The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros

17 October 2019

Users who access the Vueling company’s website do not have the ability to configure the cookies that are installed on their computers.

When accessing online the cookie policy of the URL page: , users are informed about what cookies are and what cookies they use. It also communicates that Vueling can use the information by itself or through third parties such as, beacons, Pixel tags and Local storage, evaluations  and  statistical calculations on anonymous data, indicating  "such information will not be used for any other purpose". They also report that they may use third-party analytics cookies.

However, on the management of cookies, the company merely indicates that: "you can configure the browser to accept or reject by default all cookies or to receive an on-screen notice of the reception of each cookie and decide at that time its implementation or not on your hard drive. You can also use "do not track" tracking cookie blocking tools. It is also noted that, "you can revoke at any time the consent given for the use of cookies by Vueling, configuring the browser for this purpose and that you can adjust the browser settings to prevent the installation of cookies websites or third parties in general."

What the company does not provide is a management system or cookie configuration panel that allows the user to delete them in a granular way. To facilitate this selection the panel would have to enable a mechanism or button to reject all cookies, another to enable all cookies or to be able to do it in a granular way in order to manage the preferences of each user. On this subject, it is considered that the information offered on the tools provided in the browsers of the computers to configure cookies would be complementary to the previous one, but insufficient for the intended purpose of allowing you to configure preferences in granular or selective form.

These facts constitute an infringement of Section 22.2 of the LSSI  (Spanish Law on Information Society Services and Electronic Commerce), according to which:  "Service providers may use of data storage and retrieval devices on recipients' terminal equipment, provided that they have given their consent after they have been provided with clear and complete information on their use, in particular , on the purposes of data processing".

Read the decision in Spanish here
For further information, please contact the Spanish DPA:

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.