Lia's Clothes – €1,800 Fine (Spain, 2022)

A data subject filed a complaint against Lia's Clothes (an online clothes store) stating that the website did not have an adequate privacy policy or cookie banner. The Spanish DPA (AEPD) initiated an investigation, and determined that once data subjects were prompted to introduce their personal data, there was indeed no information provided related to the protection of personal data, or a link to a privacy policy. The AEPD also verified that when entering the website, non-essential cookies such as Google Analytics are used, without an adequate banner informing data subjects about their use, the possibility to reject them, or consent to them in a differentiated granular manner. The AEPD held that by processing personal data without the data subject’s clear, affirmative, informed and free consent, or any other valid legal basis, the online store had violated Article 6(1) GDPR. The AEPD also held that the online store had violated its obligation under Article 13 GDPR to provide data subjects information related to the processing of their personal data when collected from them, in particular by not having a privacy policy and not disclosing any details as to who the controller of that personal data would be. Lastly, the AEPD held that the online store’s use of non-essential cookies without having a cookie banner violated Article 22.2 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Spanish Law of Information Society Services (LSSI)], which establishes that clear and complete information on the use of cookies and the purposes of the data processing must be provided to data subjects, as well as the possibility to reject non-essential cookies. Taking into account that the online store was owned by a private individual, the AEPD issued a fine of €1000 for the each of the three aforementioned violations, for a total fine of €3000. Due to the fact that the individual voluntarily paid the fine and expressly accepted their responsibility, the fine was reduced to