AEPD (Spain) - PS/00234/2020

From GDPRhub
Revision as of 16:01, 3 December 2020 by SR (talk | contribs)
AEPD - PS/00234/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
22(2) of the Spanish Law on Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 24.09.2020
Fine: 7800 EUR
Parties: Iweb Internet Learning, S.L.
Neptunos Formación, S.L.
National Case Number/Name: PS/00234/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) decided to conclude the sanction procedure against Iweb Internet Learning, S.L. (the defendant) for the infringement of Article 7 and Article 13 of the GDPR and of Article 22(2) of the Spanish Law on Information Society Services (LSSI) — amongst others, the Spanish law regulating cookies. The defendant agreed to an early resolution of the matter.

English Summary

Facts

The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by the Spanish company Neptunos Formación, S.L. (the claimant). The main points of the complaint include the following: (i) the defendant had published copyrighted material in its website without the consent, (ii) the website did not include information on the identity of the defendant, (iii) the claimant requested the erasure of all the content through the contact form, (iv) all personal data obtained from such contact form were transferred to a third company (Formación Universitaria, S.L.) which directly contacted the claimant, (v) the claimant requested again all the erasure of the data during that phone call, without result, (vi) the comments provided in the contact form were published on the website without the user's consent.

Dispute

The AEPD assessed the controller's compliance with the applicable legislation. The Authority focused on whether or not: (i) the privacy policy included information on the data controller; (ii) the data subject was given an effective way to exercise his/her GDPR rights (as the email address provided refused each email received); (iii) the website offered an option to provide a specific and separate consent for the different purposes; (iv) the first layer of the website included any banner on cookies or information on their use.

Holding

The AEPD concluded that the defendant could have breached Article 13 GDPR, Article 7 GDPR and Article 22(2) LSSI: there was no identification of the data controller, no possibility to give a separate consent for each purpose, and there was not enough information on the use of cookies. Consequently, after considering some aggravating circumstances [(i) intentionality by the defendant, (ii) period of time in which the infringements had been happening], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 13,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision took place by agreeing to a voluntary payment of part of the fine and by acknowledging its liability. The defendant agreed and the sanction procedure was closed by the AEPD.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/23936-031219 Procedure Nº: PS / 00234/2020RESOLUTION R / 00431/2020 OF TERMINATION OF THE PROCEDURE BY PAYMENTVOLUNTARYIn the sanctioning procedure PS / 00234/2020, instructed by the AgencySpanish Data Protection to Iweb Internet Learning, SL , after the complaintpresented by NEPTUNOS FORMACION SL , and based on the following,BACKGROUNDFIRST: On September 1, 2020, the Director of the Spanish Agencyof Data Protection agreed to initiate a sanctioning procedure against Iweb InternetLearning, SL (hereinafter, the claimed), through the Agreement that is transcribed:<<Procedure Nº: PS / 00234/2020935-240719AGREEMENT TO INITIATE THE SANCTIONING PROCEDUREOf the actions carried out by the Spanish Data Protection Agency beforethe entity, IWEB INTERNET LEARNING SL with CIF: B64910011, owner of the pageweb *** URL.1 , (hereinafter, “the claimed entity”), by virtue of the complaint filedby Dª. AAA , on behalf of the entity NEPTUNOS FORMACIONSL, (hereinafter, "the claimant"), and based on the following:ACTSFIRST: On 02/13/20, you have an entry in this Agency, a complaint filedby the claimant in which it indicated, among others, the following:“The web *** URL.1 does not include information about who the data file is in standardsof use. That after seeing through google links that includes video materialhosted on the YouTube channel of the company Neptunos Formación SL., withoutauthorization of the brand, as legal representative of Neptunos I proceed to registerof the form to contact the company and request in good faith the elimination ofneptunos® contents (as it is not possible to locate the author of the web to report itI proceed to form registration. See: *** URL.2 and *** URL.3C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/23That after registering in the form "REQUEST MORE INFORMATION" they give the data to thecompany Formación Universitaria sl . who contacts users by phone.After requesting the immediate withdrawal of all Neptunos Training material and datapersonal, on 02/06/20 they tell me to send an email. I request through thePhone call removal and have ignored it.In turn, in the same contact form, "Request more information", I request the cancellationof everything related to the neptunos® company and I verify that the commentsof the form appear public in all city urls (Seville) and localities ofSeville.-See *** URL.4-See "Others interested in fp comment", without user consent.-See "Higher Grade Professional Training - Higher Grade FPHIGHER DEGREE TRAINING CYCLE Development and Manufacture ofCeramic Products Nocturnoana: I REQUEST THE LOWERING OF EVERYTHINGRELATED TO NEPTUNES FORMATION OF THIS PORTAL THATIT BREACHES THE RGPD REGULATIONS AND IT WILL PROCEED WITH THERELEVANT AGENCY *** URL . 