In order to provide data subjects with the required information for transparency purposes under article 13 GDPR, the company implemented a 2-layer approach:
In the second layer, VUELING provided more information to their website users mentioning the following:
- A description of what cookies are;
- Information on which cookies are used on the website;
- Information to the website users according to which VUELING could use beacons, Pixel tags, and local storage for the purposes of statistical evaluations over anonymous data, and to guarantee the continuity of the services offered through their website for their own purposes or through third party websites;
- The option for website users to configure the cookies according to their preferences within their browser settings; and,
According to the Spanish DPA, by using this approach, VUELING violated article 22.2 of Law 34/2002 of 11 of July on Information Society Services and Electronic Commerce. This provision requires for the consent of the data subjects to be provided for the storage and recovery of data in terminal equipment, in line with the requirements of European data protection law. Furthermore, this same article (22.2) classifies the infraction as a minor infraction under article 38.4 lit. g) of the same law. Such minor sanction according to the respective article may be estimated in up to 30.000€.
Therefore, when establishing the sanction, the Spanish DPA considered the following -in line with article 40 of Law 34/2002-:
- The existence of intention interpreted as guilt according to Spanish case law as the company had to obtain consent from the data subjects;
- The timeframe in which the infraction was committed, considering that the complaint was filed on January 2019;
- The nature and amount of the damages in relation to the volume of users affected by the infraction;
- The benefits obtained from the infraction in relation to the users affected by it; and,
- The turnover of the company.
The sanction was reduced to 18.000 € – a 20%- as article 85 of Law 39/2015 of Common Administrative Procedure considers the possibility of a reduction of the fine whenever the perpetrator has accepted responsibility for the infraction thus resulting in the termination of the administrative procedure. Therefore, VUELING paid a total of 18.000€ on September 24th, 2019 bringing the procedure to an end.
Contrast with CJEU ruling Planet49 Case C-673/17
Due to the complexities of acquiring appropriate consent for marketing purposes from website users, we look forward to seeing more interpretations by the Data Protection Authorities which further develop consent for the use, storage or access of cookies in terminal devices under the GDPR.
 Sentencia de la Audiencia Nacional de 12/11/2007 recaída en el Recurso núm. 351/2006
 Recital 32 GDPR: “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. 2This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. 3Silence, pre-ticked boxes or inactivity should not therefore constitute consent. 4Consent should cover all processing activities carried out for the same purpose or purposes. 5When the processing has multiple purposes, consent should be given for all of them. 6If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”