Subdirectorate General for Data Inspection v. Flexografica Del Mediterraneo, S.L.

€3000 in fines


The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.

Our analysis

The case reported the violation of several data protection laws by two websites of a controller. The AEPD received a complaint indicating that both websites lacked a privacy and cookies policy, or any other kind of information regarding the data that they process. The investigation conducted by the AEPD revealed that one of the websites had a privacy and cookies policy, but both websites gathered consent from the user in a generic way, with no option to specify the processing they wanted to consent to. The AEPD found that the website placed unnecessary third-party cookies on the user's device without consent. The cookie banner only provided generic information and did not have a button to reject the cookies in its first layer. An option to reject cookies was included in the banner during the proceeding. In the second layer, the user could reject unnecessary cookies. However, the authority found that, even when exercising this option, the cookies were still used. 
The AEPD held that the cookie banner of the website violated Article 22(2) of the Spanish Information Society Services Act (LSSI), which implements the e-Privacy Directive, as it did not properly inform the user that the website used third-party cookies with marketing purposes that would create a profile based on the user's navigation behaviour to show them advertisements related to their preferences. It also violated Article 22(2) by not allowing users to reject such cookies, using them without consent, even when the user had deactivated the option. Furthermore, during the investigation, the controller deleted the second website, which lacked a privacy and cookies policy, redirecting the user to the first website when using its domain. The AEPD also found that there had been a violation of Article 7 GDPR before the controller allowed the user to choose the specific processing they wanted to consent to. The case involved several deceptive patterns, including forced action and hidden information. The websites gathered consent from users in a generic way, without allowing them to choose specific processing. The cookie banner provided only generic information, with no button to reject the cookies in the first layer. The controller also used unnecessary third-party cookies without consent, even when the user had exercised the option to reject them.


The AEPD has issued a set of decisions against a controller for several violations of GDPR and LSSI. The controller was warned for gathering consent in a generic way, fined €3000 for installing third-party cookies without consent, and warned for not having a privacy policy on their second website. Additionally, the controller was ordered to adapt their website's "cookies policy," including necessary information in the cookie banner and preventing the use of unnecessary cookies until the user has provided consent.


Sub Directorate General for Data Inspection and Flexografica Del Mediterraneo, S.L.

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us