Autocontrol, the Spanish not-for-profit association that acts as a self-regulatory and supervisory body for the advertising industry in Spain, has recently published a revised code of conduct on the processing of personal data for advertising activities (the "CoC”). The code covers both traditional direct marketing and online targeted ads.

The revised CoC has been approved by the Spanish Data Protection Agency (the “AEPD”) and recently came into effect. It provides for, among others, a nimbler online out-of-court dispute settlement mechanism for resolving data protection disputes between adhering entities and data subjects.

Background

The GDPR sets out that associations and other bodies representing categories of controllers or processors may prepare codes of conduct to specify the application of the GDPR, such as with regard to the legitimate interests pursued in specific contexts, the collection of personal data, and out-of-court proceedings and other dispute resolution procedures.

Autocontrol is made up of the main advertisers, advertising agencies, media, and professional organisations involved in advertising activities in Spain. Currently, it has over 600 members, which are involved in approximately 70% of all advertising-related investments in Spain.

Autocontrol adopted its initial CoC back in 2020 for the main purpose of adopting an out-of-court dispute settlement mechanism for complaints in data protection advertising. This was the first GDPR approved CoC with an accredited monitoring body in the EU.

Since then, technological advances have transformed the advertising industry. Phenomena such as big data and AI allow advertisers to scale ad placements and reach wider audiences, and cookies enable them to tailor and personalise ads based on users’ interests, habits, and demographics. Nevertheless, these developments have brought new challenges for the protection of users’ personal data, which led Autocontrol to revise its existing CoC.

Scope

The CoC applies to the processing of personal data for advertising purposes carried out by adhering entities. This includes sending direct marketing communications and using cookies and other technologies for targeted advertising.

Its scope of application is limited to those processing activities that are carried out by adhering entities in Spain, or that affect data subjects located in Spain where such processing relates to the offering of goods or services to data subjects in Spain, or involves the monitoring of the behaviour of data subjects in Spain.

Generally, any company or entity processing personal data in the context of an advertising activity may adhere to the CoC, regardless of whether they were previously associated with Autocontrol. Participation in the CoC is voluntary, but it becomes legally binding for entities that adhere to it.

Obligations of adhering entities

Under the CoC, adhering entities undertake to comply with the GDPR and other data protection laws when carrying out their advertising activities. This includes:

• Data minimisation and purpose limitation – Entities should not collect and process more data than is necessary for the sending or display of marketing communications. In particular, if more data than necessary to send marketing communications was collected because that data was necessary for a different purpose, as soon as this other purpose has been fulfilled, the data that is not necessary for the advertising purpose shall be deleted.
• Lawfulness – When relying on consent, consent to the sending of third-party advertising must be obtained separately from consent to the sending of advertising of the entity’s own products and/or services. When assessing whether a legitimate interest outweighs the rights of data subjects, entities should consider the privacy expectations of data subjects, whether the advertising is based on profiling and the complexity of such profiling.
• Transparency – Advertisers should provide information to the data subjects in a layered manner and in clear and plain language, avoiding complex legal terminology and ambiguous terms.
• Opt-out of direct marketing – Entities should inform data subjects of their right to object to the processing of their personal data for direct marketing purposes at the time of collection of their personal data and in each marketing communication. Data subjects should not be required to provide a justification in order to exercise their right to object.
• Robinson lists – Entities should check advertiser suppression lists before sending direct marketing communications, unless the data subject has given consent.
• Cookies – Where cookies are used for personalised or behavioural advertising purposes: (i) this purpose should be explicitly stated; (ii) ambiguous descriptions should be avoided; and (iii) it should be mentioned that such advertising is carried out on the basis of profiling derived from the user's browsing and use of the application.

Out-of-court procedure

The CoC sets forth an online updated out-of-court procedure for resolving data protection disputes between adhering entities and data subjects in relation to the processing of personal data carried out in the context of advertising activities.

• Initiation – The data subject may initiate the procedure either with Autocontrol by filling in an online form or with the AEPD, who may refer it to Autocontrol’s Advertising Jury.
• Admissibility – Autocontrol will admit the complaint where a number of requirements are met (e.g. details of the complainant and information on the factual basis of the complaint are specified).
• Mediation – The complaint will be forwarded to the relevant adhering entity so that it can propose the actions it considers appropriate for mediation. Autocontrol's Mediation Unit shall encourage the parties to reach an agreement that resolves the dispute.
• Duration – The procedure will be resolved within 30 days (27 days where the mediation has been initiated by referral from the AEPD).
• Referral to the AEPD – Where the mediation procedure has been initiated by referral from the AEPD, the Advertising Jury should inform the AEPD of the result of the mediation.
• Referral to the Advertising Jury – Where the data subject is not satisfied with the result of the mediation procedure, Autocontrol will refer the complaint, with the consent of the adhering entity, to its Advertising Jury.
• Outcome – The suggestions made by the Mediation Unit are not binding. However, the agreement reached in mediation, as well as, where applicable, the decisions of the Advertising Jury, are binding for the adhering entities.
• Confidentiality – The procedure and the agreement reached in mediation, and the handling of the complaint by the Advertising Jury, will be confidential. The decisions of the Advertising Jury will be made public by Autocontrol.

Sanctions

The CoC also sets out the sanctions to be imposed by the Advertising Jury in case of infringement. Sanctions range from a private and public reprimand in case of minor infringements, to the temporary suspension of the rights conferred to in the CoC in case of serious infringements, and to the expulsion from the scope of the CoC in case of very serious infringements. The suspension of the rights or expulsion of the adhered entity will be notified to the AEPD.

Conclusion

This revised CoC is expected to serve as a guide for companies to process personal data in the development of their advertising and marketing activities in compliance with data protection regulations. Important players in the advertising sector in Spain, such as Atresmedia (Antena 3), Dentsu, Ikea, L’Oréal, MásMóvil, Orange, Procter & Gamble, Telefónica and Vodafone, have already adhered to it.

It will also allow data subjects to resolve their data protection claims in a more agile and simple manner through the updated online out-of-court procedure.