date of delivery being 10:33 on 04/03/2019.
In accordance with Article 73.1 of the LPACAP, 'The formalities to be completed by the interested parties must be carried out within ten days of the date of notification of the corresponding act', except when the law establishes a different period. In the initiation agreement of PS/0006/2019, a period of ten working days was granted to formulate allegations and it was also stated, as provided in article 64.2.f) of Law 39/2015 that, in the event of not formulating allegations on the content of the initiation agreement within the time limit, the agreement may be considered a proposal for a resolution when it contains a precise pronouncement on the responsibility charged. This Agency is not aware that the respondent has made any allegations to the agreement to initiate the sanctioning procedure.

By means of diligence dated 31/10/2019 the instructor of the file records the result of the access made on that date to the Privacy Policy of the web page banderacatalana.cat. The screenshots obtained of that web site demonstrate that in the section "Purpose, legitimization and conservation of the treatments of the data sent through: Contact form (...) Sending of e-mails (...) Subscription to our newsletter" of the legal information there continues to be information identical to that which appeared on 31/01/2019: The provision of personal data will require a minimum age of 13 years or, in its case, to have sufficient legal capacity to contract. Likewise, the screenshots included in the certificate issued on 31/10/2019 prove that page ***URL.1 informs that "the new person in charge of the web site hosted in ***URL.2 and of the processing of personal data" is Mr. B.B.B.
with tax identification number ***NIF.1 and fiscal address in calle ***DIRECCIÓN.1 Given that the defendant did not make any allegations to the agreement to initiate the sanctioning file, under Article 64.2.f) of the LPACAP, and given that the agreement to initiate the proceedings contained a specific and determined pronouncement on the liability of the defendant, the procedure to propose a resolution is omitted and the corresponding resolution will be issued The following are considered to be proven in these proceedings, FACTS 1.- On 31/01/2019 the site ***URL.2 informs that Grup BC, S.L., with NIF B65880916, is responsible for the processing of personal data. It provides its postal address (calle Venus 86 B, Terrassa 08228) and an e-mail address: ***EMAIL.1 2. On that date, 31/01/2019, the privacy policy that can be accessed from the above-mentioned website refers, among other matters, to the "Purposes, legitimacy and conservation of the processing of data sent through: contact forms (...) Sending of e-mails (...) Subscription to our Newsletter (...)". In this sub-section - "Subscription to our Newsletter" - the following is indicated: " Purpose: Sending our commercial newsletter, informative and advertising communications about our products or services that are of interest to you, including by electronic means (e-mail, SMS, etc). Legitimation: The user's consent when subscribing to our commercial mailings or newsletters. Conservation: Until the interested party revokes the consent and requests the cancellation of the service. Obligation to provide personal data and consequences of not doing so. "The provision of personal data requires a minimum age of 13 years or, where appropriate, have sufficient legal capacity to contract. (The underlining is from the AEPD) 3. The notification to the respondent of the agreement to open file PS/0006/2019 was made electronically on 07/02/2019 (date of availability) and was automatically rejected on 18/02/2019. 
This is confirmed by the FNMT certificate in the file.

4. On 04/03/2019, at 10.30 a.m., the respondent accepted the agreement to initiate PS/006/2019, since the AEPD reiterated the notification by post. The certificate issued by the Sociedad Estatal Correos y Telégrafos attesting to this is in the file.

5. There is no record in the Register of the AEPD of the fact that the respondent has made any allegations concerning the agreement to initiate PS/006/2019.

6. On 31/10/2019, the web page banderacatalana.cat offers this information in its privacy policy. In the section "Purpose, legitimacy and conservation of the treatments of the data sent through: Contact form (...) Sending of e-mails (...) Subscription to our newsletter" there continues to be information identical to that which appeared on 31/01/2019: The provision of personal data will require a minimum age of 13 years or, in its case, to have sufficient legal capacity to contract.

7. On 31/10/2019 the page ***URL.1 informs that "the new person in charge of the web hosted in ***URL.2 and of the processing of personal data" is Mr. B.B.B. with tax identification number ***NIF.1 and fiscal address in street ***DIRECTION.1

LEGAL BASIS

I

By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The defendant is accused of violating Article 13(1) of the RGPD, in relation to Articles 6(1)(a) and 8 of Regulation 2016/679. Infringement typified in Article 83.5 of the RGPD and, for the purposes of prescription, qualified by the LOPDGDD as a very serious infringement (Article 72.1.h).
Article 13 of the RGPD, under the heading "Information to be provided when personal data are obtained from the interested party", establishes:

