[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKAnrf7ylnEBWMF2ng4FFgw34XSj128jlt_UK5NPF1d8":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"2de87f00-7d38-48ff-ab76-a29265936ee0","AEPD (Spain) - PS-00480-2025","aepd-spain-ps-00480-2025-6b618c","← Older revision Revision as of 09:50, 21 May 2026 Line 67: Line 67: }} }} The AEPD fined an adult ad network for placing advertising cookies without consent, unlawfully relying on legitimate interest and lacking an EU representative. The DPA fined an adult ad network for placing advertising cookies without consent, unlawfully relying on legitimate interest and lacking an EU representative. == English Summary == == English Summary == Line 85: Line 85: === Holding === === Holding === The AEPD held that the controller violated [[Article 6 GDPR|Article 6 GDPR]] by processing personal data without a valid legal basis. The DPA emphasised that the LSSI, the Spanish law implementing the ePrivacy Directive require prior consent for storing or accessing information on a user’s device through cookies, unless an exemption applies. The AEPD held that the controller violated [[Article 6 GDPR]] by processing personal data without a valid legal basis. The DPA emphasised that the LSSI, the Spanish law implementing the ePrivacy Directive require prior consent for storing or accessing information on a user’s device through cookies, unless an exemption applies. The DPA distinguished between the placement or reading of cookies, which is governed by the cookie rules, and the subsequent processing of personal data obtained through those cookies, which must comply with the GDPR. Since the cookies were installed without consent, the subsequent processing of the data collected through them could not be considered lawful. The DPA distinguished between the placement or reading of cookies, which is governed by the cookie rules, and the subsequent processing of personal data obtained through those cookies, which must comply with the GDPR. Since the cookies were installed without consent, the subsequent processing of the data collected through them could not be considered lawful. Line 91: Line 91: The AEPD rejected the controller’s reliance on legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It found that users had not received clear information and had not consented to the use of cookies. Moreover, users of the affected websites did not have a reasonable expectation that their browsing-related data would be processed by a third-party advertising network for advertising purposes. Therefore, the processing did not pass the balancing test required under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The AEPD rejected the controller’s reliance on legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It found that users had not received clear information and had not consented to the use of cookies. Moreover, users of the affected websites did not have a reasonable expectation that their browsing-related data would be processed by a third-party advertising network for advertising purposes. Therefore, the processing did not pass the balancing test required under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The DPA also held that the controller violated [[Article 27 GDPR|Article 27 GDPR]]. Since the controller was not established in the EU but processed personal data of users in Spain in connection with its advertising services, it was required to appoint a representative established in an EU Member State. A representative in Northern Ireland did not meet this requirement. The DPA also held that the controller violated [[Article 27 GDPR]]. Since the controller was not established in the EU but processed personal data of users in Spain in connection with its advertising services, it was required to appoint a representative established in an EU Member State. A representative in Northern Ireland did not meet this requirement. The AEPD fined the controller €120,000 in total: €70,000 for the violation of [[Article 6 GDPR|Article 6 GDPR]] and €50,000 for the violation of [[Article 27 GDPR|Article 27 GDPR]]. Pursuant to Article 85 of the Spanish administrative Law 39\u002F2015, the notice of initiation informed the controller of the possibility of acknowledging liability and making a voluntary payment of the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the final penalty was set at €72,000, and its payment resulted in the termination of the proceedings. The AEPD fined the controller €120,000 in total: €70,000 for the violation of [[Article 6 GDPR]] and €50,000 for the violation of [[Article 27 GDPR]]. Pursuant to Article 85 of the Spanish administrative Law 39\u002F2015, the notice of initiation informed the controller of the possibility of acknowledging liability and making a voluntary payment of the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the final penalty was set at €72,000, and its payment resulted in the termination of the proceedings. The AEPD also ordered the controller to adopt corrective measures within three months. In particular, the controller had to ensure compliance with [[Article 6 GDPR|Article 6 GDPR]], ensure compliance with the Spanish cookie rules by the service providers using its cookies, appoint an EU representative and notify the AEPD of the measures adopted. The AEPD also ordered the controller to adopt corrective measures within three months. In particular, the controller had to ensure compliance with [[Article 6 GDPR]], ensure compliance with the Spanish cookie rules by the service providers using its cookies, appoint an EU representative and notify the AEPD of the measures adopted. == Comment == == Comment ==","Spain's data protection authority (AEPD) fined an adult advertising network €72,000 for placing tracking cookies without user consent and unlawfully relying on legitimate interest as a legal basis under GDPR Article 6. The authority also found the controller violated Article 27 GDPR by failing to appoint a representative established in an EU Member State (a Northern Ireland representative did not suffice). The DPA ordered corrective measures including GDPR compliance, appointment of an EU representative, and notification within three months.","Spain's AEPD fines adult ad network €72K for non-consensual cookies and missing EU representative.","Help AEPD (Spain) - PS-00480-2025: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 09:44, 21 May 2026 view sourceBms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators49 edits Tag: submission [1.0] Latest revision as of 09:50, 21 May 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators49 editsTag: Visual edit Line 67: Line 67: }}}} The AEPD fined an adult ad network for placing advertising cookies without consent, unlawfully relying on legitimate interest and lacking an EU representative.The DPA fined an adult ad network for placing advertising cookies without consent, unlawfully relying on legitimate interest and lacking an EU representative. == English Summary ==== English Summary == Line 85: Line 85: === Holding ====== Holding === The AEPD held that the controller violated [[Article 6 GDPR|Article 6 GDPR]] by processing personal data without a valid legal basis. The DPA emphasised