| AEPD - PS/00092/2020 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR; Article 58(2) GDPR; Article 83(5)(b) GDPR; Ley de servicios de la sociedad de la información y de comercio electrónico |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | None |
| Parties: | AAA GROW BEATS S.L. |
| National Case Number/Name: | PS/00092/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | Agencia Española de Protección de Datos (in ES) |
| Initial Contributor: | n/a |
Spanish DPA fines a website for not applying the provisions of Article 13 GDPR, which sets out the information to be provided to the data subject at the time his or her personal data is collected.
English Summary
Facts
The website's privacy policy referred to the previous Spanish Data Protection Law; it had not been adapted to the GDPR and did not provide users with the information required by the GDPR at the time their personal data was collected.
Dispute
Holding
The Spanish DPA imposed a reprimand on the company for not complying with Article 13 GDPR, since its Privacy Policy failed to even mention the GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
DECISION ON DISCIPLINARY PROCEEDINGS

In the sanctioning procedure PS/00092/2020, instructed by the Spanish Data Protection Agency against the entity GROW BEATS SL, with CIF B02623601, holder of the website ***URL.1 (hereinafter "the requested entity"), for alleged infringement of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/16 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (RGPD), and for alleged infringement of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI), based on the following

BACKGROUND

FIRST: On 16/05/19, the following complaint was filed with this Agency by Ms. A.A.A. (hereinafter "the complainant"), in which she stated, among other things: "On April 1, 2019, I placed an order for two pairs of headphones on the website ***URL.1. Nowhere on this website is the actual name of the company, the CIF, nor the physical address of the entity. Neither is there any reference to the data protection law that online stores are obliged to indicate. When you pay by card, you are not sent to a secure gateway."

SECOND: In view of the facts set out in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection took action to clarify them, under the investigative powers granted to supervisory authorities in Article 57(1) of Regulation (EU) 2016/679 (RGPD). Thus, on 12/07/19, 15/12/19 and 20/01/20, information requests were addressed to the requested entity.

THIRD: On 25/02/20, the entity complained of presented a written statement to the Agency, in which, among other things, it states: "Sorry for the delay in responding to this, but for various reasons it has been impossible for us to do so more promptly.
Likewise, we appreciate the consideration of sending a copy of the same in paper format, since this is a newly created entity that is still in the process of adaptation in terms of the new regulations on communication with the authorities. With respect to the information required by a claim filed with this AEPD on 16 May 2019, we have to report on the obligations imposed on Data Protection on those who own a web page in which personal data can be incorporated, having verified the fulfilment of the decalogue that you yourselves refer us to. Likewise, there should not have existed, on the date when the complaint was made to the AEPD, gaps or non-compliance on the website, since it is hosted, and was developed, on an internet platform (SHOPIFY) specialised in making available to freelancers or new entrepreneurs models of websites to open up trade to the internet, and we assumed that this tool already provided all the notices, models and warranties to serve the purpose for which it is offered. In this way, and as we are assured on the platform itself, there were secure payment systems that would guarantee the privacy and protection of the data of the users of the website, and in fact no breach or damage to any user has occurred. Even so, everything related to the payment platform has been improved by incorporating other secure payment platforms, and all the warnings and consents set out in the regulations have been reviewed and implemented on the web. Without prejudice to all this, and to the fact that we understand that the regulations on data protection are being complied with, this entity has commissioned a risk evaluation from a specialised company to carry out a diagnosis and propose corrective measures where appropriate.

C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/8
In any case, I would like to insist once again that it has been and is the will of this entity to act in accordance with data protection regulations, that we always trust specialised entities in the sector, and that there is a total predisposition to collaborate with the AEPD to guarantee the protection of our clientele's data; on this basis we would appreciate any guidance or recommendation that the AEPD could give us."

FOURTH: On 24/03/20, the web page was consulted, checking the following aspects of the website's privacy policy and cookie policy.

A) Regarding the Privacy Policy

At the bottom of the home page of the website, through the "legal" link, the page titled "Privacy" can be accessed, in which the part dedicated to the "privacy policy" provides the following information:

1.- "In compliance with Law 34/2002 on Information Society Services and Electronic Commerce (LSSICE), we inform you that the ownership of the domain of our virtual store, ***URL.1, corresponds to Grow Beats SL with CIF B02623601, domiciled at ***ADDRESS.1. For any questions, you can contact Grow Beats at: ***EMAIL.1

Data processing: "In compliance with Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), we inform those who provide their data through the website of Growbeats.com:

1- Of the existence of a file and processing of the data and information requested in this form, for the purpose of making possible the intermediation in the purchase of the products that Grow Beats offers on its website, as well as being able to send you information about the activities of the File Manager. Your email address and other personal data may be used as a means of communication to process your request; by providing us with your data, you give your express consent to the processing of the same for the purposes indicated above.
2- We inform you that your data will be communicated to the companies with which Grow Beats has signed a Collaboration Contract, specifically the courier company in charge of sending the goods to the applicants.

3- You have the rights of access, rectification, cancellation and opposition, which you may exercise by sending a written request, with a copy of your ID card, to the address of the File Manager, indicating the right or rights you wish to exercise. (…)

B) About the Website's Cookie Policy:

b.1.) When accessing the website, there is a banner at the bottom of the page with the following legend: "We use our own and third-party cookies, both persistent and session cookies. If you continue browsing you accept their use" --- "More information" --- "I accept".

b.2.) If you access the cookie policy through the "more information" link, you are taken again to the "Privacy Policy" page, where the part dedicated to the use of cookies states: "(...) Use of Cookies: The Grow Beats website uses cookies and other similar tools. Cookies are files sent to your browser to record your activity and help you navigate. Cookies are only associated with an anonymous user and his/her computer and do not provide references that allow the user's personal data to be deduced. Types and functions of cookies: there are session cookies, which expire when the user closes the browser, and permanent cookies, which are stored in the browser and can be deleted manually. Grow Beats manages its website through Google Analytics, which installs cookies of an analytical nature to allow anonymous identification, count the number of visitors, their trend over time, most visited contents, etc. How to disable cookies:

- Internet Explorer: Tools -> Internet Options -> Privacy -> Settings. For more information, you can consult Microsoft support or the browser help.
- Firefox: Tools -> Options -> Privacy -> History -> Custom Settings. For more information, you can consult Mozilla support or the browser help.

- Chrome: Settings -> Show advanced options -> Privacy -> Content settings. For more information, you can consult Google support or your browser's help.

- Safari: Preferences -> Security. For more information, see Apple support or the browser help."

FIFTH: In view of the facts reported and in accordance with the evidence obtained, the Data Inspectorate of this Spanish Data Protection Agency considered that the conduct of the claimed entity did not meet the conditions imposed by the regulations in force. Thus, on 03/04/20, the Director of the Agencia Española de Protección de Datos agreed to initiate sanctioning proceedings against the entity complained of, for infringement of Article 13 of the RGPD, punishable in accordance with the provisions of Article 83 of the aforementioned Regulation, with respect to its Privacy Policy, and of Article 22.2 of the LSSI, punishable under Articles 39 and 40 of the aforementioned Act, with respect to its Cookie Policy.

FOURTH: On 13/06/20, the entity in question was notified of the initiation of proceedings and has not submitted any written document or allegation to this Agency within the period granted for this purpose.

PROVEN FACTS

1.- Regarding the privacy policy of the reported website, it has been verified that the website (***URL.1) has a specific "privacy" section, ***URL.2, in which, citing compliance with Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), the controller is identified and a contact is given, mentioning the existence of a file for the processing of the data obtained to meet requests.
2.- Regarding the cookie policy of the reported website, it has been verified that the web page (***URL.1) has in its first layer (home page) a cookie banner with the following legend: "We use our own and third-party cookies, both persistent and session cookies. If you continue to browse you accept their use", but without providing information on the purposes of the cookies to be used. In its second layer (cookie policy), information is provided on what cookies are and on the types of cookies and their purposes, but NO information is provided about the identity and characteristics of the cookies that are installed, the time they remain active on the terminal equipment, or third-party cookies. For their management, it only refers to the browser installed on the terminal equipment, without even including a link to the different browsers. There is also no mechanism to reject all cookies.

LEGAL FOUNDATIONS

I

Competence: As far as the Privacy Policy is concerned, the Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of Article 58.2 of the RGPD and Article 47 of the LOPDGDD. With regard to the Cookie Policy, the Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of Article 43.1 of the LSSI.

II

In the present case, two aspects of the website ***URL.1. On the other hand, the privacy policy still refers to compliance with Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), without yet having applied the new RGPD, which according to its Article 99 would enter into force as of 25/05/18; it is noted that the claimed entity is NOT applying the provisions of Article 13 of the aforementioned RGPD, which establishes the information that must be provided to the data subject at the time of collection of their personal data.
These facts constitute an infringement, attributable to the defendant, of Article 13 of the RGPD, since its website was not adapted to the RGPD and did not provide users with the information set out therein at the time of collection of their personal data.

