AEPD - PS/00032/2020

From GDPRhub
AEPD - PS/00032/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(2) GDPR
Article 22(2) LSSI
Type: Complaint
Outcome: Upheld
Decided: n/a
Published:
Fine: 30000 EUR
Parties: n/a
National Case Number/Name: PS/00032/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined the airline Iberia €30000 for failing to give users of its website the option to reject all cookies upon visiting the website’s homepage.

English Summary[edit | edit source]

Facts[edit | edit source]

In October 2019, The complainant claimed that an airline obliged them to agree to their cookie policy in order to browse the airline’s website, and that the option of rejecting the installation of cookies on visiting Iberia’s homepage was not made available to them. The airline responded that in January 2020 they had been working to adapt the policy to GDPR and Spanish law requirements.

Dispute[edit | edit source]

Was the airline in breach of the GDPR or Spanish law?

Holding[edit | edit source]

The AEPD held that Iberia violated Article 22(2) of the Spanish Law on Information Society Services (LSSI) by failing to facilitate simple and/or free processes for users of their website to withdraw their consent. In its resolution, the AEPD held that following its own investigation in February 2020, Iberia was still not in conformity with several recommendations in the AEPD Guide on Cookies, nor was the option to reject all cookies available.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/24










     Procedure Nº: PS / 00032/2020

938-0419

                RESOLUTION OF SANCTIONING PROCEDURE




In the sanctioning procedure PS / 00032/2020, instructed by the Spanish Agency for
Data Protection, to the entity IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPE-
RADORA UNIPERSONAL (IBERIA) with CIF: A85850394, owner of the website:
*** URL.1, (hereinafter, “the claimed entity”), by virtue of the complaint filed
by Dª. A.A.A., (hereinafter, “the claimant”), and based on the following,


                                   BACKGROUND



FIRST: On 10/23/19, you had a written entry in this Agency, presented by
the claimant, in which it stated, among others, the following: “I denounce the company
Iberia since when looking for a trip it does not give me the option to reject cookies and it tells me

I have to accept them to continue browsing ”.



SECOND: In view of the facts set forth in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of the Regulation

(EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD). So,
dated 11/29/19, an informative request was addressed to the claimed entity.



THIRD: On 01/28/20, the claimed entity sends this Agency written in
which, among others, reports the following:




"Prior to receiving the letter requesting information, my client had
working since June 2019 on the design of the policy adaptation solution
of cookies to the requirements of the General Data Protection Regulation and the
New Organic Law on Data Protection and Guarantee of Digital Rights
following, in addition, the good practice guides issued by the authorities of

control and very especially the one issued by the Agency last November
2019.



At the time of receipt of the claim, Iberia was carrying out
final tests on the web page (*** URL.1) to put the

new information functionality and self-management of cookies trying to ensure the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/24








optimal compliance with the recommendations on this matter made by the
Agency in the Guide that has been published in this regard since November 2019.




It should be noted that since mid-January the Iberia website complies with the
current regulations and with the recommendations published by the Agency.



As already indicated above, at the time of receipt of the letter of the
Mr. Inspector, Iberia had been working with different suppliers for months to carry out

carry out the design and implementation of the ideal technical solution.



Once the Guide for the use of cookies has been published by the Agency and
verified the necessary adaptations in the design that had been prepared for
comply with the recommendations contained therein, the
operation of the new cookie banner with your configurator. Despite having

had the Christmas and New Years holidays in between, thanks to the efforts
made the new information and cookie configuration tool on the web
Iberia has been in operation since the middle of this month of January 2020.



Currently a banner is implemented that, in addition to informing about the

responsibility for the use of cookies on the page, which corresponds to Iberia, allows
configure the types of cookies found on the web, or accept all of them.



The web cookies are always activated and are configurable, being a
exception to this configuration those cookies of a technical nature that serve for the
performance of the web and that allow the user a correct visualization of the

herself.



In addition, as seen on the website itself, no cookie is loaded,
Except for the technical ones, without the user having accepted all the cookies or
has opposed those that he himself deems appropriate ".




FOURTH: On 01/31/20 and 02/06/20, in the course of the investigation carried out
by the General Subdirectorate of Data Inspection of this Agency, accessed by
Internet to the URL: *** URL.1, verifying that:



Cookies are loaded in the browser when accessing the web page in question:

(DoubleClick, Google, and among those of Iberia, Google analytics: _ga, _gid).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/24










The first layer cookie notice has the following content:



“Iberia L.A.E informs you that it stores cookies on your device to guarantee the

proper functioning and security of our websites, and offer you the best
browsing experience possible. Click Accept cookies if you agree to the use of
these cookies, or change the settings whenever you want in Settings
cookies. For more information, read the Iberia Cookies Policy ”.



In the same banner there is the option to "Accept cookies" and a link to the page of
"Cookie Settings".




a) .- If the "Cookies Policy" is accessed, information is offered on:



    - How and what are cookies used for.

    - What are cookies.

    - The types of cookies on the web and their purposes.

    - How to manage cookies.

    - To which recipients the data will be communicated.


    - Policy updates.

    - Cookies used.



b) .- If you access the "Cookies Configuration" through the link in the
first layer, information is provided in sections:



"User Privacy" section. It is reported that they can store or retrieve

browser information, mainly in the form of cookies. This information
it can be about the user, their preferences or their device and is mainly used
to make the site work as expected. Information is generally not
directly identifies, but can give you a more web experience
personalized. You can accept or reject the use of cookies for each

category by moving the selector that you will find at the end of each of the lines of
down. Every time you are offered to accept or reject the use of certain
cookies. If you click on "More Information" below, which leads to the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/24








"Cookie policy", verifying that a series of cookies are installed without
have formally accepted them.




