Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines MyHeritage €16,000 for LSSI violation

The Spanish data protection authority ('AEPD') published, on 4 January 2022, its decision in proceeding PS-00475-2021, in which it imposed a fine of €20,000 on MyHeritage Ltd., which was subsequently reduced to €16,000, for the provision of insufficient information on its website's cookie policy, resulting in a violation of Article 22.2 of Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce ('LSSI'), as well as a warning for the violation of Article 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Background to the decision

In particular, the AEPD initiated a sanctioning procedure against MyHeritage, following a complaint by the Organisation of Consumers and Users ('OCU') which indicated a series of potential breaches of data protection regulations by MyHeritage, who are responsible for offering genealogical services, including DNA analysis and comparisons. The complaint was subsequently forwarded to MyHeritage, and following lack of response, the AEPD decided, on 30 November 2020, to process said claim.

Findings of the AEPD

After assessing MyHeritage's practices with regards to the potential breaches indicated by OCU, the AEPD found that there have been deficiencies regarding the website's cookie policy, including the fact that the website uses non-necessary cookies, does not provide the possibility of rejecting cookies, and the cookie policy does not identify the cookies used, hence breaching Article 22.2 of the LSSI.

Additionally, the AEPD found that MyHeritage omitted two pieces of information in its privacy policy; i.e. the possibility of exercising the right to data portability and the right to file a claim with the supervisory authority, which resulted in a violation of Article 13 of the GDPR.


As a result of the cookie violation, the AEPD fined MyHeritage €20,000, which was subsequently reduced to €16,000 following use of two reductions for the voluntary payment of the fine, and imposed a warning for the infringement of Article 13 of the GDPR.

You can read the decision, only available in Spanish, here.