that the LSSI, the Spanish law implementing the ePrivacy Directive require prior consent for storing or accessing information on a user’s device through cookies, unless an exemption applies.The AEPD held that the controller violated [[Article 6 GDPR]] by processing personal data without a valid legal basis. The DPA emphasised that the LSSI, the Spanish law implementing the ePrivacy Directive require prior consent for storing or accessing information on a user’s device through cookies, unless an exemption applies. The DPA distinguished between the placement or reading of cookies, which is governed by the cookie rules, and the subsequent processing of personal data obtained through those cookies, which must comply with the GDPR. Since the cookies were installed without consent, the subsequent processing of the data collected through them could not be considered lawful.The DPA distinguished between the placement or reading of cookies, which is governed by the cookie rules, and the subsequent processing of personal data obtained through those cookies, which must comply with the GDPR. Since the cookies were installed without consent, the subsequent processing of the data collected through them could not be considered lawful. Line 91: Line 91: The AEPD rejected the controller’s reliance on legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It found that users had not received clear information and had not consented to the use of cookies. Moreover, users of the affected websites did not have a reasonable expectation that their browsing-related data would be processed by a third-party advertising network for advertising purposes. Therefore, the processing did not pass the balancing test required under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].The AEPD rejected the controller’s reliance on legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. It found that users had not received clear information and had not consented to the use of cookies. Moreover, users of the affected websites did not have a reasonable expectation that their browsing-related data would be processed by a third-party advertising network for advertising purposes. Therefore, the processing did not pass the balancing test required under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. The DPA also held that the controller violated [[Article 27 GDPR|Article 27 GDPR]]. Since the controller was not established in the EU but processed personal data of users in Spain in connection with its advertising services, it was required to appoint a representative established in an EU Member State. A representative in Northern Ireland did not meet this requirement.The DPA also held that the controller violated [[Article 27 GDPR]]. Since the controller was not established in the EU but processed personal data of users in Spain in connection with its advertising services, it was required to appoint a representative established in an EU Member State. A representative in Northern Ireland did not meet this requirement. The AEPD fined the controller €120,000 in total: €70,000 for the violation of [[Article 6 GDPR|Article 6 GDPR]] and €50,000 for the violation of [[Article 27 GDPR|Article 27 GDPR]]. Pursuant to Article 85 of the Spanish administrative Law 39\u002F2015, the notice of initiation informed the controller of the possibility of acknowledging liability and making a voluntary payment of the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the final penalty was set at €72,000, and its payment resulted in the termination of the proceedings.The AEPD fined the controller €120,000 in total: €70,000 for the violation of [[Article 6 GDPR]] and €50,000 for the violation of [[Article 27 GDPR]]. Pursuant to Article 85 of the Spanish administrative Law 39\u002F2015, the notice of initiation informed the controller of the possibility of acknowledging liability and making a voluntary payment of the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the final penalty was set at €72,000, and its payment resulted in the termination of the proceedings. The AEPD also ordered the controller to adopt corrective measures within three months. In particular, the controller had to ensure compliance with [[Article 6 GDPR|Article 6 GDPR]], ensure compliance with the Spanish cookie rules by the service providers using its cookies, appoint an EU representative and notify the AEPD of the measures adopted.The AEPD also ordered the controller to adopt corrective measures within three months. In particular, the controller had to ensure compliance with [[Article 6 GDPR]], ensure compliance with the Spanish cookie rules by the service providers using its cookies, appoint an EU representative and notify the AEPD of the measures adopted. == Comment ==== Comment == Latest revision as of 09:50, 21 May 2026 AEPD - PS-00480-2025 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 6(1)(f) GDPR Article 27 GDPR Article 5(3) ePrivacy DirectiveArticle 22(2) LSSI Type: Investigation Outcome: Violation Found Started: 02.10.2025 Decided: 14.11.2025 Published: Fine: 72,000 Parties: Tiger Media Inc. National Case Number\u002FName: PS-00480-2025 European Case Law Identifier: n\u002Fa Appeal: Not appealed Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: bms The DPA fined an adult ad network for placing advertising cookies without consent, unlawfully relying on legitimate interest and lacking an EU representative. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Tiger Media Inc., the controller, operated an advertising platform for publishers and advertisers of adult products and services. The platform acted as an ad network, connecting publishers offering advertising space with advertisers seeking to display ads on those websites. Through this platform, the controller processed personal data of users visiting publishers’ websites where its ads were displayed. This included IP addresses, device and browser information, website URLs, referral URLs, clicks, impressions and cookie identifiers. According to the controller, the data were processed for ad delivery, fraud prevention, frequency capping, performance measurement and service improvement. The controller argued that it did not carry out behavioural advertising or profiling. It claimed that any targeting was limited to contextual factors, such as country and language. The controller relied mainly on legitimate interest as a legal basis and argued that publishers, as independent controllers of their own websites, were responsible for obtaining any consent required for cookies. The DPA investigated the controller’s platform and several Spanish websites using it. It found that cooki","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_PS-00480-2025&diff=51702&oldid=51701","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-05-21T09:50:48+00:00","2026-05-21T10:00:12.770952+00:00",7,[18],{"name":19,"type":20},"AEPD (Agencia Española de Protección de Datos)","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":21,"icon":23,"name":24,"slug":25},null,"GDPR","gdpr",[27,32,37],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":38},{"id":39,"icon":23,"name":40,"slug":41},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]