Section "Technical Cookies". It is reported that they are necessary for the website
works and cannot be disabled (they are not configurable).



Section "Performance Cookies". It is reported that they allow to count visits and
traffic sources in order to evaluate the performance of our site and improve it.

Allows you to disable them by clicking on the blue switch located in the corner
Upper right.



Section "Targeted Cookies" (for targeted advertising). It is reported that they may be
set across the site by advertising partners. They can be used by those
companies to create a profile of their interests and show relevant ads. It allows

deactivate them by clicking on the blue switch located in the upper corner
right.



Section "Functionality Cookies". They are reported to allow the site to offer a
better functionality and customization. They can be established by the holder of the

page or by third parties whose services they have added to the page. Indicates that
if these cookies are not allowed, some of your services will not work
correctly.



FIFTH: In view of the facts denounced, the documentation provided by the
parties and in accordance with the evidence available, the Data Inspection

of this Spanish Agency for Data Protection considered that the performance of the
The claimed entity did not meet the conditions imposed by the regulations in force, therefore
that the opening of a sanctioning procedure proceeds.



Thus, dated 06/01/20, the Director of the Spanish Data Protection Agency

agreed to initiate a sanctioning procedure against the claimed entity, by virtue of the
established powers, for breaching the provisions of article 22.2) of the LSSI, sanctioning
nable in accordance with the provisions of art. 39.1.c) and 40) of the aforementioned Law, regarding its
Cookies Policy, imposing an initial penalty of 30,000 euros, arguing
what:




a) .- When accessing the page *** URL.1, in the first layer, the banner about cookies,
provides information that is not very concise, transparent or intelligible, using the expression
“(…) Stores cookies on your device to ensure proper functioning and

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/24








security of our websites, and offer you the best possible browsing experience.
ble (…) ”, since they induce confusion by distorting the clarity of the message, (point

3.1.2.1 of the guide).



b) .- In the first layer, it is indicated that to "Accept" all cookies must be done
click on "accept", or if you want to change the cookie settings you must
Click on "Cookie Settings", but it is not reported that when you access
the page, without having performed any other action, cookies are loaded without having them

accepted. Nor is it reported whether the cookies are own or third-party, nor is it reported
tion on the type of data to be collected in the event of profiling
(behavioral advertising cookies). If the "accept" button or the button is not pressed
ton of "cookie settings", it is not allowed to continue browsing, so it is not
gives the user the option to reject the use of cookies (eg. 2, from point 3.1.2.2. guide).




c) .- Entering the second layer, through the link, "cookie settings" or the
"Cookies policy" page, the configuration of cookies in a granular way is allowed.
But third-party cookies are not identified and the period of con-
Serving cookies in the browser (except for those used to balance

brar the load on the website infrastructure).



SEVENTH: Notified the initiation agreement, the claimed entity, by writing of
dated 06/15/20, made, in summary, the following allegations:



"The facts on which the sanctioning procedure is initiated are not the same for

those who sent the request in file E / 11207/2019.



In the previous request indicated, we were given a transfer of a claim and we were
required information in relation to our cookie policy on the web www.ibe-
ria.com, and the use made of said cookies, as well as not including
sion of an option of opposition to the processing of personal data that is carried out by

through them.



In response to said request, sent to the Agency on January 28, since
the change and implementation of the new functionality and the banner infor-
mative and self-configuring.




It is clear and confirmed, in view of the terms of the communication letter of the
mentioned sanctioning procedure, that the information provided by IBERIA was
correct and true and that everything that was said on January 28 was true.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/24










Instead of parsing the terms of the functionality configuration tool,
information and self-management banner and, where appropriate, submit a new request
to request clarifications or modifications to the design thereof, the Agency has

erroneously proceeded to initiate a sanctioning procedure when the facts
that motivate the request sent at the end of November in the file
E / 11207/2019 are significantly different from those that serve as the basis for this new
dossier, which focuses on very specific aspects of the new functionality
put into operation in January this year without erasing the fact that

cha functionality, in general terms, complies with the provisions of article 22
LSSI whose violation is invoked in the legal grounds of the file initiated.



Regarding each of the items indicated in the communication at the beginning of the experiment
sanctioning tooth:



a) Regarding the First Layer: a.1.) When accessing the initial page and without having done-

After no action, it is verified that non-necessary cookies such as the ana-
Google policies: _ga, _gid), without any warning of said installation.



The aforementioned cookies that are loaded when accessing the iberia website (“Tag Mana-
gers ”) because they are necessary to manage the relationship between Iberia and
travel and plane ticket metasearch engines (eg: *** URL.2). Thanks to these

cookies (which do not store information about the IP from which you browse, but rather determine
They only mine if the origin of the session is in any of the websites of said meta-
search engines) the reference (“referal”) is obtained that allows to know if a session that
nally ends up in purchase had its origin in a metasearch engine, so that it
It allows both the metasearch engine and Iberia to carry out the correct billing between them

lative to the generation of business / online sales.



Tag Managers work in a similar way for what are called affair networks.
association, which are also in charge of bringing qualified traffic to the Iberia website and
They use the same Cost Per Acquisition (CPA) mode as metasearch engines.



If these cookies were inactive from the first moment, the information would be lost.

relational relationship and it would not be possible to manage and maintain the relationship between Iberia and
metasearch engines / affiliate networks. However, although they are active from the beginning
At the moment they do not send information of any kind until the user gives their
feeling. The existence of this type of cookies and the exchange of this type of information
training is included in our privacy policy in the third party section.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/24








Therefore, the relevant data for these purposes are: To fulfill its mission it is
It is necessary that the aforementioned cookies are active from the moment you access

the web for the correct treatment and identification of the session (not the team
from where you navigate); and - These cookies do not contain personal data.



