Spain: AEPD fines unnamed company €3,000 for data protection failures on its website
The Spanish data protection authority ('AEPD') published, on 18 May 2022, its decision in proceeding PS/00603/2021, in which it imposed a total fine of €3,000, subsequently reduced to €1,800, on an unnamed company, for violation of Articles 6(1) and 13 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Article 22(2) of the the Law No. 34/2002, of 11 July 2002, on Information Society Services and Electronic Commerce ('LSSI'), following a complaint by the entity, Zulmar Santamaría SL.
Background to the decision
In particular, the AEPD stated that it had initiated an investigation, on 10 January 2022, against the defendant in relation to the defendant's reported failure to provide information on its website regarding the identity of the controller of the website and the contact details of the same, as well as its failure to provide a privacy and cookies policy for website users. Furthermore, the AEPD specified that on the website, personal data could be obtained through a 'purchase form'.
Findings of the AEPD
Ultimately, the AEPD found the defendant in breach of Articles 6(1) and 13 of the GDPR as well as Article 22(2) of the LSSI and thereby imposed a total fine of €3,000 on the defendant, which was subsequently reduced to €1,800.
You can read the decision, only available in Spanish, here.