The Spanish Data Protection Authority (AEPD) has condemned Facebook Inc. to the payment of a sanction of 1,200,000 Euros for the existence of two serious and one very serious infringements of Data Protection Law.

According to the Agency, Facebook treats personal data for advertising purposes without express consent of the data subjects and does not erase the data after the completion of the purpose. Furthermore, sensitive data like sexual orientation, believes and personal tastes are collected with the interaction of third party web pages without informing the users of the processing of their personal data nor on the purpose. This last infringement was classified by AEPD as very serious since the collection and use of sensitive data, which require special protection, was abused and performed in a way that did not grant adequate protection to the Facebook users.

The Agency has also verified, during the investigations, that users are not informed on the way their data is processed through the use of cookies when browsing non-Facebook pages including the link to Facebook “Like” option. This last scenario, involves also users who do not have a Facebook account but have only visited the Facebook page and users who have an account but visited the page without logging-in to it. Further to this, AEPD remarked that the Facebook Privacy Policy provides generic and unclear content and it is not easily accessible to the users who are not facilitated in having clear and complete information on the use of their personal data.

The investigations were part of a joint effort of the Data Protection Authorities of: Belgium, France, Hamburg and the Netherlands. We remind that Facebook was already sanctioned by the French Data Protection Authority in May to a 150 Million Euros fine for multiple breaches of the Data Protection Law.