AEPD - PS/00116/2020

From GDPRhub
AEPD - PS/00116/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 22(2) of the Spanish Law on Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 03.11.2020
Fine: 3000 EUR
Parties: La Casa Comprometida, S. Coop.
National Case Number/Name: PS/00116/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) imposed a €3000 fine on La Casa Comprometida, S. Coop. for infringing its information duties related to cookies, as per Article 22(2) Spanish Law on Information Society Services (LSSI). This law regulates cookies, connected to Article 13 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The decision is the consequence of a complaint submitted by a Spanish citizen stating that the website by the defendant did not provide information on cookies, so it did not comply with the data protection.

Dispute[edit | edit source]

As the defendant refused to receive the notices by the AEPD, the AEPD carried out an investigation procedure, and it discovered that the website did not offer information enough on cookies (i.e. how to manage or disable them) nor any option to refuse all the cookies. The AEPD started the corresponding sanction procedure.

Holding[edit | edit source]

Thus, the AEPD understood that the defendant has infringed its information duties in relation to cookies as per Article 22(2) LSSI, according to which, digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws. Consequently, after considering some aggravating circumstances [(i) the existence of intentionality, and (ii) the period of time the defendant has been infringing its duties, taking into account that the claim is dated October 2019], the AEPD decided to impose a fine of 3,000 € to the defendant, and, additionally, required the defendant to its website as per indicated in the recent AEPD guide on the use of cookies, within the period of one (1) month since this resolution.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                   1/5










     Procedure Nº: PS / 00116/2020

938-0419

                RESOLUTION OF SANCTIONING PROCEDURE




In the sanctioning procedure PS / 00116/2020, instructed by the Spanish Agency for
Data Protection, to the entity, LA CASA COMPROMETIDA, S.Coop. with CIF .:
F95964086, owner of the website *** URL.1, (hereinafter, "the claimed entity"),
by virtue of a complaint filed by D.A.A.A., and based on the following:




                                    BACKGROUND

FIRST: On 10/03/19, you have an entry in this Agency, complaint filed
by the claimant in which it indicated, among others, the following:

“The web *** URL.1, dedicated to the online sale of various products, does not comply with the
tual regulations on Data Protection due to, among others, the following circumstances

cias: Lacks proper information about the cookies used ”.
SECOND: In view of the facts set forth in the claim and the documents

provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the protection of the powers of investigation
tion granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (RGPD). Thus, dated 12/19/19 and 01/07/20, both requests are addressed
informative coughs to the claimed entity.

According to the certificate of the Electronic Notifications and Electronic Address Service
Authorized, of the Ministry of Territorial Policy and Public Administration, the requirement

The sent to the claimed entity on 12/19/19, through the Notific @ service, was re-
Chazado by the entity on 12/30/19.

According to a certificate from the State Postal and Telegraph Society, the request to send
do to the claimed entity on 01/07/20, through the SICER service, it was collected in
destination 01/15/20, being the receiver: B.B.B. (*** NIF.1).

THIRD: On 04/19/20 the website is consulted, checking the following
Three aspects about the privacy policy and the cookie policy of the website:

    A) Regarding the Privacy Policy:

At the bottom of the home page of the web, through the link to "Politics and Privacy
dad ”, you access the page *** URL.2, which provides, among others, information
tion about: the person responsible for the treatment, the collection, purpose, legitimation; the
legal basis that applies; the rights of users and the revocability of consent.
I lie; the purpose of the processing of personal data; the right to present a

claim; the security applied to personal data and on the destinations
natarios.
    B) About the Cookies Policy of the website:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








b.1.) When accessing the web page *** URL.3 (first layer), there is an information banner
information on cookies at the bottom of the page, with the following legend:

  “This store uses cookies and other technologies so that we can improve your experience.
                                rience on our sites ”-

                                     <<ACCEPT>>
b.2.) If you access the cookie policy (second layer), through the link “Term-
us and conditions ”, *** URL.4 provides, among others, information on: what are
the cookies; what they use cookies for and what data is obtained.




Regarding the management of cookies, the page does not provide any type of
information on how to manage cookies. There is also no power option
reject all cookies.



FOURTH: On 06/17/20, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against the claimed entity, by virtue of

the powers established, for failing to comply with the provisions of article 22.2 of the LSSI, with
an initial penalty of 3,000 euros (three thousand euros).



FIFTH: Notified the initiation of the file on 06/29/20, to date, no
It is clear that any response has been given to the initiation of the file within the
period granted for this, for the appropriate legal purposes by the claimed entity.




Of the actions carried out in this procedure, of the information and documents
documentation presented by the parties, the following have been accredited:



                                 PROVEN FACTS


1º.- Regarding the Privacy Policy of the website denounced, it has been possible to
prove that it provides information about: the person responsible for the treatment, the
collection, purpose, legitimation; the legal basis that is applied; the rights of
users and the revocability of consent; the purpose of the data processing

personal, the right to file a claim; security applied to data
of a personal nature and the recipients of personal data.
2nd.- About the Cookies Policy of the website, it has been verified that, in the same-

ma, there is an information banner about cookies with the legend: “This store uses
cookies and other technologies so that we can improve your experience on our sites.
uncles"

If the cookie policy is accessed, through the corresponding link, the
provides information about: what cookies are or what they use cookies for, but, res-


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5








Regarding the management of cookies, the page does not provide any information.
There is also no option to reject all cookies.


                              FOUNDATIONS OF LAW
                                               I

                                        Competition:

    - About the Privacy Policy:

The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in
the art. 47 of LOPDGDD.

    - About the Cookies Policy:
The Director of the Spanish Agency is competent to resolve this procedure

of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph
second, from the LSSI.
                                               II

The joint assessment of the documentary evidence in the procedure brings to the conclusion
knowledge of the AEPD a vision of the denounced action that has been reflected
It gives in the facts declared proven above related.



A) .- Of the actions carried out, in relation to the Privacy Policy of the page
na website claimed, it is found that, in the present case, according to the evidence

that are available at this time of the agreement to initiate the sanctioning procedure,
It is considered that the Privacy Policy of the claimed website is not contradicted
ce with the provisions of article 13 of the RGPD.



                                              III

B) .- Of the actions carried out, in relation to the Cookies Policy, of the page

website reported, it has been possible to verify that:



In the first Layer, (initial page): The banner about cookies that is displayed when accessing
der to the page provides information that is not very concise or intelligible.



In the second Layer, "Terms and conditions", through the corresponding link,
It is found that there is no information on the management of cookies or

the possibility of its configuration in a granular way and / or the possibility of accepting / re
reject all cookies.





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5








The facts presented suppose, on the part of the claimed entity, the commission of the
infraction of article 22.2 of the LSSI, classified as "slight" in article 38.4 g), of
the aforementioned Law, which may be sanctioned with a fine of up to € 30,000, in accordance with

Article 39 of the aforementioned LSSI.



After the evidence obtained in the preliminary investigation phase, and without prejudice to
whatever results from the instruction, it is considered that the sanction should be
ner in accordance with the following criteria established in art. 40 of the LSSI:



    - The existence of intentionality, an expression that must be interpreted as equi-

        value to degree of guilt according to the Judgment of the Hearing
        National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to
        the entity denounced the determination of a system for obtaining consent
        informed service that conforms to the mandate of the LSSI.



    - Period of time during which the offense has been committed, since it is the

        claim for the month of October 2019, (section b).



Based on these criteria, it is deemed appropriate to impose on the claimed entity
a penalty of 3,000 euros (three thousand euros), for the violation of article 22.2 of the
LSSI.



Therefore, in accordance with the foregoing, by the Director of the Spanish Agency

Data Protection Policy,

                                       RESOLVES

FIRST: IMPOSE the entity LA CASA COMPROMETIDA, S.Coop. with CIF .:
F95964086, owner of the website *** URL.1 a penalty of 3,000 euros (three thousand euros)
ros), for the violation of article 22.2) of the LSSI, regarding its Cookies Policy.

SECOND: REQUIRE the entity LA CASA COMPROMETIDA, S.Coop. for what,
within a month from this act of notification, proceed to take the measures

adequate to adapt the website of their ownership, in accordance with the current legislation
people, for which, you can use the information in the "Guide on Cookies"
edited by the Spanish Agency for Data Protection in November 2019.

THIRD: NOTIFY this resolution to the entity, THE HOUSE COMMITTED
DA, S.Coop.

Warn the sanctioned person that the sanction imposed must be effective once
this resolution is enforceable, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad-
Public Ministries (LPACAP), within the voluntary payment period indicated in article

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5








68 of the General Collection Regulation, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-
when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened

on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK,
S.A. or otherwise, it will be collected in the executive period.
Notification received and once executive, if the execution date is found

between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-
luntario will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of December 30-
of fiscal, administrative and social order measures, this Resolution is
will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency

Spanish Data Protection Agency on the publication of its Resolutions.
Against this resolution, which puts an end to administrative proceedings, and in accordance with

established in articles 112 and 123 of the LPACAP, the interested parties may interpose
ner, optionally, appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly administrative contentious appeal before the
Contentious-administrative chamber of the National Court, in accordance with the provisions

set out in article 25 and section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
two months from the day following notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing

addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other registers provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the

Agency had no knowledge of the filing of the contentious-administrative appeal
trative within a period of two months from the day following notification of this
resolution, would terminate the precautionary suspension.


Mar España Martí

Director of the Spanish Agency for Data Protection.









C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es