AEPD - PS/00116/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 22(2) of the Spanish Law on Information Society Services (LSSI) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 03.11.2020 |
Fine: | 3000 EUR |
Parties: | La Casa Comprometida, S. Coop. |
National Case Number/Name: | PS/00116/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
The Spanish DPA (AEPD) imposed a €3000 fine on La Casa Comprometida, S. Coop. for infringing its information duties related to cookies, as per Article 22(2) Spanish Law on Information Society Services (LSSI). This law regulates cookies, connected to Article 13 GDPR.
English Summary
Facts
The decision is the consequence of a complaint submitted by a Spanish citizen stating that the website by the defendant did not provide information on cookies, so it did not comply with the data protection.
Dispute
As the defendant refused to receive the notices by the AEPD, the AEPD carried out an investigation procedure, and it discovered that the website did not offer information enough on cookies (i.e. how to manage or disable them) nor any option to refuse all the cookies. The AEPD started the corresponding sanction procedure.
Holding
Thus, the AEPD understood that the defendant has infringed its information duties in relation to cookies as per Article 22(2) LSSI, according to which, digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws. Consequently, after considering some aggravating circumstances [(i) the existence of intentionality, and (ii) the period of time the defendant has been infringing its duties, taking into account that the claim is dated October 2019], the AEPD decided to impose a fine of 3,000 € to the defendant, and, additionally, required the defendant to its website as per indicated in the recent AEPD guide on the use of cookies, within the period of one (1) month since this resolution.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure Nº: PS / 00116/2020 938-0419 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00116/2020, instructed by the Spanish Agency for Data Protection, to the entity, LA CASA COMPROMETIDA, S.Coop. with CIF .: F95964086, owner of the website *** URL.1, (hereinafter, "the claimed entity"), by virtue of a complaint filed by D.A.A.A., and based on the following: BACKGROUND FIRST: On 10/03/19, you have an entry in this Agency, complaint filed by the claimant in which it indicated, among others, the following: “The web *** URL.1, dedicated to the online sale of various products, does not comply with the tual regulations on Data Protection due to, among others, the following circumstances cias: Lacks proper information about the cookies used ”. SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the protection of the powers of investigation tion granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (RGPD). Thus, dated 12/19/19 and 01/07/20, both requests are addressed informative coughs to the claimed entity. According to the certificate of the Electronic Notifications and Electronic Address Service Authorized, of the Ministry of Territorial Policy and Public Administration, the requirement The sent to the claimed entity on 12/19/19, through the Notific @ service, was re- Chazado by the entity on 12/30/19. According to a certificate from the State Postal and Telegraph Society, the request to send do to the claimed entity on 01/07/20, through the SICER service, it was collected in destination 01/15/20, being the receiver: B.B.B. (*** NIF.1). THIRD: On 04/19/20 the website is consulted, checking the following Three aspects about the privacy policy and the cookie policy of the website: A) Regarding the Privacy Policy: At the bottom of the home page of the web, through the link to "Politics and Privacy dad ”, you access the page *** URL.2, which provides, among others, information tion about: the person responsible for the treatment, the collection, purpose, legitimation; the legal basis that applies; the rights of users and the revocability of consent. I lie; the purpose of the processing of personal data; the right to present a claim; the security applied to personal data and on the destinations natarios. B) About the Cookies Policy of the website: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 b.1.) When accessing the web page *** URL.3 (first layer), there is an information banner information on cookies at the bottom of the page, with the following legend: “This store uses cookies and other technologies so that we can improve your experience. rience on our sites ”- <<ACCEPT>> b.2.) If you access the cookie policy (second layer), through the link “Term- us and conditions ”, *** URL.4 provides, among others, information on: what are the cookies; what they use cookies for and what data is obtained. Regarding the management of cookies, the page does not provide any type of information on how to manage cookies. There is also no power option reject all cookies. FOURTH: On 06/17/20, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the claimed entity, by virtue of the powers established, for failing to comply with the provisions of article 22.2 of the LSSI, with an initial penalty of 3,000 euros (three thousand euros). FIFTH: Notified the initiation of the file on 06/29/20, to date, no It is clear that any response has been given to the initiation of the file within the period granted for this, for the appropriate legal purposes by the claimed entity. Of the actions carried out in this procedure, of the information and documents documentation presented by the parties, the following have been accredited: PROVEN FACTS 1º.- Regarding the Privacy Policy of the website denounced, it has been possible to prove that it provides information about: the person responsible for the treatment, the collection, purpose, legitimation; the legal basis that is applied; the rights of users and the revocability of consent; the purpose of the data processing personal, the right to file a claim; security applied to data of a personal nature and the recipients of personal data. 2nd.- About the Cookies Policy of the website, it has been verified that, in the same- ma, there is an information banner about cookies with the legend: “This store uses cookies and other technologies so that we can improve your experience on our sites. uncles" If the cookie policy is accessed, through the corresponding link, the provides information about: what cookies are or what they use cookies for, but, res- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 Regarding the management of cookies, the page does not provide any information. There is also no option to reject all cookies. FOUNDATIONS OF LAW I Competition: - About the Privacy Policy: The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in the art. 47 of LOPDGDD. - About the Cookies Policy: The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph second, from the LSSI. II The joint assessment of the documentary evidence in the procedure brings to the conclusion knowledge of the AEPD a vision of the denounced action that has been reflected It gives in the facts declared proven above related. A) .- Of the actions carried out, in relation to the Privacy Policy of the page na website claimed, it is found that, in the present case, according to the evidence that are available at this time of the agreement to initiate the sanctioning procedure, It is considered that the Privacy Policy of the claimed website is not contradicted ce with the provisions of article 13 of the RGPD. III B) .- Of the actions carried out, in relation to the Cookies Policy, of the page website reported, it has been possible to verify that: In the first Layer, (initial page): The banner about cookies that is displayed when accessing der to the page provides information that is not very concise or intelligible. In the second Layer, "Terms and conditions", through the corresponding link, It is found that there is no information on the management of cookies or the possibility of its configuration in a granular way and / or the possibility of accepting / re reject all cookies. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 The facts presented suppose, on the part of the claimed entity, the commission of the infraction of article 22.2 of the LSSI, classified as "slight" in article 38.4 g), of the aforementioned Law, which may be sanctioned with a fine of up to € 30,000, in accordance with Article 39 of the aforementioned LSSI. After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the instruction, it is considered that the sanction should be ner in accordance with the following criteria established in art. 40 of the LSSI: - The existence of intentionality, an expression that must be interpreted as equi- value to degree of guilt according to the Judgment of the Hearing National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to the entity denounced the determination of a system for obtaining consent informed service that conforms to the mandate of the LSSI. - Period of time during which the offense has been committed, since it is the claim for the month of October 2019, (section b). Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 3,000 euros (three thousand euros), for the violation of article 22.2 of the LSSI. Therefore, in accordance with the foregoing, by the Director of the Spanish Agency Data Protection Policy, RESOLVES FIRST: IMPOSE the entity LA CASA COMPROMETIDA, S.Coop. with CIF .: F95964086, owner of the website *** URL.1 a penalty of 3,000 euros (three thousand euros) ros), for the violation of article 22.2) of the LSSI, regarding its Cookies Policy. SECOND: REQUIRE the entity LA CASA COMPROMETIDA, S.Coop. for what, within a month from this act of notification, proceed to take the measures adequate to adapt the website of their ownership, in accordance with the current legislation people, for which, you can use the information in the "Guide on Cookies" edited by the Spanish Agency for Data Protection in November 2019. THIRD: NOTIFY this resolution to the entity, THE HOUSE COMMITTED DA, S.Coop. Warn the sanctioned person that the sanction imposed must be effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad- Public Ministries (LPACAP), within the voluntary payment period indicated in article C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, me- when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK, S.A. or otherwise, it will be collected in the executive period. Notification received and once executive, if the execution date is found between the 1st and the 15th of each month, both inclusive, the deadline for making the vo- luntario will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 82 of Law 62/2003, of December 30- of fiscal, administrative and social order measures, this Resolution is will be made public, once it has been notified to the interested parties. The publication is made- It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency Spanish Data Protection Agency on the publication of its Resolutions. Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may interpose ner, optionally, appeal for reconsideration before the Director of the Spanish Agency of Data Protection within a period of one month from the day following the notification fication of this resolution, or, directly administrative contentious appeal before the Contentious-administrative chamber of the National Court, in accordance with the provisions set out in article 25 and section 5 of the fourth additional provision of the Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the two months from the day following notification of this act, according to the provisions of article 46.1 of the aforementioned legal text. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do manifests its intention to file a contentious-administrative appeal. Of being In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Re- Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency had no knowledge of the filing of the contentious-administrative appeal trative within a period of two months from the day following notification of this resolution, would terminate the precautionary suspension. Mar España Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es