AEPD (Spain) - PS/00057/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
mNo edit summary
Line 54: Line 54:
20 July 2020 - The Spanish Data Protection Agency (AEPD) decided to early finish the sanction procedure against Eslora Proyectos, S.L. (the defendant) for the infringement its information duties related to cookies, as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the GDPR.—, as the defendant agreed to an early and guilty voluntary payment of the corresponding part (6,000 €) of the fine suggested by the AEPD (10,000 €).
20 July 2020 - The Spanish Data Protection Agency (AEPD) decided to early finish the sanction procedure against Eslora Proyectos, S.L. (the defendant) for the infringement its information duties related to cookies, as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the GDPR.—, as the defendant agreed to an early and guilty voluntary payment of the corresponding part (6,000 €) of the fine suggested by the AEPD (10,000 €).


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen stating that the defendant is the owner of three (3) websites that they load a big number of cookies without offering the corresponding basic layer information to the user.
The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen stating that the defendant is the owner of three (3) websites that load a big number of cookies without offering the corresponding basic layer information to the user.


=== Dispute ===
===Dispute===
The defendant answered to the AEPD investigation requests stating that: (i) at the date of the complaint (October 31st, 2019) it was performing a data protection adaption to the GDPR, and it had limited resources to do such; (ii) due to the controversial CJEU judgement C-673/17 dated October 1st, 2019, the defendant decided not to install a basic layer regarding cookies until the publication of any guides or recommendations by the AEPD; (iii) the majority of cookies loaded at the three websites were necessary cookies that did not process a large volume of data (never special data), and the defendant had not capitalized such data nor developed aggressive commercial campaigns (as the majority of its customers are companies) with them. In its written answer, the defendant also specified that, due to the complaint, it had installed the basic information layer and it has updated the second information layer, following, in both cases, the recommendations at the guide by the AEPD on the usage of cookies dated November 8th, 2019. The AEPD checked the three websites afterwards and it understood that they do not comply yet with the legislation, so it started the corresponding sanction procedure.
The defendant answered to the AEPD investigation requests stating that: (i) at the date of the complaint (October 31st, 2019) it was performing a data protection adaption to the GDPR, and it had limited resources to do such; (ii) due to the controversial CJEU judgement C-673/17 dated October 1st, 2019, the defendant decided not to install a basic layer regarding cookies until the publication of any guides or recommendations by the AEPD; (iii) the majority of cookies loaded at the three websites were necessary cookies that did not process a large volume of data (never special data), and the defendant had not capitalized such data nor developed aggressive commercial campaigns (as the majority of its customers are companies) with them. In its written answer, the defendant also specified that, due to the complaint, it had installed the basic information layer and it has updated the second information layer, following, in both cases, the recommendations at the guide by the AEPD on the usage of cookies dated November 8th, 2019. The AEPD checked the three websites afterwards and it understood that they do not comply yet with the legislation, so it started the corresponding sanction procedure.


=== Holding ===
===Holding===
Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached its information duties in relation to cookies as per Article 22(2) of the LSSI (digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws): on the basis of the available evidences, the three websites still load not necessary cookies (even Facebook ones) without informing nor obtaining any consent from the user, and the basic layer is too much vague ("…in order to improve your browsing experience…") and does not follow the recommendations by the AEPD; besides, the second layer of the three websites provide generic information on the concept of cookies, but not specific information on which cookies and how long will they be installed at the user's device (in one of them, it even specify that the way to reject cookies "will change depending on your browser", but it does not include any link nor explanation on how), and they do not offer any way to reject all the cookies. Consequently, after considering some aggravating circumstances [(i) there is a negligence/intentionality by the defendant, (ii) the period of time in which the breach has been happening, and (iii) the acceptance by the defendant of the cookies guide of the AEPD], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 10,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine with two possible discounts: (i) acknowledging of its liability (8,000 €) and early voluntary payment (6,000 €). The defendant agreed to both concepts, so it paid 6,000 € and the sanction procedure was closed by the AEPD.
Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached its information duties in relation to cookies as per Article 22(2) of the LSSI (digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws): on the basis of the available evidences, the three websites still load not necessary cookies (even Facebook ones) without informing nor obtaining any consent from the user, and the basic layer is too much vague ("…in order to improve your browsing experience…") and does not follow the recommendations by the AEPD; besides, the second layer of the three websites provide generic information on the concept of cookies, but not specific information on which cookies and how long will they be installed at the user's device (in one of them, it even specify that the way to reject cookies "will change depending on your browser", but it does not include any link nor explanation on how), and they do not offer any way to reject all the cookies. Consequently, after considering some aggravating circumstances [(i) there is a negligence/intentionality by the defendant, (ii) the period of time in which the breach has been happening, and (iii) the acceptance by the defendant of the cookies guide of the AEPD], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 10,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine with two possible discounts: (i) acknowledging of its liability (8,000 €) and early voluntary payment (6,000 €). The defendant agreed to both concepts, so it paid 6,000 € and the sanction procedure was closed by the AEPD.