2 .SECOND: In view of the facts set forth in the claim and the documentsprovided by the claimant, the Subdirectorate General for Data Inspection proceededto carry out actions for its clarification, under the powers ofinvestigation granted to the control authorities in article 57.1 of the Regulation(EU) 2016/679 (RGPD). Thus, dated 03/27/20, an informative request is addressed tothe entity, FORMACION UNIVERSITARIA SL.THIRD: On 06/15/20, this Agency receives a letter from the FOR-MACION UNIVERSITARIA SL, in which, among others, it indicates that:That the web page to which the complainant refers, *** URL.1 is not ownedof FORMACIÓN UNIVERSITARIA, SL, nor has it ever been, so it does not knowC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/23We show the aforementioned incidents, since not being a UNIVER TRAINING website-SITARIA, SL, you cannot access its content, in the sense of modifying it,compose it in one way or another, upload or delete texts or content of anyclass, nor has it ever been able to upload the videos that are the subject of the claim. It should be added that,None of the links that appear on the page that is the subject of the complaint have beenresponsibility of our training entity, since as indicated, it is not a pa-gina owned by this company.FORMACIÓN UNIVERSITARIA, SL, cannot inform about the ownership of the datathat appear on the website that is the object of the complaint, nor can it deliver therequested, nor can he give any explanation of the facts related toted by the claimant, since University Training, turns out to be a third partyfallen and is not a party to the legal relationship between the claimant, Neptuno, SL and whoeverbe the owner of the web *** URL.1 ”.FOURTH: On 07/09/20, an informative request is addressed to the entity,CLOUD BUILDERS SA, in order to inform this Agency about the identityof the website owner, *** URL.1 ( *** IP.1 ), hosted on their systems.FIFTH: On 07/20/20, the entity CLOUD BUILDERS SA., Refers to this Agencywritten company, in which, it is indicated that the owner of the website *** URL.1 , corresponds to theentity, IWEB INTERNET LEARNING, SL. with CIF: B64910011; and address on the streetLlacuna 136, 4º — 2º, 08018 Barcelona.SIXTH: On 07/28/20, this Agency accesses the denounced website.checked by checking that, at the bottom of the home page, through the link, “Nor-More Usage ”, a window is displayed where information on the con-Terms of use of the page, its privacy policy and data protection:A) .- Regarding the "Conditions of Use", it is reported, among others, of:- The purpose of the website:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/23“The purpose of the website is to spread the services of Training Courses throughthrough the Website, the Internet and any other means of dissemination or communication that exist-te: the Website provides access to information related to Courses, Training Centers,and in general to content and services related to the training sector.tion. The User in the browsing process or using the tools and servicesoffered by the Website, as well as sending your data to Request More Informationis accepting compliance with the Conditions of Service and the Privacy Policycity ​​and Data Protection of the same.The use of this Website implies full acceptance of the provisions includedgiven in these General Conditions of Use in the version published by the Companyat the time the User accesses the Website.The data of registered users through the forms enabled for this purposeon the website are collected by the Website in order to facilitate the provisionof the services that the Company provides through said Website, which is notother than to facilitate communication between training centers and users, and informationmar on training courses, publications or other services that could beof the user's interest (…).- It is also informed of: - The conditions of access and use of the Website;Exclusion of guarantees and responsibility and of Intellectual and Industrial Propertysite trial.B) .- Regarding the "Privacy Policy", the following information is provided, among others.training:- Regarding the data of the person responsible for data processing, the following stands outinformation:cyclosformativosfp.com (the Company), puts at your disposal the additional informationconcerning the processing of your personal data, as established by the regulationson the matter: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT ANDOF THE COUNCIL of April 27, 2016 (RGPD). In this sense and aligned with theprivacy policy of MR Advertising LTD based on the information model by categorycountry or levels, then we collect additional information (second level) where-C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/23of the basic information related to the treatment of data thatmust know. Data Protection Officer : *** URL.5- Regarding the purpose of processing personal data, the following highlightsinformation:At cyclosformativosfp.com we treat the information provided by internal peopleresadas in accordance with the following purposes:a) Sending the request to the advertiser client (Training Center). We will put incontact user and center regarding the training offer published.b) Advertising and commercial prospecting activities for own products and services.We can also offer you opinion polls, promotions and free samples.tas of our services and / or products.c) Advertising activities (including opinion or satisfaction surveys) by mediaelectronic products and services of third parties related to the sectorof training and employment. For this purpose, the data may be transferred to those third partiesentities.d) Segmentation tasks. Segmentation or elaboration of per-files in order to direct the editorial content and advertising to be sent. In nin-In any case, the segmentation or profiling that the Company will carry out will havelegal or significant effects on the interested party.e) Respond to your requests and queries related to the Portal. Recommend to eachUser the most appropriate training for your needs.f) Facilitate the opinion of Users on training content, through any-any electronic opinion medium.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/23g) Study and analysis of the information provided by the Users to assess ouryou go trends and services.- Regarding the legitimacy for the processing of personal data, highlights the si-following information:The legal basis for the processing of your data is based on the consent grantedby completing any of the forms available to the Company. In the case ofClient (Center) legitimation is the contractual relationship between both.The prospective offer of own or third-party products and services is based on theconsent, although it is legitimized by the special regulations on societyof the information whenever it is related to services and products of the Companysa, without in any case the withdrawal of consent to send communicationPromotional promotions condition, where appropriate, your status as a registered user.- About the recipients to whom the personal data collected will be communicatedtwo, the following information highlights:If you are a user interested in the training offer published, the recipient will be theadvertising center. The purpose of the communication is that you can get in touchwith you to find out in more detail about the training (course) published.Certain service providers will also have access, in thiscase already as in charge of the treatment. These providers will only be able to accessthe data for the sole purpose of providing the contracted service, following the instructionspurposes of the Company and without being able to use them for any other purpose. All thesuppliers subscribe confidentiality commitments in the use of information towhich they access for their service in accordance with current regulations.- On the rights of users in relation to their personal data, it is indicatedAC:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/23Anyone has the right to request access to their personal data, theirrectification or deletion, or the limitation of its treatment, or to oppose the treatment,as well as the right to data portability. As well as the right to withdraw theconsent for any of its purposes.To do this you can:-send a letter to cyclosformativosfp.com or-by forwarding an email to *** URL.5indicating the right you wish to exercise. The identity of the applicant must be proven.tea,for example, accompanying a photocopy of the DNI.Likewise, we inform you that you have the right to file a claim with thecompetent control authority, if it considers that there has been some kind ofNeration in relation to the processing of your personal data.In the event that the limitation of the processing of your data is requested, only thewe will keep for the exercise or defense of claims and in cases of oppositionsition will stop processing the data, except for compelling legitimate reasons, or the exercisecio or the defense of possible claims.- Information is also provided on: how to obtain personal data;the time that the personal data or the rights of the users are keptrios about the processing of your personal data.The website reported collects personal data information: name; surnametwo, ID, nationality, date of birth, sex; address, telephone and email, throughfrom the link, "MORE INFORMATION" accessible from the training cycles tabslocated at the top, for example: *** URL.6 -> More-information.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/23C) .- About the "Cookies Policy" of the website:Indicate that on the website denounced, there is NO banner on the "policyof cookies ”. Nor is there any link or link that redirects to a page that caninform about the cookie policy implemented on the web.SEVENTH: In view of the facts denounced, in accordance with the evidenceavailable, the Data Inspection of this Spanish Agency for the Protection ofData considers the above, does not comply with current regulations, thereforethat the opening of this sanctioning procedure proceeds.FOUNDATIONS OF LAWICompetition:- About the Privacy Policy:By virtue of the powers that article 58.2 of Regulation (EU) 2016/679, of the ParliamentCouncil and European Council, of 04/27/16, regarding the Protection of Natural PersonsRegarding the Processing of Personal Data and the Free Circulation of es-The Data (RGPD) recognizes each Control Authority and, as established in thearts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection ofPersonal Data and Guarantee of Digital Rights (LOPDGDD), the Director of theSpanish Data Protection Agency is competent to initiate this procedureI lie.Sections 1) and 2) of article 58 of the RGPD, list, respectively, theinvestigative and corrective powers that the supervisory authority may have at the disposal of theeffect, mentioning in point 1.d), that of: “ notify the person in charge or commission of thetreatment of alleged infringements of this Regulation ” and in 2.i), that of:“ Impose an administrative fine in accordance with article 83, in addition to or instead of themeasures mentioned in this section, according to the circumstances of eachcase.".C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/23- About the Cookies Policy:In accordance with the provisions of art. 43.1, second paragraph, of the Law34/2002, of July 11, on Services of the Information Society and CommerceElectronic (LSSI), is competent to initiate and resolve this ProcedureSanctioner, the Director of the Spanish Agency for Data Protection.IIThe purpose of the website, *** URL.1 is to collect personal data frominterested in training courses and transfer them to training centers or academieswho impart them. Once the data is obtained, the training center gets in touchwith the interested person to offer their services. This practice of transferringData, from the entity that manages the website to the training center, is collected in theprivacy policy, which the interested party must accept before submitting the form. NotHowever, several anomalies have been found in the management of personal datamade by the web.IIIA) .- About the Privacy Policy.When the user wishes to receive extra information about the course in which he is interested,You must click on the link, << more information >>, displaying a form thatyou must fill in your personal data. In this form there is a box that theUser must obligatorily click to << accept the privacy policy andthe conditions of use >>.Apart from this, there is a link that redirects to the "privacy policy", through whicha page is displayed that provides information on aspects such as,purpose of data processing; the legitimacy for the treatment; therecipients to whom the data will be sent; the rights of users, etc.However, said page, the data controller is NOT identifiedpersonal data collected, nor the contact details thereof, which makes it impossible for theuser can contact him if he wishes to exercise his rights. In addition, the direction ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/23Email provided to contact the protection delegatedata ( *** URL.5 ), rejects the emails it receives, reporting an error message:“Your message was not delivered to *** URL.5 because the address was not found orit cannot receive e-mails ” , which means that the user is in a totaldefenseless against the treatment that may be carried out on your personal data.In this sense, article 13 of the RGPD establishes the information that must beprovide the interested party at the time of collection of their personal data. Inparticular it is indicated that:1.When personal data relating to him are obtained from an interested party, theresponsible for the treatment, at the time these are obtained, will provideall the information indicated below:a) the identity and contact details of the person in charge and, where appropriate, theirrepresentative; b) the contact details of the data protection officer,in your case; c) the purposes of the treatment to which the personal data are destinedand the legal basis of the treatment; d) when the treatment is based on theArticle 6, paragraph 1, letter f), the legitimate interests of the controller or athird; e) the recipients or categories of recipients of the datapersonal, if applicable; f) where appropriate, the intention of the person responsible to transferpersonal data to a third country or international organization and the existence orabsence of an adequacy decision by the Commission, or, in the case oftransfers indicated in articles 46 or 47 or article 49, paragraph 1,second paragraph, reference to adequate or appropriate guarantees and tomeans to obtain a copy of these or to the fact that they have been loaned.2.In addition to the information mentioned in section 1, the person responsible for thetreatment will facilitate the interested party, at the time the data is obtainedpersonal information, the following information necessary to guarantee data processingloyal and transparent:a) the period during which the personal data will be kept or, when notwhere possible, the criteria used to determine this deadline; b) existenceof the right to request access to the data from the data controllerpersonal data relating to the interested party, and their rectification or deletion, or the limitationof their treatment, or to oppose the treatment, as well as the right toC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/23data portability; c) when the treatment is based on article 6,paragraph 1, letter a), or Article 9, paragraph 2, letter a), the existence of theright to withdraw consent at any time, without affectingthe legality of the treatment based on the consent prior to its withdrawal; of theright to file a claim with a supervisory authority; e) if thecommunication of personal data is a legal or contractual requirement, or anecessary requirement to sign a contract, and if the interested party is obliged toprovide personal data and are informed of the possible consequencesnot to provide such data; f) the existence of automated decisions,including profiling, referred to in article 22, paragraphs 1 and4, and, at least in such cases, significant information on the applied logic,as well as the importance and expected consequences of such treatmentfor the interested party.Thus, the known facts could constitute an infraction,attributable to the respondent, for violation of article 13 of the RGPD, by the NOidentification of the person responsible for data processing, which makes it impossible to exerciseof the rights recognized in the RGPD.For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes ofprescription, “ the omission of the duty to inform the affected party about the treatment ofyour personal data in accordance with the provisions of articles 13 and 14 of the RGPD "This offense can be sanctioned with a fine of € 20,000,000 maximum or,in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting for theof greater amount, in accordance with article 83.5.b) of the RGPD.In accordance with the indicated precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the sanction to be imposed inIn the present case, it is considered that the sanction to be imposed should be adjusted according towith the following criteria established in article 83.2 of the RGPD:- The intentionality or negligence in the infraction. In the present case we arein the event of unintentional negligent action, (section b).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 12
