BVwG - W108 2280724-1
From GDPRhub
| BVwG - W108 2280724-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 4(7) GDPR Article 4(11) GDPR Article 7 GDPR Article 58(1)(b) GDPR Article 58(2)(d) GDPR §1 DSG §133 Abs4 B-VG |
| Decided: | 31.07.2024 |
| Published: | 05.09.2024 |
| Parties: | |
| National Case Number/Name: | W108 2280724-1 |
| European Case Law Identifier: | |
| Appeal from: | DSB D124.5057 2022-0.735.789 |
| Appeal to: | Not appealed |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (in German) |
| Initial Contributor: | n/a |
The BVwG annulled the DPA decision regarding a cookie banner. The DPA ordered the controller to redesign the cookie banner so the reject button was available on its first layer.
English Summary
Facts
The data subject visited the website, for which the complaining party was responsible, on May 21, 2021. Upon accessing the website, the data subject was presented with a 'Consent Management Platform (CMP or cookie banner)' that, according to the data subject, violated Article 17 GDPR. The data subject filed a complaint to the authority concerned ('Datenschutzbehörde - DSB') on August 10, 2021.
The authority concerned sent the complaint to the processor, to which the processor submitted a statement on November 26, 2021. In this statement, the processor claimed to have reworked the design of the CMP and to have deleted the contested personal data of the data subject.
The data subject replied to this statement claiming that even though the violations identified in the complaint had been remedied by the new design of the CMP, certain cookies were then classified as 'strictly necessary' (within the meaning of Article 5 (3) ePrivacy Directive) and thus set as 'always active'.
The processor issued a supplementary statement on June 3, 2022 claiming not to have processed any personal data without the data subjects consent. In addition, the processor explained that the note 'always active' for certain cookies was incorrect and had only not been removed by the time of the data subject's statement for technical reasons.
Upon being granted a party's opinion, the data subject claimed in its statement on July 12, 2022 that the cookies had still been incorrectly classified and various non-required cookies were set without interaction with the banner. In response to this statement, the processor claimed in its reply that it had revised the cookie settings and the banner again and the contested cookies that were not deemed strictly necessary were not being set anymore if consent was not given.
The data subject stated on October 10, 2022 that their data was indeed processed without their consent upon visiting the website and that the processor had not explained in sufficient detail to what extent certain cookies were considered strictly necessary.
The authority concerned dismissed the complaint by decision of October 3, 2022. However, it also officially instructed the processor in point 3) to adapt the website and the banner in such a way to be compliant with Article 4 (11) and (7) and Article 7 (3) GDPR, respectively.
The processor lodged a timely appeal against point 3) of the decision, claiming that the design of the cookie banner is already in compliance with Article 7(3) GDPR as it already has a sufficiently marked option to revoke consent. Furthermore, the processor claimed not to have set cookies that are not technically necessary and the website is therefore already in compliance with Article 4(11) and (7) GDPR.
The processor submitted an additional statement on June 6, 2024 that it decided not to operate the website XXXX any further and redirect visitors to a different website. The processor claimed that this provided another reason to annul point 3) of the decision of the DSB. The data subject issued multiple statements during the proceedings, claiming that the new website violates Article 4(11) and (7) and Article 7(3) GDPR in the same way as the previous website did.
Holding
The DPA gave way to the appeal of the processor and annulled the contested ruling point 3) of the decision of the DSB on the following grounds: After the changes made to the design of the CMP, there are clear textual instructions given as to how to grant or revoke consent. It is now as easy for an averagely informed, attentive and circumspect consumer to grant consent as to revoke it and the CMP is therefore already in compliance with Article 7(3) GDPR. Upon visiting the latest version of the website, there are only strictly necessary cookies in terms of Article 5 (3) ePrivacy Directive are active without consent and there is no processing of personal data that would violate Article 4(11) and (7) GDPR .
