D.A.A.A. (Claimant) v. Happy Friday, SL

€ 1500 in fines


A controller was fined by the AEPD for inadequate cookie information on its website, including a lack of information on tracking cookies and a vague cookie policy without an easy uninstall tool.

Our analysis

The case involves a complaint of non-compliance regarding the processing of personal data and the use of cookies on a company's website. The complainant alleged that employees could access all types of personal data, regardless of their tasks, without using login credentials or passwords. The complainant also claimed that the company's website did not provide adequate information regarding the use of cookies. The first pop-up banner did not inform users about the existence of tracking cookies, and the full cookie policy was vague and did not provide an easy way to uninstall cookies. The Spanish data protection authority (AEPD) was tasked with investigating the complaint and assessing whether the processing was safeguarded with appropriate technical and organisational measures. The AEPD also had to verify whether the controller had respected the Spanish implementation of the ePrivacy Directive and had provided clear and complete information on the use of cookies. After a thorough investigation, the AEPD found that some of the complainant's statements were not accurate. The company had improved its security measures by limiting employees' access to personal data and resources required to carry out their tasks. Printed manuals and personal data were stored in locked filing cabinets, and access to the office was only allowed to authorised personnel. However, the AEPD did find that the company's website was not compliant with Article 22(2) of the Spanish ePrivacy Directive. The first layer of the pop-up notification did not provide sufficient information for users to understand the use of cookies. Phrases like "improve our services" were not descriptive enough to inform users about the types of cookies used. The second layer of the cookie policy did not describe the types of cookies used or provide information about their sources (first or third-party). Additionally, there was no tool to manage cookies in a granular way. As a result of these findings, the AEPD determined that the company had violated Article 22(2) of the Spanish ePrivacy Directive and imposed appropriate sanctions.


Following an investigation into a complaint of general non-compliance regarding processing, the AEPD found that some statements were no longer accurate in terms of appropriate technical and organisational measures. However, they found a violation of Article 22(2) of the LSSI with regards to the Cookie Policy. As a result, the case was partly upheld, and a fine of €1500 was imposed on the controller.


D.A.A.A. (Claimant) and Happy Friday, SL

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us