AEPD (Spain) - PS/00268/2020

From GDPRhub
Revision as of 11:30, 18 February 2021 by Mh
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 22(2) of the Law on services of the information society and electronic commerce
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.01.2021
Published: 16.02.2021
Fine: 2000 EUR
Parties: The Washpoint SL
National Case Number/Name: PS/00268/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a €2000 fine on The Washpoint SL for failing to provide a Privacy Policy on their website (Article 13 GDPR) and for the absence of a reject button on the second layer of their Cookie Policy (Article 22(2) LSSI).

English Summary

Facts

The claimant filed a complaint against The Washpoint SL on the basis that the company's website had neither a Privacy Notice nor a Cookie Notice.

The Spanish DPA (AEPD) went on to verify the claims and found it proven that, with regard to the Privacy Policy, there was no link to any document or page outlining it. No information is therefore provided on the processing of users' personal data.

With regards to the Cookie Policy, the Spanish DPA also confirmed that there was no mechanism to reject cookies in the second layer of the Cookie Policy. There was only information available on how the user can configure browser settings in their terminal equipment.

Dispute

Does the lack of a Privacy Policy lead to a violation of Article 13 GDPR?

Does the absence of a reject button in the second layer of the cookie policy lead to a violation of Article 22(2) LSSI?

Holding

In relation to the Privacy Policy, the Spanish DPA (AEPD) held that there was a possibility for The Washpoint SL to collect information concerning the users' personal data. However, due to the lack of a link to any Privacy Policy or information on the processing of the users' personal data, the DPA held that there was a violation of Article 13 GDPR.

In relation to the missing reject button from the second layer of the Cookie Policy, the Spanish DPA held that this constituted a violation of Article 22(2) of the Spanish Law on services of the information society and electronic commerce (LSSI).

The DPA considered that the lack of information or a privacy policy, in breach of Article 13 GDPR, should be sanctioned with a fine of €1000. Additionally, the DPA held that the violation of Article 22(2) LSSI due to the lack of a reject button in the cookie banner should be sanctioned with a fine of €1000 as well. Therefore, the overall fine imposed on The Washpoint SL amounted to €2000.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00268/2020
938-0419

RESOLUTION OF SANCTIONING PROCEDURE

In the sanctioning procedure PS/00268/2020, instructed by the Spanish Agency for Data Protection to the entity THE WASHPOINT S.L., with CIF: B67354894, owner of the website http://thewashpoint.com/ (hereinafter, "the claimed entity"), by virtue of a complaint filed by D.A.A.A. (hereinafter, "the claimant"), and based on the following,


                                   BACKGROUND

FIRST: On 01/02/20, this Agency received a complaint filed by the claimant, which stated, among other things, the following:

"The website http://thewashpoint.com lacks a Legal Notice and Privacy Policy. It also does not have a cookie notice. Despite this, it uses a form to collect personal data".

SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the SG of Data Inspection proceeded to carry out actions for their clarification, in accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD). Thus, on 02/07/20 and 02/18/20, it addressed two written information requests to the claimed entity.


According to the certificate of the Electronic Notifications and Enabled Electronic Address Service, the request sent to the claimed entity on 02/07/20, through the NOTIFIC@ service, was automatically rejected at the destination address on 02/18/20.

According to a certificate from the State Postal and Telegraph Society, the request sent to the claimed association on 02/18/20, through the SICER service, was returned to origin with the annotation "absent".

THIRD: On 09/08/20, this Agency consulted the reported website, verifying the following aspects of the privacy policy and the cookie policy implemented on said page:

    A) Regarding the Privacy Policy:

It has been verified that, on the reported website, http://thewashpoint.com (https://thewashpoint.com/es/franchise-lavanderias-autoservicio/), there is NO link that redirects to the "privacy policy". The << contact >> tab contains only the following information: ADDRESS: THE WASHPOINT S.L.U. C.I.F.: B67354894; Calle dels Sentmenat 12; Sabadell, 08203 Barcelona Spain. PHONE +34 693 00 88 71 E-MAIL: hola@thewashpoint.com

In addition, it is found that said page requires the name, location, email and telephone number of clients who wish to contact said entity.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es

    B) Regarding the Cookies Policy:

b.1.- When accessing the main page of the website, http://thewashpoint.com (first layer), it is verified that, at the bottom of it, there is a banner with the following information:

 "We use our own and third party cookies to improve our services and show you advertising related to your preferences by analyzing your browsing habits". << Cookies policy >> - << Ok >>

b.2.- If you access the "cookie policy" page through the corresponding link, it informs, among other things, about what cookies are and what types of cookies this web page uses.

Regarding the management of cookies, the website refers the user to configure the browser used on their terminal equipment.

FOURTH: In view of the facts reported and the verifications carried out by this Agency, the Director of the Spanish Agency for Data Protection, on 09/25/20, agreed to initiate a sanctioning procedure against the claimed entity, by virtue of the established powers, for failing to comply with the provisions of article 22.2 of the LSSI, regarding the cookie policy of its website.

FIFTH: The initiation of the file was notified on 10/09/20; to date, there is no record that the claimed entity has given any response to the initiation of the file within the period granted for this purpose, for the appropriate legal purposes.

From the actions carried out in this procedure, and from the information and documentation presented by the parties, the following have been accredited:


                                 PROVEN FACTS

1º.- Regarding the "Privacy Policy" of the website http://thewashpoint.com, it has been verified that the website can collect users' personal data, but there is no link that redirects to the "privacy policy" or area providing the information that, according to the current regulation on data protection, must be offered to the user at the time their personal data is collected.

2º.- Regarding the "Cookies Policy" of the website http://thewashpoint.com, it has been verified that, in the second layer (cookie policy), there is no mechanism that makes it possible to reject cookies; the user is referred to configuring the browser used on their terminal equipment if they want to manage the use of cookies.


                            FOUNDATIONS OF LAW

                                             I


The Director of the Spanish Agency for Data Protection is competent to resolve this procedure, in accordance with the provisions of art. 43.1, second paragraph, of the LSSI.

                                             II

The joint assessment of the documentary evidence in the procedure brings to the knowledge of the AEPD a view of the reported conduct, which is reflected in the facts declared proven above.

From the actions carried out in relation to the "Privacy Policy" and the "Cookies Policy" of the claimed website, http://thewashpoint.com, the following aspects have been verified:

Regarding the "Privacy Policy", it has been verified that the website can collect users' personal data, but there is no link that redirects to the "privacy policy" or area providing the information that, according to current data protection legislation, must be offered to the user at the time their personal data is collected.

In this sense, article 13 of the GDPR establishes the information that must be provided to the interested party at the time their personal data is collected, information which should appear in the "privacy policy" of the website.

Therefore, the known facts could constitute an infringement, attributable to the claimed entity, for violation of article 13 of the GDPR.


For its part, article 72.1.h) of the LOPDGDD considers very serious, for the purposes of prescription, "the omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of the GDPR".

This offense can be sanctioned with a fine of a maximum of €20,000,000 or, for a company, of an amount equivalent to a maximum of 4% of the total annual global turnover for the previous financial year, opting for the higher amount, in accordance with article 83.5.b) of the GDPR.

In accordance with the indicated precepts, in order to set the amount of the penalty to impose in the present case, it is considered that the sanction should be graduated in accordance with the following aggravating criteria established in art. 83.2 of the GDPR:

    - The category of personal data affected by the infringement (section g).

    - The way in which this AEPD learned of the infringement, through the complaint filed by an individual (section h).

The balance of the circumstances contemplated in article 83.2 of the GDPR, with respect to the offense committed by violating the provisions of its article 13, allows setting a penalty of 1,000 euros (one thousand euros), regarding the non-existence of a "privacy policy" on the reported website.


                                              III

Regarding the "Cookies Policy" of the website, it has been verified that, in the second layer (cookie policy), there is no mechanism that makes it possible to reject cookies; the user is referred to configuring the browser used on their terminal equipment if they want to manage the use of them.

The exposed facts suppose, on the part of the claimed entity, the commission of a violation of article 22.2 of the LSSI. This offense is classified as "minor" in article 38.4 g) of the aforementioned Law, which considers as such: "Use data storage and recovery devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by Article 22.2.", which may be sanctioned with a fine of up to €30,000, in accordance with article 39 of the aforementioned LSSI.

Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 1,000 euros (one thousand euros) for the violation of article 22.2 of the LSSI, regarding the cookie policy of the website it owns.

Thus, it is considered appropriate to impose on the claimed entity a total sanction of 2,000 euros (two thousand euros): 1,000 euros for violation of article 13 of the GDPR and 1,000 euros for violation of article 22.2 of the LSSI.

Therefore, in accordance with the foregoing, the Director of the Spanish Agency for Data Protection,

                                        RESOLVES

IMPOSE: on the entity THE WASHPOINT S.L., with CIF: B67354894, owner of the website http://thewashpoint.com/, two sanctions, regarding the privacy policy and the cookie policy of the website it owns, consisting of:

    - 1,000 euros (one thousand euros) for the violation of article 13 of the GDPR, regarding the privacy policy of its website.

    - 1,000 euros (one thousand euros) for the violation of article 22.2 of the LSSI, regarding its Cookies Policy.

REQUEST: the entity THE WASHPOINT S.L., within one month from this act of notification, to take the necessary measures to:

    - Adapt the privacy policy of the website it owns to the stipulations of article 13 of the GDPR.

    - Incorporate the necessary information about cookies into the website and enable a mechanism that allows all cookies to be rejected.

NOTIFY: this resolution to the entity THE WASHPOINT S.L.

Warn the sanctioned party that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it in the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK, S.A.; otherwise, it will be collected in the executive period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline for voluntary payment will be the 20th of the following month or the immediately subsequent business day, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately subsequent business day.

In accordance with the provisions of article 82 of Law 62/2003, of December 30, on fiscal, administrative and social order measures, this Resolution will be made public once it has been notified to the interested parties. The publication will be carried out in accordance with the provisions of Instruction 1/2004, of December 22, of the Spanish Agency for Data Protection on the publication of its Resolutions.

Against this resolution, which puts an end to the administrative procedure, and in accordance with the provisions of articles 112 and 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 07/13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned legal text.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party states its intention to file a contentious-administrative appeal. In this case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also forward to the Agency the documentation that certifies the effective filing of the contentious-administrative appeal. If the Agency has no knowledge of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, it will terminate the precautionary suspension.


Mar España Martí
Director of the Spanish Agency for Data Protection.