The Royal Clinic by Doctor Marin – €2,400 Fine (Spain, 2020)

A data subject sent a complaint to the AEPD against a plastic surgery clinic because he had received unwanted publicity on his phone number. The data subject tried to find in the website of the clinic information about who to address his complaint to but he couldn't find it due to lack of a privacy policy in the website. The AEPD sent a request for information to the clinic and they replied that they provide adequate information to their clients upon collection of their data when the clients go for the first time to the clinic. The clinic argued that in the data sheet where the personal data is collected, the data subjects are informed that their data will be used also for sending them publicity (such as discounts, offers, etc.). The AEPD checked the website of the clinic (three months after the answer from the clinic was received) and they found that both the privacy policy and the cookies policy were missing. Does the lack of a privacy and cookie policy on a website infringe Article 13 GDPR and Article 22(2) LSSI? The AEPD decided to impose a fine to the clinic: € 2000 for the lack of the privacy policy and € 2000 for the lack of cookies policy on the website. The absence of a privacy policy infringed Article 13 GDPR and the absence of a cookie policy infringed Article 22(2) of the Spanish law on the Information Society and Electronic Commerce Services (LSSI). However, the fine got reduced due to: 1. prompt payment; 2. acknowledgement of responsibility (that includes the commitment of the company not to pursue any further appeal against the decision).