AEPD - PS/00185/2020

From GDPRhub
AEPD - PS/00185/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 10.11.2020
Fine: 3000 EUR
Parties: Miguel Ibáñez Bezanilla, S.L.
National Case Number/Name: PS/00185/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) fined Miguel Ibáñez Bezanilla, S.L. € 3000 for infringing, in its website, the duty of security of processing (Article 32 GDPR), the transparency principle (Article 13 GDPR) and its information duties related to cookies (Article 22(2) of the Spanish Law on Information Society Services; LSSI).

English Summary[edit | edit source]

Facts[edit | edit source]

The company Miguel Ibáñez Bezanilla is a car number plate online seller.

The decision is the consequence of a complaint submitted by a Spanish citizen (the claimant) stating that (i) the defendant has not adopted any safety measures for its website, that (ii) such website did not offer any kind of data protection information on purpose, nor period of storage, and that (iii) the claimant has contacted the defendant in order to request him to adopt such measures, but he has received no answer.

Dispute[edit | edit source]

During the first research procedures, the AEPD proved that (i) in order to make an order, the website requires personal data such as name, surname, scanned copy of the Spanish national ID, driving licence, chassis number, car number plate and proof of payment, (ii) the website does not offer a safe "https" encryption protocol, making possible for other user to intercept any communications between the user and the server, (iii) the privacy policy is not updated and refers to the former Spanish data protection law LOPD 15/1999, (iv) there is no banner on cookies usage when accessing the website, and the detailed part of the website referring to cookies does not offer information on identity, features or length, nor possibility to refuse them. The defendant did not answer any requirements of the AEPD, so the AEPD started the corresponding sanction procedure.

Holding[edit | edit source]

Thus, the AEPD understood that the defendant has infringed Article 32 GDPR, Article 13 GDPR and Article 22 LSSI, as the website is not technically safe, the privacy policy is not updated, and the cookies information is not sufficient. Consequently, the AEPD decided to impose a fine of € 3000 to the defendant; additionally, it required the defendant to solve all the infractions of the website within a period of one (1) month since the decision.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/6









     Procedure No.: PS / 00185/2020
938-0419
                RESOLUTION OF SANCTIONING PROCEDURE


In the sanctioning procedure PS / 00185/2020, instructed by the Spanish Agency for
Data Protection, to the entity MIGUEL IBÁÑEZ BEZANILLA S.L., with CIF .:
B39730973 owner of the website *** URL.1, (hereinafter, "the claimed entity"), at
by virtue of the complaint filed by D. A.A.A. (hereinafter, "the person claimed"), and
based on the following:


                                   BACKGROUND

FIRST: On 05/01/19, you entered this Agency, complaint filed
by the claimant in which it indicated, among others, the following:


“On April 20, I detected that the web lacked security measures to
protect personal data such as (HTTPS). In addition, the web lacks information
regarding the processing of personal data and its purpose, as well as the period in which
which are stored. I have contacted the seller urging him to improve and adapt
the security of its website to current legislation and it has not responded to any email ”.


SECOND: In view of the facts set forth in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of the Regulation

(EU) 2016/679 (RGPD). Thus, dated 06/26/19, 12/18/19 and 02/19/20, it is addressed
informative request to the claimed entity, resulting in:

According to the certificate of the Electronic Notifications Service Support and Address
Enabled Electronic, the request made to the claimed entity, dated

06/26/19, through the electronic notification service, it was rejected on
07/07/19.

According to the certificate of the Postal Service, the request made to the entity
claimed, dated 12/18/19, through the certified mail service (SICER), gave
as a result: 1st Delivery attempt on 02/06/20, Absent. 2nd Delivery attempt on

02/11/20, result Absent.

According to the certificate of the Postal Service, the request made to the entity
claimed, dated 02/19/20, through the certified mail service (SICER), gave
as a result: delivery on 02/24/20, the recipient being: Ms. B.B.B. - *** NIF.1


THIRD: On 06/15/20, when the website *** URL.1 was consulted, it was found
have the following characteristics regarding their security protocols, their "policy
of privacy ”and its“ policy of cookies ”:


“The denounced website sells vehicle registration plates, for sale online.
line. To purchase a set of license plates, users must enter their
personal data on the order form: name and surname; DNI; vehicle registration
lo and even VIN. In addition, they must scan and send in attached files
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6








cough, the vehicle's registration certificate; the DNI on both sides and the proof of
payment".


Regarding the security protocols used:

When accessing the reported website, it is verified that the address is accessed:
*** ADDRESS.1, with "http" security protocol, thus making it possible for other users to
may intercept the information that is transferred from the customer's terminal to the
web server, since the information provided by users is not transferred from

secure (encrypted) way.

    - Regarding the "Privacy Policy":

At the bottom of the home page of the website, through the link "Legal Notice", you can access

yields to the page: *** PAGE 1, in which, among others, information about
bre: the person responsible for the treatment, collection, purpose, legitimation of the data
of a personal nature; general conditions and requirements for the use of the website and
on the intellectual property rights of the web.

    - On the protection of personal data, the page informs:


"In compliance with Law 15/1999 on the Protection of personal data, Miguel
Ibáñez Bezanilla S.L., informs you that the data that has been collected through
this website will be entered into an automated file, in order to manage
online consultations and requests for information related to one or more of the

services offered by Miguel Ibáñez Bezanilla S.L. through its website, manage your request
process, process your request for information for the course, as well as for sending information
business training.

You have the possibility to exercise your rights of access, rectification, cancellation and

opposition to the person responsible for the file, by letter or e-mail, together with the photo-
copy of your ID to the following address: *** HOME. 1

Miguel Ibáñez Bezanilla S.L. guarantees the custody of the data contained in this document
file, for which it will adopt the measures aimed at avoiding its alteration, loss and
unauthorized access, always in accordance with the state of technology in each

moment.

If you do not want to receive commercial communications, please send us a message.
Email to the address *** EMAIL. 1 or if you prefer, by post to Miguel
Ibáñez Bezanilla S.L. C / *** DOMICILE. 2. "


    - Regarding the "Cookies Policy":

When accessing the web page (first layer), there is NO type of banner that informs
me about the use of cookies on the reported website.


However, if you access the "Legal Notice" page, there is a section where you can
informs about cookies, indicating that:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6








"Miguel Ibáñez Bezanilla S.L. can use cookies when a user browses the
Web sites and pages. Cookies are files sent to a browser by me-
gave of a web server to record user activities on the web.


The cookies used by Miguel Ibáñez Bezanilla S.L. are only associated with a
anonymous user and their computer, and do not provide the name and surname of the
user. Thanks to cookies, it is possible that Miguel Ibáñez Bezanilla S.L. reco-
Know registered users after they have registered for the first time.
seldom, without having to register for each visit to access the areas, services

services, promotions or contests reserved exclusively for them. They are also used
to measure audience and traffic parameters, monitor progress.

The user has the possibility to configure their browser to be notified on the screen
of the reception of cookies and to prevent their installation on your hard drive. Please,

consult the instructions and manuals of your browser for further information.
To use the Web it is not necessary for the user to allow the installation of the
cookies sent by Miguel Ibáñez Bezanilla S.L., or the third party acting on his behalf
bre, without prejudice to the need for the user to start a session as such in
each of the services whose provision requires prior registration or login.


The Web servers of Miguel Ibáñez Bezanilla S.L. automatically detect the
IP address and domain name used by the user. All this information is
recorded in a server activity file that allows subsequent processing
data in order to obtain statistical measurements that allow us to know
close the number of page impressions, the number of visits made to the services

cios Web.

FOURTH: On 06/24/20, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against the claimed entity, by virtue of
the powers established, for failing to comply with the provisions of current regulations and

nding the following sanctions: 1,000 euros (one thousand euros), for the violation of article
32 of the RGPD, due to the security policy carried out on the website of its ownership.
1,000 euros (one thousand euros), for the violation of article 13 of the RGPD, for the policy of
privacy made on the website of its ownership. 1,000 euros (thousand euros), for the
infringement of article 22.2 of the LSSI, due to the cookie policy installed on the page
Web.


FIFTH: Notified the initiation of the file on 07/05/20, to date, no
It is clear that any response has been given to the initiation of the file within the
period granted for this, for the appropriate legal purposes by the claimed entity.


Of the actions carried out in this procedure, of the information and documents
documentation presented by the parties, the following have been accredited:

                                 PROVEN FACTS


1º.- The website denounced sells vehicle registration plates, for
online sale. To purchase a set of plates, users must enter their data
personal in the order form: name and surname; DNI; vehicle registration and


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








including chassis number. In addition, they must scan and send in attached files, the
Vehicle registration certificate; the DNI on both sides and the proof of payment.


2º.- Regarding the security protocols used:

When accessing the reported website, it is verified that the address is accessed:
*** ADDRESS.1, with "http" security protocol, thus making it possible for other users to
may intercept the information that is transferred from the customer's terminal to the
web server, since the information provided by users is not transferred from

secure (encrypted) way.

3º.- Regarding the “Privacy Policy”:

At the bottom of the home page of the website, through the link "Legal Notice", you can access

yields to the page: *** PAGE 1, in which, among others, information about
bre: the person responsible for the treatment, collection, purpose, legitimation of the data
of a personal nature; general conditions and requirements for the use of the web;
on the intellectual property rights of the web.

4º.- On the protection of personal data, the page informs referring to the

"Compliance with Law 15/1999 on Protection of personal data

5º.- Regarding the “Cookies Policy”:

When accessing the web page (first layer), there is NO type of banner that informs

me about the use of cookies on the reported website. However, if you access
the "Legal Notice" page, there is a section where information is provided on various aspects
of cookies.
                             FOUNDATIONS OF LAW
                                              I

                                       Competition:

About the Privacy Policy:

The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in

the art. 47 of LOPDGDD.

About the Cookies Policy:

The Director of the Spanish Agency is competent to resolve this procedure

of Data Protection, in accordance with the provisions of art. art. 43.1, paragraph
second, from the LSSI.
                                              II
The joint assessment of the documentary evidence in the procedure brings to the conclusion
knowledge of the AEPD a vision of the denounced action that has been reflected

It gives in the facts declared proven above related.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6








a) .- Of the actions carried out, in relation to the "Security Policy" of the
website reported, it is found that it collects personal data from users
using a "http //" security protocol, lacking a minimum level of security.


b) .- Of the actions carried out, in relation to the "Privacy Policy", of the
website reported, it has been found that it still refers to the
LOPD repealed, so it has not yet been adapted to the new regulations in force
on protection of personal data.


c) .- Of the actions carried out, in relation to the "Cookies Policy", in the
website complaint, it has been found that, in the first Layer, (initial page), NO
There is no type of banner about cookies that provides generic information
about the installation of cookies on the terminal equipment and on the second Layer, through
of the link: "legal notice", there is a section where certain information is provided

generic information about cookies, but no information about the identity and
characteristics of own cookies that are installed, nor the time they remain
active on the terminal equipment. Neither about third-party cookies. Also, in this
second layer there is NO possibility to reject all cookies.

Therefore, in accordance with the foregoing, by the Director of the Spanish Agency

Data Protection Policy,
                                       RESOLVES

FIRST: IMPOSE the entity MIGUEL IBÁÑEZ BEZANILLA S.L., with CIF .:
B39730973 owner of the website *** URL.1 for Infringement of articles 32 and 13

of the RGPD regarding the security policy and regarding the privacy policy
respectively and for the violation of article 22.2) of the LSSI, with respect to its Policy
ca de Cookies, a penalty of 3,000 euros (three thousand euros = 1,000 euros (art. 32
RGPD) + 1,000 euros (art. 13 RGPD) + 1,000 euros (art. 22.2 LSSI).


SECOND: REQUIRE the entity MIGUEL IBÁÑEZ BEZANILLA S.L., so that, in
within a month from this act of notification, take the appropriate measures to
modify on the website of its ownership in the following points:

    - Modify your security policy by installing security protocols.
        security that guarantee the transmission of personal data in a secure way between

        between the user's terminal and the web server.
    - Adapt the website to the current regulations on personal data protection.
        (RGPD), including in the same the information that article 13 of the ci-
        This Regulation stipulates.
    - Include the banner about cookies from the first layer and include a second layer

        the necessary information about cookies and a mechanism that allows rejection
        Set all cookies.

THIRD: NOTIFY this resolution to the entity, MIGUEL IBÁÑEZ BEZA-
NILLA S.L.


Warn the sanctioned person that the sanction imposed must be effective once
this resolution is enforceable, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6








Public Ministries (LPACAP), within the voluntary payment period indicated in article
68 of the General Collection Regulation, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-

when entering the restricted account number ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK,
S.A. or otherwise, it will be collected in the executive period.

Notification received and once executive, if the execution date is found
between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-

luntario will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of December 30-

of fiscal, administrative and social order measures, this Resolution is
will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection Agency on the publication of its Resolutions.

Against this resolution, which puts an end to administrative proceedings, and in accordance with

established in articles 112 and 123 of the LPACAP, the interested parties may interpose
ner, optionally, appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly administrative contentious appeal before the
Contentious-administrative chamber of the National Court, in accordance with the provisions

set out in article 25 and section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
two months from the day following notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to

through any of the other registers provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency had no knowledge of the filing of the contentious-administrative appeal
trative within a period of two months from the day following notification of this

resolution, would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection.







C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es