The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).

In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.

Processing sensitive personal data for advertising purposes without consent

The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.

It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data, and offers content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data, as prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, Facebook does not request express consent for the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.

Spain’s Data Protection Authority, the Agencia Española de Protección de Datos (‘AEPD’), has issued a deadline of 29 January 2016 for the implementation of alternative mechanisms to Safe Harbor.

By letter dated 3 November 2015, the AEPD imposed the deadline on all companies operating in Spain that had previously notified it of personal data transfers to the United States which were based on the recipient’s Safe Harbor certification.  The letter requires companies in Spain to inform the AEPD of the mechanism(s) they have implemented to ensure the “adequate protection” of personal data which is transferred to the United States.

The Spanish data protection authority, the AEPD, has issued the first European cookie fine for the violation of Article 22.2 of Spain’s Information Society Services and Electronic Communications Law 34/2002 (Spanish E-Commerce Act), as amended by Royal Decree Law 13/2012 which implements the e-Privacy Directive (Directive 2002/58).

On 29 April 2013, the AEPD issued