Mapfre España Compañia de Seguros y Reaseguros SA – Complaint Upheld (Spain, 2024)
Mapfre España, an insurance company, placed cookies on its website before getting user consent. This practice violates data protection rules because users should have control over their data. Website operators should ensure they get proper consent before using cookies to avoid similar issues.
What happened
Mapfre España placed cookies on its website before users interacted with the cookie consent banner.
Who was affected
Website visitors who accessed Mapfre España's site and had their data tracked by cookies without consent were affected.
What the authority found
The Spanish data protection authority ruled that Mapfre España violated Article 5(1)(a) of GDPR by not obtaining consent before placing cookies.
Why this matters
This ruling emphasizes the importance of obtaining user consent before using cookies. Companies should review their cookie practices to comply with data protection rules.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The controller, an insurance company, has a website that uses cookies. The data subject noticed that, even though the website had a cookie banner, the cookies were placed even before the user interacted with the cookie banner. Moreover, the cookies at hand were connected with the Google Analytics service. According to the data subject, this entailed an unlawful data transfer to the USA. Therefore, the data subject filed a complaint with the Spanish DPA. The controller acknowledged that it was using Google Analytics on its website, but argued that the relevant cookie is placed only after the data subject's consent. Moreover, the controller pointed out that it is now using the so-called "Google Analytics 4", which uses an IP-address "anonymiser". First, the DPA noted that the controller acknowledged the Google Analytics tool. Therefore, the controller processed several data of the data subject, including unique user identifiers, the IP address as well as other data associated with the browser. The DPA shared the data subject's view, holding that the controller should not have installed the cookies before the data subject's consent. Since no legal basis for this processing was present, the DPA found a violation of Article 5(1)(a) GDPR. Second, the DPA pointed out that, even though the data transfer to the USA (i.e. to Google LLC) was carried out by Google Ireland (appointed as processor pursuant to Article 28 GDPR), the controller is however responsible and liable under Chapter V GDPR (see [https://www.edpb.europa.eu/system/files/2023-02/edpb_guidelines_05-2021_interplay_between_the_application_of_art3-chapter_v_of_the_gdpr_v2_en_0.pdf EPDB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR], para. 19). As for this point, the DPA considered it irrelevant that the controller did not decide where personal data is stored by Google LLC, since the data processing agreement a
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (2)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Mapfre España Compañia de Seguros y Reaseguros SA in ES
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Mapfre España Compañia de Seguros y Reaseguros SA - Spain (2024). Retrieved from cookiefines.eu
Last updated: