Ms. A.A.A. (Claimant) v. Marbella Resorts, S.L.

€7,000 in fines

Excerpt

Marbella Resorts was fined by the Spanish DPA for not having a data processing agreement with the processor and for violating the Spanish Law on cookies by placing unnecessary cookies without user consent.

Our analysis

The complaint was submitted to the Spanish DPA (AEPD) by a data subject, who stated that their ID card had been found on an adult website, along with their personal information, after they had been a guest in one of the chain's hotels. The data subject also requested access to their personal data from the hotel, which revealed that an employee of the building's owners association had scanned their ID card because the reception desk was closed.

Upon further investigation, the AEPD discovered that Marbella Resorts' website had a cookie banner that did not provide sufficient information about the use of cookies and did not allow users to reject unwanted cookies. Additionally, the hotel chain used unnecessary cookies before obtaining consent, violating Article 22 of the Spanish Law implementing the e-Privacy Directive (LSSI). Furthermore, the AEPD found that Marbella Resorts had violated Article 28(3) of the GDPR, as the hotel chain did not have a data processing agreement with the building's owners association to govern the processing of personal data.

The use of deceptive patterns, specifically the lack of transparency in the cookie banner and the placement of unnecessary cookies without clear user consent, was a significant factor in the AEPD's decision to fine Marbella Resorts. The forced action of accepting cookies without sufficient information or the ability to reject unwanted cookies is a clear example of a deceptive pattern, which violates both Article 5(3) of the e-Privacy Directive and Article 22(2) of the Spanish Law on cookies (LSSI). The lack of transparency and user control in cookie consent mechanisms is a significant concern for data protection authorities, as it can lead to the misuse of personal data.

Outcome

The controller was fined €7,000 by the AEPD, reduced to €4,200 after early and voluntary payment, for violating Article 28(3) GDPR and Article 22 of the Spanish Law implementing the e-Privacy Directive (LSSI). The infringements included improper information about the use of cookies and placing unnecessary cookies without consent, without the option of individually rejecting them.

Parties

Ms. A.A.A. (Claimant) and Marbella Resorts, S.L.

Case number

PS/00151/2021

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
