In April 2022, the Spanish data protection supervisory authority – Agencia Española de Protección de Datos (AEPD) – issued several fines and in this article, we will review four decisions totaling 178,000 euros.
What and why is the AEPD issuing fines?
In Decisions 482, 483, and 603, the AEPD issued fines for unlawful processing of personal data, lack of information about the processing of personal data and placement of cookies on data subjects’ terminals without their consent.
“This website uses own and third-party cookies to offer you a better service. If you continue browsing, we consider that you authorize their use”
According to the AEPD, the banner lacked: a) Mention of the person responsible for the website; b) Description of the cookies used in the website and their purpose; c) Description of categories of personal data when profiles were created; and d) Buttons or settings to accept, reject or customize cookies.
Additionally, the authority found that the website lacked a policy informing about third-party cookies, the time that cookies remained in users’ terminals and the type of cookies used.
In Decision 603, the AEDP fined the company for the same breaches already mentioned in Decision 482. However, the authority also found that a form within the website used by customers to place orders lacked a tick-box or other means to enable data subjects to provide a clear affirmative action of having agreed to the processing of their personal data.
Decision 476 involves a complaint against an electricity service provider for having modified a contract without the customer’s consent, which resulted in an increase in the electricity supply. During the investigation, the authority determined that the amendment to the contract was the result of a request from an individual impersonating the customer.
The company claimed to have acted in strict accordance with the established protocol for contractual amendments. However, the security protocol was based on data that may be known by third parties such as ID number, name and surname, telephone number and address. As a result, the AEPD concluded that the electricity provider’s protocol lacked an appropriate security level to ensure the processing of personal data as per Art.32, GDPR resulting in a contractual amendment without the data subject’s consent.
Lessons learned from the AEPD fines
Cookie banners. Controllers using non-essential cookies must gather data subjects’ consent. The consent should be a freely given, specific, informed and unambiguous affirmative action by data subjects. For consent to be informed regarding cookies, controllers must provide details about their trackers by means such as cookie banners and policies. The AEDP recommends displaying buttons enabling data subjects to accept, reject or customize cookies with the same level of ease.
Cookies interaction. Non-essential cookies should not be placed on data subjects’ terminals without their consent. In addition, they should not be triggered based on users’ interactions with the website (e.g., scrolling or mouse movement).
Customer verification. The obligation of controllers and processors to implement appropriate technical and organizational measures should be reflected in procedures such as the verification of customers‘ identities. The measures should take into consideration the state of the art, costs of implementation, and nature, scope, context, and purposes of the processing.