Excerpt
The AEPD warned a website for failure to provide precise information about the data processing in its privacy policy.
Our analysis
A citizen filed a complaint with the AEPD regarding the privacy policy of www.banderacatalana.cat, which was controlled by GRUP BC S.L. The complainant claimed that the policy did not comply with GDPR standards, specifically citing the lack of precise information regarding the purposes of processing, consent, and child consent as a legal basis for processing. Upon investigation, the AEPD confirmed that GRUP BC S.L had indeed violated Articles 13(1), 6(1)(a), and 8 of the GDPR. The AEPD found that the webpage's privacy policy did not provide sufficient information about the specific purposes of processing personal data and did not include proper provisions for obtaining consent or child consent as a legal basis for processing. Consequently, the AEPD issued a warning to the company for its non-compliance with GDPR standards.
Outcome
The GDPR violations by GRUP BC S.L were confirmed by the AEPD, who found that the webpage's privacy policy lacked the necessary precision required under Article 13(1), 6(1)(a), and 8 of the GDPR. As a result, the AEPD issued a warning to the company.
Parties
D.A.A.A. (Claimant) and Group BC S.L.
Case number
PS/00006/2019
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Establishes rules for processing personal data of children under the age of 16.