For its part, Article 72.1.h) of the LOPDGDD considers very serious, for these purposes, "the omission of the duty to inform the affected person about the processing of their personal data in accordance with Articles 13 and 14 of the RGPD". This infringement is punishable by a fine of up to 20,000,000 euros or, in the case of a company, up to 4% of the total annual turnover of the previous financial year, whichever is higher, in accordance with Article 83.5(b) of the RGPD. However, Article 58(2) of the RGPD provides that: "Each supervisory authority shall have all the following corrective powers processing operations have infringed

On the other hand, regarding the Cookie Policy of the claimed website, in its first layer (home page) NO information is provided on the purposes of the cookies that will be used, and in the second layer (cookie policy) NO information is provided about the identity and characteristics of the own cookies that are installed, the time they remain active on the terminal equipment, or third-party cookies; for their management it only refers to the browser installed on the terminal equipment, without even including a link to the different browsers. There is also no mechanism to reject all cookies.
These facts constitute an infringement, attributable to the defendant, of Article 22.2 of the LSSI, according to which "Service providers may use data storage and retrieval devices in the terminal equipment of the recipients, provided that the recipients have given their consent after clear and complete information has been provided on their use, in particular on the purposes of the processing of the data, in accordance with the provisions of Organic Law 15/1999 of 13 December on personal data protection. Where technically possible and effective, the consent of the recipient to accept the processing of the data may be facilitated by the use of the appropriate browser or other applications. The above shall not preclude possible storage or access of a technical nature in order to effect the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient."

This infringement is classified as "minor" in Article 38.4 g) of the aforementioned law, which considers as such: "Using data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service has not been obtained under the terms required by Article 22.2", and may be subject to a fine of up to 30,000 euros, in accordance with Article 39 of the aforementioned LSSI.

Following the evidence obtained in the preliminary investigation phase, it is considered that the penalty to be imposed should be graduated according to the following criteria established in Article 40 of the LSSI:

- The existence of intentionality, an expression that must be interpreted as equivalent to the degree of guilt in accordance with the ruling of the Audiencia Nacional of 12/11/07 in Appeal No.
351/2006, it being the responsibility of the reported entity to determine a system for obtaining informed consent that is consistent with the mandate of the LSSI.

- The period of time during which the infringement has been committed, since the complaint was filed in May 2019 (section b).

In accordance with these criteria, it is considered appropriate to impose on the entity complained of a penalty of EUR 3,000 (three thousand euros) for the infringement of Article 22(2) of the LSSI.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency

RESOLVES

FIRST: TO IMPOSE on the entity GROW BEATS SL, with CIF B02623601, holder of the website ***URL.1, two sanctions, one regarding its privacy policy and one regarding its cookie policy, consisting of:

a- A warning, for the infringement of Article 13 of the RGPD, regarding its Privacy Policy.

b- 3,000 euros (three thousand euros), for the infringement of Article 22.2 of the LSSI, regarding its Cookie Policy.

SECOND: TO REQUIRE the entity GROW BEATS SL, within one month from the notification of this act, to:

a. Take the appropriate measures to adapt the web page it owns to the data protection regulations in force and include in the information on its "privacy policy" what is set out in Article 13 of the RGPD.

b. Take the appropriate measures to include in the website it owns, in the first layer, information on the purposes of the cookies to be used and, in the second layer (cookie policy), information on the identity and characteristics of the own cookies that are installed and the time they remain active on the terminal equipment, on third-party cookies, and a mechanism that allows all cookies to be rejected; the information in the "Guide on Cookies" published by the Spanish Data Protection Agency in November 2019 may be used for this purpose.

THIRD: TO NOTIFY this resolution to the entity GROW BEATS SL, and to inform the complainant of the outcome of the claim.
The sanctioned party is warned that the sanction imposed must be paid once this decision becomes enforceable, in accordance with Article 98(1)(b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), within the voluntary payment period indicated in Article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in connection with Article 62 of Law 58/2003 of 17 December, by depositing it in restricted account No. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A.; otherwise, it will be collected during the enforcement period.

Once the notification has been received and the decision is enforceable, if the enforcement date falls between the 1st and the 15th of the month, inclusive, the deadline for voluntary payment shall be the 20th of the following month or, if that is not a working day, the next working day; if it falls between the 16th and the last day of the month, inclusive, the deadline for payment shall be the 5th of the second following month or, if that is not a working day, the next working day.

In accordance with the provisions of Article 82 of Law 62/2003, of 30 December, on fiscal, administrative and social order measures, this Resolution will be made public once it has been notified to the interested parties. The publication will be made in accordance with the provisions of Instruction 1/2004 of 22 December of the Spanish Data Protection Agency on the publication of its resolutions.
Against this resolution, which puts an end to the administrative procedure, and in accordance with Articles 112 and 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following notification of this decision, or, directly, a contentious-administrative appeal before the Sala de lo Contencioso-administrativo de la Audiencia Nacional, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13/07, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned legal text.

Finally, it is pointed out that, in accordance with Article 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be suspended as a precautionary measure if the interested party expresses the intention to file a contentious-administrative appeal. In this case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronicaweb/] or through one of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. The interested party must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not informed of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, the precautionary suspension will be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency