AEPD (Spain) - PS/00036/2020

From GDPRhub
Revision as of 15:04, 8 August 2020 by Silvialoar (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00036/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 58(2) GDPR
Article 83 GDPR
Article 22(2) de servicios de la sociedad de la información y de comercio electrónico
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: AAA
JUST LANDED S.L.
National Case Number/Name: PS/00036/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Silvia López

Spanish DPA fines a company because its web site breached Article 13 GDPR, which lays down the information to be provided to the data subject when his/her personal data are collected.

English Summary

Facts

Although on the website there was information on terms and conditions of use, these were written only in English, being the entity based in Spanish territory.

Dispute

Does providing the privacy policy in a language other than that of the country where the company is based comply with Article 13 of the GDPR?

Holding

The Spanish DPA found that the facts constituted an infringement for violation of Article 13 of the RGPD, and imposed a reprimed to the company.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION ON DISCIPLINARY PROCEEDINGS
In the sanctioning procedure PS/00036/2020, instructed by the Spanish
Data Protection, to the entity, JUST LANDED, S.L. with CIF: B83690131, holder of
the website, ***URL.1, (hereinafter "the contested entity"), by virtue of complaint
submitted by Mr. A.A.A., (hereinafter, "the Claimant"), and based on the following:
BACKGROUND
FIRST: Dated 25/02/19, you are admitted to this Agency, complaint filed
by the claimant in which he states, inter alia, the following:
"That there is no privacy policy defining the file where the
data collected. The owner of the file is also not defined, nor are the
ARCO rights. That cookies are collected on the web ***URL.1 and there is no policy of
cookies. That the terms and conditions are defined only in English".
SECOND: In view of the facts set out in the complaint and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to take action for clarification, under the investigative powers granted to the supervisory authorities in Article 57(1) of Regulation (EU)
2016/679 (RGPD). Thus, on 29/03/19 and 04/11/19, a request for information is addressed to the entity in question.
According to the certificate of the Electronic Notifications and Electronic Address Service
The request sent to the claimed entity on 29/03/19, through the Notific@ service, was accepted on 01/04/19 and the requirement
sent to the claimed entity on 04/11/19, was accepted at destination with date
04/11/19.
THIRD: Dated 03/11/19, by the Subdirectorate General for Data Inspection,
the following has been verified in relation to the website ***URL.1
1. There is NO banner or warning, in its first layer, related to the existence of
or the policy on them.
2. When you enter the website and without or perform any action, cookies are loaded into your browser, between
others, the following persistent cookies:
- IDE, expiring on November 27, 2020 and for advertising purposes according to ***URL.2
- gads, expiring on November 2, 2021 and for advertising purposes according to ***URL.2
- _ga, expiring on 2 November 2021 and for performance purposes
according to ***URL.2. According to ***URL.2 this cookie is associated with Google Analytics.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/6
- gid, expiring on November 4, 2019, and for performance purposes
according to ***URL.2. According to ***URL.2 this cookie is associated with Google Analytics.
3. The existence of an accessible privacy policy is checked in the url:
***URL.3, but written in English.
FOURTH: In view of the facts reported, and in accordance with the evidence
the Data Inspection of this Spanish Agency for the Protection of
Data considered that the action of the claimed entity did not meet the conditions
imposed by the rules in force, and it is therefore appropriate to initiate proceedings
sanctioning. Thus, on 12/03/20, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity complained of for infringement of Article 13) of the RGPD, punishable in accordance with the provisions of Article 83
of the above-mentioned rule, with respect to its Privacy Policy and for violation of the
22.2) of Law 34/2002, of 11 July, on Information Society Services and
Electronic Commerce (LSSI), punishable under articles 39) and 40)
of the mentioned Law, regarding the "Cookie Policy" in the denounced website.
FIFTH: Notification of the opening of the file on 31/03/20, as of today, no
it is recorded that no response has been given to the opening of the file within, the
period granted for this purpose, for the appropriate legal purposes by the claimed entity.
Of the actions carried out in the present procedure, of the information and documentation presented by the parties, the following have been accredited
PROVEN FACTS
1.- On the web: ***URL.3, there is information on terms and conditions of use but
is written in English. Inside this page, there is a link:
"Privacy policy", which redirects to another page about the "privacy policy", but
also written in English.
2.- To register for the services provided by the claimed entity, you must
registration in a questionnaire accessible through the web, introducing personal data and
accepting the entity's terms of use.
3.- On the web page, ***URL.1, there is NO banner or warning, in its first layer,
concerning the existence of cookies, but if cookies are loaded without
previous action. Nor is there any link or mechanism to accept, reject
or manage the installation of cookies.
LEGAL FOUNDATIONS
I
Competition:
- About the Privacy Policy:
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
3/6
The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the RGPD in
Article 47 of the LOPDGDD.
- About the Cookie Policy:
The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of Article 43.1, paragraph
second, from the LSSI.
II
The joint evaluation of the documentary evidence in the proceedings gives the AEPD a view of the action reported, which has been reflected in the facts declared as proven above.
In the present case, two situations are reported. Firstly, on the website
***URL.1, there is NO policy on cookies and secondly, the terms and conditions of its privacy policy are written only in English, being the
entity based in Spanish territory.
It has been verified by this Agency that, on the website: ***URL.3, there is
information on terms and conditions of use but is written in English. Within this page, there is a link: "Privacy policy", which redirects to
another page on the "privacy policy", but also written in English.
It has also been verified on the web, ***URL.1, that there is NO banner or warning, in its first layer, regarding the existence of cookies, nor is there any link
or mechanism to accept, reject or manage the installation of cookies, but
cookies are loaded without any prior action.
III
So, the known facts, about the privacy policy of the website
denounced, constitute an infringement, attributable to the defendant, for violation of Article 13 of the RGPD, which establishes the information to be provided
to the person concerned at the time of collection of their personal data.
For its part, Article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of
the omission of the duty to inform the affected person about the treatment of
your personal data in accordance with Articles 13 and 14 of the GPRS"
This infringement is punishable by a fine of up to EUR 20,000,000 or, in the case of an undertaking, of up to 4% of the total annual turnover of the previous financial year, whichever is the greater
higher amount, in accordance with Article 83.5(b) of the GPRS.
However, Article 58(2) of the GPRS provides that: 'Each supervisory authority shall have all the following corrective powers
processing operations have infringed the provisions of this Regulation;
(...); (i) impose an administrative fine pursuant to Article 83 in addition to or instead of
of the measures referred to in this paragraph, depending on the circumstances of
Each individual case, therefore, the sanction that may correspond would be a warning, without prejudice to what may result from the investigation of this file.
IV
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/6
The facts exposed, about the policy of cookies, in the denounced web, suppose the
commission of an offence, as stipulated in Article 22.2 of the ISESA, according to which
"Service providers may use data storage and retrieval devices in terminal equipment of recipients, provided that the recipients have given their consent after the information has been provided
clear and complete on its use, in particular on the purposes of the processing of
the data, in accordance with the provisions of Organic Law 15/1999 of 13 December,
of personal data protection.
Where technically possible and effective, the consent of the recipient to
accepting the processing of the data may be facilitated by the use of the
appropriate browser or other applications.
The above shall not preclude possible storage or access of a technical nature to the
to effect the transmission of a communication over a communications network
electronic or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the recipient".
This infringement is classified as "minor" in Article 38.4 g) of the aforementioned law, which
considers as such: "Use data storage and retrieval devices
when the information has not been provided or the consent of the recipient of the service has not been obtained under the terms required by Article 22.2.", and may be subject to a fine of up to 30,000 euros, in accordance with Article 39 of the aforementioned ISESA.
Following the evidence obtained, it is considered that the sanction to be imposed should be graduated
in accordance with the following criteria established in article 40 of the LSSI:
- The existence of intentionality, an expression that must be interpreted as equivalent to the degree of guilt in accordance with the Sentence of the Hearing
