AEPD - PS/00386/2019

From GDPRhub
AEPD - PS/00386/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
22(2) of Spanish Law on Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Published: 15.06.2020
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: PS/00386/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) decided to impose a fine up to 3,000 € on Innova Resort, S.L. for the infringement of its information duties related to cookies, as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The decision is the consequence of a complaint submitted by a Spanish citizen stating that a website by the defendant loads a great number of analytical and advertising cookies without requesting the consent by the user.

Dispute[edit | edit source]

The defendant did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure. During its investigations, the AEPD discovered that (i) the website automatically loaded cookies without any action by the user, such as MUID, test_cookie, _ga and _gid, that (ii) the basic layer of the website informed that, in case the user continues browsing, cookies would be considered automatically accepted, (iii) the detailed layer of the website contained a Cookies Policy specifying that cookies would not link to personal data obtained in the process of product purchasing without the consent of the user, and that, in order to refuse the use of cookies, the user should choose that option on his/her browser.

Holding[edit | edit source]

Thus, the AEPD understood that the defendant has infringed its information duties in relation to cookies as per Article 22(2) LSSI, according to which, digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws. Consequently, after considering some aggravating circumstances [(i) the existence of intentionality, and (ii) the period of time the defendant has been infringing its duties taking into account that the claim is dated February 2019], the AEPD decided to impose a fine of 3,000 € to the defendant. Additionally, the AEPD requires the defendant to correct the situation on the cookies use at the website in the period of one (1) month since this resolution.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 Procedure No.: PS / 00386/2019938-051119RESOLUTION OF PENALTY PROCEDUREIn the sanctioning procedure PS / 00386/2019, instructed by the Spanish Agency ofData Protection, before IMNOVA RESORT, SL entity with CIF: B64138407, ownerof the website *** URL.1 , (hereinafter “the entity claimed”), for alleged infringementtion to Law 34/2002, of July 11, on services of the information society andelectronic commerce (LSSI), and based on the following,BACKGROUNDFIRST: dated 02/25/19, Ms. AAA (hereinafter, “the claimant”), presented this-crito before the Spanish Agency for Data Protection, in which, among others, denounce-ciaba:“That the online store *** URL.1 installs a large number of cookies, includinganalytical cookies and cookies for advertising purposes without requesting in any casethe user's consent for said installation ”SECOND: In view of the facts set forth in the claim and the documentscontributed by the claimant, the General Sub-Directorate for Data Inspection proceededto carry out actions for its clarification, under the protection of investigative powers.tion granted to supervisory authorities in Article 57.1 of Regulation (EU)2016/679 (General Data Protection Regulation, hereinafter RGPD), Thus, withdate 04/01/19 and 04/12/19, an information request is addressed to the entity claim-gives.THIRD: According to the certificate from the Electronic Notifications and Management ServiceElectronic Enabled, the request sent to the claimed entity, dated04/01/19, through the Notific @ service, was rejected, dated 04/12/19.According to a certificate from the Sociedad Estatal de Correos, the notification sent to the companydata claimed, dated 10/31/18, through the SICER service, at the address: P Fe-Catalan railways 131; 08940 Cornella de Llobregat (Barcelona), was deliveredon 04/26/19, being the person receiving the same Dª BBB *** NIF.1C / Jorge Juan, 6www.aepd.es28001 -
Page 2
