Excerpt
Marbella Resorts was fined by the Spanish DPA for not having a data processing agreement with the processor and for violating the Spanish Law on cookies by placing unnecessary cookies without user consent.
Our analysis
The complaint was submitted by a data subject to the Spanish DPA (AEPD), stating that their ID card, together with other personal information, had been found on an adult website after they had stayed as a guest in one of the chain's hotels. The data subject also submitted an access request to the hotel, which revealed that an employee of the building's owners association had scanned their ID card because the reception desk was closed.

Upon further investigation, the AEPD found that Marbella Resorts' website displayed a cookie banner that did not provide sufficient information about the use of cookies and did not allow users to refuse consent to unwanted cookies. In addition, the hotel chain set unnecessary cookies before obtaining consent, in breach of Article 22 of the Spanish Law implementing the e-Privacy Directive (LSSI). The AEPD also found that Marbella Resorts had breached Article 28(3) GDPR, since the hotel chain had no data processing agreement with the building's owners association governing the processing of personal data.

The use of deceptive patterns, specifically the lack of transparency in the cookie banner and the setting of unnecessary cookies without clear user consent, was a significant factor in the AEPD's decision to fine Marbella Resorts. Forcing users to accept cookies without sufficient information, and without the ability to reject unwanted cookies, is a clear example of a deceptive pattern and breaches both Article 5(3) of the e-Privacy Directive and Article 22(2) of the LSSI. The lack of transparency and user control in cookie consent mechanisms is a significant concern for data protection authorities, as it can lead to the misuse of personal data.
Outcome
The controller was fined €7,000 by AEPD, which was reduced to €4,200 after early and voluntary payment, for violating Article 28(3) GDPR and Article 22 of the Spanish Law implementing the e-Privacy Directive (LSSI). The infringements included improper information about the use of cookies and placing unnecessary cookies without consent, without the option of individually rejecting them.
Parties
Ms. AAA (Claimant) and Marbella Resorts
Case number
PS/00151/2021
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
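The two failures the AEPD identified, non-essential cookies set before any consent and a banner with no way to reject them individually, both come down to the consent layer not gating cookie writes. The following is an added example, not code from the decision or from Marbella Resorts' website, of a small consent-gated cookie store and a pre-consent audit helper. All names (`createConsentStore`, `recordConsent`, `setCookie`, `auditPreConsentCookies`, the cookie names in the sample) are assumptions chosen for illustration; the store stands in for `document.cookie` so the logic runs outside a browser.

```javascript
// Added example: a consent-gated cookie store (hypothetical design, not the site's code).
// Categories other than "necessary" require an explicit, per-category decision
// before any cookie in that category can be written (no bundled consent).
const CATEGORIES = ["necessary", "analytics", "marketing"];

function createConsentStore() {
  return {
    consent: { necessary: true },   // strictly necessary cookies never need consent
    consentRecordedAt: null,        // null until the user has made a choice
    cookies: [],                    // cookies actually written
    violations: [],                 // attempted writes that were refused
  };
}

// Record the user's choice. Every non-necessary category must be decided
// individually, so a banner cannot silently grant everything at once.
function recordConsent(store, choices) {
  for (const category of CATEGORIES) {
    if (category === "necessary") continue;
    if (typeof choices[category] !== "boolean") {
      throw new Error(`no explicit decision for category "${category}"`);
    }
    store.consent[category] = choices[category];
  }
  store.consentRecordedAt = new Date().toISOString();
  return { ...store.consent };
}

// A "reject all" control is as easy to use as "accept all".
function rejectAll(store) {
  return recordConsent(store, { analytics: false, marketing: false });
}

// Write a cookie only if its category is currently consented to. Refused writes
// are logged with the reason, which doubles as evidence for a compliance review.
function setCookie(store, name, category, value) {
  if (!CATEGORIES.includes(category)) {
    throw new Error(`unknown cookie category "${category}"`);
  }
  if (!store.consent[category]) {
    store.violations.push({
      name,
      category,
      reason: store.consentRecordedAt === null ? "before-consent" : "rejected",
    });
    return false;
  }
  store.cookies.push({ name, category, value });
  return true;
}

// Audit helper: given cookies observed on first page load (before any banner
// interaction) and the allow-list of strictly necessary cookie names, return
// the names that should not have been set yet.
function auditPreConsentCookies(observedCookies, necessaryNames) {
  return observedCookies
    .filter((cookie) => !necessaryNames.has(cookie.name))
    .map((cookie) => cookie.name);
}

// Constructed sample of cookies seen on a first visit (names are invented).
const SAMPLE_FIRST_LOAD = [
  { name: "session_id", value: "abc" },
  { name: "_analytics_visitor", value: "123" },
  { name: "ad_tracker", value: "xyz" },
];
const NECESSARY_NAMES = new Set(["session_id"]);

function demo() {
  const store = createConsentStore();
  setCookie(store, "session_id", "necessary", "abc");          // allowed
  setCookie(store, "_analytics_visitor", "analytics", "123");  // refused: no consent yet
  rejectAll(store);
  setCookie(store, "ad_tracker", "marketing", "xyz");          // refused: rejected
  recordConsent(store, { analytics: true, marketing: false }); // granular change of mind
  setCookie(store, "_analytics_visitor", "analytics", "123");  // now allowed
  return {
    written: store.cookies.map((c) => c.name),
    refused: store.violations.map((v) => `${v.name}:${v.reason}`),
    audit: auditPreConsentCookies(SAMPLE_FIRST_LOAD, NECESSARY_NAMES),
  };
}
```

The audit helper is the check a reviewer would run against a real site: load the page in a fresh profile, list the cookies present before touching the banner, and compare them with the documented list of strictly necessary cookies. Anything left over is the "unnecessary cookies without consent" finding from this decision.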
Related laws
Outlines data processors' responsibilities, including implementing appropriate security measures, processing data based on controller instructions, and maintaining records of processing activities.
Requires informed consent for the use of data storage and retrieval devices, unless they are strictly necessary for service provision, and mandates clear information provision for such use.