AP (The Netherlands) - z-2021-14274
From GDPRhub
| AP - z-2021-14274 | |
|---|---|
 | |
| Authority: | AP (The Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 4(11) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 02.05.2024 |
| Published: | 16.07.2024 |
| Fine: | 600,000 EUR |
| Parties: | AS Watson (Health & Beauty Continental Europe) B.V. |
| National Case Number/Name: | z-2021-14274 |
| European Case Law Identifier: | n/a |
| Appeal: | Pending appeal |
| Original Language(s): | Dutch |
| Original Source: | Autoriteit Persoonsgegevens (in NL) |
| Initial Contributor: | ec |
The DPA fined the controller of Kruidvat.nl €600,000 for placing tracking cookies before obtaining consent. The DPA also found that a pre-ticked box for accepting tracking cookies does not constitute freely given, specific, informed and unambiguous consent.
English Summary
Facts
The controller AS Watson (Health & Beauty Continental Europe) B.V. is a financial holding company that manages and operates several wholesale and retail businesses. One of them is Kruidvat, a Dutch retail, pharmacy and drugstore chain.
In 2019, the Dutch DPA (“Autoriteit Persoonsgegevens”) started an investigation into different websites, including Kruidvat.nl, to review whether the websites complied with placing (tracking) cookies. On first glance, the DPA found that the website did not seem to comply with the requirements of obtaining consent under the GDPR. Therefore, the DPA send a letter to the controller on 29 November 2019, which stated that the controller presumably did not comply with the law on obtaining consent for tracking cookies. The DPA encouraged the controller in the letter to change its practices for obtaining consent for tracking cookies.
After multiple reviews, the DPA found that the controller still did not change its practices on 16 June 2020. The DPA therefore decided to launch an ex officio investigation into the controller.
In their investigation, the DPA found that the controller placed tracking cookies before obtaining consent from users via a cookie banner. The DPA also found that “accept all cookies” on the controller’s cookie banner was selected by default. Only after clicking through four different steps, was the user able to reject cookies.
The controller argued that the investigation by the DPA was unlawful, because the cookies they use on their website does not qualify as public data and the DPA entered the controller's virtual premises without the controller's consent or knowledge. The DPA had no legal basis for starting an investigation.
Holding
First, the DPA dismissed the controller’s argument and held that the controller’s website is a publicly accessible website, which cannot be equated with entering a business premise. The DPA also has the authority under the GDPR and the Dutch GDPR implementation law ("Uitvoeringswet Algemene verordening gegevensbescherming"), to investigate and proceed with enforcement if there has been a breach of the GDPR.
Secondly, the DPA found that the controller unlawfully processed personal data of users by placing tracking cookies before obtaining consent, violating Article 6(1) GDPR and Article 5(1)(a) GDPR.
Thirdly, on rejecting cookies via the controller's cookie banner, the DPA took into account the CJEU judgement in case C-673/17 Planet49. According to the CJEU, there is no legally valid consent if the placing of cookies on the data subject’s devises uses a default tick box, which the data subject must uncheck to refuse consent. The DPA therefore held that by using pre-ticked (tracking) cookies, the controller did not obtain freely given, specific, informed and unambiguous consent under Article 4(11) GDPR. The controller thus violated Article 6(1) GDPR and Article 5(1)(a) GDPR for unlawfully processing personal data by not obtaining consent.
The DPA took into account the duration of the violations and noted that the controller changed its practices since 1 October 2020. Now, consenting to cookies is not automatically ticked on anymore. It also does not place cookies anymore before obtaining consent.
The DPA therefore fined the controller €600,000 for violating Article 6(1) GDPR and Article 5(1)(a) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Dutch Data Protection Authority
PO Box93374,2509AJ The Hague
HogeNieuwstraat8,2514EL The Hague
T0708888500-F088-0712140
Confidential/Registeredautoriteitpersoonsgegevens.nl
A.S.WatsonHealth&BeautyContinentalEuropeB.V.
Attn: the management
PO Box34
3927ZLRenswoude
Date Unmarked
May 2, 2024 z-2021-14274
Contact
[CONFIDENTIAL]
[CONFIDENTIAL]
Subject
Decides to impose an administrative fine for violating the General Regulation
data protection
Dear members of the management,
The Dutch Data Protection Authority (hereinafter: AP) has decided to A.S.WatsonHealth&Beauty
ContinentalEuropeB.V. (hereinafter: A.S.Watson) to impose an administrative fine of €600,000 for the
violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, of the General
Data Protection Regulation (hereinafter: GDPR). The reason for this is that A.S. Watson is not lawful
has a basis for processing data because it has failed to consent
questions to data subjects for the processing of their data through (tracking)
cookieswhenvisitingthewebsitekruidvat.nl.
The AP is of the opinion that imposing an administrative fine on A.S. Watson is not only appropriate
but also necessary. A.S. Watson has violated the rights and freedoms of citizens by
to process their data in an unlawful manner. The AP believes this is serious and is going to do so for that reason
aboutenforcementagainstA.S.Watson.
This decision explains the administrative fine. This will be discussed in turn
reason for the investigation, the findings of the investigation report, the process, the opinion
by A.S. Watson, the violation and the amount of the fine. Finally, the dictum follows.
1 Date Unmarked
May 2, 2024 z-2021-14274
1. Background investigation
1. A.S. Watson is a company established in Renswoude and active as a financial holding company that offers various
wholesale-retailcompaniesmanagedandexploited.Kruidvatiseen
subsidiary within the A.S. Watson group.
2. TheFirst-lineResearchdepartmentofthemanagementCustomer ContactsandControllingResearchoftheAP
In October and November 2019, we started an investigation into various websites, including
kruidvat.nl, to test whether those websites meet the requirements for placing (tracking)
cookies are set. It is also checked whether consent from those involved has been requested
for processing data by means of (tracking) cookies, as well as the manner in which
the giving of this permission had been designed.
3. On 29 November 2019, the AP sent a standard-transmitting letter to A.S. Watson in which
indicated that the applicable legal framework was probably not complied with. The AP has met
the aforementioned letter to A.S. Watson encouraged the method regarding the consent procedure
(tracking) cookies against the light.
4. The AP conducted technical research on April 28, 2020, May 7, 2020 and June 16, 2020 and found that
A.S.Watsonhadnotadjustedthemethod.
5. The AP subsequently initiated an ex-officio investigation into a possible violation of the GDPR
byA.S.Watson.
2. Findings research reports process flow
6. The findings of the investigation have been recorded in a report. This paragraph summarizes the most important ones
findings from this together.
7. A.S.Watson has its head office in the Netherlands.
Research report, appendix 8: extract from Chamber of Commerce.
2 File document 1: research report with appendices.
2/29 Date Unmarked
May 2, 2024 z-2021-14274
8. A.S.Watsonis responsible for the processing of the GDPR ofkruidvat.nl because it
3
goalsthemeansdeterminesthemethodofquestionsoftoestemmingvankruidvat.nl.
