AEPD (Spain) - PS/00410/2019

From GDPRhub
Revision as of 16:07, 26 June 2020 by Miguel Garrido de Vega (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00410/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
22(2) Spanish Law on Information Society Services
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 15.06.2020
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: PS/00410/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

15 June 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 3,000 € on Garantiza Automoción, S.L. for the infringement of its information duties related to cookies, as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the GDPR.

English Summary

Facts

The decision is the consequence of a complaint submitted by a Spanish citizen stating that the defendant does not comply with its information duties in relation to the cookies used at one of its websites.

Dispute

The defendant did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure. During its investigations, the AEPD discovered that (i) on the basic layer of the website, there is no banner informing on the use of cookies, although both cookies by the defendant and by third parties are automatically installed, that (ii) on the detailed layer of the website, there is a Cookies Policy providing generic information, but there is no way to manage such cookies by the user.

Holding

Thus, the AEPD understood that the defendant has infringed its information duties in relation to cookies as per Article 22(2) LSSI, according to which, digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws. Consequently, after considering some aggravating circumstances [(i) the existence of intentionality, and (ii) the period of time the defendant has been infringing its duties taking into account that the claim is dated September 2018], the AEPD decided to impose a fine of 3,000 € to the defendant. Additionally, the AEPD requires the defendant to correct the situation on the cookies use at the website in the period of one (1) month since this resolution.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 Procedure No.: PS / 00410/2019938-051119RESOLUTION OF PENALTY PROCEDUREIn the sanctioning procedure PS / 00410/2019, instructed by the Spanish Agency ofData Protection, before entity GARANTIZA AUTOMOCIÓN, SL with CIF:B87149001, owner of the websites www.garantiza.net and www.garantizaautomocion.com ,(hereinafter, "the entity claimed"), for alleged violation of Law 34/2002, of 11July, of services of the information society and electronic commerce (LSSI),and based on the following,BACKGROUNDFIRST: dated 09/19/18, AAA (hereinafter “the claimant”), presented a writtenbefore the Spanish Agency for Data Protection, in which, among others, it denounced:"On the website of the entity claimed there is a breach of dutyinformation on the cookie policy "."SECOND: In view of the facts set forth in the claim and the documentscontributed by the claimant, the General Sub-Directorate for Data Inspection proceededto carry out actions for its clarification, under the protection of investigative powers.tion granted to supervisory authorities in Article 57.1 of Regulation (EU)2016/679 (RGPD). Thus, with dates of 10/16/18, and 10/31/18, an information request is addressedMative to the claimed entity.THIRD: According to the certificate from the Electronic Notifications and Management ServiceElectronic Enabled, the request sent to the claimed entity, dated10/16/18, through the Notific @ service, was rejected, dated 10/27/18.According to a certificate from the Sociedad Estatal de Correos, the notification sent to the companydata claimed, dated 10/31/18, through the SICER service, at the address: C /PERU 8, OFFICE 49 (28290 LAS ROZAS, MADRID), was delivered on 11/06/18,being the receiving person BBB. *** NIF . 1 .FOURTH: On 10/31/18 an analysis of the website www.garanti- has been analyzedzaautomocion.com , confirming that said page does not install cookies.On 10/31/19, an analysis of the website http://www.garantiza.net ,checking that:a) .- When accessing the main page, (first layer), it is verified that noThere is no banner that informs about the installation and management of cookies,although if it is verified that own and third-party cookies are installed whenbrowse the website.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/5b) .- There is a link at the bottom of the web page that accesses the "Cookies". If accessed, it provides information on what they are and the useCookies on the web, the type, purpose and operation of cookies in generalral, but there is no mechanism to manage them.FIFTH: On 12/02/19, the Director of the Spanish Agency for the Protection ofData agreed to initiate a sanctioning procedure against the owner of the website claim-mada, by virtue of the powers established in article 43.1 of the LSSI, setting ainitial penalty of 3,000 (three thousand euros), without prejudice to what will result inof the instruction of the procedure, and requiring the owner of said page that: “ forthat you take the appropriate measures to include on the website of your ownership(www.garantiza.net), information about the cookies that are installed and a mechanismthat allows managing the configuration of cookies ”.SIXTH: On 12/13/19, the opening of the file was notified to the entity claimingMada, who has not submitted to this Agency, any brief or allegation, within thethe period granted for this purpose.PROVEN FACTS1.- If you access the website www.garantiza.net, as of 10/31/19, you can obtainserve that:a) .- In the first layer of the web page, there is no type of banner thatreport on the installation and management of cookies, although if it is verified thatown and third-party cookies are installed when browsing the website.b) .- In the second layer, accessible through the link "Cookies Policy",provides information on what they are and the use of Cookies by the web, thetypology, purpose and functioning of cookies in a generic way but notThere is no mechanism that enables their management.FUNDAMENTALS OF LAWIIn accordance with the provisions of art. 43.1, second paragraph, of the Law34/2002, of July 11, on Services of the Information Society and CommerceElectronic (LSSI), is competent to initiate and resolve this Sanction Procedure-dor, the Director of the Spanish Agency for Data Protection.IIIn the present case, on the website www.garantiza.net , it does not exist, in the firstlayer, no banner that reports the use of cookies. There is also no possibilitylity to "accept", "reject" and / or "configure cookies" in this first layer. In theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/5At the bottom of the page there is a link to the "Cookies Policy". If you access saidpage, some information about cookies is offered, but there is no panel thatenable its management and configuration.IIIThe exposed facts suppose, on the part of the entity claimed, the commission of theinfringement of article 22.2 of the LSSI, according to which: “The service providersmay use data storage and recovery devices on computersterminals of the recipients, provided that they have given their consentafter they have been provided with clear and complete information about theiruse, in particular, for the purposes of data processing, in accordance with theprovided in Organic Law 15/1999, of December 13, on the protection of data frompersonal character.When technically possible and effective, the recipient's consent toAccepting the data processing may be facilitated by using the parametersbrowser or other applications.The foregoing shall not prevent possible storage or technical access to the solopurpose of transmitting a communication over a communication networkelectronic or, to the extent strictly necessary, for the provision ofan information society service expressly requested by the recipient-River.This Infringement is classified as mild in article 38.4 g) of the aforementioned Law, whichconsiders as such: “Use data storage and recovery deviceswhen the information has not been provided or the consent of the destination has been obtainedcustomer of the service in the terms required by article 22.2. ”, and may be sanctionednothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.IVIn accordance with the provisions of article 39.1. c) of the LSSI, minor infractions canwill be sanctioned with a fine of up to € 30,000, establishing the criteria for itsgraduation in article 40 of the same standard.After the evidence obtained in the preliminary investigation phase, and without prejudice towhatever results from the instruction, it is considered that the sanction should be graduatedner in accordance with the following criteria established by art. 40 of the LSSI:- The existence of intentionality, an expression to be interpreted asequivalent to the degree of guilt according to the Hearing Judgmentcia Nacional of 12/11/2007 relapse in Resource no. 351/2006, correspondinggiving the denounced entity the determination of a obtaining systeminformed consent that is in accordance with the LSSI mandate.- Period of time during which the offense has been committed, as it is theclaim of September 2018, (section b).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/5In accordance with these criteria, it is considered appropriate to impose on the entity claimeda penalty of 3,000 euros (three thousand euros).Having seen the aforementioned precepts and others of general application, the Director of the AgencySpanish Data Protection.RESOLVESFIRST: TO IMPOSE the entity GARANTIZA AUTOMOCIÓN, SL with CIF:B87149001, owner of the websites www.garantiza.net , a penalty of 3,000 euros (threethousand euros), for violation of article 22.2) of the LSSI Law, typified as “slight” in theArticle 38.4.g) of the aforementioned Law.SECOND: REQUIRE the entity GARANTIZA AUTOMOCIÓN, SL so that, inwithin one month of this act of notification, proceed to take the appropriate measureswhen to adapt your website to the provisions of article 22.2 of the LSSI, towhich may follow the recommendations published by this AEPD, in its “So-bre Use of Cookies ”, November 2019.THIRD: NOTIFY this resolution to the entity AUTOMOTIC GUARANTEE-CIÓN, SL and the claimant on the result of the claim.Warn the sanctioned that the sanction imposed must be effective once it isexecutive this resolution, in accordance with the provisions of article 98.1.b)of law 39/2015, of October 1, of the Common Administrative Procedure of the Ad-Public ministries (LPACAP), in the period of voluntary payment indicated in the article68 of the General Collection Regulation, approved by Royal Decree 939/2005,of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-by entering the restricted account no. ES00 0000 0000 0000 0000 0000, openedon behalf of the Spanish Agency for Data Protection at CAIXABANK Bank,SA or otherwise, will be collected in the executive period.Notification received and once executive, if the date of enforcement is foundbetween the 1st and 15th of each month, both inclusive, the deadline for making the vo-luntary will be until the 20th of the following month or immediately the next business day, and ifbetween the 16th and last day of each month, both inclusive, the payment termIt will be until the 5th of the second following month or immediately following business.In accordance with the provisions of article 82 of Law 62/2003, of December 30,On fiscal, administrative and social order measures, this Resolution iswill make public, once the interested parties have been notified. The publication is made-will be in accordance with the provisions of Instruction 1/2004, of December 22, of the AgencySpanish Data Protection on publication of its Resolutions.Against this resolution, which ends the administrative route, and in accordance with theestablished in articles 112 and 123 of the LPACAP, the interested parties may interpo-ner, optionally, appeal for reversal to the Director of the Spanish AgencyData Protection within a month from the day after the notificationfication of this resolution, or, directly administrative contentious appeal before theContentious-Administrative Chamber of the National Court, in accordance with the provisionsC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/5set forth in article 25 and section 5 of the fourth additional provision of the Law29/1998, of 07/13, regulating the Contentious-Administrative Jurisdiction, in thetwo months from the day after notification of this act, according tothe provisions of article 46.1 of the aforementioned legal text.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,may provisionally suspend the final resolution in administrative proceedings if the interested-do express your intention to file a contentious-administrative appeal. Of beingIn this case, the interested party must formally communicate this fact in writing.addressed to the Spanish Agency for Data Protection, presenting it through the Re-Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], orthrough any of the remaining records provided in art. 16.4 of the aforementioned Law39/2015, of October 1. You must also transfer the documentation to the Agencythat proves the effective filing of the contentious-administrative appeal. If theAgency had no knowledge of the filing of the contentious-administrative appealtreatable within two months from the day following notification of thisresolution, would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection