The Facebook case and the application of the Spanish Personal Data Protection Law

VolverDue to our expertise in personal data protection, we have deemed convenient commenting on such decision, in view of the amount of breach sanctions in this matter and due to the effect of such penalties on the image of economic and social operators.

All the fines due to several breaches provided under on the mentioned Decision amount to one million two hundred thousand Euros (€1,200,000). In a nutshell, the breaches are as follows:

1.- Breach of the duty to report expressly, unequivocally and accurately the interested party on personal data and the purposes of data collection and processing.

On this point, it is important to remark that, according to the Decision ruled by the AEPD, when new users sign up, they are not shown a text with the appropriate information on personal data collection, the purpose of such collection and data processing, which might be confusing for users and render them defenceless against the use that the aforementioned social network makes of their personal data.

Furthermore, the Decision deems the Data Policy writing and language vague and sometimes confusing, since the information on the data that shall be subject to processing is subordinate to browsing on several pages and it is difficult to find.

On the Resolution proven facts, it is provided that users are not informed that their data would be processed through cookies, some specifically for advertising purposes and other for secret purposes, when browsing non-FACEBOOK pages (third-party pages) that contain a Like button. This happens even when users are not signed up on FACEBOOK but they have ever visited one of its pages. It also happens to signed-up FACEBOOK users, even if they are not logged in, those pages gather their data and link them to their FACEBOOK account. And the web pages editors are not appropriately informed by FACEBOOK of such processing taking place.

Therefore, the AEPD deems that the actions of Facebook Inc. represent a serious breach fined with €300,000.

2.- Processing personal data without the consent of the interested parties and processing of sensitive data.

According to the Decision proven facts, there is no need for the potential FACEBOOK user to accept the terms and conditions of the privacy policy to finish the signup process, which doesn’t make the consent unequivocal. This issue, on this case, is especially more serious since sensitive data are being processed, and in these cases the consent must be express and in writing. Only with the express consent in writing of the affected party, personal data disclosing opinions, union memberships, religion or beliefs may be subject to processing. The Decision provides on the matter that FACEBOOK states that on their Advertisement Policy published on their web page, it is said: “We do not use sensitive personal data for advert targeting. Topics you choose for targeting your advert don't reflect the personal beliefs, characteristics or values of the people who use Facebook or Instagram.” According to the AEPD, this public statement is an aggravating factor, because it misinforms FACEBOOK users on the processing of their sensitive data and dwells on the certainty that data are being processed without their prior consent in writing.

For the specific case of sensible data processing with advertising purposes, the proven facts fourteen and twenty-five provide that the tools available to the users to control adverts don’t establish a system of preferences regarding sensible data processing, no consent is beforehand requested, but every personal datum is processed by default for the aforementioned advertising purposes. Furthermore, the settings indeed allow the user to stop FACEBOOK from showing adverts based on their profiles, but it does not imply that data are not being collected and processed in order to create a user-related profile and that it would be indefinitely kept.

The AEPD deduces that such actions are a serious breach, which shall be fined with €600,000.

3.- Duty to cancel data.

Lastly, the AEPD Decision believes that Facebook Inc. infringes the data quality principle, not cancelling all data when they cease to be necessary for the purposes of their collection or when the user requests their cancellation.

This breach is deemed serious and therefore is fined with €300,000.

Turning to comment specifically the enforceability of national law and consideration of FACEBOOK, INC. as controller, as stated on the abstract, it is necessary to point out that the social network FACEBOOK is structured around the parent company FACEBOOK, INC., which has in Spain the limited company named Facebook Spain, S.L. and in Ireland, Facebook Ireland Limited (FACEBOOK IRELAND).

So, on the sanctions proceeding started by the AEPD, Facebook Inc. (the Californian parent company) pleaded that the Spanish law does not apply to them since the data controller for Spanish users is FACEBOOK IRELAND. However, the Decision states that such company is the data controller of the European Union FACEBOOK users, since its involvement in determining processing purposes and means is proved because the “” domain is registered under FACEBOOK, INC. in Menlo Park, United States and the “” domain under FACEBOOK IRELAND. However the latter does not exist per se, since it redirects to “”. The Decision states that FACEBOOK, INC bears the ultimate responsibility for the whole activity of the communication platform.