9. The privacy statement ofkruidvat.nl states that advertising cookies and tracking are included in a visit tokruidvat.nl
4
cookies are placed and read. The types of personal data are hereby described
basis of processing, the types of cookies as well as the retention period are described. There is also
information is given about sharing the collected information with third parties. Finally, the visitor becomes
from that website you are informed about the possibility of creating an account and it is
visitor is informed about the data required, such as the name and address details, the date of birth,
the gender and email address.
10. TheFirst-lineResearchdepartmentofthemanagementCustomercontactsandControllingResearchoftheAP
carried out technical research on the websitekruidvat.nl on 28 April 2020 and determined which one
cookies, javascripts and web beacons (hereinafter collectively referred to as: ''cookies'') are
placed/loaded athet Visitenvankruidvat.nl. Because the visitor has a consent procedure
must go through to share certain data (cookie window), the AP has looked at both
consent procedure itself and the placement of cookies both before and after going through the
consent procedure.
11. It turned out that cookies were used both before and after completing the consent procedure
placed.A.S.Watson has been asked about five cookies by the AP, in particular about the type
data processing per cookie, whether or not to assign a unique identifier to (the device
of) the visitor, the purpose of cookies and finally any processing by and
processing agreements with third parties.
12. In response to that request, A.S. Watson provided information to the AP about the five on 21 July 2020
requested cookies. Partly due to the response that A.S. Watson has given in the
research report established the following.
13.Thefirst-partyerius_usercookieandfirst_partyunless_visitorIDcookieassignauniqueuserID
to the website visitor, with goal personalization and keeping track of (future) repeating
visits.
14. The first-partyerius_sess cookie collects information about the specific visit (session) of a
visitor device at a certain time. It then depends on which pages are visited, which ones
products are added to the shopping cart and which ones are purchased, based on which recommendations
is clicked, the email address, user ID, IP address and user agent. The purpose of this cookie is to
3
4Research report, appendix 3: letter from A.S. Watson dated 21 July 2020.
Consulted by the AP on September 23, 2020 at 2:07 PM.
3/29 Date Unattribute
May 2, 2024 z-2021-14274
to offer this information about the visit a better user experience to the website visitor behind it
theuniqueuserID.
15. The first-party cookies also have a certain function determined by technical research
validity period:
a. peerius_user: until14January204011:39:10am(approx.19yearsand9months)
b. unless_visitorID: untilApril 28, 2021 11:39:10 am (approx. 1 year)
c. peerius_sess: until28april202015:39:10 (approx. a few hours)
16. The third-partyunlessjavascriptcollectsanalyticaldataperpagevisitbasedon
aggregated/aggregated behavioral scores, theURLand so-calledcustomevents.TheIPaddressand
user agent is also processed and sent. The IP address is not stored, but used to
determine the location of the browser session. All this data is sent by A.S. Watson to a
third party that processes this data. The purpose of this processing is personalization and the
optimizing the user experience. With this third party, A.S. Watson has
processing agreement concluded.
17. The third-party Google Analytics tracking beacon collects data for the purpose of obtaining
statistical insights into the use ofkruidvat.nl. This data is sent to a
third party (Google) with which a processing agreement has been concluded.
18. Finally, each of the above cookies has been determined to have been placed before the visitor
kruidvat.nl had given permission. On May 11, 2021, it was once again determined that the third party was unless
JavaScript was executed before permission was given.
19. The way in which A.S. Watson asks the visitor of the websitekruidvat.nl for permission
6
Placing cookies consists of a number of steps. In the first step, two options are displayed: “I
agree to the use of cookies” and “Would you like to know more?”
20. In the second step (after clicking on 'Want to know more?') the choice is given between 'Agree
continue''and''More information''.
21. In the next step (after clicking on ''More information''), a slider becomes visible with the options ''Functional
Cookies'', ''Required Cookies'' and ''Advertising Cookies''. A.S. Watson has ensured that the slider
5
'Useragents,Traficsources-referrers/campaigns/Sources,clientID/visitorID,Location,language,PageURL,Page Title,see
6research report,p.28.
Research report, appendix 5: technical research28 April 2020.
4/29 Date Unmarked
May 2, 2024 z-2021-14274
default was set to the option “AdvertisingCookies”. The three other options were “Cancel”, “Send
Preferences” and “Advanced Settings”.
22. In the fourth step (after clicking on “Advanced Settings”), separate permission can be given
for Functional Cookies and Advertising Cookies by clicking ''allow''. There are also two options:
“Cancel” and “SendPreferences”.
23. In step five (after clicking on “Send Preferences”), the website visitor is informed about
the fact that the settings have been sent and that the consent procedure is over.
24. The investigation report established that A.S. Watson set permission as the default as the entire
7
procedure will continue as long as no settings are actively changed by the visitor.
25. At the time of the investigation, the Primary Research Department of the management had customer contacts
Verifying investigation by the AP on September 4, 2020 determined that asking permission for
the placing of cookies had been changed, but that on the same date the ''Advertising cookies'' was still standard
were checked. The AP pointed this out to A.S. Watson on 24 September 2020 and to additional
questions were asked to A.S. Watson. On October 5, 2020, the AP determined that the consent procedure
was adjusted and that there was no longer any question of pre-filled boxes/pre-filled consent.
This change is the result of, according to A.S. Watson, the implementation of eLab2.0, in which a
future-proof cookie policy is used by means of a technical improvement of the
codebasevandewebsitekruidvat.nl.
26. When asked, A.S.Watson indicated that the number of visitors tokruidvat.nl during the period
from November 29, 2019 to June 25, 2020 was on [CONFIDENTIAL].It is for A.S. Watson
unknown how many unique visitors it concerns because of the possibility that the same user
different devices used.
27. The above is done by the department of primary research of management, customer contacts and control
Research from the AP was submitted in a report, which report was signed on 1 July 2021
A.S.Watsonissent. 9
7Research report, appendix 5: technical research28 April 2020.
8Research report, appendix 3: letter from A.S. Watson dated 21 July 2020.
9 File document 1: research report with appendices.
5/29 Date Unattribute
May 2, 2024 z-2021-14274
28. By letter of 19 August 2021, the Enforcement department of the Legal Affairs Directorate
Legislative advice from the AP expresses its intention to move to enforcement. A.S. Watson is included
given the opportunity to express her views on the investigation report. 10
11
29. A.S. Watson gave her written opinion on the report on 31 October 2021.
30. By letter dated 14 January 2022, the Enforcement Department of the AP requested additional
information requested, to which A.S. Watson responded on January 31, 2022.
31. Due to limited capacity at the AP, this procedure was subsequently halted. On October 11, 2023
hasA.S. Watson explained her views orally.
3. Legal framework
32. For a better readability of this decision, the relevant legal framework is included in the appendix.
legal framework is part of this decision.
4. ViewA.S.Watson
33. A.S. Watson has – in short – given the following view on the report.
34. The AP's investigation is unlawful, because the cookies and similar techniques are on the website
kruidvat.nl may not be regarded as public data in the AP without prior notice
with the permission or knowledge of A.S. Watson to enter her virtual courtyard. In addition, the AP
used a 'tool' that is not user-friendly. That is why the AP was forced to
to make the results transparent via expensive software that is not available to everyone
stands.
35. In addition, there is no legal basis for the investigation that the AP conducted.
36. A.S. Watson cannot deduce from the conclusion in the investigation report which accusation she is facing
must defend herself. This has damaged her rights of defence. This is stated in the investigation report
it is not clear whether A.S. Watson has committed one or more violations, which violation in which
period was committed and what the duration of the offense was.
1 File document 2: Letter of intention to enforce dated 19 August 2021.
1 File document 3: Written opinion of A.S. Watson from 31 October 2021.
6/29 Date Unmarked
May 2, 2024 z-2021-14274
37. The AP has not investigated how many users actually register and whether the collected
information can be linked to the registration data of users. Nor has the AP investigated
for which the cookies in question were used. The AP is therefore in conflict with it
principle of care has been taken.
38. The research report did not determine which cookies were placed at the time the option was selected
“advertising cookies” was accepted.
39. A.S.Watson did not have the actual or legal options to use cookies
identify natural persons.
40. The use of the concept of “personal data” from the Telecommunications Act (Tw) de facto constitutes a
unauthorized extension of that concept as included in the AVG.
41. A.S. Watson has not followed visitors to its website on other websites.
42. The number of visitors to the websitekruidvat.nl cannot serve as a basis for determining the size
and scope of a possible violation.
43. Withtheacceptdealcheckboxes,visitorsofKruidvat.nlexclude
permission has been given for the placement of cookies and similar techniques and therefore no
there is an ambiguous given consent.
44. A.S.Watson has not used the tracking functionalities of 'Unless' and 'Peerius' in the
period between 1 October 2020 and 11 May 2021 without prior permission from visitors.
45. A.S. Watson had no prior use of Google Analytics in the period from 1 October 2020
permission from visitors is required because from that date Google Analytics will only be used for
measuring the qualities and effectiveness of the website.
46. Insofar as there was a violation, the duration was limited to the period between April 28
2020 and 1 October 2020. If there is a violation, then a reprimand would be more
proportionate to the standard violated, which can be regarded as a minor infringement.
7/29 Date Unattribute
May 2, 2024 z-2021-14274
5. Assessment
5.1 Controller and authorityAP
47. It is established and not in dispute that A.S. Watson is the controller (Article 4, opening words under
7,GDPR).
48. The protection of natural persons in the processing of data is a fundamental right that 12
the AP must monitor as the competent supervisory authority. To comply with this, the GDPR is used
14
the AP has been assigned, among other things, the task of enforcing and monitoring the application of the GDPR. For this
To be able to carry out its task, the AP has investigative powers, such as carrying out checks and
15
requisitioninginformation. These investigative powers are used by the inspectors employed by the company
APemployment. In the context of an investigation into A.S. Watson, the inspectors of the APde
websitekruidvat.nlvisitedwiththeuseoftoolstoconducttechnicalresearch
results of this are written down in a report of official action.
49. Thewebsitekruidvat.nl is an accessible website for everyone. That is also exactly the purpose of that
website. After all, A.S. Watson uses kruidvat.nl to sell products to consumers online.
The public accessibility of this website is (therefore) essential for A.S. Watson. Other than that
ASH. Watson states that the websitekruidvat.nl is therefore not equated with a property (or a private domain).
Conducting research on a publicly accessible website such as kruidvat.nl is possible
in the opinion of the AP, it cannot be equated with entering an office building, a (secondary) branch
or another business premises. There is therefore no interference with private life, as A.S. Watson argues.
17
no way.
50. The AP is authorized under the GDPR to investigate the processing of
personal data and, where appropriate, the AP can proceed with enforcement when this is the case
infringement of the GDPR. in the Implementation Act of the GDPR in Chapter 5 of the General Act
administrative law, these powers are further specified. These powers also extend to
entering office buildings, (subsidiary) branches and business premises. A.S. Watson's point of view
therefore hits no target.
12Consideration 1 of the GDPR article 1GDPR.
13Article 55, first paragraph,GDPR.
14Article 57, first paragraph, suba, GDPR.
15Article 58, first paragraph,GDPR.
16Article 15, first paragraph, UAVG.
17Article 8Convention for the Protection of Human RightsFundamental Freedoms(ECHR).
8/29 Date Unattribute
May 2, 2024 z-2021-14274
5.2 Gathering legality evidence
51. Researchers of the AP are on the basis of article 58 of the GDPR, title 5.2 of the General Act
administrative law (Awb) is authorized to conduct investigations. In accordance with Article 5:18 of the Awb, they are authorized
matters to investigate. In this study, researchers from the AP have the freedom for everyone
accessiblewebsitekruidvat.nlvisitedtodotechnicalresearch intotheoperationonthatwebsite
of cookies. Such research falls under the authority referred to in Article 5:18 of the General Administrative Law Act.
circumstance where a computer program has been used to produce only the results of the
Making research transparent does not mean that the evidence gathering is unlawful. From unlawful
there is therefore no evidence gathering.
5.3 Principle of due care
52.A.S.Watson's argument that they were wrongly not given the opportunity to respond to
the technical investigation of May 11, 2021 and that therefore the AP has acted contrary to it
principle of care, fails. And because of the following.
53. The research report shows that technical research has taken place into the cookies on the
websitekruidvat.non 28 April 2020, on 7 May 2020 and on 17 June 2020. The researchers of the AP have
Following this research, A.S. Watson was asked, among other things, by letter dated 26 June 2020
to provide information about the cookies that the AP researchers use during that investigation
encountered. A.S. Watson responded to this on July 21, 2020, after which the researchers
September 24, 2020 have asked additional questions. A.S. Watson has also asked these questions
responded, on October 5, 2020. Followed up with another technical investigation on May 11, 2021
carried out, but A.S. Watson was not given the opportunity to respond. Well-being
research reports and the underlying documents provided to A.S. Watson on 1 July 2021.
has taken advantage of the opportunity given to her to express her views on this matter.
54. The results of the technical research, also taken into account by A.S. Watson
The views put forward do not, in the opinion of the AP, provide sufficient support for the conclusion that
addthevisitorsofkruidvat.nlintheperiodbetweenOctober11,2020untilMay11,2021cookieswerden
placed with the aim of processing data before visitors consent
had given. This means that there has been no violation of Article 6, first paragraph, of
the GDPR in the period between October 1, 2020 and May 11, 2021.
55. In the opinion of the AP, there is no question of acting contrary to the principle of due care.
On the contrary, A.S. Watson has not only been given the opportunity to do so at various times
questions to answer based on findings by the researchers of the AP, A.S. Watson
9/29 Date Unattribute
May 2, 2024 z-2021-14274
has also submitted an opinion. This opinion partly formed the basis for the conclusion
of the AP that there is no violation in the period between 1 October 2020 and 11 May 2021.