2/5FOURTH: After consulting the website *** URL.1 , dated 10/23/19 , the following are observed:following situations:a) .- Without accepting cookies or taking any action on the web, they are loaded, among others,the following cookies: MUID, test_cookie, _ga, and _gid.b) .- The existence of a first layer of information on cookies is verified,stating that "If you continue browsing, we consider that you accept its use".c) .- The existence of a *** URL.1 Cookies Policy is verified, which containsIt has, among others, the following manifestations:- “Without your express consent –by activating cookies on yourBrowser- *** NAVEGADOR.1 not link in cookies memorized datatwo with your personal data provided at the time of registration orpurchase."- “The User expressly accepts, through the use of this Site, the treatmentof the information collected in the form and for the purposes mentioned above-two. And also acknowledges knowing the possibility of rejecting the treatment ofsuch data or information rejecting the use of Cookies by selectingof the appropriate configuration for this purpose in your browser. While this option ofCookies blocking in your browser may not allow full use of allthe functionalities of the Website ”.- “Can you allow, block or eliminate the cookies installed on your computerby configuring the browser options installed on your computernador: Chrome, Explorer, Firefox, Safari ”.- “If you have questions about this cookie policy, you can contact *** NAVE-GADOR.1 at *** EMAIL.1 ”.FIFTH: On 12/02/19, the Director of the Spanish Agency for the Protection ofData agreed to initiate a sanctioning procedure against the owner of the website claim-mada, by virtue of the powers established in article 43.1 of the LSSI, setting ainitial penalty of 3,000 (three thousand euros), without prejudice to what will result inof the instruction of the procedure, and requiring the owner of said page that: “ forthat you take the appropriate measures to include on the website of your ownership( *** URL.1 ), information about the cookies that are installed and a mechanism that allowsta enable or reject all cookies and another to enable cookies freelyvoid in order to manage user preferences ”.SIXTH: On 12/12/19, the opening of the file was notified to the entity claimingMada, who has not submitted to this Agency, any brief or allegation, within thethe period granted for this purpose.PROVEN FACTS1.- Consulted the claimed web page, *** URL.1 , dated 10/23/19, it is observedthat are loaded without performing any previous action. In the first layer of informationC / Jorge Juan, 6www.aepd.es28001 -
Page 3
3/5Regarding cookies, it is stated that "if you continue browsing, we consider that you accept youruse ” and in the second layer:“ Cookies Policy ”, it states that to block or eliminateTo use the cookies installed on the computer, you must configure the browser optionswithout existing any option where it is allowed to reject all cookies.FUNDAMENTALS OF LAWIIn accordance with the provisions of art. 43.1, second paragraph, of the Law34/2002, of July 11, on Services of the Information Society and CommerceElectronic (LSSI), is competent to initiate and resolve this Sanction Procedure-dor, the Director of the Spanish Agency for Data Protection.IIIn the present case, the website *** URL.1 loads without performing any pre-actionvia. In the first layer of information on cookies, it is stated that “if you continuebrowsing, we consider that you accept its use "and in the second layer" Policy ofCookies ”, states that to block or eliminate the cookies installed on the equipmentYou must configure the browser options, without there being any option whereYou are allowed to reject all cookies.IIIThe exposed facts suppose, on the part of the entity claimed, the commission of theinfringement of article 22.2 of the LSSI, according to which: “The service providersmay use data storage and recovery devices on computersterminals of the recipients, provided that they have given their consentafter they have been provided with clear and complete information about theiruse, in particular, for the purposes of data processing, in accordance with theprovided in Organic Law 15/1999, of December 13, on the protection of data frompersonal character.When technically possible and effective, the recipient's consent toAccepting the data processing may be facilitated by using the parametersbrowser or other applications.The foregoing shall not prevent possible storage or technical access to the solopurpose of transmitting a communication over a communication networkelectronic or, to the extent strictly necessary, for the provision ofan information society service expressly requested by the recipient-River.This Infringement is classified as mild in article 38.4 g) of the aforementioned Law, whichconsiders as such: “Use data storage and recovery deviceswhen the information has not been provided or the consent of the destination has been obtainedcustomer of the service in the terms required by article 22.2. ”, and may be sanctionednothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.IIIC / Jorge Juan, 6www.aepd.es28001 -
Page 4
4/5In accordance with the provisions of article 39.1. c) of the LSSI, minor infractions canwill be sanctioned with a fine of up to € 30,000, establishing the criteria for itsgraduation in article 40 of the same standard.After the evidence obtained in the preliminary investigation phase, and without prejudice towhatever results from the instruction, it is considered that the sanction should be graduatedner in accordance with the following criteria established by art. 40 of the LSSI:- The existence of intentionality, an expression to be interpreted asequivalent to the degree of guilt according to the Hearing Judgmentcia Nacional of 12/11/2007 relapse in Resource no. 351/2006, correspondinggiving the denounced entity the determination of a obtaining systeminformed consent that is in accordance with the LSSI mandate.- Period of time during which the offense has been committed, as it is theclaim of February 2019, (section b).In accordance with these criteria, it is considered appropriate to impose on the entity claimeda penalty of 3,000 euros (three thousand euros).Having seen the aforementioned precepts and others of general application, the Director of the AgencySpanish Data Protection.RESOLVESFIRST: TO IMPOSE the titular entity IMNOVA RESORT, SL with CIF: B64138407,holder of the website *** URL.1 , a penalty of 3,000 euros (three thousand euros), for in-fraction of article 22.2) of the LSSI Law, typified as “slight” in article 38.4.g)of the aforementioned Law.SECOND: REQUIRE the entity IMNOVA RESORT, SL so that, within theone month from this act of notification, proceed to take the appropriate measures toadapt your website to the provisions of article 22.2 of the LSSI, for which you canfollow the recommendations published by this AEPD in its "Guide on the Use ofCookies ”, November 2019.THIRD: NOTIFY this resolution to the entity IMNOVA RESORT, SL andto the claimant about the result of the claim.Warn the sanctioned that the sanction imposed must be effective once it isexecutive this resolution, in accordance with the provisions of article 98.1.b)of law 39/2015, of October 1, of the Common Administrative Procedure of the Ad-Public ministries (LPACAP), in the period of voluntary payment indicated in the article68 of the General Collection Regulation, approved by Royal Decree 939/2005,C / Jorge Juan, 6www.aepd.es28001 -
Page 5
5/5of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-by entering the restricted account no. ES00 0000 0000 0000 0000 0000, openedon behalf of the Spanish Agency for Data Protection at CAIXABANK Bank,SA or otherwise, will be collected in the executive period.Notification received and once executive, if the date of enforcement is foundbetween the 1st and 15th of each month, both inclusive, the deadline for making the vo-luntary will be until the 20th of the following month or immediately the next business day, and ifbetween the 16th and last day of each month, both inclusive, the payment termIt will be until the 5th of the second following month or immediately following business.In accordance with the provisions of article 82 of Law 62/2003, of December 30,On fiscal, administrative and social order measures, this Resolution iswill make public, once the interested parties have been notified. The publication is made-will be in accordance with the provisions of Instruction 1/2004, of December 22, of the AgencySpanish Data Protection on publication of its Resolutions.Against this resolution, which ends the administrative route, and in accordance with theestablished in articles 112 and 123 of the LPACAP, the interested parties may interpo-ner, optionally, appeal for reversal to the Director of the Spanish AgencyData Protection within a month from the day after the notificationfication of this resolution, or, directly administrative contentious appeal before theContentious-Administrative Chamber of the National Court, in accordance with the provisionsset forth in article 25 and section 5 of the fourth additional provision of the Law29/1998, of 07/13, regulating the Contentious-Administrative Jurisdiction, in thetwo months from the day after notification of this act, according tothe provisions of article 46.1 of the aforementioned legal text.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,may provisionally suspend the final resolution in administrative proceedings if the interested-do express your intention to file a contentious-administrative appeal. Of beingIn this case, the interested party must formally communicate this fact in writing.addressed to the Spanish Agency for Data Protection, presenting it through the Re-Electronic Registry of the Agency [], orthrough any of the remaining records provided in art. 16.4 of the aforementioned Law39/2015, of October 1. You must also transfer the documentation to the Agencythat proves the effective filing of the contentious-administrative appeal. If theAgency had no knowledge of the filing of the contentious-administrative appealtreatable within two months from the day following notification of thisresolution, would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection