AEPD - PS/00057/2020

From GDPRhub

20 July 2020 - The Spanish Data Protection Agency (AEPD) decided to close early the sanction procedure against Eslora Proyectos, S.L. (the defendant) for the infringement of its information duties related to cookies under Article 22(2) of the Spanish Law on Information Society Services (LSSI), the Spanish law regulating cookies, which is connected to Article 13 of the GDPR. The defendant agreed to an early voluntary payment, with acknowledgement of liability, of the corresponding part (6,000 €) of the fine suggested by the AEPD (10,000 €).
 
  
==English Summary==
  
===Facts===
The decision results from a sanction procedure started by the AEPD against the defendant following a complaint submitted by a Spanish citizen, who stated that the defendant owns three (3) websites that load a large number of cookies without offering the user the corresponding basic layer information.
  
===Dispute===
 
The defendant answered the AEPD's investigation requests stating that: (i) at the date of the complaint (October 31st, 2019) it was adapting its data protection practices to the GDPR, and it had limited resources to do so; (ii) due to the controversial CJEU judgment C-673/17 dated October 1st, 2019, the defendant decided not to install a basic layer regarding cookies until the AEPD published guides or recommendations; (iii) the majority of cookies loaded on the three websites were necessary cookies that did not process a large volume of data (never special data), and the defendant had not capitalized on such data nor developed aggressive commercial campaigns with them (as the majority of its customers are companies). In its written answer, the defendant also specified that, due to the complaint, it had installed the basic information layer and updated the second information layer, following, in both cases, the recommendations in the AEPD's guide on the usage of cookies dated November 8th, 2019. The AEPD checked the three websites afterwards and understood that they did not yet comply with the legislation, so it started the corresponding sanction procedure.
 
  
===Holding===
 
Without prejudice to the results of the final investigations in the sanction procedure, the AEPD understood that the defendant could have breached its information duties in relation to cookies under Article 22(2) of the LSSI (digital service providers may use data storage and retrieval devices on the recipients' terminal equipment, provided that the recipients have given their consent after having been provided with clear and complete information on their use and, in particular, on the purposes of the data processing, in accordance with data protection law). On the basis of the available evidence, the three websites still load non-necessary cookies (even Facebook ones) without informing the user or obtaining any consent, and the basic layer is too vague ("…in order to improve your browsing experience…") and does not follow the AEPD's recommendations. Besides, the second layer of the three websites provides generic information on the concept of cookies, but no specific information on which cookies will be installed on the user's device and for how long (one of them even specifies that the way to reject cookies "will change depending on your browser", but includes no link or explanation of how), and the websites do not offer any way to reject all cookies. Consequently, after considering some aggravating circumstances [(i) negligence/intentionality on the part of the defendant, (ii) the period of time during which the breach had been occurring, and (iii) the defendant's acceptance of the AEPD's cookies guide], the AEPD understood that, if the sanction procedure resulted in a successful decision, the defendant would be fined 10,000 € for this infringement.
In this sense, the AEPD offered the defendant the possibility of settling the matter before the decision was issued by agreeing to a voluntary payment of part of the fine, with two possible discounts: (i) acknowledgement of its liability (8,000 €) and (ii) early voluntary payment (6,000 €). The defendant agreed to both, so it paid 6,000 € and the AEPD closed the sanction procedure.
 
  
==Comment==
 
In his/her complaint, the Spanish citizen also added a second ground besides the one specified above: he/she stated that, although the contact forms on the three websites named the defendant as data controller, he/she had checked the AEPD's DPO registry and found no entry for it (this is logical, taking into account that he/she mistook the concept of "data controller" for that of "data protection officer"). Although the AEPD did not address this second ground of complaint, the defendant declared in its written answer that it was not obliged to appoint a DPO [neither under Art. 37(1) GDPR nor under Art. 34 of the Spanish Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)], but that, due to the complaint and as evidence of its respect for the accountability principle, it had decided to appoint one.
 
  
==Further Resources==
 
''Share blogs or news articles here!''
 
  
==English Machine Translation of the Decision==
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
 
  