56. In view of the foregoing, the AP concludes that there is no conflict with it
principle of care.
5.4 Processing of personal data
57. This paragraph explains why the AP, unlike A.S. Watson argues, is of the opinion that
A.S.Watsonopkruidvat.nl has processed personal data by placing cookies.
58. Visitors to the websitekruidvat.nl have the option to register
18
address, e-mail address, gender, first name and date of birth are registered. According toA.S.Watsonis
approximately [CONFIDENTIAL] of the visitors ofkruidvat.nl registered. This means that A.S. Watson
of the registered visitors, the aforementioned data is processed before the visitors communicate about it
have given permission.
59. In addition, it follows from consideration 30 of the GDPR that natural persons can be linked to
online identifiers through their equipment, applications, instruments and protocols, such as
internet protocol (IP) addresses, identification cookies, or other identifiers such as radio frequency
identification tags. This can leave traces, especially when they are with unique identifiers
otherinformationreceivedbytheserverscanbecombinedandusedto
to set up profiles of natural persons and to recognize natural persons.
60. A.S.Watson assigns a unique user ID (or visitor ID) to each visitor using cookies, such as
highlighted in margin numbers 13 to 17 of this decision.
61. The unique user ID that is the first party cookie 'peerius_user' and the unique visitor ID that is the first party cookie
Link 'unless_visitorId' to a visitor, with the aim of tracking returning visitors. This
means that a visitor who has previously visitedkruidvat.nl can be identified with a unique one
user-IDofvisitor-IDandtheIP-address.
62. AlsousesA.S.WatsonUnlessons'thirdpartyjavascriptandthirdpartytrackingbeacon
GoogleAnalytics.Collects data to serveUnless andGoogleAnalytics21
1Research report, p.11 (and appendix 9 to the research report).
1Speaking notes and opinion session11 October 2023, margin number 3.7.
2'aggregatedbehavorialscores,URL,customevents,IPanduser-agent',see research report,p.27.
2'Useragents,Traficsources-referrers/campaigns/Sources,clientID/visitorID,Location,language,PageURL,Page Title,see
research report,p.28.
10/29 Date Unmarked
May 2, 2024 z-2021-14274
sent with the aim of creating a personalized experience based on the unique user ID or
visitor ID.UnlessonsGoogleAnalyticscanthusbebasedonthiscollecteddataand
data they have available to provide a personalized experience back to the website
kruidvat.nl.
63. This personalized experience together with the unique user ID or visitor ID makes that of the visitors
vankruidvat.nl profiles are made. In addition, A.S. Watson can also create interest profiles for himself
set up personalization purposes by processing data including the navigation behavior on the
web pages (pages viewed) and products added to the shopping cart and purchased
products, geolocation and IP address. Kruidvat.nl offers a very wide variety of products.
It can concern health products, care products, household products, but also
electronics, toys and baby products. In particular, viewing them in context with the shopping cart
added products, purchased products and geolocation (via IP address) linked to unique user ID
orvisitor-ID can sketch a very specific and invasive profile of the visitors ofkruidvat.nl. 22
64. In this context, the AP notes that A.S. Watson itself indicates in its privacy policy that it
personal data of visitors is processed. Visitors are explicitly mentioned in the privacy policy
informed about the processing of their data. Examples are:
“In this privacy policy we explain what types of data we collect[…]”; 23
“What data may we collect?
Information about the type of browser you use when visiting our Sites, your IP address and device address,
hyperlinks you clicked, the previous website you visited before coming to our Sitesinformation
collected by cookies or similar tracking systems. Your username, profile photo, gender, networks and all
other information you want to share when you use third-party sites (such as when you like "Like"
24
functionalityonFacebookused)”; and
“We can also tailor our Sites and our products to your interests and needs, through information about you
device to collect and link it to your personal data. This way we ensure that our sites are aligned
arewhatinterestingtoyou”.5
65. For unregistered visitors, this involves the processing of a unique user ID or visitor ID that
interchangeable with a name. Such an online identifier counts as personal data in the sense of
22
Zieter comparison:Amsterdam Court of Appeal,5 December 2023, ECLI:NL:GHAMS:2023:2971.
23Research report,p.10.
24Research report,p.10.
25Research report, p.11 (and appendix 5, p.9 to the research report).
11/29 Date Unmarked
May 2, 2024 z-2021-14274
Article 4, under 1, GDPR. This is because it is possible that the data subject directly or indirectly
Identifiable is that this is the case with the unique user ID or visitor ID.
66. In view of the foregoing, the AP concludes that A.S. Watson may collect personal data from visitors to
kruidvat.nlprocessed.
5.5 Basis for processing data
67. Now there is a question of processing of personal data, it must then be assessed by A.S. Watson
there is a basis for this processing. After all, the processing of personal data is only
lawful if there is a basis for this. 27
68. A.S.Watson places cookies on the equipment of visitors ofkruidvat.nl (from now on: the data subject) with
the purpose is to process data. A.S. Watson has been used to place cookies
consent from the data subject is required. The consent given by the data subject must consist of several
free, specific, informed and unambiguous expression of will, in combination with an unambiguous one
activeaction. Silence, the use of boxes or checkmarks already checked, or inactivity applies
not as permission. 29
69. The investigation report shows that during a visit tokruidvat.nl the equipment of the person concerned
cookies are placed before the data subject has given permission for them. This is the point
followingcookies:
- Firstparty cookie 'peerius_user';
- Firstparty cookie 'unless_visitorId';
- ThirdpartyjavascriptfromUnless;en
30
- Third party tracking beacon from Google Analytics.
70. This fact in itself constitutes a violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph
paragraph, under a, GDPR, because without prior consent, thus unlawful, personal data of the
data subject are processed.
26
27CJEU19October2016,C-582/14,ECLI:EU:C:2016:779(Breijer),paragraph 42.
Article 6, first paragraph, GDPR.
28See article 4, preamble under 11, GDPR.
29Consideration 32 of the GDPR; see also CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801(Planet49), paragraph 61-63.
3 Research report p. 11 and appendix 5 to the research report p. 11 et seq.
12/29 Date Unmarked
May 2, 2024 z-2021-14274
71. It also follows from the research report that the websitekruidvat.nl has the checkmark on “agreement” as standard
selected, so that the data subject is assumed to agree with it by default
31
placing advertising cookies. Wanted to find out whether the data subject is concerned about “advertising cookies”
have been set, the person concerned must take the following steps.
72. In the first step at the bottom of the page, the data subject has the choice of “I agree to the use of
cookies” or “want to know more”.
73. Once you click on “want to know more”, the person concerned will arrive at the second step with a subsequent 'pop-up'
with the choice of “continue agreeing” or “more information”.
31
Research reportp.12-15.
13/29 Date Unmarked
May 2, 2024 z-2021-14274
74. Then, at the third step, the person concerned encounters a successive 'pop-up' containing a vertical slider
which is set to “advertising cookies” by default. The data subject has the option on this screen to opt
Click on “advanced settings”.
75. When the data subject clicks on this, a 'pop-up' will appear in the fourth step with the option to
Allow or refuse functional cookies and advertising cookies.
76. The AP notes that this case concerns pre-checked (advertising) cookies. According to the
32
case law of the Court of Justice of the European Union (CJEU) does not
legally valid consent for placing cookies on the data subject's equipment
a standard checked check box is used that the data subject must uncheck
in case he refuses to give his consent. Now that A.S. Watson has made use of the advance
(advertising) cookies that are checked do not imply that they are free, specific, informed persons
unequivocal expression of intention by the data subject by means of a statement or a
accepts unequivocal action regarding the processing of data.
77. The AP concludes with regard to pre-checked (advertising) cookies that there is a
violation of Article 6, first paragraph, in conjunction with Article 5, first paragraph, under a, GDPR because
A.S.Watson has not received permission as intended for the data subject from the person concerned
processing of personal data. It follows that A.S. Watson is unlawful, because it is contrary to the
GDPR, has acted.
3CJEU1October2019,C-673/17,ECLI:EU:C:2019:801(Planet49),paragraph 63.
14/29 Date Unmarked
May 2, 2024 z-2021-14274
5.6 Duration of the violation
78. As of October 1, 2020, A.S. Watson adjusted its working method with regard to asking
permission to the data subject to place (the aforementioned) cookies during a visit
kruidvat.nl. This adjustment does not include all other cookies, other than necessary cookies.
are checked by default.
79. Furthermore, it follows from the research report that the Third Party Javascript of Unless was published on 11 May 2021
found before the person concerned had given permission. A.S. Watson has explained
it has been made plausible that Unless's Thirdparty JavaScript only became active after October 1, 2020
the person involved had given permission for this. It has now been determined in the investigation report
that mentioned javascript has been found, without its functionality being apparent, and partly in view of what
A.S. Watson has argued in her opinion on this point, the AP concludes that A.S. Watson
October 1, 2020 only places cookies after the data subject has given permission.
80. This means, as already considered in paragraph 53, that the violation of Article 6, first paragraph, in
connection with article 5, first paragraph, under a, GDPR took place until October 1, 2020.
6. Administrative fine
81. The AP is, on the basis of Article 58, second paragraph, at the beginning and below, in connection with Article 83 GDPR
read in conjunction with Article 14, paragraph 3, UAVG, the authority to impose an administrative fine.
82. The case law of the ECJ shows that the wording of Article 83, paragraph 2, GDPR follows
that infringements of the provisions of the GDPR that are culpable by the controller
manner committed – that is to say, infringements committed intentionally or negligently – could lead to
that the controller may impose an administrative fine on the basis of that article
34
be imposed. In this case there is culpable conduct on the part of A.S. Watson for which the AP
will impose a fine.
83. It has been concluded above in paragraphs 70 and 77 that A.S. Watson was wrongfully without permission
has processed data from the data subject and has therefore processed Article 6, first paragraph, in conjunction with
Article 5, first paragraph, under a, GDPR has been violated. This violation occurred during the period
from April 28, 2020 to October 1, 2020. This means that there is one behavior for which a
administrative fine will be imposed.
3Research report p.20 and appendix 11 to the research report.
3CJEU5December2023,C-683/21,ECLI:EU:C:2023:949(NVSC)point73and83;CJEU5December2023,C-807/21,ECLI:EU:C:2023:950
(DeutscheWohnen)point68and76.
15/29 Date Unmarked
May 2, 2024 z-2021-14274
6.1 Systematics for determining the amount of the fine
84. When exercising its power to impose an administrative fine, the APobserves both
Policy rules of the AP regarding determining the amount of administrative fines (Stcrt.2019,
14586)(hereinafter: Fine policy rules) as the Guidelines 04/2022 for the calculation of administrative
fines under the GDPR (hereinafter: Guidelines). In the explanatory notes to the Fine Policy Rules 2019
mention that the EDPB does not yet have common principles for calculating fines
was established. This was due to legal equality and legal certainty policy
to determine with regard to the power to impose a fine. Because within the EDPB
the aim was to arrive at joint principles regarding the fine calculation, this was
policy is temporary in nature. On 24 May 2023, the EDPB adopted the Guidelines. This policy is
joint principles have been laid down for the situation in which companies violate the GDPR. In the present
In this case, the application of the 2019 Fine Policy Rules amounts to the same fine amount as
applicationoftheGuidelines.
85. The amount of the fine will be determined as follows:
1. Determining the starting amount of the fine on the basis of the Fine policy rules;
2. Consideration of the circumstances based on the Penalty Policy Rules;
3. Consideration of the circumstances based on the Guidelines;
4. Determining the amount of the fine and assessing effectiveness, proportionality and deterrence.
86. These parts are discussed in turn below.
6.2 Determining the starting amount based on Fine policy rules
87. In this case, the starting point is the applicable bandwidth of the Fine policy rules.
The AP shall determine the amount of the fine, without prejudice to Articles 3:4 and 5:46 of the General Administrative Law Act,
take into account the factors mentioned in article 7 of the Fine Policy Rules. These factors are also included
Article 83, second paragraph, GDPR appointed in the Guidelines.
88. For a violation of Article 6, first paragraph, GDPR, in conjunction with Article 5, first paragraph, under
a, GDPR, the AP may impose an administrative fine up to an amount of € 20,000,000. In the case of a
company may be fined up to 4% of the total worldwide annual turnover
previous financial year, if this figure is higher.
35
36th Guidelines can be consulted at<edpb_guidelines_042022_calculationofadministrativefines_nl_0.pdf(europa.eu)>.
EuropeanDataProtectionBoard, or the European Data Protection Committee referred to in Article 68e of the GDPR.
16/29 Date Unmarked
May 2, 2024 z-2021-14274
89. Under the Fine Policy Rules, an infringement is classified into a category according to the
violation of the provision, ranging from category I to IV. The following applies: how important the provision is
for the protection of data, the higher the category of infringement. The
37
Penalty policies stipulate that violations of Articles 5 and 6 GDPR fall into category III. The
bandwidth of this category runs from €300,000 to €750,000. This bandwidth will be
starting point for the further calculation of the final fine, after consideration
therelevantfactors.
6.3 Assessment of the circumstances based on the Fine Policy Rules
90. When determining the amount of the fine, the relevant circumstances are discussed in this case
assessed on the basis of the factors mentioned in Article 7 of the Fine Policy Rules
case, the nature and severity, duration of the infringement are taken into account. Other circumstances
which are taken into account in each case are the categories of personal data concerned
or there is an infringement that is by nature intentional or negligent.
i. Nature, severity and duration of the infringement
Nature of the infringement
91. With regard to the nature of the infringement, the AP considers that the infringement relates to the principle
of legality. This is one of the six basic principles of the GDPR and therefore fundamental
requirement for the protection of data. The principle of lawfulness guarantees the
control of the data subject over his data. By tacit consent
Assuming and making use of pre-filled boxes, A.S. Watson has ignored it
principle of lawfulness and the data subject has a say over his data
harmed. Moreover, the (European) legislator has emphasized that this method of obtaining consent
notinlinewithGDPR. 38
Seriousnessoftheinfringement
92. When determining the seriousness of the infringement, the AP takes into account the extent of the processing, the
number of people involved and the damage suffered by them. Furthermore, the AP takes into account how long
the infringement has lasted, as well as the type of personal data to which the infringement relates.
37
38ieFine policy rules 2019, appendix 2.
Recital 32 in the GDPR.
17/29 Date Unmarked
May 2, 2024 z-2021-14274
93. With regard to the extent of the processing, the AP notes that there was no question of
extremely large processing, but there was also no small-scale processing
The area of application of the processing concerned the whole of the Netherlands. Furthermore, A.S. Watson collected them
personal data via the website kruidvat.nl operated by her by means of posting
(tracking) cookies. With regard to the purpose of the processing, the AP takes into account the processing of
personal data by placing such (tracking) cookies not under any of the
main activities ofA.S.Watsonvalt.
94. With regard to the number of people involved, the AP notes that A.S. Watson has stated that she
the period between 29 November 2019 and 25 June 2020 has had approximately [CONFIDENTIAL] visitors
kruidvat.nl. It is not possible to determine how many of these website visitors are unique visitors.Continue
A.S.Watson has substantiated that during the period mentioned, in view of the government's
restrictions imposed in connection with the COVID19 pandemic, there has been an increase in the number
visitorsopkruidvat.nl.Drogisteriesweredesignatedatthetimeasessentialshopsterwijandere
shops had to close their doors. The AP deduces from this that the number of people involved is below
would have been (or would have been) lower under normal circumstances. Given this, the AP judges that even in the case under
Under normal circumstances the visitor numbers would only be half of [CONFIDENTIAL].
There is still a substantial number of visitors. This is also the case if, such as A.S. Watson
itself indicates, only [CONFIDENTIAL] of those visitors make a purchase or only
[CONFIDENTIAL]is logged in. In all cases it concerns [CONFIDENTIAL] logged in visitors and
[CONFIDENTIAL]visitors who have made a purchase, who have been affected by the conduct of
A.S. Watson.
95. With regard to (the extent of) the damage, the AP notes that the person concerned was by A.S.Watson
control over his personal data, with which A.S. Watson has committed an infringement
on the rights and freedoms of those involved. In this case, it has not been established that those involved and in concrete terms
40
have suffered demonstrable damage.
Duration of the infringement
96. As mentioned in paragraph 5.6, the AP found that the infringement occurred by
April 28, 2020 to October 1, 2020. The infringement found lasted five months.
97. The AP qualifies the nature of the infringement as serious, due to the violation of two fundamental
aspects of the GDPR. On the other hand, the infringement was short-lived and the severity of the
infringement must be qualified as low.
39
40 research report p. 19 and appendix 3 to the research report.
CJEU 5 March 2024, C-755/21, ECLI:EU:C:2022:202(Kočner v Europol) point 135.
18/29 Date Unmarked
May 2, 2024 z-2021-14274
ii. The intentional or negligent nature of the infringement
98. Pursuant to Article 7, opening words and subsection b, Fine Policy Rules, the AP takes into account the intentional or
the negligent nature of the infringement by A.S. Watson. The gravity of the infringement is indeed greater
weight when the controller has consciously committed an infringement. When the
infringement is the result of negligent behavior, then the gravity of the infringement has a smaller weight.
99. In this framework, the AP takes into account that A.S. Watson has a method with the previously checked cookies
followed without regard to the requirement that there must be a free, specific,
informedan unequivocal expression of will from the data subject by means of
a statement or an unequivocal action regarding the processing of personal data
accepts. Furthermore, A.S. Watson has only started adapting its working methods,
only after she was made aware by the AP in the standard letter of 29 November 2019 that A.S.
Watson, with its working method, infringes the GDPR. The AP notes that this adjustment determines
could have been more expeditious.
iii. The categories of personal data infringed
100. Pursuant to Article 7, paragraph 1, Fine Policy Rules, the AP takes the categories into account
personal data involved in the infringement. If data have been processed, those special
deserve protection, the AP qualifies the infringement as more serious
categories mentioned in articles 9 and 10 of the GDPR.
101.The AP notes that there is no question of processing special data in the sense of
Articles 9 and 10 of the GDPR. With regard to the amount of data, the AP notes that A.S. Watson
has processed a limited number of personal data.
102.Based on the considerations under i, ii, and iii, the AP assesses the severity of the violation. The
The qualifications indicated also determine the amount of the fine within the bandwidth of category III
Penalty Policy Rules .Taking into account the foregoing circumstances, the AP is of the opinion that this
case the severity of this infringement must be qualified at a low level.
iv. Other relevant circumstances applicable to the present case
4See Fine Policy Rules 2019, appendix 2.
19/29 Date Unmarked
May 2, 2024 z-2021-14274
103.The AP has established the other circumstances as mentioned in Article 7, underk, Fine policy rules
taken into consideration.The long period between providing the research report to A.S. Watson
and the adoption of this enforcement decision is the reason for the AP to impose the fine from the perspective of
proportionality.
104. Furthermore, it has not become apparent that any remaining circumstances referred to in Article 7 of the Fine Policy Rules
mentioned and views regarding the infringement by A.S. Watson have occurred.
6.4 Assessment of the circumstances based on the Guidelines
105.The Guidelines describe a methodology that will be considered successively:
1. What and how many acts and infringements are under assessment;
2. What amount is the starting point for calculating the fine for this;
3. Whether mitigating or aggravating circumstances arise, it is open to adjustment
amountexit2;
4. What maximum amounts apply to the violations and any increases from the previous ones
stepnotexceedthisamount;
5. Whether the final amount of the calculated fine meets the requirements of effectiveness,
deterrence and proportionality, and if necessary, adjusted accordingly.
106.The number of actions that resulted in infringements of the GDPR and the starting amount for
penalty calculation are already qualified under paragraph 6.2.
107. As well as the Fine Policy Rules, write the Guidelines before the AP considers whether to mitigate or
are aggravating circumstances that may lead to an adjustment in the classification of the infringement.
This must be done on the basis of the circumstances stated in Article 83, second paragraph,
salutationsunderatotenwithk,AVG.
108.First of all, attention must be paid to the gravity of the infringement. Here is an account
taken into account the nature, severity and duration of the infringement, as well as the intentional or negligent nature of the infringement
infringements and categories of processed data. For this purpose, in section 6.3, are these
factors have already been discussed. This has led to the severity of the infringement being classified as low.
109.The Guidelines are written before taking into account the size of the company from the point of view of fairness
must be taken into account when calculating the amount of the fine. The size of the company is determined
42
Guidelines,p.17.
20/29 Date Unmarked
May 2, 2024 z-2021-14274
based on the turnover. According to the case law of the Court of Justice, the turnover of the entire group must
are used to determine the upper limit of the fine. A.S. Watson is a full one
subsidiary ofA.S.WatsonEuropeHoldingB.V.which in turn is a complete
is a subsidiary of CKHutchisonHoldingsLimited. Therefore, the size of the company
are determined on the basis of the worldwide turnover of CKHutchisonHoldingsLimited. The turnover 44
from CKHutchisonHoldingsLimited amounted to €53.5 billion in 2022. The AVG writes a maximum
fine of 4% of the total worldwide annual turnover for. In this case it is legal
maximum fine of €2.14 billion.
110. Then write the Guidelines for the other circumstances from Article 83, second paragraph, GDPR
are taken into account. As already mentioned, the circumstances that are taken into account
are stated in that provision (parts, atoms and with k).
As other circumstances, the AP has taken into account the long period of time between publishing it
investigation reports the issuance of an enforcement decision. This part is noted as
mitigation with regard to the amount of the fine.
6.5 Determining the amount of the fine and assessing effectiveness, proportionality and deterrence
111. In this case, the amount of the fine will, however, be determined by applying the basic fine from the
concerning category of the Fine policy rules. The amount of the fine will be determined in this specific case
both the Penalty Policy Rules and the Guidelines lead to the same outcome.
112. In this case, it concerns an infringement for which category III of the Fine policy rules apply.
The fine range for category III ranges from €300,000 to €750,000.
113. In view of all the aforementioned circumstances, the AP will be fined €600,000 due to the
placing cookies without prior legally valid consent from the data subject
(Article 6, first paragraph, read in conjunction with Article 5, first paragraph, under a, GDPR). The AP finds this fine
appropriate commandments.
114. Finally, it must be assessed whether the fine is effective, proportionate and deterrent. From Article 49,
third paragraph, of the Charter of Fundamental Rights of the EU and articles 3:4 and 5:46, second paragraph, General Administrative Law Act
It follows that, given the circumstances of the case, the administrative fine does not lead to a disproportionate penalty
outcome.
4GroupeGascogneSA v European Commission (Case C-58/12P, judgment of 26 November 2013), ECLI:EU:C:2013:770, §52-57.
4A calculation based on CKHutchisonHoldingsLimited's global turnover of HK$457 billion, as
parent company of A.S. Watson. See 2022AnnualResults, p.24.
4See Article 83, fifth paragraph, GDPR.
21/29 Date Unmarked
May 2, 2024 z-2021-14274
115. An administrative fine is effective when the purpose for which it was imposed is achieved.
The purpose may be to punish unlawful conduct, as well as to promote compliance
applicable regulations. Given the considerations regarding the nature, severity and duration of the infringement,
as well as the aggravating and mitigating circumstances of Article 83, second paragraph, GDPR is the AP of
judges that the present administrative fine achieves both objectives and is therefore effective.
116. The AP considers the fine proportionate, taking into account the seriousness of the violation. Now violation of a
of the basic principles of the GDPR has taken place, the AP considers an administrative fine advisable.
Partly in view of the previously mentioned turnover of €53.5 billion of the group to which A.S. Watson belongs,
the AP concludes that no such special circumstances have occurred that the
administrative fine on A.S. Watson would be disproportionate.
117.Finally, the fine imposed must be a deterrent. This means that A.S.Watson will be in the future
prevented from an infringement of the GDPR. The AP is of the opinion that the prescribed fine is a
has a deterrent effect.
7. Conclusion
118.TheAPlegatestoA.S.WatsonHealth&BeautyContinentalEuropeB.V.for violation of Article 6,
first paragraph, read in conjunction with article 5, first paragraph, under a, GTC No administrative fines
46
amount of €600,000.
Yours faithfully,
Dutch Data Protection Authority,
mr.A.Wolfsen
Chair
Remedies clause
If you do not agree with this decision, you can do so within six weeks after the date of dispatch of the letter
decides to submit an objection digitally or on paper to the Dutch Data Protection Authority.
Article 38 of the UGDPR suspends the submission of an objection to the effect of the decision
4The AP will hand over the aforementioned claim to the Central Judicial Collection Agency (CJIB).
22/29Date Unattribute
May 2, 2024 z-2021-14274
imposition of the administrative fine. The AP will only proceed to recovery after the decision
has become irrevocable.
To submit a digital objection, see www.autoriteitpersoonsgegevens.nl, under the heading Object
against a decision, at the bottom of the page under the heading Contact the Dutch Data Protection Authority.
The address for submitting on paper is:
Dutch Data Protection Authority, PO Box93374, 2509AJTheHague.
Please state 'Awb objection' on the envelope and put 'objection notice' in the title of your letter.
Write in your objection letter at least:
-your name and address;
-the date of your objection;
- attach the reference (case number) mentioned in this letter; or a copy of this decision;
-the reason(s) why you do not agree with this decision;
-your signature.
Attachment 1
23/29Date Unattribute
May 2, 2024 z-2021-14274
General Data Protection Regulation
Article4
Definitions
For the application of this Regulation the following definitions apply:
1) 'personal data' means any information relating to an identified or identifiable natural data
person ("the data subject"); is considered identifiable as a natural person who is directly or
can be identified indirectly, in particular by means of an identifier such as a name, a
identification number, location data, an online identifier or one or more elements that
characteristic of the physical, physiological, genetic, psychological, economic, cultural or social
identity of that natural person;
2) processing”: an operation or set of operations performed on personal data
or a set of personal data, whether or not carried out via automated processes, such as
collecting, recording, organizing, structuring, storing, updating or changing, querying, consulting,
use, provide by transmission, distribute or otherwise make available
set, align or combine, shield, erase or destroy data;
[…]
7) controller” means a natural or legal person, a
government agency, service or other body that, alone or together with others, serves the purpose of
determines the means for processing data; when the objectives of the
the means for this processing may be laid down in Union or Member State law
it is determined who the controller is or according to what criteria he is appointed;
[…]
11) consent” of the data subject: any free, specific, informed and unambiguous
expression of will expressed by the data subject by means of a statement or an unambiguous statement
accepts action regarding the processing of data;
Article5
1. Personal data must:
24/29Date Unattribute
May 2, 2024 z-2021-14274
a) processed in a manner that is lawful, proper and transparent with regard to the data subject
(legality, propriety and transparency);
[…]
Article6
1. The processing is only lawful if and to the extent that at least one of the following applies
conditions are met:
a)the data subject has given consent to the processing of his personal data for one or
more specific purposes;
b) the processing is necessary for the performance of an agreement to which the data subject is a party, or
to take measures at the request of the data subject before concluding an agreement;
c)the processing is necessary for compliance with a legal obligation imposed on the
controller rest;
d) the processing is necessary for the purposes of the vital interests of the data subject or of another natural person
protect persons;
e) the processing is necessary for the performance of a task of general interest or of a task in the
in the context of the exercise of public authority, the data controller is required to do so;
f) the processing is necessary for the purposes of the legitimate interests pursued by the
controller or of a third party, except where the interests or fundamental rights and
fundamental freedoms of the data subject that require the protection of personal data are more stringent
weigh these interests, especially when the person involved is a child.
Point (f) of the first paragraph shall not apply to processing by public authorities in the context of
performance of their duties.
2. Member States may maintain or introduce more specific provisions to adapt the manner
to which the rules of this Regulation regarding processing for the purpose of compliance with
paragraph 1(c) (e) shall be applied; to this end they can provide a further description of specific ones
regulations for processing and other measures to ensure lawful and proper processing
guarantees, also for other specific processing situations as referred to in Chapter IX.
[…]
Article58
Powers
25/29Date Unattribute
May 2, 2024 z-2021-14274
[…]
2.Each supervisory authority shall have all the following powers to take corrective action
measures:
[…]
(i) as appropriate to the circumstances of each case, in addition to or instead of that referred to in this paragraph
measures, imposing an administrative fine on the basis of Article 83;
[…]
Article83
General terms and conditions for imposing administrative fines
1. Each supervisory authority shall ensure that any administrative penalties imposed pursuant to this
article are imposed for the end of paragraphs 4, 5 and 6, infringements of this regulation are mentioned in each case
be effective, proportionately deterrent.
2. Administrative fines are imposed, depending on the circumstances of the specific case
in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j).
it decides on whether an administrative fine will be imposed and on its amount
the following shall be duly taken into account for each concrete case:
(a) the nature, severity and duration of the infringement, taking into account the nature, extent or purpose
of the processing in question as well as the number of data subjects affected and the extent of the processing by them
damages suffered;
b) the intentional or negligent nature of the infringement;
c) the measures taken by the controller or processor to
limit damage suffered by those involved;
d) the extent to which the controller or processor responsible is seen
technical and organizational measures he has implemented in accordance with Articles 25 and 32;
e) previous relevant infringements by the controller or processor;
(f) the extent to which it cooperated with the supervisory authority to commit the infringement
to remedy and limit possible negative consequences;
g) the categories of personal data to which the infringement relates;
h) the manner in which the supervisory authority became aware of the infringement, in particular
whether, and if so to what extent, the controller or processor has reported the infringement;
26/29Date Unattribute
May 2, 2024 z-2021-14274
(i) compliance with the measures referred to in Article 58(2), to the extent that they previously concern
of the controller or processor in question in relation to the same
matter have been taken;
j) adherence to approved codes of conduct in accordance with Article 40 or of approved ones
certification mechanism in accordance with Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial gains made, or losses avoided, whether or not directly resulting from the infringement
ensue.
3.If a controller or a processor intentionally or negligently with regard to
to the same or related processing activities, an infringement commits more than one
provisions of this regulation, the total fine is not higher than that for the serious infringement.
4. Infringements of the provisions below shall be subject to administrative action in accordance with paragraph 2
fines up to EUR 10 000 000 or, for an undertaking, up to 2% of the total worldwide annual turnover in
the previous financial year, if this figure is higher:
a) the obligations of the controller and the processor in accordance with this
Articles 8, 11, 25 to 39, 42 and 43;
(b) the obligations of the certification body under Articles 42 and 43;
(c) the obligations of supervision in accordance with Article 41(4).
5. Infringements of the provisions below shall be subject to administrative action in accordance with paragraph 2
fines up to EUR 20 000 000 or, for an undertaking, up to 4% of the total worldwide annual turnover in
the previous financial year, if this figure is higher:
a) the basic principles of processing, including the conditions for consent,
in accordance with Articles 5, 6, 7 and 9;
(b) the rights of the data subject in accordance with Articles 12 to 22;
c) the transfer of personal data to a recipient in a third country or an international country
organization in accordance with articles 44 to 49;
(d) all obligations under law established by the Member States under Chapter IX;
e) non-compliance with an order or a temporary or permanent processing restriction or
suspension of data flows by the supervisory authority in accordance with Article 58(2) or
failure to grant access in violation of Article 58(1).
6. Non-compliance with an order of the supervisory authority referred to in Article 58(2) is
in accordance with paragraph 2 of this article, subject to administrative fines of up to EUR 20 000 000 or,
27/29Date Unattribute
May 2, 2024 z-2021-14274
for a company, up to 4% of the total worldwide annual turnover in the previous financial year, if this
grade higher.
7. Without prejudice to the powers to take corrective measures of the supervisory authority
authority, in accordance with Article 58(2), each Member State may lay down rules concerning the question whether and
to what extent administrative fines can be imposed on persons established in that Member State
government agencies and government bodies.
8. The exercise by the supervisory authority of its powers under this Article is
subject to the appropriate procedural guarantee in accordance with Union law and Member State law
law, including an effective remedy and a fair administration of justice.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may
are applied in such a way that fines are initiated by the competent supervisory authority
and imposed by the competent national courts, ensuring that these remedies are available
are effective and have the same effect as those imposed by supervisory authorities
administrative fines. The fines are effective, proportionate and deterrent in every case
Member States shall communicate to the Commission by 25 May 2018 at the latest the legislative provisions it adopts on the basis of
adopt this paragraph, as well as all subsequent amendments thereto and all matters affecting it
amending legislation.
Implementation Act of the General Data Protection Regulation
Article14
DutiesandauthoritiesAP
[…]
3. The Data Protection Authority may, in the event of a violation of the provisions of Article 83, fourth,
fifth or sixth paragraph of the regulation imposes an administrative fine on at most these members
mentioned amounts.
General Administrative Law Act
Article3:2
When preparing a decision, the administrative body gathers the necessary knowledge about the relevant issues
factsandweighinginterests.
Article3:4
28/29Date Unattribute
May 2, 2024 z-2021-14274
1. The administrative body shall weigh the interests directly involved in the decision, insofar as not stated
a limitation arises from a legal requirement or from the nature of the authority to be exercised.
2. The adverse consequences of a decision for one or more interested parties may not be disproportionate
relationship to the goals to be served by the decision.
Article4:8
1. Before an administrative body issues a decision against which an interested party takes the decision
has not requested it is expected that he will have reservations, it puts the interested party to an end
opportunity to submit his views if:
(a) the decision would be based on information about facts and interests concerning the interested party, and
b) that data has not been provided by the interested party itself.
2.The first paragraph does not apply if the interested party has not fulfilled a legal obligation
to provide data.
Article 5:46
1. The law determines the maximum administrative fine that can be imposed for a specific violation
imposed.
2. Unless the amount of the administrative fine has been determined by statutory regulation, it votes
administrative body administrative fine depending on the seriousness of the violation and the extent to which it occurred
offender can be blamed. The administrative body will take this into account if necessary
circumstances under which the violation was committed.
3. If the amount of the administrative fine has been determined by statutory regulation, it shall be imposed
administrative body shall nevertheless impose a lower administrative fine if the offender can demonstrate that this is the case
established administrative fine due to special circumstances is too high.
4. Article 1, second paragraph, of the Criminal Code applies accordingly.
29/29
