Excerpt
The DPA imposed a fine on a website because the web pages where personal data are requested do not provide information on the company’s privacy policy.
Our analysis
ORI, S.L. faced a complaint filed by a data subject for non-compliance with GDPR regulations, specifically the lack of a privacy policy on their website. The website had multiple forms that collected personal data, but at least five of these forms did not provide information on the company's privacy policy. The DPA determined that this constituted an infringement of Article 13 GDPR, as defined in Article 83.5 GDPR, and initiated a sanctioning procedure. The resulting fine was 1,200€, imposed in accordance with the criteria outlined in Article 83.2 GDPR. The data controller was given one month to adopt appropriate measures to bring their actions into compliance with data protection regulations, including notifying the Agency of their efforts.
Outcome
The initial fine was set at 2,000€. However, the responsible party acknowledged their mistake within the given timeframe, which led to a 20% reduction in the sanction, resulting in a fine of 1,600€. They also opted for voluntary payment of the penalty, which allowed for an additional 25% reduction, bringing the total amount to 1,200€. The case was ultimately closed after the responsible party agreed to withdraw any administrative action or appeal against the sanction.
Parties
D.A.A.A. (Data Subject) and ORI, S.L.
Case number
PS-00289-2022
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.
Outlines conditions for fines and penalties for non-compliance, including up to 4% of global annual revenue or €20 million, whichever is greater.