Mrs. A.A.A., (Lia’s Clothing) and Zulmar Santamaria, S.L.

€1800 in fines


The Spanish DPA found an online clothing store responsible for handling personal data without consent from the people involved, not having a privacy policy in place, and using unnecessary cookies without informing users properly through a cookie banner.

Our analysis

Lia's Clothes, an online clothes store, was found liable for not having an adequate privacy policy or cookie banner. Upon investigation, the Spanish DPA (AEPD) found that personal data was collected without informing the data subjects about the protection of their personal data or providing a link to a privacy policy. Additionally, non-essential cookies were used on the website without providing appropriate information through a banner or giving data subjects the option to reject them. The AEPD held that the online store violated Article 6(1) GDPR by processing personal data without clear, affirmative, informed, and free consent. Furthermore, by not having a privacy policy or disclosing who the controller of the personal data would be, the online store also violated Article 13 GDPR. Lastly, the use of non-essential cookies without a cookie banner violated Article 22.2 of the Spanish Law of Information Society Services (LSSI), which requires clear and complete information on the use of cookies and the option to reject them.


The AEPD fined the owner of an online store €3000 for three violations of data protection laws. The owner voluntarily paid the fine and accepted responsibility, resulting in a reduced fine of €1800. Additionally, the AEPD ordered the owner to add a proper privacy policy and cookie banner to their website to comply with data protection laws.


Mrs. A.A.A., (Lia’s Clothing) and Zulmar Santamaria, S.L.

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us