Cookies can be rejected, and only send information at the time it is
they consent. This information would have been provided if, instead of initiating procedures,
The sanctioner would have sent an informative request.




a.2.) "The banner about cookies that is displayed, when accessing the page, provides
information that is not very concise or intelligible. By using expressions such as “(…) offer the
best possible browsing experience (…) ”lead to confusion…”



Besides the fact that the assertion is totally subjective and evaluative, the truth is that the

phrase used as example is the only phrase in all texts of the functionality
that could be the subject of that assessment. In any case, the structure and language of the
all of the self-management functionality is descriptive and intuitive enough to
that from an objective point of view the exact opposite is interpreted: that it is
sufficiently clear and informative. In any case, the indicated phrase has already been

modified, and if instead of having received a communication of the initiation procedure
sanction if a request for information or modification had been received
the text would have obtained the same result.



a.3.) It does not inform that the installed cookies are its own and that of third parties (point

3.1.2.2. c) of the guide), informing only that, “Iberia LAE informs you that it stores
cookies on your device (…) ”, checking that they install both their own and
from third parties even without taking any action.



On the last point of the affirmation, a due answer has already been given in the section
a.1.) above.




Although it is true that the first layer of information did not specify the existence of
both Iberia's own and third-party cookies (a circumstance that has already been specified
in the text, just as if a request had been received instead of an initial
sanctioning procedure), it is no less true that this information since

was patent and notorious with the texts of the second layer, as for example in the
case of “Targeted Cookies”, which are described as “These cookies can be this-
established through our site by our advertising partners. It can be used-
given by those companies to create a profile of your interests and show you ads on
other places…"


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/24










With all due respect, the Agency must not forget that the guides are indicative, not
regulations, and that although they are useful for the administered, they are not the only

co means to comply with the true regulation that they intend to implement.



a.3). "It is indicated that to accept all cookies you must click" accept ", or
well if you want to change the cookie settings you must click on "settings-
creation of cookies ”, but if you do not press the“ accept ”button or the“ configuration

cookies ", the user is not allowed to continue browsing ..."



Again, at this point the guide is confirmed not only as a possible form or pro-
in order to comply with the regulations, but as one that does not necessarily
respects the most common criterion or shared by the generality of European organizations
worst regulators. It is not allowed to continue browsing because that is precisely the

recommendation from the European Data Protection Board (EDPB) published on
last May (it is true, after the date of issuance of the communication)
initiation of the sanctioning file which is from March).



In any case, the configuration as it was established on January 31, 2020

makes precisely use of example 2 section 3.1.2.2 of the guide, which includes
only an acceptance button and later the possibility of configuring cookies
so that the user can accept or reject them as they consider, or even reject-
all with one click.



“To facilitate the selection, two buttons can be implemented on the panel, one for

accept all cookies and another to reject them all, this option being recommended
The higher the different number of cookies that are used, the greater the variable. If you use the
modality of "continue browsing" as a way of obtaining consent, you must-
A button will be included in the panel to reject all cookies, to respect the

I want it to be as easy to withdraw consent as it is to give it. "



Since January 2020, the Iberia website has a configuration panel
of cookies for acceptance and / or rejection. In addition, it is not allowed to continue browsing if
there has been no acceptance of the configuration, complete or customized by the client, or
complete rejection of all cookies. It is impossible to "continue browsing" without further ado, because

It is not a valid option as indicated in the EDPB guide (page 21). To pe-
All in all, the text has been modified to give it a little more clarity. Once
Furthermore, it does not seem that this reason serves to initiate a sanctioning proceeding instead
having given rise to a request for information or modification.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/24








b) Regarding the Second layer (cookie settings) "Accessing through the
link, "cookie settings", it is allowed to accept or reject the use of certain
mined categories of cookies such as: performance cookies, targeted cookies and

functionality cookies. Once the preferences on
cookies, the page allows you to continue browsing, and it is only then, when
You can access the "Cookies Policy" through the link located at the bottom of
the website." It is true that, for technical reasons, in some browsers the policy
ca cookies could not be accessed without previously accepting, configuring or rejecting the
cookies. However, this problem has been resolved / will be resolved in the pr-

Maximum update scheduled for the end of this month of June. Again, this cir-
This situation could also have been solved if instead of initiating a procedure
sanctioning action, the Agency would have issued a request for information or
identification of the Iberia website.



c) Regarding the Second layer, when accessing the page where information is provided on the

Cookies policy, it is verified that it gives information about: what are cookies; types
of cookies on the IBERIA website and its purposes; how to manage cookies; to what
recipients will communicate your data; Policy updates and cookies using
zadas on iberia.com. Effectively, that's right. But it is equally true that the greatest
Some of the same information is contained in the texts of the functionality of

self-management of cookies that precedes the text of the Cookies Policy itself di-
cho.



c.2.) On the cookies used in iberia.com the own cookies that
are installed, but not those of third parties, nor the time they remain active on the computer
terminal, (with the exception of those used to balance the load in the infrastructure of the

website, which expire at the end of the session) As already indicated, the information
on the existence of both own and third party cookies it was already enough-
detailed in the information made available to the user in the second layer
of the self-management functionality. Users have been deprived of information or
nor have they been misled in relation to the existence of third-party cookies.