The Decision points out the case-law of the Spanish High Court 210/2016, Civil Division, of 5 April 2016 (Google case), which sets out that:

The useful effect of Community law would be seriously weakened if the affected parties had to find out, within the business group holder of a search engine, what is the specific function of every company that forms it, which, sometimes even, is trade secret and, at any rate, it is not publicly accessible information. The Directive useful effect would be also weakened if the legal personification that the data controller gives to their business in different Member States is given importance, as intended by the petitioner, Google Spain, and thus, the affected parties are forced to litigate against companies in foreign countries.”

This case-law is something similar to what, in mercantile terms, is called “piercing the corporate veil”.

That said, national law is deemed applicable when enforcing paragraph 2 of section 2.1 LOPD, where it is provided its application in these events, among others:

a) When the processing is carried out on Spanish territory as part of the activities of an establishment belonging to the controller …

c) When the controller is not established on the territory of the European Union and is using for the processing means situated on Spanish territory, unless such means are used solely for transit purposes.”

In this case, the AEPD highlights that FACEBOOK SPAIN, S.L. is an establishment involved in data processing activities regarding identified or identifiable individuals, collected on Spanish territory. FACEBOOK, INC performs an economic activity with the goal of obtaining income in exchange of third-party adverts entered in the websites it manages. FACEBOOK, INC activity would not be feasible without such funding. Attracting advertisers on Spanish territory is the main task of FACEBOOK SPAIN, S.L. Therefore, FACEBOOK SPAIN, S.L. actions are significant for services provision and their data processing, because its activity entails attracting advertisers on Spanish territory, with a causal link between FACEBOOK SPAIN, S.L. actions and the processing with advertising purposes.

And in conclusion on this point, the Decision highlights that “it is relevant to add that FACEBOOK, INC. relies on means located on Spanish territory in order to gather information in our territory (using, among others, the computers of users residing in Spain in order to keep information locally through cookies and other means, as well as running code on such devices), without making use of such data collection devices only for the purpose of transit through the European Union, i.e. they are not only data-transmission equipment but they are used to gather and process data.”

The AEPD finishes highlighting that, against this background, the LOPD is applicable to this case and the AEPD is the relevant body to apply it.

Due to our expertise in data protection and information technology (IT), we highlight again the relevance of this matter that affects the fundamental rights of a person and the need for legal and technical mechanisms for ensuring compliance with the rules; breaching them may have serious consequences to companies; Belzuz Abogados is at your disposal to advise and assist you in these increasingly important matters.

 Emilio Perez Labrador Emilio Pérez Labrador

Departamento de Tecnologías de la Información y de la Comunicación (TIC)


Belzuz Abogados SLP

La presente publicación contiene información de carácter general sin que constituya opinión profesional ni asesoría jurídica. © Belzuz Abogados, S.L.P., quedan reservados todos los derechos. Se prohíbe la explotación, reproducción, distribución, comunicación pública y transformación total o parcial, de esta obra, sin autorización escrita de Belzuz Abogados, S.L.P.



Belzuz Abogados - Despacho de Madrid

Nuñez de Balboa 115 bis 1

  28006 Madrid

+34 91 562 50 76

+34 91 562 45 40

Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.


Belzuz Abogados - Despacho de Lisboa

Av. Duque d´Ávila, 141 – 1º Dtº

  1050-081 Lisboa

+351 21 324 05 30

+351 21 347 84 52

Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.


Belzuz Abogados - Despacho de Oporto

Rua Julio Dinis 204, Off 314

  4050-318 Oporto

+351 22 938 94 52

+351 22 938 94 54

Esta dirección de correo electrónico está siendo protegida contra los robots de spam. Necesita tener JavaScript habilitado para poder verlo.