Spain: AEPD fines unnamed company €3,000 for data protection failures on its website 

The Spanish data protection authority ('AEPD') published, on 18 May 2022, its decision in proceeding PS/00603/2021, in which it imposed a total fine of €3,000, subsequently reduced to €1,800, on an unnamed company, for violation of Articles 6(1) and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article 22(2) of the Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce ('LSSI'), following a complaint by the entity, Zulmar Santamaría SL.

Background to the decision 

In particular, the AEPD stated that it had initiated an investigation, on 10 January 2022, against the defendant in relation to the defendant's reported failure to provide information on its website regarding the identity of the controller of the website and the contact details of the same, as well as its failure to provide a privacy and cookies policy for website users. Furthermore, the AEPD specified that on the website, personal data could be obtained through a 'purchase form'.

Findings of the AEPD

Notably, the AEPD found the defendant in breach of Article 6(1) of the GDPR for processing personal data unlawfully in connection with the purchase form on its website, as it had failed to obtain website users' consent prior to processing their personal data. Additionally, the AEPD found the defendant in breach of Article 13 of the GDPR for failure to put in place a privacy policy on its website. Furthermore, the AEPD noted that the website had neither a mechanism that allowed users to reject cookies that are not technical or necessary, nor a cookie policy informing users of the necessary characteristics of the cookies used. As such, the AEPD also found the defendant in breach of Article 22(2) of the LSSI.


Ultimately, the AEPD found the defendant in breach of Articles 6(1) and 13 of the GDPR as well as Article 22(2) of the LSSI and thereby imposed a total fine of €3,000 on the defendant, which was subsequently reduced to €1,800.

You can read the decision, only available in Spanish, here