AEPD (Spain) - PS/00291/2020: Difference between revisions

From GDPRhub
Revision as of 10:08, 28 April 2021

AEPD - PS/00291/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 6(1) GDPR
Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI)
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: PS/00291/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: E Rodriguez Montes

The Spanish DPA issued a warning to an events organiser whose website violated the Spanish law implementing the e-Privacy Directive because it neither provided clear information about cookies nor allowed their rejection. The DPA issued a warning rather than a fine because the events organiser was a natural person and not a legal person.

English Summary

Facts

A data subject made a complaint to the Spanish DPA because they had submitted anonymous comments via Instagram to an events organiser about a cousin's wedding that they had attended, and the events organiser responded by forwarding their comments, together with identifying data of the data subject, to the bride and groom without informing the data subject first.

The Spanish DPA sent requests for information to the controller regarding the data subject's complaint and did not receive an answer. In the course of investigating the complaint, the Spanish DPA checked the events organiser's website and found that it used cookies without providing enough information to users and that there was no "reject" button.

Holding

The Spanish DPA held that this was a violation of the Spanish Act implementing the e-Privacy Directive (LSSI), as the website did not clearly inform users about the cookies it used and did not allow them to reject all cookies.

The Spanish DPA decided to issue a written warning instead of an economic fine because the website belonged to a natural person and not a legal person.

Comment

Surprisingly, the Spanish DPA does not analyse the actual complaint of the data subject, which is that the company forwarded her comments and other identifying personal data to the bride and groom (relatives of the data subject) without having properly informed her about it. In my personal view, this would be a violation of Article 13(1)(c) and (e) GDPR.

Furthermore, it is unclear from the decision of the Spanish DPA what the link is between the failure to provide appropriate information about cookies on the company's website and the actual complaint, which was about forwarding comments and personal data of social media users to third parties without properly informing the data subjects.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No.: PS / 00291/2020
938-0419
                RESOLUTION OF SANCTIONING PROCEDURE

In the sanctioning procedure PS / 00291/2020, conducted by the Spanish Agency for
Data Protection against Ms. A.A.A. (*** COMPANY.1), with NIF: *** NIF.1, holder of the
website *** URL.1 (hereinafter, "the person claimed"), by virtue of a complaint
presented by Ms. B.B.B. (hereinafter, "the claimant"), and based on the
following:


                                  BACKGROUND:

FIRST: On 10/28/19, this Agency received a complaint filed by the claimant,
in which she indicated, among other things, the following:


“I come to report to the Data Protection Agency that my
rights on the part of the company *** COMPANY.1, destined for profit to the
organization of weddings and events, for disclosing, without my consent, my image, my
identity and personal data, as well as my opinion expressed privately on your
Instagram social network (whose justification is attached Doc. No. 1).

“I attended as a guest at the wedding organized by the company *** COMPANY.1, which
has a social network on Instagram and where it privately admits opinions
about the event that it organizes, that is, opinions can be expressed that remain
reserved between me and said company. Recognizing that my opinions were not
favorable to the wishes of said company, opinions at all times referred
to the organization of the event I attended, and always with the aim of improving
both their appearance and the service they provide for future events, I find that the
opinion that I issued privately in the space that they have reserved for it
has been transmitted with my photograph and personal identification via the internet with
screenshot (whose justification is attached to Doc. No. 2) included in a
intentionally and in bad faith to the bride and groom, that is, to my first cousin sending them and
this without my authorization, which has generated a serious family problem difficult to
solve, which has led me to file the corresponding complaint for the
violation of my rights by the company *** COMPANY.1, I have to
state that this company organizes the events for profit and there is no
reflected your CIF on the internet”.


SECOND: In view of the facts presented in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of Regulation
(EU) 2016/679 (RGPD). Thus, on 12/11/19 and 02/24/20, requests for
information were addressed to the claimed person.

According to the certificate of the State Postal and Telegraph Society, the requirement
sent to the claimed entity, on 12/11/20, through the SICER service, was
returned to origin by the postal service with the message "absent" and "not picked up
of the mailing list service".


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es

According to the certificate of the State Postal and Telegraph Society, the requirement
sent to the claimed person, on 02/24/20, through the SICER service, was
collected at destination by A.A.A. (*** COMPANY.1) *** NIF.1, on 03/09/20.


THIRD: On 09/20/20, this Agency consulted the reported website,
checking the following aspects of the privacy policy and
the cookie policy implemented on said page:

A) .- Regarding the Privacy Policy:


a.1.) .- It has been verified that, on the web page *** URL.1, through the tab
<<contact>>, there is the following information: “Call, write or send us smoke
signals, but get in touch, because the dates fly”: Telephone: *** TELEPHONE.1;
Email: *** EMAIL.1; Address: *** ADDRESS.1, *** LOCATION.1 © 2020
*** COMPANY.1 - << Legal notice >>

a.2.) .- The only way that the website has to collect personal data from the
interested persons is through e-mail, so, in principle, the
only data that is provided to the web is the email address of the
interested party, in addition to the data that they, of their own accord, provide within the
email message sent. However, there are also links to its profiles on
social networks, through which the entity can be contacted.

a.3.) .- Through the existing link "legal notice", both on the <<contact>> page
and on the main page, the web redirects to a page where information is
provided on: the identification data of the owner of the website; the applicable
legislation; the identification of the person responsible for the treatment; the legitimation of
data treatment; the time of conservation of the data; the possible transfer of
data; the rights of the interested party; where to exercise rights; the security
measures; treatment based on the consent of the affected party; the duty of
confidentiality and the right to complain to the AEPD.