12/23- The categories of personal data affected by the infringementThe data processed in this case are of a marked personal nature, (sectiong).- The way in which the supervisory authority learned of the infringement. TheThe way in which this AEPD has learned has been by filingthe complaint by the claimant, (section h).In accordance with the indicated precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the sanction to be imposed inIn the present case, it is considered that the sanction to be imposed should be adjusted according towith the following criteria established in article 76.2 of the LOPDGDD:- The linking of the offender's activity with the performance of treatment ofpersonal data, (section b).The balance of the circumstances contemplated in article 83.2 of the RGPD, withRegarding the offense committed by violating the provisions of Article 13, it allowsset a penalty of 3,000 euros, (three thousand euros).IIIB) .- On the consent given by the interested parties and the exercise of theirrights:b.1.) As indicated above, the purpose of the website is to"Disseminate the services of Training Courses through the Website, Internet andany other existing means of dissemination or communication: the Website provides theaccess to information related to Courses, Training Centers and in general tocontent and services related to the training sector ” .However, when the user clicks on the acceptance box of the privacy policyprivacy, prior to being able to send the questionnaire, it is also implicitlyconsenting to the processing of your personal data for purposes other than thepurpose of the web, and this is indicated on the page itself:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 13
13/23"In cyclosformativosfp.com we treat the information that people provide usinterested parties in accordance with the following purposes: a) Sending the request to theCustomer (Training Center) advertiser. We will put the user and the center in contactregarding the training offer published. b) Advertising and prospecting activitiescommercial of own products and services. We can also offer you surveysopinion, promotions and free samples of our services and / or products. c)Advertising activities (including opinion or satisfaction surveys) by the mediaelectronic products and services of third parties related to the sectorof training and employment. For this purpose, the data may be transferred to those third partiesentities. d) Segmentation tasks. Segmentation orprofiling in order to direct the editorial content and theadvertising to send. In no case will the segmentation or profiling thatcarried out by the Company will have legal or significant effects on the interested party. and)Respond to your requests and queries related to the Portal. Recommend to eachUser the most appropriate training for your needs. f) Facilitate the opinion ofUsers on training content, through any means of opinionelectronic. g) Study and analysis of the information provided by Users toassess new trends and services (…) ”.b.2.) On the other hand, if the user wishes to exercise their rights, such as access,rectification, limitation or opposition to the processing of your data, the web indicates thatyou can: "send a letter to cyclosformativesfp.com" or "send an email todata@ciclosformativosfp.com ” .Well, about sending the letter, as there is NO information about the owner of thewebsite, such as your identification or your postal address, it is not possibleaddress him, and regarding the sending of an email to *** URL.5 , this addressIt is NOT valid, as it rejects the emails received, returning the notificationnext: “Your message was not delivered to *** URL.6 because theaddress or it cannot receive mail ” .b.3.) It has also been detected that, to request information about a certain coursedata such as sex, date of birth,DNI or nationality, if you want the form to be sent, in breach of it, thePrinciple of minimization of the data contained in article 5.1.c) of the RGPD: “the datacollected will be adequate, relevant and limited to what is necessary in relation to thepurposes for which they are treated ”.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 14
14/23Thus, article 6.1 of the RGPD indicates that the treatment will only be lawful if theinterested party gave their consent , “for the processing of their personal data forone or more specific purposes ”,For its part, article 7 of the RGPD indicates, regarding consent, that:"one. When the treatment is based on the consent of the interested party, the person in chargemust be able to demonstrate that he consented to the processing of his datapersonal.2. If the consent of the interested party is given in the context of a written statementthat also refers to other matters, the request for consent will be submittedsuch that it is clearly distinguished from other subjects, intelligibly and clearlyeasy access and using clear and simple language. No part will be bindingof the declaration that constitutes an infringement of these Regulations.3. The interested party will have the right to withdraw their consent at any time. TheWithdrawal of consent will not affect the legality of the treatment based on theconsent prior to its withdrawal. Before giving consent, the interested partywill be informed of it. It will be as easy to withdraw consent as it is to give it.4. When evaluating whether consent has been freely given, it will be taken into account in theas much as possible the fact whether, among other things, the performance of a contract,including the provision of a service, is subject to consent to the treatment ofpersonal data that are not necessary for the execution of said contract ”.In relation to these two cited articles, the recital should be taken into account(32) of the RGPD, as it indicates that:“Consent must be given through a clear affirmative act that reflects afree, specific, informed, and unequivocal manifestation of the interested partyaccept the processing of personal data that concerns him ... Therefore, thesilence, checked boxes, or inaction should not constitute consent. HeC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 15
15/23Consent must be given for all processing activities carried out with thesame or the same ends. When the treatment has several purposes, theconsent for all of them ... "Likewise, article 6.2 of the LOPDGDD indicates, on the treatment based on theconsent of the affected party, that: “2. When it is intended to establish the treatment ofdata in the consent of the affected person for a plurality of purposes will beIt must be specifically and unequivocally stated that said consent isgrants for all of them.Well, in accordance with everything previously expressed, the data processingrequires the existence of a legal basis that legitimizes it, as in this case, theconsent of the interested party validly given. But this consent mustbe given for each and every one of the purposes. It is NOT valid, therefore, mark theacceptance box of the privacy policy thereby accepting, in ageneric, all the purposes of data processing, without giving the option to give aindividualized consent for each of them.In addition, as has been verified in the privacy policy of the web, theThe interested party does NOT have the possibility to withdraw their consent whenever they wish, sincethere is identification of the person responsible for the treatment, nor is there the possibility of sendingan email to the indicated address.Thus, the known facts could constitute an infraction,attributable to the defendant, for violation of article 7 of the aforementioned RGPD, tocarry out the collection of consent through a generic action for allpurposes of data processing and the impossibility of revoking the consent given.For its part, article 72.1.c) of the LOPDGDD, considers very serious, for the purposes ofprescription, "Failure to comply with the requirements of article 7 of the RGPD".This offense can be sanctioned with a fine of € 20,000,000 maximum or,in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting for theof greater amount, in accordance with article 83.5.b) of the RGPD.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 16
16/23In accordance with the indicated precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the sanction to be imposed inIn the present case, it is considered that the sanction to be imposed should be adjusted according towith the following aggravating criteria established in article 83.2 of the RGPD:- The intentionality or negligence in the infraction. In the present case we arein the event of unintentional negligent action, (section b).- The categories of personal data affected by the infringementThe data processed in this case are of a marked personal nature, (sectiong).- The way in which the supervisory authority learned of the infringement. TheThe way in which this AEPD has learned has been by filingthe complaint by the claimant, (section h).- Any other aggravating factor applicable to the circumstances of the case, such asexcess personal data collected based on the ultimate purpose to which it iswill use the data and the use of said data for other purposesThird parties to whom the interested party has given their consent, (section k).In accordance with the indicated precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the sanction to be imposed inIn the present case, it is considered that the sanction to be imposed should be adjusted according towith the following criteria established in article 76.2 of the LOPDGDD:- The linking of the offender's activity with the performance of treatment ofpersonal data, (section b).The balance of the circumstances contemplated in article 83.2 of the RGPD, withRegarding the offense committed by violating the provisions of Article 13, it allowsset a penalty of 5,000 euros, (five thousand euros).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 17
17/23IVC) .- Of the actions carried out, in relation to the "Cookies Policy", of theclaimed website, it is found that:- In the first Layer, (initial page), there is NO banner about cookies, norinformation about it.- There is NO link or link that redirects to the cookie policy.The exposed facts could suppose on the part of the claimed entity the commissionof the violation of article 22.2 of the LSSI, according to which:“Service providers may use storage devices anddata recovery on recipient terminal equipment, provided thatthey have given their consent after they have been providedclear and complete information on its use, in particular, on the purposes of thedata processing, in accordance with the provisions of Organic Law 15/1999, of 13December, protection of personal data.When technically possible and effective, the consent of the recipient toaccept the data processing may be facilitated by using the parametersfrom the browser or other applications.The foregoing will not prevent possible storage or access of a technical nature to onlyin order to carry out the transmission of a communication over a communication networkelectronic or, to the extent strictly necessary, for the provision ofa service of the information society expressly requested by theaddressee".This offense is classified as minor in article 38.4 g), of the aforementioned Law, whichconsiders as such: “Use data storage and recovery deviceswhen the information had not been provided or the consent of the recipient was obtained.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 18
18/23natario of the service in the terms required by article 22.2. ”, which may be sanctionednothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.After the evidence obtained in the preliminary investigation phase, and without prejudice towhatever results from the instruction, it is considered that the sanction should bener in accordance with the following criteria established in art. 40 of the LSSI:- The existence of intentionality, an expression that must be interpreted as equi-value to degree of guilt according to the Judgment of the HearingNational of 11/12/07 relapse in Appeal no. 351/2006, corresponding tothe entity denounced the determination of a system for obtaining consentinformed service that conforms to the mandate of the LSSI.- Period of time during which the offense has been committed, since it is theclaim of February 2020, (section b).Based on these criteria, it is deemed appropriate to impose on the claimed entitya penalty of 5,000 euros (five thousand euros), for the violation of article 22.2 of theLSSI.Therefore, based on the foregoing, by the Director of the AgencySpanish Data Protection,HE REMEMBERS:START: SANCTIONING PROCEDURE against the entity, IWEB INTERNET LEAR-NING, SL. with CIF: B364910011, owner of the website *** URL.1 , for the followinginfractions:- Infringement of article 13) of the RGPD, due to the failure to identify the person responsibleof the data processing that makes it impossible to exercise the rights recognizedknown in the RGPD.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 19
19/23- Violation of article 7 of the RGPD, when collecting consentthrough a generic action for all data processing purposesand the impossibility of revoking the consent given.- Infringement of article 22.2) of the LSSI, punishable in accordance with the provisions ofthe art. 39) and 40) of the aforementioned Law, regarding the non-existence of the “Policy ofCookies ”on the website of your ownership.APPOINT: DBBB as Instructor , and Secretary, if applicable, Ms. CCC , indicatingWhereas any of them may be challenged, if applicable, in accordance with the provisionscido in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of thePublic Sector (LRJSP).INCORPORATE: to the sanctioning file, for evidentiary purposes, the inter-put by the claimant and its documentation, the documents obtained and generatedby the Subdirectorate General for Data Inspection during the investigation phasenes, all of them part of the present administrative file.WHAT: for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, onCommon Administrative Procedure of Public Administrations, the sanction thatcould correspond would be:- 3,000 euros (three thousand euros), for the violation of article 13 of the RGPD.- 5,000 euros (five thousand euros), for the violation of article 7 of the RGPD.- 5,000 euros (five thousand euros), for the violation of article 22.2) of the LSSI.Therefore, the total penalty that would correspond for the three infractions would be13,000 (thirteen thousand euros).WHAT: in accordance with article 58.2 of the RGPD, the corrective measure that couldto impose itself on the entity, IWEB INTERNET LEARNING, would consist of ORDERINGto take the necessary measures on:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 20
20/23- Adapt the privacy policy of the website of its ownership to the stipulationsside in article 13 of the RGPD.- Adapt the website of its ownership so that it collects the consent ofstakeholders, differentiated for each of the purposes to which they aredata processing will be finalized.- Include on the website of its ownership, the cookie policy, for which,You can follow the recommendations indicated in the "Guide on Cookies" edited.given by the Spanish Data Protection Agency, in November 2019.NOTIFY: the present agreement to initiate the sanctioning file to the entity,IWEB INTERNET LEARNING, granting you a hearing period of ten business daysto make the allegations and present the evidence it deems appropriate.If within the stipulated period it does not make allegations to this initiation agreement, the sameIt may be considered a resolution proposal, as established in article64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure ofthe Public Administrations (hereinafter, LPACAP).In accordance with the provisions of article 85 of the LPACAP, in the event that thepenalty to be imposed would be a fine, you may recognize your responsibility within theterm granted for the formulation of allegations to the present initiation agreement; thewhich will entail a reduction of 20% of the sanction to be imposed inthe present procedure, equivalent in this case to 2,600 euros. With the appof this reduction, the penalty would be set at 10,400 euros, resolving theprocedure with the imposition of this sanction.In the same way, you may, at any time prior to the resolution of thisprocedure, carry out the voluntary payment of the proposed sanction, whichwill mean a reduction of 20% of the amount thereof, equivalent in this caseat 2,600 euros. With the application of this reduction, the sanction would be established in10,400 euros and its payment will imply the termination of the procedure.The reduction for the voluntary payment of the penalty is cumulative to the correspondingapply for the recognition of responsibility, provided that this recognitionof responsibility is made manifest within the period granted to formulateallegations at the opening of the procedure. The voluntary payment of the referred amountC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 21
