The Spanish Data Protection Authority fines company 30,000 over cookie policy used on its website

Updated: Apr 14

Customers who access the Vueling company’s website did not have the capacity to configure the cookies.


The decision can be read in Spanish here


Whilst accessing online the cookie policy of the URL: https://www.vueling.com/es, users are informed what cookies are and what cookies they use. It additionally communicates that Vueling can use the information itself or through third parties which include, beacons, Pixel tags and local storage, evaluations and statistical calculations on anonymous data, indicating “such information will not be used for any other purpose”. They also report that they’ll use third-party analytics cookies.


However, on the management of cookies, the company states that: “you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive.


You can also use “do not track” tracking cookie blocking tools. it is also noted that, “you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose and that you can adjust the browser settings to prevent the installation of cookies websites or third parties in general.”


What the organisation does not provide is a control system or cookie configuration panel that permits the person to delete them in a granular manner. To facilitate this selection the panel would have to enable a mechanism or button to reject all cookies, another to enable all cookies or to be able to do it in a granular manner to manage the preferences of each user.


These facts constitute an infringement of section 22.2 of the LSSI (Spanish law on information society services and electronic commerce), in keeping with which: “service providers may also use of data storage and retrieval devices on recipients’ terminal equipment, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular, on the purposes of data processing”.

Join our mailing list

© 2018 - 2020 GDPR Community Ltd

  • Facebook
  • Twitter
  • Instagram