D.A.A.A. (Data Subject) v. ORI, S.L.

€1,200 in fines


The DPA imposed a fine on a website as the web pages where personal data are requested, do not provide information on the company’s privacy policy.

Our analysis

ORI, S.I. faced a complaint filed by a data subject for non-compliance with GDPR regulations, specifically the lack of a privacy policy on their website. The website had multiple forms that collected personal data, but at least five of these forms did not provide information on the company's privacy policy. The DPA determined that this constituted an infringement of Article 13 GDPR, as defined in Article 83.5 GDPR, and initiated a sanctioning procedure. The resulting fine was 1,200€, imposed in accordance with the criteria outlined in Article 83.2 GDPR. The data controller was given one month to adopt appropriate measures to bring their actions into compliance with data protection regulations, including notifying the Agency of their efforts.


The initial fine was set at 2,000€. However, the responsible party acknowledged their mistake within the given timeframe, which led to a 20% reduction in the sanction, resulting in a fine of 1,600€. They also opted for voluntary payment of the penalty, which allowed for an additional 25% reduction, bringing the total amount to 1,200€. The case was ultimately closed after the responsible party agreed to withdraw any administrative action or appeal against the sanction.


D.A.A.A. (Data Subject) and ORI, S.L.

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us