21/23in the previous paragraph it may be done at any time prior to the resolution. InIn this case, if both reductions should be applied, the amount of the penalty would beestablished at 7,800 euros (seven thousand eight hundred).In any case, the effectiveness of either of the two mentioned reductions will beconditioned to the withdrawal or resignation of any action or remedy inadministrative against the sanction.If you choose to proceed to the voluntary payment of any of the amounts indicatedpreviously, you must make it effective by entering account number ES000000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection ofData in Banco CAIXABANK, SA, indicating in the concept the number ofreference of the procedure in the heading of this document and thecause of reduction of the amount to which it is accepted.Likewise, you must send proof of admission to the Subdirectorate General ofInspection to continue the procedure according to the quantityentered.The procedure will have a maximum duration of nine months from the date ofdate of the initiation agreement or, where appropriate, the draft initiation agreement.After this period, its expiration will occur and, consequently, the file ofperformances; in accordance with the provisions of article 64 of the LOPDGDD.Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,There is no administrative appeal against this act.Mar Spain MartíDirector of the Spanish Agency for Data Protection.>>SECOND : On September 11, 2020, the defendant has made the paymentof the sanction in the amount of 7,800 euros making use of the two reductionsC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 22
22/23provided for in the Initiation Agreement transcribed above, which implies theacknowledgment of responsibility.THIRD : The payment made, within the period granted to formulate allegations tothe opening of the procedure, entails the waiver of any action or appeal in the processadministrative against the sanction and the recognition of responsibility in relation tothe facts to which the Initiation Agreement refers.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authority ofcontrol, and as established in art. 47 of Organic Law 3/2018, of 5December, Protection of Personal Data and guarantee of digital rights (inhereinafter LOPDGDD), the Director of the Spanish Agency for Data Protectionis competent to sanction the infractions that are committed against saidRegulation; infractions of article 48 of Law 9/2014, of May 9, Generalof Telecommunications (hereinafter LGT), in accordance with the provisions of thearticle 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of theinformation and electronic commerce (hereinafter LSSI), as provided in article43.1 of said Law.IIArticle 85 of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter, LPACAP), under the rubric" Termination of sanctioning procedures " provides the following:"one. Initiated a sanctioning procedure, if the offender acknowledges hisresponsibility, the procedure may be resolved with the imposition of the sanctionthat proceeds.2. When the sanction is solely of a pecuniary nature or it fitsimpose a pecuniary and a non-pecuniary sanction but it has been justifiedthe inadmissibility of the second, the voluntary payment by the presumed responsible, inany time prior to the resolution, will imply the termination of the procedure,Except for the replacement of the altered situation or the determination of thecompensation for damages caused by the commission of the offense.3. In both cases, when the penalty is solely of a pecuniary nature,the competent body to resolve the procedure will apply reductions of, atless, 20% on the amount of the proposed penalty, these being cumulativeeach. The aforementioned reductions must be determined in the notification ofinitiation of the procedure and its effectiveness will be conditional on the withdrawal orwaiver of any action or appeal in administrative proceedings against the sanction.The percentage of reduction foreseen in this section may be increasedregulations.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 23
23/23In accordance with the above,the Director of the Spanish Agency for Data Protection RESOLVES :FIRST: DECLARE the termination of procedure PS / 00234/2020 , ofin accordance with the provisions of article 85 of the LPACAP.SECOND: NOTIFY this resolution to Iweb Internet Learning, SL .In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure as prescribed bythe art. 114.1.c) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations, interested parties may file an appealadministrative litigation before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-Administrative Jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.
Mar España Martí
Director of the Spanish Agency for Data Protection