== Comment ==
==Comment==
In his/her complaint, the Spanish citizen also added a second reason besides the one specified above: he/she stated that, although the contact forms at the three websites specified the defendant as data controller, he/she had checked the DPO registry of the AEPD without any results of such (this is logical, taking into account that he/she mistook the concept of "data controller" for the concept of "data protection officer"). Although the AEPD did not speak out about this second reason of complaint, in its written answer, the defendant declared that it was not obliged to the appointment of a DPO [nor according Art. 37(1) GDPR nor Art. 34 of the Spanish Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)], but, due to the complaint and as an evidence of its respect to the accountability principle, he had decided to appoint one.
In his/her complaint, the Spanish citizen also added a second reason besides the one specified above: he/she stated that, although the contact forms at the three websites specified the defendant as data controller, he/she had checked the DPO registry of the AEPD without any results of such (this is logical, taking into account that he/she mistook the concept of "data controller" for the concept of "data protection officer"). Although the AEPD did not speak out about this second reason of complaint, in its written answer, the defendant declared that it was not obliged to the appointment of a DPO [nor according Art. 37(1) GDPR nor Art. 34 of the Spanish Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)], but, due to the complaint and as an evidence of its respect to the accountability principle, he had decided to appoint one.


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 13:09, 30 July 2020

AEPD - PS/00057/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
22(2) of the Spanish Law on Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 20.07.2020
Fine: 6.000 EUR
Parties: ESLORA PROYECTOS, S.L.
National Case Number/Name: PS/00057/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

20 July 2020 - The Spanish Data Protection Agency (AEPD) decided to early finish the sanction procedure against Eslora Proyectos, S.L. (the defendant) for the infringement its information duties related to cookies, as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the GDPR.—, as the defendant agreed to an early and guilty voluntary payment of the corresponding part (6,000 €) of the fine suggested by the AEPD (10,000 €).

English Summary

Facts

The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen stating that the defendant is the owner of three (3) websites that load a big number of cookies without offering the corresponding basic layer information to the user.

Dispute

The defendant answered to the AEPD investigation requests stating that: (i) at the date of the complaint (October 31st, 2019) it was performing a data protection adaption to the GDPR, and it had limited resources to do such; (ii) due to the controversial CJEU judgement C-673/17 dated October 1st, 2019, the defendant decided not to install a basic layer regarding cookies until the publication of any guides or recommendations by the AEPD; (iii) the majority of cookies loaded at the three websites were necessary cookies that did not process a large volume of data (never special data), and the defendant had not capitalized such data nor developed aggressive commercial campaigns (as the majority of its customers are companies) with them. In its written answer, the defendant also specified that, due to the complaint, it had installed the basic information layer and it has updated the second information layer, following, in both cases, the recommendations at the guide by the AEPD on the usage of cookies dated November 8th, 2019. The AEPD checked the three websites afterwards and it understood that they do not comply yet with the legislation, so it started the corresponding sanction procedure.

Holding

Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached its information duties in relation to cookies as per Article 22(2) of the LSSI (digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws): on the basis of the available evidences, the three websites still load not necessary cookies (even Facebook ones) without informing nor obtaining any consent from the user, and the basic layer is too much vague ("…in order to improve your browsing experience…") and does not follow the recommendations by the AEPD; besides, the second layer of the three websites provide generic information on the concept of cookies, but not specific information on which cookies and how long will they be installed at the user's device (in one of them, it even specify that the way to reject cookies "will change depending on your browser", but it does not include any link nor explanation on how), and they do not offer any way to reject all the cookies. Consequently, after considering some aggravating circumstances [(i) there is a negligence/intentionality by the defendant, (ii) the period of time in which the breach has been happening, and (iii) the acceptance by the defendant of the cookies guide of the AEPD], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 10,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine with two possible discounts: (i) acknowledging of its liability (8,000 €) and early voluntary payment (6,000 €). The defendant agreed to both concepts, so it paid 6,000 € and the sanction procedure was closed by the AEPD.

Comment

In his/her complaint, the Spanish citizen also added a second reason besides the one specified above: he/she stated that, although the contact forms at the three websites specified the defendant as data controller, he/she had checked the DPO registry of the AEPD without any results of such (this is logical, taking into account that he/she mistook the concept of "data controller" for the concept of "data protection officer"). Although the AEPD did not speak out about this second reason of complaint, in its written answer, the defendant declared that it was not obliged to the appointment of a DPO [nor according Art. 37(1) GDPR nor Art. 34 of the Spanish Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)], but, due to the complaint and as an evidence of its respect to the accountability principle, he had decided to appoint one.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/14936-031219 Procedure No.: PS / 00057/2020RESOLUTION R / 00283/2020 OF TERMINATION OF THE PAYMENT PROCEDUREVOLUNTARYIn the sanctioning procedure PS / 00057/2020, instructed by the AgencySpanish Data Protection to ESLORA PROYECTOS, SL , given the complaintpresented by D. AAA , and based on the following,BACKGROUNDFIRST: On April 2, 2020, the Director of the Spanish Agency forData Protection agreed to initiate sanctioning procedure to ESLORAPROYECTOS, SL (hereinafter, the claimed), through the Agreement thattranscribe:<<Procedure Nº: PS / 0057/2020166-240719PENALTY PROCEDURE STARTING AGREEMENTOf the actions carried out by the Spanish Agency for Data Protection beforethe entity, ESLORA PROYECTOS, SL, with CIF: B95608196 owner of the pagesweb: *** URL.1 , *** URL.2 and *** URL.3 (hereinafter “the claimed entity”), by virtueof complaint filed by D. AAA (hereinafter “the claimant”) and having asbase the following:ACTSFIRST: On 10/31/19, you have entered this Agency, complaint filedby the claimant indicating, among others, the following: ““The three websites that are the subject of the complaint leave cookies in the user's browser.Specifically, these: *** URL.1 _fbp _ga _gid; *** URL. 2 _ga _gat _gid*** URL. 3 PHPSESSID.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/14In all three cases, there is no initial notice anywhere on the website.that warns of this circumstance, so the user will receive cookies withoutnoticing except express search in the browser.Similarly, on all 3 websites there is a data submission form at the point ofContact menu, where personal data is collected. In all cases ofreference to a privacy policy where it is stated that the person responsible for thetreatment is Eslora Proyectos SL However, through access to the consultationresponsible for this website *** URL.4 there does not seem to be any responsiblenotified in the case of ESLORA ”.SECOND: In view of the facts set forth in the claim and the documentscontributed by the claimant, the General Sub-Directorate for Data Inspection proceededto carry out actions for its clarification, under the powers ofinvestigation granted to the control authorities in article 57.1 of the Regulation(EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD). So,with dates 19/12/19 and 07/01/20, an informative request is addressed to the entityclaimed.THIRD: On 02/13/20, the claimed entity sends this Agency written inwhich, among others, reports the following:"The facts that motivate this claim before the AEPD:1) The lack of a first layer that reports on the installation of cookies in threewebsites: Miradorkossler.com, Kosslerbarria.es and Kossleratea.com.2) Lack of communication of the appointment of a Protection DelegateData (hereinafter "DPD") to the Spanish Agency for Data Protection.That, in relation to the first of the facts, on the date on which thecomplaint (October 31, 2019), ESLORA PROJECTOS was immersedin a project to adapt all the processes related to the activity of theCompany that will involve the processing of personal data, whose objectiveC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/14The main objective was to guarantee compliance with the requirements introduced by theGeneral Data Protection Regulation (hereinafter "RGPD").In this sense, the resources ESLORA PROYECTOS could dedicate to developmentof a first layer of information regarding cookies were limited sincethat in the adaptation phase in which the Company was in thatthen there were different tasks that required greater urgency whenface compliance with the basic principles established by the RGPD, soThese actions were given priority.In accordance with the foregoing, and particularly taking into account the controversy thatprevailed around how the duty of information should be faced withRegarding the interested parties that provide data through cookies -suscitatedmainly by the Judgment of October 1, 2019 in case C-673/17 of theEuropean Court of Justice, as well as contradictory pronouncements issuedby different European Control Authorities- decided not to address the development of afirst layer of cookies until the publication of recommendations or interpretationsby the Spanish supervisory authority on this particular issue.In this regard, it is important to note that the cookies installed throughthe indicated Websites, (i) mostly consisted of cookies necessary for thetheir proper functioning and, therefore, their installation does notsupposes a special invasion in the privacy of the users who visited them, (ii) nottreated a large volume of data, (iii) in no case did they treat informationespecially sensitive, (iv) the Company, in relation to the information generated byfrom the installation of the respective cookies, it has not exploited it nor has itenriched the database of users who have browsed it and (v) notIt has an aggressive commercial policy, hardly carrying out campaigns ofcommercial communications to the interested parties, being your regular clientlegal and consequently, not using the data collected by cookies withcommercial purposes.That, regarding the lack of appointment of a Data Protection Officer beforethe AEPD, it should be borne in mind that the main activity occupation of thecompany consists of the promotion and sale of real estate.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/14Taking into account the above, ESLORA PROYECTOS is not subsumed innone of the cases of compulsory designation included (i) in article 37.1RGPD, as well as (ii) in article 34 of the Organic Law on Data Protection andguarantee of digital rights (hereinafter “LOPDgdd”) and, therefore, theDesignation of a DPD is in no way prescriptive.That, in light of the facts and in line with the commitment of ESLORA PROYECTOSin compliance with data protection regulations, they are exposed toBelow are the measures that have been taken to prevent situations such asthat motivates this claim to occur again:Firstly, following the transfer of the facts that motivate the claim,ESLORA PROYECTOS has proceeded to correctly update the respectivefirst layers of the Websites as evidenced by Document Iattached to this answering brief.In this regard, once the different alternatives in this regard have been evaluated, theCompany chose to define and implement a first layer solutioninformation with the inclusion of a cookie configuration panel. SuchIn this way, it is guaranteed that users who visit the Company's web pagesare duly informed of the processing of personal data and, at the sametime, they can select what type of cookies they want to install on theirterminals. Likewise, the Company decided to implement this informative model offirst layer as it corresponds to the most guaranteed option (Example 1) proposed by theAEPD in the Guide on the use of Cookies.In turn, through this document, the AEPD is informed that the Company hasproceeded to update the second layer of information or Cookies Policy of thethemselves in order to promote the transparency required of them as responsible forthe data, providing additional information that may be useful to those interestedin accordance with the aforementioned Guide on the use of Cookies issuedrecently by the AEPD.• Second, in order to comply with the principle of responsibilityproactive and exceeding the due diligence required in this regard, despiteESLORA PROYECTOS, if not obliged to do so, has made the decision toappoint a Data Protection Delegate voluntarily. This decision hasC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/14as an ultimate object, avoid incidents such as those that occur and try at all times topromote an environment that advocates respect for the rights and freedoms ofinterested. In this regard, evidence of registration request is providedbefore the AEPD through Document II attached to this brief.• Likewise, as proof of the concern raised by the matter at ESLORAPROJECT, in addition to the aforementioned measures, has been decidedcontract ongoing advisory services from an external provider expert indata protection in order to guarantee exhaustive monitoring in theobservance and compliance with data protection regulations, for whichThey are currently exploring various options. For these reasons, to the AEPD ”.FOURTH: On 02/18/20, the services of the General Inspection Subdirectorateof the AEPD access the denounced web pages, checking in them whatfollowing1º.- In the URL: *** URL.1 :a) .- It is verified that the following cookies are loaded in the browser(Doubleclick.net, Facebook.com), Enter the cookies stored in the sectionmiradorkossler.com, there are some of analytical type: (_ga, _gid).b) .- The screen displayed in the mentioned URL includes a notice offirst layer cookies:"We use our own and third party" cookies "to improve your browsing. If you continuebrowsing accepts its use. ""Cookies Policy" and another "Accept".c) .- If you click on the “Cookies Policy” link , the web portal leads toa PDF document containing the privacy policy, accessible at the URL*** URL.1 .pdf. The content of the Cookies Policy section informs about,what are cookies or what types of cookies does this website use, informingC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/14of the meaning of technical Cookies, analysis Cookies and cookies ofthird parties.2º.- In the URL *** URL.2 :a) .- The following cookies are loaded in the browser: Enter cookiesstored under the heading kosslerbarria.es are some ofanalytic (_ga, _gid)b) .- The screen displayed in the mentioned URL includes a notice offirst layer cookies:"We use our own and third party" cookies "to improve your browsing. If you continuebrowsing accepts its use. ""Close" "More Information".If the second link is clicked, the web portal leads to a sectionAccessible at URL *** URL.2 -cookies /. The information provided makesreference to what are the cookies or cookies used on the web. On"Deactivation or deletion of cookies" only indicates that " In anyYou can now exercise your right to deactivate or delete cookiesfrom this website. These actions are carried out differently depending on thebrowser you are using ”.3º.- In the URL *** URL.3 :a) .- The following cookies are loaded in the browser: Enter cookiesstored under the heading kossleratea.com are some of theanalytic (_ga, _gid)b) .- The screen displayed in the mentioned URL includes a notice offirst layer cookies:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/14"We use our own and third party" cookies "to improve your browsing. If you continuebrowsing accepts its use. ""Cookies Policy" - "Accept".If you click on the first link "Cookies Policy", the web portal leadsto a PDF document containing the privacy policy, accessible at the URL*** URL . 3 .pdf. The content of the Cookies Policy section informs about,what are the cookies or what types of cookies does the web use, informingmeaning of technical cookies, analysis cookies; Third party cookies.FIFTH: In view of the facts denounced, in accordance with the evidence ofthat is available, the Data Inspection of this Spanish Agency for the Protection ofData considers that the cookie policy that is made by the claimed entity, notmeets the conditions imposed by current regulations, so theopening of this sanctioning procedure.FUNDAMENTALS OF LAWIIn accordance with the provisions of art. 43.1, second paragraph, of the Law34/2002, of July 11, on Services of the Information Society and CommerceElectronic (LSSI), is competent to initiate and resolve this ProcedureSanctioner, the Director of the Spanish Agency for Data Protection.IIIn the present case, when accessing the web pages *** URL.1 , *** URL.2 and *** URL.3 , andapplying the recommendations set out in the “Guide to the Use of Cookies”, edited byThis AEPD, in November 2019, verifies that:a) .- First Layer (initial page).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/14a.1.) When accessing the initial pages, and without having carried out any action,Check that unnecessary Google, _ga and _gid cookies are loaded, in additioncookies from Facebook and Doubleclick-Google, and without having reported it and withouthave obtained permission from the user.a.2.) The cookie banner that is displayed when accessing the pages,provides information that is not concise or understandable. When using expressions like,"(...) to improve your navigation (...)", they lead to confusion, distorting theclarity of the message (point 3.1.2.1 of the guide). According to point 3.1.2.2. of theguide, the information to be provided in this layer is ageneric identification of the purposes of the cookies to be used, such asfor example: “ we use cookies to make profiles based on navigationof users ”or,“ to know user behavior through analysisof your browsing for advertising purposes ”.b) Second Layer, through the link, "more information" or "cookie policy":b.1.) In the three pages generic information is provided about, what arethe cookies or the types that exist, but no information is provided about theidentity and characteristics of own cookies that are installed and the timethat remain active in the terminal equipment. Nor about the cookies ofthird parties that are installed, indicating only that " this website usesGoogle Analytics cookies ”.b.2.) In the URL *** URL.2 -cookies / it is indicated that for the deactivation ordeletion of cookies: “ At any time you can exercise your right todeactivation or removal of cookies from this website. These actions areperformed differently depending on the browser you are using ", notincluding not even, in link to the different browsers, not existingnor, in the three web pages, any mechanism that allows to rejectall cookies.IVThe exposed facts could suppose on the part of the entity demanded the commissionof the infringement of article 22.2 of the LSSI, according to which: “The providers ofservices may use data storage and recovery devices interminal equipment of the recipients, provided that they have given theirconsent after clear and complete information has been provided to themC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/14on its use, in particular, for the purposes of data processing, withpursuant to the provisions of Organic Law 15/1999, of December 13, on protectionof personal data.When technically possible and effective, the recipient's consent toAccepting the data processing may be facilitated by using the parametersbrowser or other applications. The above will not prevent the possiblestorage or access of a technical nature for the sole purpose of transmittinga communication by an electronic communications network or, to the extent thatit is strictly necessary, for the provision of a service of the company of theinformation expressly requested by the recipient ”.This Infringement is classified as mild in article 38.4 g) of the aforementioned Law, whichconsiders as such: “Use data storage and recovery deviceswhen the information had not been provided or the consent of therecipient of the service in the terms required by article 22.2. ", and may besanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementionedLSSI.VAfter the evidence obtained in the preliminary investigation phase, and without prejudice towhatever results from the instruction, it is considered appropriate to graduate the sanction toimpose in accordance with the following criteria established by art. 40 of the LSSI:- The existence of intentionality, an expression to be interpreted asequivalent to degree of guilt according to the Judgment of theNational Hearing of 11/12/07 relapse in Resource no. 351/2006,corresponding to the entity denounced the determination of a system ofObtaining informed consent that is appropriate to the LSSI mandate.- Period of time during which the offense has been committed, as it is theclaim October 2019, (section b).- Adherence by the entity to the guide on cookies published by itAgency in November 2019 (section g).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/14In accordance with these criteria, it is considered appropriate to impose on the entity claimeda penalty of 10,000 euros (ten thousand euros), for the violation of article 22.2 of theLSSI.Therefore, in accordance with the foregoing, by the Director of the AgencySpanish Data Protection,HE REMEMBERS:START: PENALTY PROCEDURE for the entity ESLORA PROJECTOS,SL, with CIF: B95608196 owner of the web pages: *** URL.1 , *** URL.2 and *** URL.3 ,for violation of article 22.2) of the LSSI, punishable in accordance with the provisions of theart. 39.1.c) and 40) of the aforementioned Law, regarding its Cookies Policy.NAME: as Instructor to D. BBB , and Secretary, where appropriate, to Ms. CCC ,indicating that any of them may be challenged, if applicable, in accordance with theestablished in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regimeof the Public Sector (LRJSP).INCORPORATE: to the sanctioning file, for evidentiary purposes, the claimfiled by the claimant and its documentation, the documents obtained andgenerated by the General Sub-Directorate for Data Inspection during theinvestigations, all of them part of the present administrative file.WHAT: for the purposes provided in art. 64.2 b) of law 39/2015, of October 1, of theCommon Administrative Procedure of Public Administrations, the sanction thatcould correspond would be a fine of 10,000 euros for the violation of the article22.2 of the LSSI, without prejudice to what results from the instruction.REQUIRE: the entity ESLORA PROYECTOS, SL to take the measuresadequate to remedy the deficiencies indicated in point II of the Fundamentalsof Law, following the indications stipulated in the edited Guide on Cookiesby the AEPD, (Nov. 2019).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/14NOTIFY: this agreement to initiate sanction proceedings against the entityESLORA PROYECTOS, SL granting you a hearing period of ten business daysso that it formulates the allegations and presents the evidence that it considers convenient.If, within the stipulated period, no allegations are made to this initial agreement, the samemay be considered a resolution proposal, as established in the article64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure ofPublic Administrations (hereinafter, LPACAP).In accordance with the provisions of article 85 of the LPACAP, in the event that thesanction to impose were a fine, you can recognize your responsibility within theterm granted for the formulation of allegations to this initial agreement; thewhich will entail a reduction of 20% of the sanction to be imposed inthe present procedure, equivalent in this case to 2,000 euros. With the appof this reduction, the sanction would be established at 8,000 euros, resolving theprocedure with the imposition of this sanction.In the same way, you may, at any time prior to the resolution of thisprocedure, carry out the voluntary payment of the proposed sanction, whichwill mean a reduction of 20% of the amount thereof, equivalent in this caseat 2,000 euros. With the application of this reduction, the sanction would be established in8,000 euros and its payment will imply the termination of the procedure.The reduction for the voluntary payment of the sanction is cumulative to the one that correspondsapply for the acknowledgment of responsibility, provided that this acknowledgmentof the responsibility is revealed within the term granted to formulateallegations to the opening of the procedure. Voluntary payment of the referred amountin the previous paragraph it may be done at any time prior to the resolution. InIn this case, if both reductions were to apply, the amount of the sanction would beestablished at 6,000 euros (six thousand euros).In any case, the effectiveness of any of the two mentioned reductions will beconditioned to the withdrawal or resignation of any action or resource in processadministrative against the sanction.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 12
12/14If you choose to proceed to the voluntary payment of any of the amounts indicatedpreviously, you must make it effective by entering the account number ES000000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection ofData in Banco CAIXABANK, SA, indicating in the concept the number ofprocedure reference in the heading of this document and thecause of reduction of the amount to which it is accepted.Likewise, you must send the proof of income to the General Subdirectorate ofInspection to continue the procedure in accordance with the quantityentered.The procedure will have a maximum duration of nine months from thedate of the initiation agreement or, if applicable, the draft initiation agreement.After this period will expire and, consequently, the file ofperformances; in accordance with the provisions of article 64 of the LOPDGDD. ByLastly, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,There is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Agency for Data Protection.
>>SECOND : On June 26, 2020, the requested party has paid thesanction in the amount of 6,000 euros making use of the two planned reductionsin the Initiation Agreement transcribed above, which implies the recognition of theresponsibility.THIRD : The payment made, within the period granted to make allegations tothe opening of the procedure, implies the renunciation of any action or recourse in processadministrative against the sanction and the recognition of responsibility in relation tothe facts referred to in the Home Agreement.FUNDAMENTALS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authority ofcontrol, and as established in art. 47 of Organic Law 3/2018, of 5 ofDecember, on Personal Data Protection and guarantee of digital rights (inC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 13
13/14hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protectionis competent to sanction the infractions that are committed against saidRegulation; infractions of article 48 of Law 9/2014, of May 9, GeneralTelecommunications (hereinafter LGT), in accordance with the provisions of thearticle 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and38.4 d), g) and h) of Law 34/2002, of July 11, on services of the society of theinformation and electronic commerce (hereinafter LSSI), as provided in the article43.1 of said Law.IIArticle 85 of Law 39/2015, of October 1, of the Administrative ProcedureCommon of Public Administrations (hereinafter, LPACAP), under the heading" Termination in sanctioning procedures " provides the following:"one. Initiated a sanctioning procedure, if the offender acknowledges hisresponsibility, the procedure may be resolved with the imposition of the sanctionthat proceed.2. When the sanction is solely pecuniary or fitsimpose a pecuniary and a non-pecuniary sanction but it has been justifiedthe inadmissibility of the second, the voluntary payment by the alleged responsible, inany time prior to the resolution, will imply the termination of the procedure,except with regard to the replacement of the altered situation or the determination of thecompensation for the damages caused by the commission of the offense.3. In both cases, when the sanction is solely pecuniary in nature,the competent body to resolve the procedure will apply reductions of, toless, 20% on the amount of the proposed sanction, these being cumulativeeach. The aforementioned reductions must be determined in the notification ofinitiation of the procedure and its effectiveness will be conditioned to the withdrawal orwaiver of any administrative action or recourse against the sanction.The reduction percentage provided in this section may be increasedby regulation.According to what was stated,the Director of the Spanish Agency for Data Protection RESOLVES :FIRST: DECLARE the termination of procedure PS / 00057/2020 , ofin accordance with the provisions of article 85 of the LPACAP.SECOND: NOTIFY this resolution to ESLORA PROYECTOS, SL .In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once the interested parties have been notified.Against this resolution, which ends the administrative procedure as prescribed bythe art. 114.1.c) of Law 39/2015, of October 1, of the Administrative ProcedureCommon of Public Administrations, interested parties may file an appealadministrative litigation before the Contentious-administrative Chamber of theNational Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-Administrative Jurisdiction, within a period of two months fromC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 14
14/14day after notification of this act, as provided in article 46.1 of thereferred Law.
Mar España Marti
Director of the Spanish Agency for Data Protection