National Appeal of 12/11/07 filed under Appeal No. 351/2006, corresponding to
the reported entity the determination of a system for obtaining informed consent that is consistent with the mandate of the ISSA.
- The period of time during which the infringement has been committed, as the complaint was filed in February 2019, (section b).
In accordance with these criteria, it is considered appropriate to impose on the entity complained of
a penalty of 3,000 euros (three thousand euros).
Having regard to the above and other provisions of general application, the Director of the Agency
Spanish Data Protection.
RESOLVED
FIRST: To impose to the entity JUST LANDED, S.L. with CIF: B83690131, holder of
the website, ***URL.1 a sanction of:
a- Warning, for the infringement of article 13) of the RGPD, regarding its Privacy Policy.
b- 3,000 euros (three thousand euros), for the infringement of article 22.2) of the LSSI, regarding its Cookie Policy.
SECOND: TO REQUIRE JUST LANDED, S.L. so that, within a
month from this act of notification, proceed to
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/6
a- Take the appropriate measures to include in the website of their ownership,
information on its "privacy policy", in Spanish, in line with
with the provisions of article 13 of the RGPD.
b- To take the appropriate measures to include in the web page of its ownership,
information about the cookies that are installed and a mechanism to enable or reject all cookies and/or to enable cookies in a granular form,
that allows you to manage user preferences, for which you can use
the existing information in the "Guide to Cookies" published by the Spanish Data Protection Agency in November 2019. You are also required to
to take the necessary measures so that NO cookies are installed simply by accessing the website.
THIRD: TO NOTIFY the present resolution to the entity JUST LANDED, S.L and to
claimant on the outcome of the claim.
Warn the sanctioned party that the sanction imposed must be effective once
enforce this decision in accordance with Article 98(1)(b)
of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), within the voluntary payment period indicated in Article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005,
of 29 July, in connection with Article 62 of Law 58/2003 of 17 December, by depositing it in the restricted account No. ES00 0000 0000 0000 0000, opened
on behalf of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A. or otherwise, it will be collected during the enforcement period.
Once the notification has been received and once it has been enforced, if the enforcement date is
between the 1st and the 15th of each month, inclusive, the deadline for making the voluntary payment shall be the 20th of the following month or the next working month, and if it is between the 16th and the last day of each month, inclusive, the deadline for payment
will be until the 5th of the second or immediately following month.
In accordance with the provisions of Article 82 of Law 62/2003 of 30 December on fiscal, administrative and social order measures, this Resolution is
will make public, once it has been notified to the interested parties. The publication will be made in accordance with the provisions of the Agency's Instruction 1/2004 of 22 December
Spanish Data Protection Agency on the publication of its resolutions.
Against this resolution, which puts an end to the administrative procedure, and in accordance with
established in Articles 112 and 123 of the LPACAP, the interested parties may, on an optional basis, lodge an appeal for reconsideration with the Director of the Spanish Agency
of Data Protection within one month from the day following the notification of this decision, or, directly, an administrative appeal before the
Administrative Chamber of the National Court, in accordance with Article 25 and paragraph 5 of the fourth additional provision of the Law
29/1998, of 13/07, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, according to
the provisions of Article 46.1 of the aforementioned legal text.
Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP
may suspend the final resolution in administrative proceedings as a precautionary measure if the interested party expresses his intention to file a contentious-administrative appeal. If
In this case, the person concerned must formally communicate this fact in writing
addressed to the Spanish Data Protection Agency, submitted through ReC/Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/6
Electronic registration of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or
through one of the other registers provided for in Article 16.4 of the aforementioned Law
39/2015, 1 October. You must also send the Agency the documentation
to prove the effective filing of the contentious-administrative appeal. If the
Agency was not informed of the lodging of the contentious-administrative appeal within two months of the day following notification of this
resolution, I would terminate the precautionary suspension.
Mar Spain Martí
Director of the Spanish Data Protection Agency.