AEPD - PS/00057/2020
|Relevant Law:||Article 7 GDPR; Article 13 GDPR; Article 22(2) of the Spanish Law on Information Society Services (LSSI)|
|Parties:||ESLORA PROYECTOS, S.L.|
|National Case Number/Name:||PS/00057/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD decision (in ES)|
|Initial Contributor:||Miguel Garrido de Vega|
20 July 2020 - The Spanish Data Protection Agency (AEPD) decided to close early the sanction procedure against Eslora Proyectos, S.L. (the defendant) for infringing its information duties related to cookies under Article 22(2) of the Spanish Law on Information Society Services (LSSI), the Spanish law regulating cookies, which is connected to Article 13 of the GDPR. The defendant acknowledged its liability and agreed to an early voluntary payment of the corresponding part (6,000 €) of the fine suggested by the AEPD (10,000 €).
The decision is the consequence of a sanction procedure started by the AEPD against the defendant following a complaint submitted by a Spanish citizen, who stated that the defendant owns three (3) websites that load a large number of cookies without offering the corresponding basic-layer information to the user.
The defendant responded to the AEPD's investigation requests by stating that: (i) at the date of the complaint (October 31st, 2019) it was adapting its data protection practices to the GDPR, and it had limited resources to do so; (ii) due to the controversial CJEU judgment C-673/17 dated October 1st, 2019, the defendant decided not to install a basic layer regarding cookies until the AEPD published guides or recommendations; (iii) the majority of the cookies loaded on the three websites were necessary cookies that did not process a large volume of data (never special data), and the defendant had not capitalized on such data nor used it to develop aggressive commercial campaigns (as the majority of its customers are companies). In its written answer, the defendant also specified that, as a result of the complaint, it had installed the basic information layer and updated the second information layer, following, in both cases, the recommendations in the AEPD's guide on the usage of cookies dated November 8th, 2019. The AEPD checked the three websites afterwards and found that they still did not comply with the legislation, so it started the corresponding sanction procedure.
Without prejudice to the outcome of the final investigations in the sanction procedure, the AEPD considered that the defendant could have breached its information duties in relation to cookies under Article 22(2) of the LSSI (digital service providers may use data storage and retrieval devices on the computer terminals of recipients, provided that those recipients have given their consent after being provided with clear and complete information on their use and, in particular, on the purposes of the data processing, in accordance with data protection law). On the basis of the available evidence, the three websites still load non-necessary cookies (even Facebook ones) without informing the user or obtaining any consent, and the basic layer is too vague ("…in order to improve your browsing experience…") and does not follow the AEPD's recommendations. In addition, the second layer of the three websites provides generic information on the concept of cookies, but no specific information on which cookies will be installed on the user's device or for how long (one of them even specifies that the way to reject cookies "will change depending on your browser", but does not include any link or explanation of how), and they do not offer any way to reject all cookies. Consequently, after considering some aggravating circumstances [(i) negligence/intentionality on the part of the defendant, (ii) the period of time over which the breach had been occurring, and (iii) the defendant's acceptance of the AEPD's cookies guide], the AEPD considered that, if the sanction procedure resulted in a successful decision, this infringement would result in a fine of 10,000 € for the defendant.
Accordingly, the AEPD offered the defendant the possibility of settling the matter before a decision was issued by agreeing to a voluntary payment of part of the fine, with two possible discounts: (i) acknowledgment of its liability (8,000 €) and (ii) early voluntary payment (6,000 €). The defendant agreed to both, so it paid 6,000 € and the AEPD closed the sanction procedure.
In his/her complaint, the Spanish citizen also raised a second ground besides the one described above: he/she stated that, although the contact forms on the three websites named the defendant as data controller, he/she had checked the AEPD's DPO registry without finding any entry for it (this is logical, taking into account that he/she mistook the concept of "data controller" for the concept of "data protection officer"). Although the AEPD did not rule on this second ground of complaint, the defendant declared in its written answer that it was not obliged to appoint a DPO [neither under Art. 37(1) GDPR nor under Art. 34 of the Spanish Law on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD)], but that, as a result of the complaint and as evidence of its respect for the accountability principle, it had decided to appoint one.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.