AEPD (Spain) - PS/00388/2020

From GDPRhub
(Redirected from AEPD - PS/00388/2020)
AEPD - PS/00388/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
Article 22(2) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 16.04.2021
Fine: 3000 EUR
Parties: FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L.
National Case Number/Name: PS/00388/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA fined a website €3000 for installing third-party cookies without the user's consent, as well as for not informing the user about the purpose of such cookies.

English Summary

Facts

The AEPD received a complaint stating that two websites of a controller lacked a privacy and cookies policy, or any other kind of information regarding the data that they process.

After launching an investigation, the AEPD found that the one of the websites did have a privacy and cookies policy. However, the AEPD also found that both websites gathered consent from the use in a generic way. The user did not have an option to specify what processing they wanted to consent. This was amended by the controller during the proceeding.

The website also offered, in the form for collecting the user's data, information on who is responsible for the processing of personal data; the legitimacy of the data processing (consent); the recipients and the rights that assist the user in relation to the processing of their personal data.

The AEPD also found that the website placed unnecessary third-party cookies in the user's device without consent. The banner only offered generic information and had no button to reject the cookies in its first layer. An option to reject cookies was included by the controller during the proceeding.

In the second layer, the user can reject unnecessary cookies. However, the authority found that, when exercising this option, they were used anyway.

During the course of the investigation, the controller deleted the second website, that lacked a privacy and cookies policy, redirecting the user to the first website when using its domain.

Holding

The AEPD held that the cookie banner of the website violated Article 22(2) of the Spanish Information Society Services Act (LSSI), implementing the e-Privacy Directive, as it did not properly inform the user about the fact that the website used third-party cookies with marketing purposes, that would create a profile, based on the user's navigation behaviour, in order to show them advertisements related to their preferences.

It also violated Article 22(2) by not allowing to reject such cookies, using them without consent, even when the user had deactivated the option.

The AEPD also found that there had been a violation of Article 7 GDPR before the controller allowed the user to choose what specific processing they wanted to consent.

The AEPD decided the following:

  • To warn the controller with regards to a violation of Article 7 GDPR, for gathering consent in a generic way.
  • To fine the controller €3000 for infringing Article 22(2) LSSI, for installing third-party cookies without consent.
  • To warn the controller for lacking a privacy policy in their second website, thus violating Article 13 GDPR.
  • To order the controller to adapt its website, with respect to the "cookies policy", including the necessary information in the cookie banner regarding the use of third party cookies, as well as preventing the use of unnecessary cookies until the user has consented to their use.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                  1/19








     Procedure No.: PS / 00388/2020

                RESOLUTION OF SANCTIONING PROCEDURE


In the sanctioning procedure PS / 00388/2020, instructed by the Spanish Agency for
Data Protection, to the entity, FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L., with
CIF.:B73447393, owner of the web pages: *** URL.1 and *** URL.2, (hereinafter, “the en-
claimed amount ”), and based on the following,


                                   BACKGROUND

FIRST: In the claim filed on 07/21/20, it was indicated, among others, the following:
following: “The web pages *** URL.1 and *** URL.2 do not have a privacy policy
privacy, legal text or cookie management. In the contact forms there is no

information on what is going to be done with the form data ”.

SECOND: In view of the facts presented in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the powers of

investigation granted to the control authorities in art 57.1 of the RGPD. Thus, with
dated 09/16/20, an informative request is addressed to the claimed entity.

THIRD: On 10/15/20, the entity claims to send this Agency a written statement of
response to the request and the content of which is included in the document initiating the

file and in the resolution proposal writing.

FOURTH: On 11/19/20, by this Agency, checks are carried out
on the "Privacy Policy" and on the "Cookies Policy" of the web pages
indicated, checking the aspects that were already included in the brief of
initiation of file and in the resolution proposal writing.


FIFTH: In view of the facts denounced and the evidence observed in the
web pages, the Director of the Spanish Agency for Data Protection, dated
11/25/20, agreed to initiate a sanctioning procedure against the claimed entity, by virtue of
of the powers established in the current legislation, for the following infractions:


a) .- Regarding the web page *** URL.1:

.- Infringement of article 7) of the RGPD, when collecting the consent of the
users, through a generic acceptance for all treatment purposes, with

an initial penalty of "warning".

.- Infringement of article 22.2) of the LSSI, regarding the non-existence of "Policy of
Cookies ”of the website of its ownership, with an initial penalty of 3,000 euros.

b) .- Regarding the web page *** URL.2:


.- Infringement of article 13) of the RGPD, regarding the lack of privacy policy.
city on its website, verifying that there is a treatment of personal data-
the users, with an initial penalty of 3,000 euros.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/19









.- Infringement of article 22.2) of the LSSI, regarding the non-existence of "Policy of
Cookies ”of the website of its ownership, with an initial penalty of 3,000 euros.


SIXTH: Once the agreement to initiate the sanctioning file has been notified, the entity complained
mada, by letter dated 12/11/20, made allegations to the initiation of ex-
petitioner, whose content was already indicated in the resolution proposal writing.

SEVENTH: On 02/20/21, by this Agency, they are again made

Provisions of the "Privacy Policy" and the "Cookies Policy" of the pages
website indicated, and the proposed resolution is notified to the entity claimed in the
that it was proposed that, by the Director of the Spanish Agency for Data Protection
the claimed entity is sanctioned:


.- Regarding the web page *** URL.1, with "warning", for the violation of article
lo 7, of the RGPD, regarding the inoperability in the collection of consent for
the different purposes for which the entity wishes to process personal data, and with 3,000
euros (three thousand euros), for the violation of article 22.2) of the LSSI, regarding the
"Cookies Policy" on the website.


.- Regarding the website *** URL.2, with 3,000 euros (three thousand euros), for the infringement
tion of article 13 of the RGPD, regarding the lack of privacy policy in
the web and with 3,000 euros (three thousand euros), for the violation of article 22.2) of the LSSI,
Regarding the "Cookies Policy" on the website of its ownership.


In addition, in accordance with article 58.2 of the RGPD, it was proposed to the Director of the
Spanish Data Protection Agency to order the entity to:

.- Take the necessary measures to activate the mechanism to collect consent.
ment of the website users *** URL.1.


.- Take the necessary measures to include on the web, *** URL.2, the “Privacy Policy
Vacity ”adapting it to the provisions of article 13 of the RGPD.

.- Take the necessary measures to adapt the cookie policies of the two pa-
web pages, as stipulated in current regulations.


NINTH: After notification of the proposed resolution, dated 03/30/21, the
complained entity submitted a brief of allegations to the resolution proposal, in the
which indicated, among others, the following:


“In the Document received by Flexomed, in relation to the treatment of personal data
sonals of the web page *** URL.1, once that incorrect phrase that appears
company on the web, it was used to provide users with an independent opt-in, not
marked by default, in which they could provide their consent to receive
commercial communications, modifying accordingly, the purposes of the treatment

of the data and including that they would be, the main purpose of giving
response to the request made by the user and, in addition, and only in case of consent
express consent through the opt-in provided separately for this, your data
would also be used for the purpose of sending communications.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/19









Regarding the newsletter form, it is possible that, at the time it is made-
The appropriate checks were made by the Aepd, there was a computer error that did not

allow access to the form to subscribe to the newsletter, however, this
The form is active and has the information related to the treatment of
personal data, as can be seen in the screenshot ...

- Regarding the "Cookies Policy" on the website, the Aepd is informed that Flexomed
carried out the appropriate checks being able to confirm at present that, without

perform any action on the web and without accepting the use of cookies, you will not
They install unnecessary cookies. Similarly, in case the user rejects them,
Except for those strictly necessary, said non-necessary cookies will not be installed.
In addition, in the drop-down banner the types of cookies


About the alleged infringements on the website *** URL.2 This website, as
was indicated in the allegations made by Flexomed dated December 10,
2020, was created and published by the former employee's own decision without having instructions.
purposes of the company to do so or inform it of said action. Proof of this is that this
website, has not been published or announced by the company in any way. The same-
This happened with the registration of the domain *** URL.3, carried out by the ex-

worker under his ownership and without notifying Flexomed.

One of the complaints filed against the former employee for this reason is provided. TO
in view of the above, this web domain was redirected by Flexomed to the web
*** URL.1 permanently, and for the time being, until the company decides whether to

nally they will use this website and in what way they will do it, as well as the types of data
that will be collected and the treatment that will be made of them in order, in this way, to inform
correctly to users and comply with current regulations.

Flexomed undertakes that, in the event of making the decision to activate again

this website, it will implement all the measures adopted by the website
*** URL.1, especially with regard to information on data processing
personal data that are collected through it and regarding the cookies that go to ins-
be logged in the same, attending to the indications of the Aepd in the notifications between
sent to Flexomed and the cookie guide published by the same body, complying with
In this way, the regulations on data protection and the Law on services

of the information society and electronic commerce.

As detailed and documented in this writing and as a sample of the
good faith and the interest of the company in complying with the data protection regulations
not suppose any type of damage in this sense to the owners of the personal data

sonal and solve this matter as quickly as possible, the above measures
days imposed by the Aepd had already been adopted ”.

TENTH: On 04/06/21, by this Agency, they will again carry out
Provisions on the “Privacy Policy” and the “Cookies Policy” on the pages

web sites indicated, checking the following aspects in each of them:

A) .- Regarding the website, *** URL.1:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/19








    - About the processing of personal data on the website:


1.- On the initial page, through the tab: <<contact>>, the web redirects to a form-

form where personal data of users are collected, such as name, telephone number,
phone or email.

On the same page where the form is located, there is also information about
bre, who is responsible for the processing of personal data; legitimation

that you have for the treatment of the data (consent); recipients and
rights that assist the user in relation to the processing of their personal data-
them.

Before being able to send the questionnaire, it is necessary to accept the privacy policy
marking the corresponding box: “_ I accept the << Legal Notice >> and the << Policy of

Privacy >> whose basic information appears below (…) ”.

At the bottom of the main page, the user can subscribe to receive co-
Commercial communications of the entity: "_I wish to receive commercial communications
related to the products and services of FLEXOGRÁFICA DEL MEDITERAAÉ-

NEO, S.L. ".

There is also the possibility of subscribing to the entity's newsletter by filling in
the existing form at the bottom of the main page: Subscribe to our
NEWSLETTER to keep up to date with all the news in our universe of pa-

ckaging and food packaging <<send>>.

    - About the "Privacy Policy" of the website:


1.- Through the link << Privacy Policy >>, existing at the bottom of the form.

As previously indicated, the web redirects to a new page, *** URL.4, which provides
provides information on compliance with current legislation on the subject of
data protection; identification of the person responsible for data processing; the finali-
nature of data collection; the rights of users regarding the treatment of
your personal information; on the use of the web portal or on intellectual property, in-

among others.

    - About the "Cookies Policy" of the website:


1.- When entering the initial page of the indicated web (first layer), without making any

action on it and without rejecting cookies, it is verified that they are used
non-necessary third-party cookies, whose domain belongs to "youtube.com" and which are
the following:

    - VISITOR_INFO1_LIVE: cookie that tracks the videos you visit-

        two that are embedded in the web. Has a permanence of 240
        days approximately.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/19









    - YSC: cookie that measures the reproductions of videos made by the user and
        logs the "Like" or "Share Video" events. It is a cookie of se-

        sion, expiring when the session with the browser ends;


    - CONSENT: which measure when a video is seen, liked or shared.



2.- On the same initial page, (first layer), the following banner is displayed with in-
cookie training:

 “We use cookies on our website to give you the most relevant experience re-

matching your preferences and repeat visits. By clicking "Accept", you agree to the use
                                  of ALL cookies ”.

                           << Cookie Settings >> --- <<accept>>

3.- If you choose to go to the cookie configuration panel, through the link,

<< set cookies >>, a cookie configuration panel is displayed where you can
den manage their use, in a granular way, by moving the cursor
from position <<off>> to position <<on>>, in the different groups of cookies
constituted: "Functional"; "Performance"; "Analytics" and "Others".


However, if you choose NOT to allow the use of cookies, leaving the cursors in
the position, <<off>>, it is verified that the web page continues to use third-party cookies
zeros not necessary and not now allowed by the user, whose domains belong to
they need to, "Google.com"; "Youtube.com" and "doubleclick.net" and which are the following:


    - 1P_JAR: Cookie that transfers data to Google to advertise more
        attractive.


    - VISITOR_INFO1_LIVE: cookie that tracks the videos you visit-

        two that are embedded in the web. Has a permanence of 240
        days approximately.



    - YSC: cookie that measures the reproductions of videos made by the user and
        logs the "Like" or "Share Video" events. It is a cookie of se-
        sion, expiring when the session with the browser ends.



    - CONSENT: which measure when a video is seen, liked or shared.


    - IDE: cookies used to display Google ads on sites that do not

        They are from Google.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/19








    - NID: cookie used by Google to store user preferences.




4.- On the "Cookies Policy" page, whose link is at the bottom
of the page, << Cookies Policy >>, the web redirects to a new page, *** URL. 5,
that provides information about what cookies are and what they are used for; what infor-
mation saves a cookie; what type of cookies exist and identifies the cookies used

liza the website, both its own and those of third parties (Google Analytics), the finali-
how long they have and how long they will be active. On how to manage the installation of
cookies in the terminal equipment, the web page refers the user to configure the navigation-
dor installed in your terminal equipment.

B) .- Regarding the website, *** URL.2:


It has been found that, when trying to access the page. *** URL.2, the web redirects
the user to the *** URL. 1.

                                  PROVEN FACTS


1º.- According to the claim presented in this Agency, the web pages, *** URL.1 and
*** URL.2, did not have a privacy policy or cookie management.

2.- At the request of this Agency, the entity reported, among others, that:


“The web, *** URL.1, owned by the Company, has the information and documents
necessary information regarding data protection, including the Privacy Policy,
*** URL.4, and Cookies Policy, *** URL.5, with a cookie notice that appears
pray on the screen when entering the Web (Annex III) (…) ”.


“Likewise, the web *** URL.2, also owned by the Company, redirects users
who want to contact the owner of the page to the contact form of the Web:
*** URL.1, which includes information on the processing of user data
(…) ”.


3.- This Agency was able to verify the following aspects on the page, *** URL.1:

    - Regarding the processing of personal data on the website, it was found that
        Through the website, users' personal data could be obtained. On

        said page there was a message that informed users of the following:
        “Your email address is only used to send you our catalog.
        go and inform you about our personalized packaging services for em-

        dams. You have the right to contact us to remove
        your data from our records ”.



    - It was found that in the “Privacy Policy”, *** URL.4, which provided information
        training on compliance with current legislation on the protection of
        tion of data.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/19









    - About the "Cookies Policy" of the website, when entering the main page
        of the web, without taking any action on it and without accepting the use of

        cookies, unnecessary cookies were used. It was also proven
        that no banner was displayed with information on the use of

        these.


    - In the second layer, "Cookies Policy", *** URL.5, provided information
        information on cookies, but there was no mechanism that would allow the

        chazo of the same, only the user was sent to configure the
        browser installed on your terminal equipment.



4.- On the web page, *** URL.2, this Agency was able to verify the following aspects:
cough:

    - About the processing of personal data, through the tabs,

        << examples of psycho packaging >>, and << online digital printing >>, the web
        redirected to pages where personal data could be collected.


    - About the "Privacy Policy" of the website, *** URL.6, when accessing it,

        the following message appeared: “Could not find the page that
        you seek. It may have been removed, renamed or not even exist. "



    - About the "Cookies Policy" of the website, when entering the main page
        of the web, without taking any action on it and without accepting the use of
        cookies, unnecessary cookies were used. It was also proven

        that no banner was displayed with information on the use of
        these.



Through the link, *** URL.7, the web redirected to a new page with the following:
“The page you are looking for could not be found. It may have been removed
renamed or not even exist ”.

5.- Once the initiation agreement has been notified, the claimed entity, owner of the individual web pages
each, alleged, dated 12/11/20, among others, the following:


Regarding the website *** URL.1:

"On the consent given by users for the processing of their data
personal information, it is reported that Flexomed will eliminate the apartment

ted to which the Aepd refers at this point, (...), because, erroneously, it has been
including that information on that form and not on the registration form for the
newsletter also available on the web since the data collected through the form

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/19








Contact details are not treated for the purpose of sending the newsletter but only,
in order to answer requests for information or doubts indicated by users
rios through said form.

On the "Cookies Policy" of the website "of the Document, it is reported that the
The website does have a banner where information on the installation of cookies is provided,
attaching as Annex I a capture of said banner that appears on the web, where
It can be appreciated that the user is offered the possibility to accept, reject or confi-
set cookies. and is currently modifying the second layer of the Polí-
Cookies policy on your website to include clearer information (…).


In relation to the website *** URL.2:

Regarding this web address, the Aepd is informed that Flexomed did not have
knowledge of the publication of this website, since, only requested a worker

the company that will register the domain without having to do any other
management beyond this, worker who no longer provides his services to the company. East
In addition, and without any indications from the Company, he registered the domain *** URL.3,
in his own name, without informing Flexomed of this and while rendering services to the
herself.


In addition to registering in your name, in your last stage as a worker in the
Company, created and published the web page *** URL.2, by own decision, without having ins-
instructions for it by the Company and without informing it of this action, therefore
that the Company and its staff were unaware of the existence of said page until
moment in which the first of the Aepd notifications is received.


(…) Therefore, Flexomed wants to record before this body that it was not
aware that said website was created, far from it, enabled or published
since the indication that the former worker received by the Company was only that of
register the domain name.


(…) Notwithstanding the foregoing, the Company is currently in processes
to recover the ownership of the domains registered by the former employee and power
start with their management, complying, at all times, with the legislation
current status.


For the moment, the Company proceeds to implement the necessary legal texts (Avi-
so Legal, Privacy Policy and Cookies Policy) at *** URL.2, to guarantee
that the web complies with the regulations.

Likewise, said website will have the cookie notice in the same way as *** URL.1


Currently, Flexomed has initiated legal proceedings against the author of
the claim (…)

6.- On 02/20/21, by this Agency, checks are made on

the Privacy Policy and the Cookies Policy of the indicated web pages:

    - Regarding the web page, *** URL.1, it has been possible to verify the following as-
        pects:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/19









a) .- About the processing of personal data on the website:


It was found that through the website it was possible to obtain personal data from
users. Regarding the purpose of the data obtained in the form, the website indicated
ca which will be: "To be able to reply to the message you send me with this form
contact". However, there is also a message at the bottom of this page.
na, where the user is informed that: “your email address is only used
to send you our catalog and inform you about our personal packaging services

sonalizado for companies. You have the right to contact us
to delete your data from our records ”, there being no possibility of denying the
consent for this specific treatment.

At the bottom of the main page there is the following message: “subscribe to

our NEWSLETTER to keep up to date with all the news in our universe
of food packaging and packaging. [sibwp_form id = 4] - Your email address
nico is only used to send you our newsletter and information about the activities,
offers and communications from FLEXOMED. You can always use the link to give yourself
unsubscribe included in each newsletter in your email ”. However,
check that the form to subscribe to the "newsletter" is not active.


b) .- About the "Cookies Policy" of the website:

When entering the home page of the web, without taking any other action on it
and without rejecting cookies, it is verified that unnecessary cookies are used. In the

same initial page, when entering it, the banner with information about
cookies. In the same banner, there are the options to accept all cookies, re-
Chase all cookies and accept cookies in a granular way (preferences;
statistics and marketing. However, all of the options are pre-marked.
found in "accept cookies").


If you choose to reject all cookies except those strictly necessary, (<< only
use necessary cookies >>), it is verified that the website continues to use cookies
not necessary from the domains *** URL.1, Google.es and Google.com; youtube.com; dou-
bleclick.net, sibautomations.com.


On the "Cookies Policy" page, *** URL.5, which provides information on,
what cookies are and what they are used for; what information a cookie stores; what type
of cookies exist and identifies the cookies used by the website, both its own
such as those of third parties, the purpose they have and the time they will be active in the equipment
po terminal.


    - Regarding the web page, *** URL.2, the following has been found:


a) .- On the initial page of the website, the person responsible for it is identified as:
Flexomed; *** ADDRESS.1, *** LOCATION.1; (MURCIA) SPAIN.


b) .- On the processing of personal data on the web:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/19








However, through the tabs, << examples of psycho packaging >> and << printing
online digital sion >>, the web redirects to pages where data can be collected
personal data of the users.


c) .- About the "Privacy Policy" of the website:

Through the link, << Privacy Policy >>, existing on the main page, the
web redirects to a new page: *** URL.6, where the following message appears: “No
the page you are looking for could be found. It may have been removed, rename-

it gives or not even exist ”.

d) .- About the "Cookies Policy" of the website:

When entering the home page of the web, without taking any other action on it

and without rejecting cookies, it is verified that unnecessary cookies are used. In the
same initial page, when entering it, the banner with information about
cookies. In the same banner, there are the options to accept all cookies, re-
Chase all cookies and accept cookies in a granular way (preferences;
statistics and marketing. However, all of the options are pre-marked.
found in "accept cookies").


On the "Cookies Policy" page, *** URL.5, which provides the following message
heh: “Page not found. The page you are looking for could not be found. Can
to have been eliminated, renamed or not even exist ”.


7.- After receiving the allegations to the proposed resolution, it is verified
again the "Privacy Policy" and the "Cookies Policy" of the web pages,

noting in this last check the following questions:

A) .- Regarding the website, *** URL.1:


    - About the processing of personal data on the website:


1.- On the initial page, through the tab: <<contact>>, the web redirects to a form-

form where personal data of users are collected, such as name, telephone number,
phone or email.

On the same page where the form is located, there is also information about
bre, who is responsible for the processing of personal data; legitimation
that you have for the treatment of the data (consent); recipients and

rights that assist the user in relation to the processing of their personal data-
them.

Before being able to send the questionnaire, it is necessary to accept the privacy policy
marking the corresponding box: “_ I accept the << Legal Notice >> and the << Policy of

Privacy >> whose basic information appears below (…) ”.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/19








At the bottom of the main page, the user can subscribe to receive co-
Commercial communications of the entity: "_I wish to receive commercial communications
related to the products and services of FLEXOGRÁFICA DEL MEDITERAAÉ-

NEO, S.L. ".

There is also the possibility of subscribing to the entity's newsletter by filling in
the existing form at the bottom of the main page: Subscribe to our
NEWSLETTER to keep up to date with all the news in our universe of pa-
ckaging and food packaging <<send>>.


    - About the "Privacy Policy" of the website:


1.- Through the link << Privacy Policy >>, existing at the bottom of the form.
As previously indicated, the web redirects to a new page, *** URL.4, which provides

provides information on compliance with current legislation on the subject of
data protection; identification of the person responsible for data processing; the finali-
nature of data collection; the rights of users regarding the treatment of
your personal information; on the use of the web portal or on intellectual property, in-
among others.


    - About the "Cookies Policy" of the website:


1.- When entering the initial page of the indicated web (first layer), without making any
action on it and without rejecting cookies, it is verified that they are used

non-necessary third-party cookies, whose domain belongs to "youtube.com" and which are
the following: VISITOR_INFO1_LIVE; YSC and CONSENT

2.- On the same initial page, (first layer), the following banner is displayed with in-
cookie training:


 “We use cookies on our website to give you the most relevant experience re-
matching your preferences and repeat visits. By clicking "Accept", you agree to the use
                                 of ALL cookies ”.
                          << Cookie Settings >> --- <<accept>>


3.- If you choose to go to the cookie configuration panel, through the link,
<< set cookies >>, a cookie configuration panel is displayed where you can
den manage their use, in a granular way, by moving the cursor
from position <<off>> to position <<on>>, in the different groups of cookies
constituted: "Functional"; "Performance"; "Analytics" and "Others".


However, if you choose NOT to allow the use of cookies, leaving the cursors in
the position, <<off>>, it is verified that the web page continues to use third-party cookies
zeros not necessary and not now allowed by the user, whose domains belong to
they need to, "Google.com"; "Youtube.com" and "doubleclick.net" and which are the following:

1P_JAR; VISITOR_INFO1_LIVE; YSC; CONSENT; IDE and NID.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/19








4.- On the "Cookies Policy" page, whose link is at the bottom
of the page, << cookie policy >>, the web redirects to a new page, *** URL.5,
that provides information about what cookies are and what they are used for; what infor-

mation saves a cookie; what type of cookies exist and identifies the cookies used
liza the website, both its own and those of third parties (Google Analytics), the finali-
how long they have and how long they will be active in the terminal equipment. On how to manage
tion the installation of cookies on the terminal equipment, the web page refers the user to
configure the installed browser.


B) .- Regarding the website, *** URL.2:

It has been found that, when trying to access the page. *** URL.2, the web redirects
the user to the page, *** URL.1.



                            FOUNDATIONS OF LAW

                                     I.-Competition:

It is competent to resolve this procedure, regarding the privacy policy

and the treatment of the personal data of the users of the webs, the Director of the
Spanish Agency for Data Protection, in accordance with the provisions of art.
58.2 of the RGPD in art. 47 of LOPDGDD.

It is competent to resolve this procedure, regarding the cookie policy, the

Director of the Spanish Agency for Data Protection, in accordance with the
provided in art. 43.1, second paragraph, of the LSSI.

                                             II
The joint assessment of the documentary evidence in the procedure brings to

knowledge of the AEPD, a vision of the denounced action that has been
strapped in the facts declared proven above related, verifying that, as-
The privacy policy and the cookie policy had been modified after the initiation of
ation of the file and notification of the resolution proposal.

Upon receipt of the allegations to the proposed resolution, it is verified

Again, the "Privacy Policy" and the "Cookies Policy" of the web pages, consists of
taking in this last check the following questions:

a) .- Regarding the web page *** URL.1:

In relation to the processing of personal data carried out on the website, the website will
directs to a form where personal data of users are collected, such as the
name, phone or email. On the same page where the form is located,

There is also information about who is responsible for data processing
personal; the legitimacy that it has for the treatment of the data (the consent
to); the recipients and the rights that assist the user in relation to the treatment
storage of your personal data.

Before being able to send the questionnaire, it is necessary to accept the privacy policy

by checking the corresponding box.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/19









On the other hand, the user can subscribe to receive commercial communications
of the entity by checking the corresponding box, if you wish. There is also the

possibility of subscribing to the entity's newsletter, by filling in the existing form
Tente for this purpose.

In relation to the "Cookies Policy" of the website, it continues to be verified that:

    - When entering the home page of the web, without taking any other action on the

        itself and without rejecting cookies, unnecessary cookies are used.


    - The banner on cookies existing in the first layer does not inform the user of

        the use of third-party cookies, it is not reported that it will be displayed
        advertising related to preferences, based on the profile prepared from
        of the user's browsing habits.



    - If you choose to reject all cookies, in the control panel, leaving all
        the cursors in the <<off>> position, it is verified that the web page follows

        using non-necessary third-party cookies.


b) .- Regarding the website, *** URL.2,

It has been found that, when trying to access the page. *** URL.2, this one no longer

exists, redirecting the user to the page, *** URL.1.

                                              III
    - On the consent given by users for the treatment of their

        personal data, on the website *** URL.1.


In the last check that has been made of the web page, it has been possible to
verify that it allows collecting the consent of the user, individualized
for each of the purposes to which the entity will dedicate the data processing.


Article 6.1.a) of the RGPD, establishes that, “the treatment will only be lawful if the
interested party gave their consent to the processing of their personal data for
one or more specific purposes ”.


For its part, article 7 of the RGPD indicates, regarding consent, that:

"1. When the treatment is based on the consent of the interested party, the person in charge
must be able to demonstrate that he consented to the processing of his data
personal. 2. If the consent of the interested party is given in the context of a
written statement that also refers to other matters, the request for

Consent will be presented in such a way that it is clearly distinguishable from others
matters, in an intelligible and easily accessible way and using clear and simple language.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/19








Any part of the declaration that constitutes an infringement of the
this Regulation (…).


In relation to these two cited articles, the recital should be taken into account
(32) of the RGPD, as it indicates that:

“Consent must be given through a clear affirmative act that reflects a
manifestation of free, specific, informed, and unequivocal will of the interested party
accept the processing of personal data that concerns you ... Therefore, the

silence, checked boxes, or inaction should not constitute consent. The
Consent must be given for all processing activities carried out with the
same or the same ends. When the treatment has several purposes, the
consent for all of them ... "


Likewise, article 6.2 of the LOPDGDD indicates, on the treatment based on the
consent, that:

"two. When it is intended to base the processing of the data on the consent of the
affected for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them.


Therefore, the known facts about the processing of personal data by the
website, until the collection of personal data processing was modified
were constitutive of an infringement for violation of article 7 of the RGPD
mentioned.


For its part, article 72.1.c) of the LOPDGDD, considers very serious, for the purposes of
prescription, "Failure to comply with the requirements of article 7 of the RGPD".

This offense may be punished with a fine of a maximum of € 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
of a higher amount, in accordance with article 83.5.b) of the RGPD.

However, Article 58.2) of the RGPD provides that: “Each control authority
have all of the following corrective powers listed below: b)

sanction any person responsible or in charge of the treatment with warning when
the treatment operations have infringed the provisions of this
Regulation; (…); i) impose an administrative fine in accordance with article 83,
in addition to or instead of the measures mentioned in this section, according to the
circumstances of each particular case, therefore, the sanction that could

Corresponding would be a warning, without prejudice to what results from the instruction
of the present file, since in this case, it has not been verified that the defendant
has sent communications unrelated to the main purpose.

In accordance with these criteria, it is considered appropriate to impose a sanction on the defendant

of "warning", for the violation of article 7 of the RGPD, on the website of your
ownership, during the time that the collection of the consent of the
user in a generic way for all purposes of the processing of personal data.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/19








                                             IV
    - About the "Cookies Policy" of the website *** URL.1.



In the last check made on the website in question, and despite having
observed that the cookie policy of the same has been changed, it has become
to verify the following circumstances not in accordance with current regulations:

    - When entering the home page of the web, without taking any other action on the

        itself and without rejecting cookies, unnecessary cookies are used.


    - The banner on cookies existing in the first layer does not inform the user of

        the use of third-party cookies, it is not reported that it will be displayed
        advertising related to preferences, based on the profile prepared from
        of the user's browsing habits.



    - If you choose to reject all cookies, in the control panel, leaving all
        the cursors in the <<off>> position, it is verified that the web page follows
        using non-necessary third-party cookies.



Therefore, the facts presented suppose, on the part of the claimed entity, the
commission of the violation of article 22.2 of the LSSI, regarding the cookie policy
on its website, according to which:


“Service providers may use storage devices and
data recovery on recipients' terminal equipment, provided that
they have given their consent after it has been provided to them
clear and complete information on its use, in particular, on the purposes of the
data processing, in accordance with the provisions of Organic Law 15/1999, of 13

December, protection of personal data.

When technically possible and effective, the consent of the recipient to
accept the data processing may be facilitated by using the parameters
from the browser or other applications.


The foregoing will not prevent possible storage or access of a technical nature to only
in order to carry out the transmission of a communication over a communication network
electronic devices or, to the extent strictly necessary, for the provision of
an information society service expressly requested by the

addressee".

This offense is classified as "slight" in article 38.4 g), of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information has not been provided or the consent of the
recipient of the service in the terms required by article 22.2. ”, which may be

sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned
LSSI.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/19









After the evidence obtained in the preliminary investigation phase, and without prejudice to
Whatever results from the instruction, it is considered that the sanction should be

impose in accordance with the following aggravating criteria, established in art. 40 of
the LSSI:

    - The existence of intentionality, an expression that must be interpreted as equi-
        value to degree of guilt according to the Judgment of the Hearing

        National of 11/12/07 relapse in Appeal no. 351/2006, corresponding to
        the entity denounced the determination of a system for obtaining consent

        informed service that conforms to the mandate of the LSSI.


    - Period of time during which the offense has been committed, as it is the first
        mere claim of July 2020, (section b).



Based on these criteria, it is deemed appropriate to impose on the claimed entity
a penalty of 3,000 euros (three thousand euros), for the violation of article 22.2 of the
LSSI, regarding the cookie policy carried out on the website of its ownership.


                                             V
    - About the "Privacy Policy" of the web: *** URL.2


In the first checks carried out by this Agency, on the website, it was
verified that, through the tabs, << examples of psycho packaging >> and

<< online digital printing >>, the web redirected to pages where they could
obtain personal data. However, through the link << Privacy Policy >>,
that existed on the main page, the web redirected to a new page, where
reports that the page did not exist.


According to the allegations of the claimed entity, this web page was created and published
given by a former employee's own decision without having instructions from the company to
this, providing the complaints filed against the former employee for this reason. To
In view of the above, this web domain was redirected by Flexomed to the web
*** URL.1, permanently.


The known facts are constitutive of an infringement, for violation of article
13 of the RGPD, as the page where the information must be provided is not operational.
information to the interested party at the time of collection of their personal data.

For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of

prescription, “the omission of the duty to inform the affected party about the treatment of
your personal data in accordance with the provisions of articles 13 and 14 of the RGPD ”.

This offense may be punished with a fine of a maximum of € 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for the
of a higher amount, in accordance with article 83.5.b) of the RGPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/19









The balance of the circumstances contemplated in article 83.2 of the RGPD, with
Regarding the offense committed by violating the provisions of its article 13, it allows

set a final sanction of "warning", taking into consideration that the website
in question no longer exists, redirecting the user to the web page *** URL.1, and to the
corroborate the allegations that the website was created and published by decision of the
pia of an ex-employee without having instructions from the company to do so, providing the
complaints filed against the former worker for this reason.


                                            SAW
    - About the "Cookies Policy" of the website *** URL.2:


It has been found that, when trying to access the page. *** URL.2, this one no longer
exists, redirecting the user to the page, *** URL.1.


In accordance with the foregoing, by the Director of the Spanish Agency for
Data Protection,
                                       RESOLVES:


FIRST: SANCTION the entity FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L.,
with CIF .: B73447393, owner of the web pages: *** URL.1 and *** URL.2, for the
following offenses:

A) .- Regarding the web page *** URL.1:


.- With a sanction of "warning", for Infringement of article 7) of the RGPD, when rea-
lizar the collection of the consent of the users in a generic way, during the
time it was active on the website until its modification and adaptation to the
regulations in force.


.- With a penalty of 3,000 euros (three thousand euros), for violation of article 22.2) of
the LSSI, regarding the "Cookies Policy" of the website.

B) .- Regarding the web page *** URL.2:


.- With a sanction of "warning" for the violation of article 13) of the RGPD, res-
pect of the non-existence of privacy policy on its website, verifying that
there was a treatment of the personal data of the users, taking into account
tion, for the final imposition of the sanction, the allegations and the documentation
sitting by the entity denouncing that the web page had been created by an extra-

downloader without the consent of the company.

.- File this procedure with respect to the "Cookies Policy" of the page
web to verify, this Agency, that it no longer exists.

SECOND: REQUEST: the entity, FLEXOGRÁFICA DEL MEDITERRÁNEO, S.L.,

so that, within a month, counting from the notification of this resolution,
adapt the website of your ownership (*** URL.1), regarding the "Cookies Policy",
including the necessary information in the banner about cookies regarding the use-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/19








tion of third-party cookies, as well as preventing the use of cookies, does not need
sary until the user has not consented to its use.

SECOND: NOTIFY this resolution to the entity FLEXOGRÁFICA DEL
MEDITERRÁNEO, S.L., and the claimant on the result of the claim.

Warn the sanctioned person that the sanction imposed must be effective once it is
executive this resolution, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the Ad-
Public Ministries (LPACAP), within the voluntary payment period indicated in article

68 of the General Collection Regulation, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-
Upon entering the restricted account No. ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection in Banco CAIXABANK,
S.A. or otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
between the 1st and the 15th of each month, both inclusive, the deadline for making the vo-
luntario will be until the 20th day of the following or immediately subsequent business month, and if

between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of December 30-
of fiscal, administrative and social order measures, this Resolution is
will be made public, once it has been notified to the interested parties. The publication is made-
It will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection Agency on the publication of its Resolutions.

Against this resolution, which puts an end to administrative proceedings, and in accordance with
established in articles 112 and 123 of the LPACAP, the interested parties may interpose
ner, optionally, appeal for reconsideration before the Director of the Spanish Agency

of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly administrative contentious appeal before the
Contentious-administrative Chamber of the National Court, in accordance with the provisions
set out in article 25 and in section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the

or two months from the day following the notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the final resolution through administrative channels if the interested party
do manifests its intention to file a contentious-administrative appeal. Of being
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to

through any of the other records provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
trative within two months from the day following notification of this

resolution, would terminate the precautionary suspension.

Mar Spain Martí

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 19/19











Director of the Spanish Agency for Data Protection.















































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es