"Where personal data are obtained from a data subject, the data controller shall, at the time when the data are obtained, provide the data subject with all the following information: (a) the identity and contact details of the controller and, where appropriate, his representative; (b) the contact details of the data protection representative, if any; (c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;" (Emphasis added)

In accordance with the above-mentioned precept, the data controller is obliged to inform the data subject whose personal data are collected of the "legal basis of the processing" he or she is going to carry out; this implies informing the data controller of the legitimacy of the entity collecting the data for the specific processing he or she intends to carry out. In this regard, Article 5.1.a) of the RLOPD mentions among the principles governing the processing of personal data that of "lawfulness". The "lawfulness of processing" is regulated in Article 6 of the RGPD, which states:

"1. Processing shall be lawful only if at least one of the following conditions is met: (a) the data subject has given his consent to the processing of his personal data for one or more specific purposes. (...)" (Emphasis added by the AEPD)

The transcribed provision is supplemented by Article 8 of the same legal text -RGPD- which deals with the "Conditions applicable to the child's consent to information society services": "Where Article 6(1)(a) applies in relation to the direct supply of information society services to children, processing of a child's personal data shall be considered lawful when the child is at least 16 years old.
If the child is under 16 years of age, such consent shall be considered lawful only if and to the extent that it was given or authorised by the holder of parental authority or guardianship over the child. Member States may provide by law for a lower age for such purposes, provided that it is not lower than 13 years. 2. The controller shall make reasonable efforts to verify in such cases that the consent was given or authorised by the holder of parental authority or guardianship over the child, taking into account available technology. 3. Paragraph 1 shall be without prejudice to general provisions of the contract law of the Member States, such as rules concerning the validity, formation or effect of contracts in relation to a child." (Emphasis added by the AEPD)

Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter referred to as LOPDGDD), which entered into force on December 7 (Final Provision Sixteen), has made use of the authorization granted by Article 8.1., last paragraph, of the RGPD to Member States to determine the age at which it is lawful for a person under 16 years of age to give his or her consent to the processing of his or her data in connection with the direct provision of information society services. The LOPDGDD, within the limits of Regulation 2016/697, sets the age for consenting to the processing of data at 14 years of age. Article 7 of the LOPDGDD under the heading "Consent of Minors", states "1. The processing of the personal data of a minor may only be based on his/her consent when he/she is over fourteen years of age. Exceptions are made in cases where the law requires the assistance of the holders of parental authority for the conclusion of the legal act or transaction in the context of which consent to processing is sought. 2.
The processing of the data of minors under fourteen years of age, based on consent, shall be lawful only if the consent of the holder of parental authority or guardianship is given, to the extent determined by the holders of parental authority or guardianship". (The underlining is from the AEPD)

III

The ***URL.1 web page offers the telematic sale of various products and offers the possibility to those who wish to subscribe to its commercial bulletin or newsletter with the aim of receiving informative and advertising communications about its products or services; communications that - it says - will also be received by electronic means "(E-mail, SMS, etc)". The website details that the legal basis for the processing of personal data through the sending of commercial bulletins is the consent given by the user when he or she subscribes to these mailings. The website states as follows: "Obligation to provide your personal data and consequences of not doing so The provision of personal data requires a minimum age of 13 years or, where appropriate, have sufficient legal capacity to contract. The personal data requested are necessary to manage your requests and/or provide you with the services you may contract, so that, if you do not provide them, we will not be able to attend to you correctly or provide the service you have requested".

It seems appropriate to recall - for the purposes of applying Article 8 of the RGPD - that commercial bulletins sent by electronic means constitute an information society service. In this respect, we refer to the definition given in the Annex to Law 34/2002 on Information Society Services (LSSI): "For the purposes of this Law, it is understood that: a. Information society services or services: any service normally provided for payment, at a distance or by electronic means and at the individual request of the recipient.
(...)Information society services are, among others and provided that they represent an economic activity, the following: The contracting of goods and services by electronic means (...) 4. The sending of commercial communications. (...)" (Emphasis added) The Privacy Policy of the web page banderacatalana.cat., in compliance with the obligation imposed by article 13.1 of the RGPD, provides information about the identity and contact details of the person responsible for the treatment (section a, of the precept). The person responsible who on the date of the opening of the agreement to initiate the sanctioning process was Grup BC, S.L., with NIF B65880916. It also informs - as required by section b, of article 13.1, of the RGPD - of the purposes of the data processing and of the legitimacy of the processing it carries out. This information is provided by distinguishing three hypotheses that correspond to the three ways in which the Privacy Policy of the site provides for the collection of data from third parties: the contact forms, the sending of emails or the subscription to the news magazine (newsletter). The Privacy Policy examined always identifies "consent" as the origin or cause of the legitimacy of the data processing - for the three cases or hypotheses it contemplates. It therefore states, respectively for each of these cases, that the legitimacy is based on consent "when requesting information from us through the contact form", or "when requesting information from us through your e-mail address" or "when subscribing to your commercial mailings". Thus, the legality of the processing of personal data of third parties is protected by Article 6.1.a) of the RGPD. 
At this point, it should be stressed that Article 6 of the RGPD is linked to Article 8 of the same legal text, which warns that when the data subject's consent (Article 6(1)(a) of the RGPD) is applied in relation to the direct provision of Information Society services to children, processing is lawful only if the minor is at least 16 years old, and Member States may set a lower age limit provided that the minor has reached the age of 13. It should be remembered that the LOPDGDD has set this age at 14 (Article 7 of the LOPDGDD). However, the Privacy Policy of the website states that the provision of personal data requires a minimum age of 13 years or, if appropriate, having sufficient legal capacity to contract (the underlining is from the AEPD). According to this statement, it seems that the person over thirteen and under fourteen years of age can consent to the processing of their personal data. This information is contrary to the provisions of Article 8 of the RGPD, in relation to its Article 6.1.a, and Article 7.1 of the LOPDGDD.

The information provided by the website coincides with the criterion initially adopted by the draft Organic Law on Data Protection and which, in the end, was not reflected in the Law. On the contrary, the LOPDGDD of 5 December, which came into force on 7 December, sets at 14 years the lower age limit for a minor to consent to the processing of their data. It should be added to the above that the respondent, in addition to not having made any allegations to the agreement to start the file, despite the fact that it is proven that it has received it (see Proven Facts), has not rectified the information provided in its Privacy Policy.
In short, as article 13.1.c) of the RGPD requires that the person responsible for the processing of the data, when these are obtained directly from the data subject, informs about the legal basis of the processing and, given that the information that the Privacy Policy of the banderacatalana.cat website provides in relation to the legal basis of the processing of personal data for commercial purposes - data that is collected when filling out the form in the newsletter - contravenes the RGPD - articles 6.1.a in relation to article 8.1 - and the LOPDGDD - Article 7 -, the information provided on the website ***URL.1, for which GRUP BC, S.L. was responsible on the date on which the agreement to commence was notified, infringes Article 13(1)(c) of the RGPD.

IV

Article 58.2 of the RGPD states: "Each supervisory authority shall have all the following corrective powers as set out below: (…) to punish any controller or processor with a warning where processing operations have infringed the provisions of this Regulation. (…) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case, (…)”

On the appropriateness of opting, in the present case, for the penalty of a fine provided for in Article 83(5) of the RGPD or for the penalty of a warning under Article 58(2)(b), recital 148 of Regulation 2016/679 should be referred to, which offers the following reflection: "In case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a warning may be imposed instead of a penalty in the form of a fine.
However, particular attention should be paid to the nature, gravity and duration of the infringement, its intentional nature, the measures taken to mitigate the damage suffered, the degree of liability or any previous relevant infringement, the manner in which the supervisory authority became aware of the infringement, compliance with measures ordered against the person responsible or entrusted, adherence to codes of conduct and any other aggravating or mitigating circumstances" (emphasis added by the AEPD) Having analysed the circumstances of the case in question, since the examination of the Privacy Policy of the respondent shows that in December 2018, in general, it had been updated to the terms of the RGPD and that the erroneous information provided regarding the age at which a minor could consent to the processing of his or her personal data could be caused by the fact that it adopted the criterion that the draft Organic Law on Data Protection initially set - according to which the age limit was 13 years - and did not rectify it later - when the LOPDGDD was approved and changed the criterion of the draft establishing 14 years as the minimum age - it is considered appropriate to punish the infringement of the RGPD for which it is responsible with a warning and not with the fine provided for in Article 83.5 RGPD, as this decision is more in line with the spirit of the RGPD in the light of recital 148. Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO IMPOSE on GRUP BC S.L. (BANDERACATALANA.CAT), with NIF B65880916, for an infringement of Article 13(1), in connection with Articles 6(1)(a) and 8 of Regulation (EU) 2016/679, General Data Protection Regulation (RGPD), and Article 7 of the LOPDGDD, as defined in Article 83(5) of the RGPD, a warning sanction provided for in Article 58(2)(b) of the RGPD) SECOND: TO NOTIFY this resolution to GRUP BC S.L. (BANDERACATALANA.CAT). 
THIRD: In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure according to article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, file an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly file an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of the LPACAP, the firm resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. He must also send to the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Agency