B) .- Regarding the Cookies Policy:

b.1.- When accessing the main page of the web, *** URL.1, (first layer), there is a
banner at the bottom of it, with the following message:

     “This website uses cookies, you can see the cookie policy here. If you continue
     browsing you are accepting it” <<ACCEPT>>

b.2.) .- If the "cookie policy" is accessed through the link in the
banner, the web redirects to a page where information is provided about: what
cookies are and what types of cookies this website uses.

    - To disable cookies, the page provides the following information:

    "You can allow, block or delete the cookies installed on your computer
    by configuring the browser options installed on your
    computer. Most web browsers offer the possibility of
    allowing, blocking or deleting cookies installed on your computer. Then,

    you can access the settings of the most frequent web browsers to
    accept, install or deactivate cookies (…)".


FOURTH: Notice of the initiation of the file was given on 10/20/20; to date, there
is no record that the claimed entity has given any response to the initiation of the
file within the period granted for this, for the appropriate legal purposes.

From the actions carried out in this procedure, and from the information and
documentation presented by the parties, the following have been accredited:


                                 PROVEN FACTS

1.- It has been verified that, on the website *** URL.1, personal data of the
interested persons can be collected through the emails sent to the
claimed person.

2.- Through the link << legal notice >> the web redirects to a page where information
is provided on: the identification data of the owner of the website; the applicable
legislation; the identification of the person responsible for the treatment; the legitimation of the
data treatment; the time of conservation of the data; the possible transfer of data;
the rights of the interested party; where to exercise rights; security measures; the
treatment based on the consent of the affected party; the duty of confidentiality and the
right to claim before the AEPD.

3.- Regarding the Cookies Policy:
3.1.- When accessing the main page of the web, *** URL.1, (first layer), there is a
banner at the bottom of it, with the following message:

        “This website uses cookies, you can see here the << cookie policy >>. If you continue
        browsing you are accepting it”

                                     <<ACCEPT>>

3.2.- If the "cookie policy" is accessed, through the link in the banner,
the web redirects to a page where information is provided on: what cookies
are and what types of cookies this website uses. To manage cookies, the
page refers the user to the configuration of the browser installed on their terminal equipment:


                            FOUNDATIONS OF LAW

                                             I
The Director of the Spanish Agency of Data Protection is competent to resolve
this procedure, in accordance with the provisions of art. 43.1, second
paragraph, of the LSSI.
                                            II
The joint assessment of the documentary evidence in the procedure brings to
the knowledge of the AEPD a vision of the denounced action that has been reflected
in the facts declared proven above.

In relation to the "Cookies Policy" of the website denounced, it is verified
that the information provided in the banner of the first layer does little to
clarify the purpose of the cookies that are used. There is also no
mechanism that allows rejecting all cookies.

The facts set out constitute, on the part of the person claimed, an infringement
of article 22.2 of the LSSI.


This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2. ”, which may be
sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned
LSSI.


In accordance with these criteria, and considering that the person responsible for the website is
a natural person, it is considered appropriate to impose a penalty of warning, for the
infringement of article 22.2 of the LSSI, regarding the cookie policy implemented on
the website that she owns.


Therefore, in accordance with the foregoing, the Director of the Spanish
Agency for Data Protection,
                                       RESOLVES

WARN: Ms. A.A.A. (*** COMPANY.1), with NIF: *** NIF.1, owner of the website
*** URL.1, for the violation of article 22.2 of the LSSI, with regard to the cookie
policy of the website that she owns.

REQUIRE: Ms. A.A.A. (*** COMPANY.1), within a month, counting
from the notification of this resolution, to modify the website that she owns with
respect to the cookie policy, adapting the information provided in the banner
on cookies of the first layer and including a mechanism that allows all
the cookies to be rejected.

NOTIFY: this resolution to Ms. A.A.A. (*** COMPANY.1).


In accordance with the provisions of article 50 of the LOPDPGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the
interested parties may file, optionally, an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a month from
the day after notification of this resolution, or directly a contentious-administrative
appeal before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the fourth additional
provision of Law 29/1998, of July 13, regulating the Contentious-Administrative
Jurisdiction, within a period of two months from the day following the notification
of this act, as provided in article 46.1 of the aforementioned Law.

Mar España Martí

Director of the Spanish Agency for Data Protection.