Lack of materiality for the initiation of a sanctioning file



We understand, therefore, that in light of the explanations provided, of the small
modifications carried out in the texts of the functionality and corrections
committed / performed techniques, as the case may be for each of the items in
those that are intended to substantiate the initiation of the disciplinary proceedings have

shown, on the one hand, that there is no such foundation and that the legal purpose and good
co protected by art. 22 LSSI has not been violated. In our opinion, it is not appropriate to
sanctioning proceedings against Iberia and should proceed to its ar-
goat.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/24








We request from the Inspector in charge of this File that he has received this
written together with the documentation that accompanies it, admits it and by virtue of it has
for having made the allegations contained therein, it deems them and by virtue of it proceed to

filing of the disciplinary proceedings initiated against Iberia ”.



EIGHTH: On 06/24/20, the test practice period began, agreeing-
be: a) .- to consider reproduced for evidentiary purposes the complaint filed by the
Advertiser and its documentation, the documents obtained and generated that form
part of file E / 11207/2019 and b) .- consider reproduced for evidentiary purposes, the

allegations to the agreement to initiate PS / 00032/2020, presented by the entity-
announced.

NINTH: On 07/24/20, the claimed entity is notified of the proposed reorganization

solution in which it is proposed that, by the Director of the Spanish Protection Agency
tion of Data the claimed entity, owner of the web page: *** URL.1,
for violation of art 22.2 of the LSSI, with a fine of 30,000 euros.

TENTH: After the notification of the proposed resolution, dated 08/07/20, the
The claimed entity presents a brief of allegations, in which, among others, it indicates:


“The reasons for this sanctioning procedure are not related to the fact that
It is stated in the complaint that it supposedly originates it and that it was corrected since January

2020. The reasons for alleged infringement alleged in this investigation phase have
reduced to two and yet the same proposal for a resolution is maintained.
tion and the amount of the fine. The sanction proposal is not properly founded
mentioned and is inconsistent with the instruction practiced. The dis-
put in articles 39bis and 40 LSSI neither by the Agency nor by Mr. Instructor




Of all the points that were indicated in the communication of initiation of this file
sanctioner, following the allegations presented by IBERIA on June 15 and
the new checks that the instructor would have carried out on July 22
of 2020, the proposed sanctioning resolution has been limited in its foundation
ment, exclusively, to two unique alleged breaches with respect to each
one of which we briefly advance our:




First, we transcribe section “b)” on page 15 of the communication from
proposed resolution: “b.- Regarding the information provided on the
cookies, the banner now provides concise and intelligible information, having modified
After the message that was used, as of 01/31/20, “(…) stores cookies on your dis-
positive to ensure the proper functioning and security of our websites,

and offer you the best possible browsing experience (…) ”, for the message used,
as of 07/20/20: “(…) We use analytical, personalization and advertising cookies
(own and third parties) to make profiles based on browsing habits and show
bring you useful content (…) ”.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/24










In this layer, it is indicated that to "Accept" all cookies you must click on
"Accept" and thus makes it possible to continue browsing. But, if the user wants to reject all
cookies you must access the "cookie settings" page and choose the option

de, << reject all cookies >>, allowing only, from then on, to follow na-
browsing the different pages of the web. Therefore, it continues without adapting to the
commended in example 2, of point 3.1.2.2. of the AEPD cookie guide. "



However, as we will explain later in these allegations, the tool
acceptance, rejection and / or configuration of cookies according to their typology that

Iberia established during the month of January 2020 it fulfilled in this regard already
by then with art. 22.2 LSSI and with the criteria of the European Data Protection
Board (EDPB), which the Spanish Agency itself has endorsed in the latest update.
tion of its Interpretive Guide published this past July.



- Second, we transcribe the resolution proposal on page 16. C: “c.-

Regarding the configuration of cookies, it is noted that the configuration of
tion of cookies in a granular way or the rejection of all cookies in a single
time, in the second layer, but, although there is information about own cookies and
from third parties, there is not enough information about the time they remain active
on the terminal equipment. "




As we will explain later and following the fully collaborative spirit of
IBERIA with the Agency, as of the date of submission of this brief of allegations,
has been incorporated into the cookie management tool by the interested parties,
through the information provided in the Iberia Cookies Policy, information
Detailed information on the time of active permanence of each of the cookies in the

Web.



We must focus on three fundamental ideas: - The complaint of the claimant that his-
It actually gives rise to this sanctioning procedure, it deals with a very
concrete (“I denounce the Iberia company since when looking for a trip it does not give me the option
to reject cookies and tells me that I have to accept them to continue browsing ”).

- The cookie management tools implemented by Iberia on its website
since January 2020, as previously reported to this Agency, they correct for
complete the denounced fact since they give the option to accept all cookies or al-
alternatively to configure them according to their typology; and in this second step, in addition,
the option is given either to reject them all, or to save the personal configuration
finalized for each type of cookie as indicated by the in-

teresado. Choose between any of these three options (accept all cookies, re-
select them all, or customize their configuration) is necessary to be able to follow na-
browsing on the Iberia website. Therefore, from the first requirement, the following was corrected
situation raised by the complainant, complying not only with art. 22.2 LSSI but

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/24








also with the criteria of the European Data Protection Board (EDPB), that the
Spanish Agency has endorsed in the latest update of its Interpretive Guide
published this past July. - Apart from what is indicated in section b) of the

sanctioning -although Mr. Instructor fully errs in his assertion as I have-
explained above and later we will prove- none of the irregularities
indicated by the Agency later, in the communication to initiate proceedings.
sanctioner and throughout his instruction until now has nothing to do with
with the fact that appears in the complaint that originates this procedure.




In another order of things and independently of the above, the instructor himself acknowledged
ce the effort made by IBERIA to comply with all the indicated indications
by the Agency to comply with art. 22.2 LSSI in light of the successive updates
zations of the Agency's Interpretative Guide on cookies.



Despite having been drastically reduced in number and importance, the
certain aspects contrary to the regulations revealed by the Agency and the

recognition of the willingness shown by IBERIA to collaborate and correct all
those aspects that - in the opinion of the Agency - required it, the sanction finally
proposed by the Instructor is exactly the same as at the beginning of the procedure,
which is to say that for the Agency both one thing and the other have been totally
irrelevant for the purpose of assessing the offense and setting the amount of the penalty

that it was to carry. Clearly, the proposal raised by Mr. Instructor
in this case is contrary to law, and especially contrary to what the
The Law of Services of the Information Society (LSSI) establishes in the matter of information
fractions and penalties:



- The instructor proposes a penalty amounting to 30,000 euros, which is the maximum amount

maximum contemplated at the beginning of the file. - However, the only two points have
two finally into account would constitute in the worst case, for the purposes of the article
38.4.g) LSSI, a single minor offense (however, in the defenselessness of IBERIA, the
motion for a resolution says nothing at all in this regard). - Article 39.1.c)
LSSI provides that minor offenses are punishable by a fine of "up to 30,000

euros ”.



- The instructor has not applied any type of reduction in the amount of the penalty for
placed despite the fact that Iberia has met all the criteria of article 40 LSSI:
i) has not had intentionality in the facts (on the contrary, has observed will to
comply before and after receiving even the first communication at the end of

2019); ii) the alleged infractions would have been committed during only a few
weeks; iii) does not record in its history any type of recidivism in matters of
cookies (this is the first incident recorded); iv) neither the nature of the
za or the damages caused to the interested parties with their activity / alleged non-compliance
I lie - because in reality there have been no such damages-; v) none have been obtained


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/24








some type of benefit for the infringement; and vi) the business volume corresponding to
the alleged offense committed is zero.



- Finally, both the Agency and the instructor respectively, considering that

we are in any case - before and after the motion for a resolution
issued- before the alleged commission of a SLIGHT infraction, they have not complied with the
provided in article 39.bis LSSI ("Moderation of sanctions"), sections .1 (apply
the amount of the sanction from the scale of the preceding class of offenses) or .2 (no
even initiate sanctioning procedure and replace it with a warning with ac-

tions to be fulfilled within a certain term), despite the fact that: i) IBERIA complies with all
two the requirements of art. 40 ("Graduation of sanctions") mentioned above, to
the application of said article 39bis; and ii) IBERIA has diligently regularized,
one by one, all the alleged deficiencies reported by the Agency (without prejudice
of what will be said later in this writing regarding the lack of information on
on the time of active permanence of cookies and on under what conditions are allowed

whether or not to continue browsing the Iberia website);



Therefore, we understand, as a starting point for these allegations, that: - The proposal
sanction is not properly substantiated, since it does not indicate what type of
infringement has been committed according to the corresponding legal precept, nor does it enter
evaluate the graduation criteria of the applicable sanction but is limited to applying it

in its maximum degree; - In line with the foregoing, the penalty proposal is inconsistent-
you with the allegations, inquiries and proven facts in the investigation phase,
as well as against the own acts of the Agency and Mr. Instructor; - The proposal of
The sanction goes against the provisions of the LSSI itself with regard to the
mation of the amount of the proposed penalty, in view of the instruction made; Y -

As we have maintained from the outset, the initial sanctioning procedure
cied in itself goes against the provisions of art. 39.bis.2 and -except that in this
concrete case in the spirit of the Agency, the collection spirit prevails through
sanctioning powers- should never have been initiated since: i) the only
alleged breach alleged in the instruction that really corresponds to the
complaint that would have originated it in no case is such a breach since

since January 2020 a user is not obliged to accept cookies to be able to se-
continue browsing, but has to choose between accepting them all, rejecting them all or
figure them according to their typology at your convenience; and ii) as all other assumptions are
manifestly different breaches and, in the best of cases, accessories to the
main default and never susceptible as a whole to a higher rating

Beyond a slight violation of the LSSI, a request for correction would have been more
sufficient to obtain the correction of the alleged situation contrary to the
LSSI but, in the best of cases, to the criteria of the Interpretive Guide on the
use of cookies promulgated by the Agency, which on the other hand has been recent-
subject to updating by the Agency itself.




The existing cookie management tool on the Iberia website since January
2020 complies with art. 22.2 LSSI and with the criteria of the European Data Protection

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/24








Board (EDPB), which the Spanish Agency itself has endorsed in the latest update.
tion of its Interpretive Guide published this past July




Indeed, when accessing *** URL.1 for the first time, the following message was obtained:
The browser allowed (and allows) to scroll up and down but does not allow clicking so-
Open any action button or navigate within the page.



To this day the only difference is that this sandwich now appears at the bottom of

the screen: In this way, the user can find out about the cookie policy, and
either accept all of them or proceed to customize your settings, in which case you get
the following screen:



That is: - With just one click the interested party can accept all cookies, - With just
two clicks can reject them all; - Customizing them would take one to three more clicks

only. The foregoing is fully consistent with what is recommended in the “Guide
on the use of cookies ”published by the Agency itself, in its recent update.
tion of last July 2020, which on pages 20 and 21 indicates the following:
... Another valid example of a first layer, with the same type of cookies, would be the following:
tea:




As in the previous example, if the “OK” button is not pressed, the user is not auto-
curing the use of cookies (therefore, the use of cookies is not legitimized if the user
Rio does not press the button to accept cookies).



It will be necessary for the user to perform an action that can be qualified as a clear

affirmative action for consent to be considered validly granted.



Obtaining consent through user behavior other than a
acceptance button, but consisting of a clear affirmative action, will be admissible
provided that the conditions in which the behavior occurs offer sufficient certainty

that informed and unequivocal consent is given and it can be proven that
such conduct has been carried out. In any case, the mere fact of staying alive
Scrolling, scrolling or browsing the website will not be considered a
clear affirmative action under any circumstances.



The information in the first layer will need to be completed with a system or

configuration panel in which the user can choose whether or not to accept cookies
in granular form, or a link that leads to said system or panel.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/24








The user can also be given a third option, consisting of including two buttons.
nes, to accept or configure / reject cookies:



A paragraph later, the guide says verbatim (shading is added by no-

us): The link or button to manage preferences must take the user directly-
the configuration panel, without having to scroll through large amounts of
search for the information, which must remain accessible in a
permanent. The panel may be integrated into the second informational layer.



To facilitate the selection, two buttons can be implemented on the panel, one for

accept all cookies and another to reject them all, this option being recommended
The higher the different number of cookies that are used, the greater the variable. If you use the
second or third example as a way of obtaining consent, must include-
There is a button on the panel to reject all cookies, to respect the requirement of
that it is as easy to withdraw consent as it is to give it.




The configuration of the first layer implemented by Iberia since January 2020 continues
the “Example number 3” indicated in the Guide: it allows you to choose between “accept
all cookies "or" configure them "to suit the user; and the button "configuration
cookies ”leads directly to what the Guide refers to as“ configuration panel ”.
And finally, in addition, in said configuration panel a button is clearly visible
to "Reject all" - again complying with what is recommended in the guide - and

another to "Confirm my preferences" once the user has established them.



Therefore, the fact denounced by “the claimant” was originally complete.
completely corrected with the implantations carried out in January 2020 and THERE IS NO IN-
COMPLIANCE with art. 22.2 LSSI in this sense by IBERIA, since the
implanted cookie management tool then strictly complies with the requirements

recommendations issued in its Guide updated by the Agency itself, which must
obviously be extended to all lights with retroactive effects to last January.



As has been said, with the only exception related to being able to view the
Iberia cookies in compliance with the duty of information required by both art.
22.2 LSSI such as the NLOPD and GDPR, by reference, the user must necessarily

choose between any of the three options made available to you (accept all
cookies, reject them all, or configure them) in order to continue browsing the web.
With this, you are assured - in accordance with the most recent recommendations of the
pia Spanish Agency for Data Protection- the requirement that the client provide a
duly informed and unconditional consent, having therefore sub-

healed since January 2020 the reason for the complaint by “the claimant” (as
as this has been defined in the motion for a resolution).


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/24








As of the date of presentation of this brief of allegations, it has already been incorporated into the
cookie management tool, through the information provided in the Policy
of Iberia Cookies, detailed information on the time of active permanence of

each of the cookies on the Iberia website



In the first place we must insist once again that the lack of information on the
time of active permanence of cookies was not the subject of the complaint that originated
this sanctioning procedure.



In any case, we are pleased to inform the Agency that at the time of presentation-

tion of this brief of allegations has been incorporated into the information policy on
About the cookies on the iberia.com website, in section “6. Cookies used in ibe-
ria.com ”, a detailed breakdown of the different subgroups of cookies and the time
of active permanence of each one of them in the user's computer:



BY WAY OF CONCLUSIONS:




    - It has been verified according to the indications contained in the Second Allegation
        of this writing that since January 2020 that the way they are offered
        of the month of January 2020 to the user of the web www.iberia.com the different
        possibilities of configuring cookies (in accept all mode, reject
        zar all, or confirm custom settings) conforms to the criteria

        most recent published by the Agency.



    - The reason for the complaint of the claimant that causes the initiation of this experience
        sanctioning tooth (we rewrite it: “I denounce the Iberia company and
        that when looking for a trip it does not give me the option to reject cookies and tells me
        I have to accept them to continue browsing ") had already been dili-

        people remedied by IBERIA.



    - All other considerations and alleged breaches of the indications
        of the Agency Guide as a whole were not covered in the complaint.
        presented by “the claimant” and were not contemplated in the
        complaint issued by the Agency at the end of 2019, and those that do not constitute

        they would have as a whole and in the worst case more than a SINGLE INFRACTION-
        LEVE TION of the LSSI regulations.



    - Meeting the requirements established in art. 39bis.2 LSSI (constituent facts
        minor infraction guidelines and the existence of a clean historical record by

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/24








        IBERIA regarding cookies and LSSI offenses) diligent action by
        part of the Agency would have consisted in issuing a warning, rather than
        initiate sanctioning procedure, in similar terms and grant a period of

        correction to the warn proceeded Having accredited, the
        Article 39bis.2 of the LSSI.



    - Having raised this same allegation in the brief presented at the
        ment in which the Agency communicated the initiation of the sanctioning procedure, the
        The Agency has not been able to provide a reasoned answer to why it initiated the procedure.

        sanctioning instead of opting for this other route, just as effective and much
        less burdensome for my client.



    - It has been proven in the investigation phase that each and every one of the su-
        posts breaches of the recommendations of the Cookie Guide of the
        Agency had already been rectified by IBERIA before even having
        issued the sanction proposal, except for the display of information

        about the period of active permanence of cookies that required a
        greater technical and analytical effort and that, in light of the circumstances
        We have been suffering since last March due to the pandemic
        mia COVID19 and the state of alarm decreed and finalized in the month of June
        It has not been possible to correct earlier, although today the website of

        IBERIA also complies with the Agency's Cookie Guide.



For all the above we REQUEST:



    - Declare ex officio the NULLITY of the disciplinary proceedings initiated for being
        based on a prior request from the Agency to IBERIA that has
        would have been attended to in a timely manner, the reason for the

        complaint on which said requirement was based.



