AEPD - PS/00100/2020

From GDPRhub
AEPD - PS/00100/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Art 22.2 Spanish LSSI
Type: Complaint
Outcome: Partly Upheld
Decided: n/a
Published: n/a
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: PS/00100/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD.es (in ES)
Initial Contributor: Pablo Rossi

AEPD decided to fine the company ARANOW PACKAGING MACHINERY, S.L in the amount of EUR 3000 for violating the rights of recipients of services, in particular for "using data storage and retrieval devices (cookies) without providing the necessary information prohibited by article 22.2 of the LSSI" (Spanish Law on Information Society Services and Electronic Commerce, which transposes into Spanish law the Directive 2000/31/EC on electronic commerce). However, the company made use of two attenuating factors from the LPACAP (Spanish Law on Common Administrative Procedure of Public Administrations). This led to a reduction of up to EUR 1200 in the amount of the penalty, setting the total amount of the fine in EUR 1800.

English Summary[edit | edit source]

Facts[edit | edit source]

On 03/10/19 AEPD received a complaint stating, inter alia, the following:

"The web page ***URL.1 does not comply with the current legislation on Data Protection as it does not have a Privacy Policy, nor a contact page, nor, even less, a Cookie Policy that complies with the aforementioned current legislation".

In view of the facts set out in the complaint and the documents provided by the complainant, AEPD proceeded to carry out actions for its clarification, specifically, to examine both the Privacy policy and the Cookie policy of the aforementioned web page.

Regarding the privacy policy, AEPD confirmed that the information found there was in line with the provisions of Article 13 GDPR, which governs the information that must be provided when personal data is collected directly from the data subject. Regarding the Cookie Policy, AEPD firstly checked the information contained therein (What are cookies - What do they use cookies for? - What data is obtained?- What are the cookies that are used?). It was also checked if there was any mechanism to reject all cookies, but none was found.


Dispute[edit | edit source]

Were ARANOW PACKAGING MACHINERY's Privacy and Cookie policies aligned with European and national regulations ? (Art 13 GDPR and art 22.2 LSSI)


Holding[edit | edit source]

With respect to the Privacy policy, AEPD considered that the Privacy Policy of the challenged website was not in contradiction with what is stipulated in article 13 of the GDPR. With regards to the Cookie policy, AEPD considered differently. The fact that there was no link to the different browsers to deactivate or delete cookies and the fact that there was no mechanism to reject all cookies was considered to be contrary to the legal provisions established in article 22.2 LSSI.

This Infraction is classified as "minor" in Article 38.4 g) of the aforementioned Law, and may be sanctioned with a fine of up to EUR 30,000 , in accordance with Article 39 of the LSSI. Two criteria (established in Article 40 of the LSSI) were applied to graduate the sanction: the existence of intentionality and the period of time during which the infraction was committed. Taking these criteria into account, the amount of the fine was calculated at EUR 3,000. However, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) could be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge their responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed penalty.

On June 22, 2020, ARANOW PACKAGING MACHINERY, S.L proceeded to pay the sanction in the amount of EUR 1800, applying therefore the two previously mentioned reductions. This implied the recognition of their responsibility and the resignation to any action or appeal in administrative channels against the sanction. After these events, the AEPD decided to terminate the procedure.

Comment[edit | edit source]

Despite the fact that the Directive 2000/31/EC on electronic commerce has been introduced into the legal systems of the Member States in a harmonized manner, each Member State has its own administrative sanctioning procedures. This underlines the importance of knowing the administrative sanctioning procedures of each Member State, where small particularities can mean big differences from one State to another.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00100/2020
RESOLUTION R/00268/2020 ON THE TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT
In the sanctioning procedure PS/00100/2020, instructed by the Spanish Data Protection Agency to ARANOW PACKAGING MACHINERY, S.L., having regard to the complaint submitted by Mr. A.A.A., and on the basis of the following,
BACKGROUND
FIRST: On 9 June 2020, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against ARANOW PACKAGING MACHINERY, S.L. (hereinafter, the claimed), by means of the Agreement that is transcribed:
<<
Procedure No.: PS/00100/2020 935-240719 AGREEMENT TO START PENALTY PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency before the entity ARANOW PACKAGING MACHINERY, S.L. with CIF B63294359, owner of the website, ***URL.1 (hereinafter, "the claimed entity"), by virtue of the complaint presented by Mr. A.A.A., (hereinafter, "the claimant"), and based on the following:
FACTS
FIRST: On 03/10/19, a complaint was filed with this Agency by the claimant stating, among other things, the following: "The ***URL.1 website does not comply with current legislation on Data Protection as it does not have a Privacy Policy or a contact page, let alone a Cookie Policy that complies with the aforementioned legislation".
SECOND: In view of the facts set out in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the investigative powers granted to the control authorities in Article 57.1 of Regulation (EU) 2016/679 (RGPD). Thus, on 15/11/19, a request for information was addressed to the entity in question.
According to the certificate of the Electronic Notifications Service and Authorized Electronic Address, of the Ministry of Territorial Policy and Public Administration, the request sent to the claimed entity on 15/11/19, through the Notific@ service, was accepted by the entity on the same day 15/11/19. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
2/9
THIRD : On 19/04/20 the web page is consulted, checking the following aspects about the privacy policy and the cookies policy of the web page:
A) Regarding the Privacy Policy:
At the bottom of the home page of the website, through the link "Policy and Privacy", you can access the page ***URL.2, which provides, among others, information on:
- Information on the person responsible for processing, the collection, purpose, legitimacy and conservation time of personal data - Commercial information on customer service - On quality surveys - Information on the legal basis that applies. - Data conservation periods - Users' rights: of access; of rectification; of suppression/right to forget; of limitation; of portability; of opposition. - On automated individual decisions. - On the right to lodge a complaint with the AEPD. - Information on the data of minors - Information on the security applied to personal data. - On the changes in the privacy policy
A) About the Website's Cookie Policy: b.1.) When you access the ***URL.1 (first layer) website, there is a cookie information banner at the bottom of the page with the following legend:
"We use our own and third party cookies to provide our services, collect statistical information and include advertising. If you continue to browse you accept their use and usage. You can change the settings or obtain more information about our Privacy Policy".
b.2.) If you access the cookie policy (second layer), through the link "Privacy Policy", ***URL.3, you provide, among others, information about:
- What are cookies - What do they use cookies for? - What data is obtained - What are the cookies used, both their own and those of third parties, their purpose and time spent on the terminal equipment.
With regard to the management of the cookies, the page informs that: 
"if you want to deactivate (or reactivate) them, you have to do it yourself through your browser. Below, we provide information about how to activate and deactivate cookies in the main web browsers:

- If you are using Microsoft Internet Explorer, under the menu option Tools > Internet Options > Privacy > Settings. - If you use Firefox, under the menu option Tools > Options > Privacy > Cookies. - If you use Google Chrome, from the Settings > Privacy menu option - If you use Safari, from the Preferences > Security menu option
If your browser is not listed above, you will find instructions on how to change the settings in the "Help" section of your browser.
You should be aware that blocking cookies or limiting their installation may cause some of the website's features not to work or may make them more complicated or slow to access.
An alternative to blocking cookies would be to activate the private mode of your browser. This mode allows you to browse through the pages, but the pages will not be recorded in the browser history, in the cookie store or in the search history once the user has closed all the incognito tabs. Here are some links explaining how to activate incognito mode in the main browsers:
- Internet Explorer: InPrivate - FireFox: Private Browsing - Google Chrome: Incognito - Safari: Private Browsing - Opera: Private Browsing
For more information, ARANOW recommends reading the browser's help section.
FIFTH: In view of the facts reported, in accordance with the evidence available, the Data Inspectorate of this Spanish Data Protection Agency considers that the above-mentioned facts do not comply with the regulations in force, and therefore this sanctioning procedure should be opened.
LEGAL GROUNDS 
I Competition:
 
- On the Privacy Policy: By virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27/04/16, on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (RGPD) recognizes to each Control Authority and, as established in art. 47, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure.
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
4/9
Article 58(1) and (2) of the GPRS list respectively the investigative and remedial powers which the supervisory authority may have for this purpose, mentioning in point 1(d) 'to notify the controller or processor of the alleged infringements of this Regulation' and in point 2(i) 'to impose an administrative fine pursuant to Article 83 in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case'.
- On the Cookie Policy:
In accordance with the provisions of article 43.1, second paragraph, of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this Penalty Procedure.
II
A) - The following can be seen from the actions carried out in relation to the Privacy Policy of the website in question: In this case, it has been verified that the ***URL.1 website has a specific "privacy" section: ***URL.2 in which, mentioning compliance with current legislation on data protection, information is provided on: the person responsible for processing, the collection, purpose, legitimacy and conservation time of personal data; commercial information on customer service; on quality surveys; information on the legal basis applied; data conservation periods; user rights; on automated individual decisions; on the right to file a complaint with the AEPD; information on the data of minors; information on the security applied to personal data; on changes in the privacy policy
In this sense, article 13 of the RGPD, establishes the information that must be provided to the interested party at the time of collection of their personal data. In particular, it states that:
Where personal data are collected from a data subject, the data controller shall, at the time of collection, provide the data subject with all the following information: a) the identity and contact details of the data controller and, where appropriate, his representative; b) the contact details of the data protection officer, if any; c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; d) where the processing is based on in Article 6(1)(f), the legitimate interests of the controller or of a third party (f) where applicable, the controller's intention to transfer personal data to a third country or international organisation and the existence or absence of a decision on adequacy from the Commission or, in the case of transfers referred to in Articles 46 or 47 or in the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means to obtain a copy thereof or the fact that they have been provided. 
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
5/9
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data (b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them corrected, erased or restricted or to object to their processing and the right to the storage of data; (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent prior to withdrawal; (e) whether the communication of personal data is a legal or contractual requirement, or a requirement for entering into a contract, and whether the data subject is under an obligation to communicate personal data and is informed of the possible consequences of not communicating such data 
In the present case, according to the evidence available at this time of the agreement to initiate the sanctioning procedure, it is considered that the Privacy Policy of the website complained of does not contradict what is stipulated in Article 13 of the RGPD. III
B) The following anomalies have been observed in relation to the Cookie Policy of the website in question:
1.- When accessing the page where information is provided on the cookie policy (second layer), through the link: "Privacy Policy", ***URL.3, it is reported that: "the deactivation or elimination of cookies must be done through the browser that is installed on the terminal equipment", but it does not include any link that links to the different browsers. Neither does this page contain any mechanism that allows the rejection of all cookies, so that it is just as easy to give consent as to revoke it. 
The facts set out above could lead to the claimed entity committing an infringement of Article 22.2 of the LSSI, according to which 
"Service providers may use data storage and retrieval devices on the terminal equipment of the recipients, provided that the recipients have given their consent after being provided with clear and complete information on their use, in particular on the purposes of data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data.
Where technically possible and effective, the recipient's consent to accept the processing of the data may be provided through the use of appropriate browser or other application parameters.
This shall not prevent any storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service explicitly requested by the recipient".
This infringement is classified as "minor" in Article 38.4 g) of the aforementioned Law, which considers as such: "Using data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained under the terms required by Article 22.2.
Following the evidence obtained in the preliminary investigation phase, and without prejudice to the results of the investigation, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in Article 40 of the ISESA
- The existence of intentionality, an expression that must be interpreted as equivalent to the degree of culpability in accordance with the National Court's ruling of 12/11/07 in Appeal No. 351/2006, with the accused entity being responsible for determining a system for obtaining informed consent that complies with the mandate of the LSSI.
- The period of time during which the infraction has been committed, as the complaint was filed in October 2019, (section b).
In accordance with these criteria, it is considered appropriate to impose a penalty of 3,000 euros (three thousand five hundred euros) on the entity complained of, for the infringement of Article 22.2 of the ISESA. Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,
Therefore, in view of the above, by the Director of the Spanish Data Protection Agency, it is AGREED:
TO START: PENALTY PROCEDURE to the entity ARANOW PACKAGING MACHINERY, S.L., with CIF B63294359, owner of the web page, ***URL.1 for Violation of article 22.2) of the LSSI, punishable in accordance with the provisions of articles 39) and 40) of the aforementioned Law, regarding its Cookie Policy. APPOINTMENT: as Instructor, Mr. B.B.B., and Secretary, if applicable, Ms. C.C.C., indicating that any of them may be challenged, if applicable, pursuant to the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal System of the Public Sector (LRJSP).
INCORPORATE: to the sanctioning file, for evidential purposes, the interhe documents obtained and generated by the S.D.G. for Data Inspection during the investigation phase, all of which are part of this administrative file, are placed by the claimant and their documentation.
WHAT: for the purposes of article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the sanction that may correspond would be 3,000 Euros (three thousand Euros), for the infringement of article 22.2) of the LSSI, with respect to its Cookie Policy, without prejudice to what may result from the investigation of the present case.
REQUIRE: the entity ARANOW PACKAGING MACHINERY, S.L. to take the appropriate measures to include in its website (second layer) a mechanism to reject all cookies.
NOTIFY: the present agreement to start the sanctioning file to the entity ARANOW PACKAGING MACHINERY, S.L., giving it a period of hearing of ten working days to make the allegations and present the evidence it considers appropriate.
If within the stipulated period no allegations are made to this agreement to begin with, it may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of Article 85 of LPACAP, if the penalty to be imposed is a fine, it may acknowledge its liability within the time limit granted for the submission of arguments to this agreement to initiate proceedings; this will be accompanied by a 20% reduction of the penalty to be imposed in this procedure, equivalent in this case to 600 euros. 600. With the application of this reduction, the penalty would be set at
Similarly, at any time prior to the resolution of this procedure, the Commission may carry out the voluntary payment of the proposed penalty, which will entail a reduction of 20% of the amount of the penalty, equivalent in this case to 600. With the application of this reduction, the sanction would be set at
The reduction for the voluntary payment of the penalty can be cumulated with that for the recognition of liability, provided that this recognition of liability is shown within the time allowed for making representations at the opening of the proceedings. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the decision. In this case, if both reductions were to be applied, the amount of the penalty would be set at 1,800 euros (one thousand eight hundred euros).
In any case, the effectiveness of any of the two above-mentioned reductions shall be conditioned on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
8/9
If you choose to proceed with the voluntary payment of any of the amounts indicated above, you must make it effective by paying it into account No. ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount. 
Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.
The procedure shall have a maximum duration of nine months as of the date of the starting agreement or, where appropriate, of the draft starting agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act.
Mar España Martí Director of the Spanish Data Protection Agency.
SECOND : On June 22, 2020, the claimant has proceeded to pay the penalty in the amount of 1800 euros by making use of the two reductions provided for in the Agreement transcribed above, which implies the recognition of liability. THIRD: The payment made, within the period granted for making allegations on the opening of the proceedings, entails the waiver of any action or appeal in administrative proceedings against the penalty and the acknowledgement of liability in relation to the facts referred to in the Agreement of Initiation.  
LEGAL GROUNDS
I
By virtue of the powers that Article 58.2 of the RGPD grants to each control authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against those Regulations; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84. 3 of the GLT, and the infringements defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on information society services and electronic commerce (hereinafter LSSI), in accordance with the provisions of article 43.1 of said Law.
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
9/9
II
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading 'Termination in penalty proceedings' provides that: '1. 2. Where the penalty is only pecuniary in nature or where it is possible to impose a pecuniary penalty and a non-pecuniary penalty but the latter is justified, voluntary payment by the alleged offender, at any time prior to the decision, shall entail the termination of the proceedings, except as regards the reinstatement of the altered situation or the determination of compensation for the damage caused by the commission of the offence. 3. In both cases, where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20 % to the amount of the penalty proposed, which may be cumulative. Such reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or renunciation of any administrative action or appeal against the penalty. The percentage of reduction provided for in this paragraph may be increased by regulation.
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES FIRST: TO DECLARE the termination of procedure PS/00100/2020, in accordance with the provisions of Article 85 of the LPACAP. SECOND: TO NOTIFY this resolution to ARANOW PACKAGING MACHINERY, S.L..
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as provided for in article 114.1. c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46. 1 of the aforementioned Act.
Mar España Martí Director of the Spanish Data Protection Agency