Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines NH Hotel €10,000 for LSSI violation

On April 1, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00490/2023, in which it imposed a fine of €10,000, subsequently reduced to €8,000, on NH Hotel Group SA (NH Hotel) for violation of the Information Society Services and Electronic Commerce (LSSI), following an investigation.

Background to the decision

The AEPD stated that on December 12, 2023, it inspected cookies deployed on the NH Hotel website when accessing it for the first time, clearing browsing history, and prior to providing consent. The AEDP added that it also reviewed the information provided on the cookie banner in the first layer, the cookie information provided in the second layer, and the possibility of modifying consent preferences at a later stage.

In particular, the AEPD identified that with the acceptance of cookies that are not technical or necessary, the website continues to deploy the same cookies as at the beginning of the session.

Furthermore, the AEPD explained that to refuse consent to unnecessary cookies, the user is required to go into 'settings,' where cookie groups are automatically marked in the 'off' position, and that there is only one button 'Yes, I accept.' The AEPD clarified that in this case as well the website continues to deploy the same cookies as at the beginning of the session.

Findings of the AEPD

The AEDP determined that the deployment of certain Google Analytics cookies, as well as several other types of cookies detected on the NH Hotel Group website, is not strictly necessary for the functioning of the website. However, the AEPD identified that Google reCAPTCHA is a necessary cookie of a technical nature, set up to provide risk analysis, and therefore, does not require consent from the user for its deployment. 

Following this, the AEPD held that by not collecting consent of the user, prior to the deployment of the aforementioned cookies, by rendering impossible the rejection or management of cookies in a granular way and withdrawal of consent once given, NH Hotel infringed Article 22(2) of the LSSI.


In light of the above, the AEPD imposed a fine of €10,000, which was subsequently reduced to €8,000 owing to NH Hotel's voluntary payment of the fine.

You can read the decision, only available in Spanish, here.