    - Failing that, declare ex officio the NULLITY of the sanctioning file initiated
        due to non-compliance with the provisions of article 39.bis.2 in relation to the
        rest of the alleged breaches mentioned in the initiation communication
        of said sanctioning file




    - Failing that, proceed to file said file without imposing a penalty.
        responsibility of IBERIA for: i) it has been proven that the reason for the
        complaint that gives rise to the sanctioning procedure had already been remedied
        prior to its start; and ii) the rest of the alleged breaches by parties
        of IBERIA, totally unrelated to the aforementioned complaint, would have also already been


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/24








        paid by IBERIA, without there being a reason for such experience
        tooth.



                                 PROVEN FACTS




1.- On 10/23/19, the claimant denounces that, on the web *** URL.1, “if you like
continue browsing the cookie policy must be accepted by not giving
any option to reject them ”, therefore, on 11/29/19, said
announces to the claimed entity, indicating in the letter that, “In the IBE web portal-
RIA does not provide the option to object or not consent to the treatment.

to personal data made through "cookies", these being installed from the moment
ment that the visit to the home page occurs ”and requiring the company to enter
form of the decision taken regarding the claim; the measures taken
to avoid similar incidents, implementation dates and the consequences
trolls performed to check their effectiveness.




2.- On 01/28/20, the claimed entity, in response to the request of this
Agency, acknowledges that, “it had been working since June 2019 on the design of the
solution to adapt the cookie policy to the requirements of the RGPD and the LO-
PDGDD; and that since mid-January the Iberia website complied with the norm
valid policy and with the recommendations published by the Agency, (guide on
cookies, published in November 2019) ”.




3.- However, on 01/31/20 and 02/06/20, in the course of the actual investigation
certified by the Subdirectorate General for Data Inspection of this Agency,
proved that the first layer cookie banner provided information
not very concise, not very transparent and intelligible, contrary to what is recommended in point
3.1.2.1 of the AEPD guide. Also, if the “accept” button or the button was not pressed

ton of "cookie settings", it was not allowed to continue browsing, so it was not
gives the user the option to reject the use of cookies, as recommended in the
Example 2, from point 3.1.2.2. of the AEPD guide.



On the other hand, if the second layer was entered, through the link, "configuration of
cookies ”or on the“ cookie policy ”page, the configuration of the

cookies in a granular way but the rejection of all cookies was not allowed at the
time.



In this second layer, third-party cookies were not identified, nor were they
Maba of the retention period of cookies in the user's browser, (ex-
of those used to balance the load on the website infrastructure), such as

and as recommended in point 3.1.1 of the guide published by the AEPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 19/24










3.- However, after initiating the sanctioning file PS / 0032/2020 for the
facts indicated above, dated 07/22/20, it has been verified, by

the Subdirectorate General of Data Inspection of this Agency that, the policy on
website cookies *** URL.1, is the following:



3.1.- In the first layer (initial page) a banner about cookies appears, in the part
central page, with the legend:




  "Cookies are important to you, they influence your browsing experience. Uses-
 We use analytical, personalization and advertising cookies (own and third-party) to
  make profiles based on browsing habits and show you useful content. You can
accept this type of cookies by pressing the "Accept" button or configure them or reject their
                use in Cookie Settings ”. For more information,


       << read Iberia's Cookies Policy >> << Accept all cookies >>



3.2.- If you access the "cookie settings" page, through the link
corresponding, a new page is displayed with different sections:



    - 3.2.1.- "User Privacy" section. It is reported:




“Because we respect your privacy, you can accept or reject our use of
cookies for each category of cookies by moving the selector that you will find at the end
of each of the lines below. Every time you are offered to accept or reject the
use of certain categories of cookies, we will provide you with the information

essential you need to know to make your choice. However, if you block some
types of cookies, your experience of using the web may be affected and
also the services we can offer you. For more information on the
management of cookies carried out by Iberia, access our policy. More information".



If you click on "More Information", the website redirects to "cookie policy". In the

bottom of the section there are two options:



       << Confirm my preferences >> << Reject them all >>





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 20/24








    - 3.2.2.- Section "Technical and Necessary Cookies". They are reported to be active
        you always go and that:



“These cookies are necessary for the website to function and cannot be deactivated.

var in our systems. They are configured in response to your actions taken by
bid services, such as setting your privacy preferences, logging in, or compiling
fill out forms. You can configure your browser to block or alert about these
cookies, but some areas of the site will not work. These cookies do not store any
guna personally identifiable information ”. At the bottom there are two options:




       << Confirm my preferences >> << Reject them all >>



    - 3.2.3.- Section "Performance Cookies". It is reported that they allow counting
        visits and traffic sources to be able to evaluate the performance of our site and
        improve it.



It allows deactivating them by clicking on the blue switch located in the upper corner.

upper right. At the bottom of the section there are two options:



       << Confirm my preferences >> << Reject them all >>



    - 3.2.4.- Section "Targeted Cookies" (for targeted advertising). It is reported that
        can be set through the site by advertising partners. They may be

        used by those companies to create a profile of their interests and show
        relevant ads.



It allows deactivating them by clicking on the blue switch located in the upper corner.
upper right. At the bottom of the section there are two options:



       << Confirm my preferences >> << Reject them all >>




    - 3.2.5.-Section "Functionality Cookies". It is reported that they allow the si-
        tio offer better functionality and customization. Can be established
        by the owner of the page or by third parties whose services have been added to
        the page. It is indicated that if these cookies are not allowed, some of their services
        cios will not work properly.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 21/24










It allows deactivating them by clicking on the blue switch located in the upper corner.
upper right. At the bottom of the section there are two options:




       << Confirm my preferences >> << Reject them all >>



3.3.- If the "Cookies Policy" is accessed, through the corresponding link, there is
tente on the home page or through the link (more information), existing on the page
gina of "cookie settings", the web redirects to a new page where it offers-
ce information on:




    - How and what are cookies used for.

    - What are cookies.

    - The types of cookies on the web and their purposes.

    - To which recipients the data will be communicated.

    - Policy updates.

    - Cookies used.



    - In the option “how to manage cookies” the following information is provided

        mation:



You can allow, block or delete the cookies installed on your computer through the
configuration of your Internet browser options. In case it does not allow
After the installation of cookies in your browser, you may not be able to access al-
some of the services and that your experience on our website may be less knowledgeable.

satisfactory.



How do I refuse or do not give my consent for the use of cookies?



You can refuse to accept cookies by modifying your browser settings from In-
ternet (for example, Internet Explorer, Chrome, or Firefox). Please note that if not

allows the use of cookies in some areas of our website, it is possible that the
content is not accessible or does not work properly.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 22/24








In the following links you have at your disposal all the information to configure or
disable your cookies in each browser (…):



Finally and in case you have any problem related to the use of the

cookies on this Website, or you want to exercise your rights of access, rectification, su-
pressure, limitation, opposition and portability you can contact us through the following
Email address *** EMAIL. 1.


                            FOUNDATIONS OF LAW



                                             I


The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in
the art. 47 of LOPDGDD.

                                             II

The joint assessment of the documentary evidence in the procedure brings to
knowledge of the AEPD, a vision of the denounced action that has been

strapped in the facts declared proven above related. However, it is necessary to
agree on the factual grounds for which the entity is sanctioned and which are:


In October 2019, it was reported that the website of the claimed entity *** URL.1
did not provide the option to reject the cookies that were installed on the ter-
minal and that if any user wanted to continue browsing the page, they had to accept
obligatorily tar cookies, so it was in breach of current regulations.

Due to these facts, in November of that year, information was required from the entity
to explain about the facts denounced being the response of the entity,
two months later, that is, in January 2020, that: “I had been working since June
2019 in the design of the solution for adapting the cookie policy to the requirements

agencies of the General Data Protection Regulation and the New Organic Law of
Data Protection and Guarantee of Digital Rights, also following the guides
of good practices issued by the control authorities and very especially the
issued by the Agency last November 2019 (…) ”.

It also informed this Agency, in January 2020, that: “(…) it was implemented
a banner that in addition to informing about the responsibility of the use of cookies in the
page, which corresponds to Iberia, allows you to configure the types of cookies that are
can be found on the web, or accept all ”.



However, a few days later, on 02/06/20, to verify the veracity or not of the
information provided by the entity claimed to this Agency, it was verified that,
on the website *** URL.1, in addition to still not offering the option to reject all
cookies, as reported, it was also found that, several points of the
The page's cookie policy did not conform to the recommendations made by

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 23/24








this Agency in its Guide on Cookies, thus checking that the entity has not-
had complied with what was stated a few days before, so based on this, we proceeded to the
opening of this sanctioning file and it is not until the claimed entity

receives the initiation of the sanctioning file PS / 0032/2020 for non-compliance with
stipulated in the LSSI Law, with a proposed penalty of 30,000 euros, when
proceeds to modify the web page, in relation to the cookie policy and thus
verified by this Agency, on 07/22/20.



Regarding the latest allegations presented by the claimed entity in which

indicates that: “(…) the diligent action by the Agency would have consisted of
to issue a warning, instead of initiating a sanctioning procedure, in terms
millaries and grant a period of correction to the warnings proceeded.
dited to resume the path of article 39bis.2 LSSI ”would have been the right thing to do if the entity
dad had made or attempted to make the changes you indicated were made in January
of 2020 and that this Agency verified, in February, that they were not really made.




Therefore, in light of the foregoing, By the Director of the Es-
data protection cloth,

                                      RESOLVES:




FIRST: TO IMPOSE IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPE-
RADORA UNIPERSONAL (IBERIA) with CIF: A85850394, owner of the website:
*** URL.1 a penalty of 30,000 euros (thirty thousand euros), for violation of article
22.2. of the LSSI.

SECOND: NOTIFY this resolution to the entity IBERIA LÍNEAS AÉREAS
DE ESPAÑA, S.A. UNIPERSONAL OPERATOR (IBERIA) and INFORM the claimant
about the outcome of the claim.

THIRD: Warn the sanctioned that the sanction imposed must make it effective
once this resolution is enforceable, in accordance with the provisions of the

Article 98.1.b) of Law 39/2015, of October 1, on the Administrative Procedure Co-
of the Public Administrations (LPACAP), within the voluntary payment period that
points out Article 68 of the General Collection Regulations, approved by Royal De-
creto 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by entering the restricted account number ES00 0000 0000 0000 0000

0000, opened in the name of the Spanish Agency for Data Protection in the Bank
CAIXABANK, S.A. or otherwise, it will be collected in an exemplary period
cultural.

Notification received and once executive, if the execution date is found
between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-
luntario will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 24/24








In accordance with the provisions of article 82 of Law 62/2003, of December 30-
of fiscal, administrative and social order measures, this Resolution is

will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection Agency on the publication of its Resolutions.

Against this resolution, which puts an end to administrative proceedings, and in accordance with
established in articles 112 and 123 of the LPACAP, the interested parties may interpose
ner, optionally, appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly administrative contentious appeal before the

Contentious-administrative chamber of the National Court, in accordance with the provisions
set out in article 25 and section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
two months from the day following notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party

do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other registers provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency had no knowledge of the filing of the contentious-administrative appeal
trative within a period of two months from the day following notification of this
resolution, would terminate the precautionary suspension.


Mar Spain Martí


Director of the Spanish Agency for Data Protection






















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es