A.A.A v. Predase Servicios Integrales SL

€5,000 in fines

Excerpt

Predase Servicios Integrales SL was fined by the Spanish Data Protection Agency (AEPD) for breaching Article 13 of the GDPR. The company was found to be non-compliant as it did not have a privacy policy and failed to provide any information on data processing in the contact section of its website, which required users to provide their personal data.

Our analysis

Predase Servicios Integrales SL (PSI) was found to have used a deceptive pattern of hidden information on its webpage. Although the site included a section where interested parties could provide personal information, such as address and telephone number, PSI failed to provide a privacy policy or information on data processing in accordance with Article 13 of the GDPR. PSI attempted to justify this by claiming that the contact form was not operational and that an email address was provided instead. However, the Spanish DPA encountered errors when attempting to access the website during its investigation, making it impossible to verify this claim. The Spanish DPA held that the lack of a privacy policy or information on data processing, regardless of the non-operational contact form, violated Article 13 GDPR and Article 11 of the Spanish Law on Data Protection and Digital Rights (LOPDGDD) on the provision of information to data subjects.

Outcome

Predase Servicios Integrales SL was found guilty of violating Article 13 of the GDPR, resulting in a fine of €5,000 imposed by the Spanish DPA.

Parties

A.A.A (claimant) v. Predase Servicios Integrales SL

Case number

PS/00062/2020

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