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date
July 31, 2024
Standard
B-VG Art133 Para. 4
DSG §1
DSGVO Art4 Z1
DSGVO Art4 Z11
DSGVO Art4 Z2
DSGVO Art4 Z7
DSGVO Art58 Para. 1 litb
DSGVO Art58 Para. 2 litd
DSGVO Art7
B-VG Art. 133 today B-VG Art. 133 valid from January 1, 2019 to May 24, 2018, last amended by BGBl. I No. 138/2017 B-VG Art. 133 valid from January 1, 2019, last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from May 25, 2018 to December 31, 2018, last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 01.08.2014 to 24.05.2018 last amended by BGBl. I No. 164/2013 B-VG Art. 133 valid from 01.01.2014 to 31.07.2014 last amended by BGBl. I No. 51/2012 B-VG Art. 133 valid from 01.01.2004 to 31.12.2013 last amended by BGBl. I No. 100/2003 B-VG Art. 133 valid from 01.01.1975 to 31.12.2003 last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from 25.12.1946 to 12/31/1974 last amended by BGBl. No. 211/1946 B-VG Art. 133 valid from 12/19/1945 to 12/24/1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from 01/03/1930 to 06/30/1934
DSG Art. 1 § 1 today DSG Art. 1 § 1 valid from 01/01/2014 last amended by BGBl. I No. 51/2012 DSG Art. 1 § 1 valid from 01/01/2000 to 12/31/2013
Saying
W108 2280724-1/12E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Judge Mag. BRAUCHART as chairwoman and the expert lay judge Mag. HAIDINGER, LL.M. and the expert lay judge Mag. SCHACHNER as assessors, has ruled on the complaint of XXXX, represented by attorney Dr. Peter ZÖCHBAUER, against point 3 of the decision of the Data Protection Authority dated October 3, 2023, file number D124.5057 2022-0.735.789, concerning a data protection matter (co-parties: XXXX represented by noyb - European Center for Digital Rights):The Federal Administrative Court, through Judge Mag. BRAUCHART as chairwoman and the expert lay judge Mag. HAIDINGER, LL.M. and the expert lay judge Mag. SCHACHNER as assessor and assessor on the complaint of the roman 40, represented by lawyer Dr. Peter ZÖCHBAUER, against point 3 of the decision of the data protection authority dated October 3, 2023, reference number D124.5057 2022-0.735.789, concerning a data protection matter (co-participants: roman 40 represented by noyb - European Center for Digital Rights) rightly ruled:
A)
The complaint is upheld and the contested decision (point 3) is annulled without replacement.
B)
The appeal is not admissible according to Art. 133, paragraph 4, B-VG.The appeal is not admissible according to Article 133, paragraph 4, B-VG.
Text
Reasons for the decision:
I. Course of proceedings and facts:roman one. Procedure and facts:
1. In the data protection complaint addressed to the data protection authority (DPO, the authority concerned before the Federal Administrative Court) pursuant to Art. 77 of the General Data Protection Regulation (GDPR) of August 10, 2021, the now co-participant, XXXX (former complainant in the proceedings before the authority concerned), alleged a violation of the right to erasure pursuant to Art. 17 GDPR and, related to this, a violation of the obligation to notify by the complaining party (former respondent in the proceedings before the authority concerned). The co-participant requested that the authority concerned instruct the controller to cease all "relevant processing activities", delete all relevant personal data and notify all recipients to whom the data had been disclosed of the deletion, and suggested that an effective, proportionate and deterrent fine be imposed on the complaining party.1. In the data protection complaint addressed to the Data Protection Authority (DPO, the authority concerned before the Federal Administrative Court) pursuant to Article 77 of the General Data Protection Regulation (GDPR) of August 10, 2021, the now co-participant, Roman 40 (former complainant in the proceedings before the authority concerned), alleged a violation of the right to erasure pursuant to Article 17 of the GDPR and, related to this, a violation of the obligation to notify by the complaining party (former respondent in the proceedings before the authority concerned). The co-participant requested that the authority concerned instruct the controller to cease all "relevant processing activities", delete all relevant personal data and notify all recipients to whom the data had been disclosed of the deletion, and suggested that an effective, proportionate and deterrent fine be imposed on the complaining party.
In this regard, it was argued (as far as relevant to the proceedings) that the co-participant visited the website XXXX, for which the complaining party was responsible, on May 21, 2021 from 5:16:48 p.m. to 5:18:26 p.m. The website displayed a Consent Management Platform ("CMP") provided by XXXX in the form of a "banner". Due to the design of the cookie banner, several legal violations occurred. There is no "reject" option on the first level, the link design, the button colors and the button contrast are misleading and revoking consent is not as easy as granting consent. The complaining party could not rely on any legal basis within the meaning of Art. 6 GDPR for the "relevant processing activities", which would include in particular the setting and reading of cookies on the website and the disclosure of this data to recipients by the complaining party, in particular there was no effective consent and no legitimate interest. In this regard, it was argued (as far as relevant to the proceedings) that the co-participant visited the roman 40 website, for which the complaining party was responsible, on May 21, 2021 from 5:16:48 p.m. to 5:18:26 p.m. The website showed a Consent Management Platform ("CMP") provided by roman 40 in the form of a "banner". Due to the design of the cookie banner, several legal violations had occurred. There is no "reject" option on the first level, the link design, the button colors and the button contrast are misleading and revoking consent is not as easy as giving consent. The complaining party cannot rely on any legal basis within the meaning of Article 6 of the GDPR for the "relevant processing activities", which would include in particular the setting and reading of cookies on the website and the disclosure of this data to recipients by the complaining party, in particular there is no effective consent and no legitimate interest.
Attached to the data protection complaint were screenshots of the website and the banner, a summary of all relevant settings within the XXXX configuration files in JSON format, a summary of all HTTP requests and responses between the browser and the various servers while visiting the website, as well as a summary of all cookie data.Attached to the data protection complaint were screenshots of the website and the banner, a summary of all relevant settings within the Roman 40 configuration files in JSON format, a summary of all HTTP requests and responses between the browser and the various servers while visiting the website, as well as a summary of all cookie data.
2. The authority concerned sent the complaining party the data protection complaint of the co-parties by letter dated October 4, 2021 and asked them to comment on it within a period of four weeks. The statement should in particular state whether it is intended to adapt the cookie banner in accordance with the statements of the co-parties, which cookies would specifically be set after a website visitor makes the choice in the cookie banner to allow all cookies, whether personal data of the co-parties, such as their online identification features, would be stored, whether the personal data of the co-parties would be deleted as requested, and if so, whether the complaining party would inform the recipients of the personal data of the co-parties about this deletion.
3. At the request of the authority concerned, the complaining party submitted a statement on November 26, 2021, in which it was stated that the complaining party was a media company within the meaning of Section 1 Paragraph 1 Item 6 of the Media Act and media owner within the meaning of Section 1 Paragraph 1 Item 8 Letter a of the Media Act of the website relevant to the proceedings. Editorial articles on the subject of health are kept available on this website. The processing of personal data carried out in this context is carried out exclusively for journalistic purposes; Section 9 Paragraph 1 of the Data Protection Act stipulates a total exception to the provisions of the GDPR. The authority concerned is therefore not competent to deal with the present complaint. 3. At the request of the authority concerned, the complaining party submitted a statement on November 26, 2021, in which it was stated that the complaining party is a media company within the meaning of paragraph one, paragraph one, number 6, Media Act and media owner within the meaning of paragraph one, paragraph one, number 8, letter a, Media Act of the website relevant to the proceedings. Editorial articles on the subject of health are kept available on this website. The processing of personal data carried out in this context is carried out exclusively for journalistic purposes; Paragraph 9 Paragraph one, DSG stipulates a total exception to the provisions of the GDPR. The authority concerned is therefore not competent to deal with the present complaint.
The legal representative of the co-parties contacted the complaining party in advance of the complaint to point out the issues of the complaint regarding the cookie banner. The complaining party then stopped the behavior pointed out by the legal representative of the co-parties - without prejudice to the factual and legal situation. The "Reject" button is now on the first level of the cookie banner with the same conspicuity and in the same design and with the same contrast directly next to the "Accept" button. The cookie settings are no longer designed as a link, but as a color-coded button. The revocation of consent already given and the objection in accordance with Art. 21 GDPR are possible at any time via a permanently visible "floating" symbol with which users can return to their data protection settings and revoke the consent given and/or exercise the objection. Users are expressly informed of this symbol on the first level of the cookie banner. If a user selects the "Reject button", this will be noted as a non-giving of consent and will be considered an objection within the meaning of Art. 21 GDPR. If a user selects "Accept" or "Allow all" in the cookie banner, cookies that are absolutely necessary for the website to function, performance cookies to count visits and traffic sources, functional cookies to provide extended functionality and personalization, cookies from advertising partners for marketing purposes, cookies for personalized ads and content, ad and content measurements, insights into audiences and product development, information on the user's device, location data, device properties for identification, cookies to ensure security, prevent fraud, troubleshooting, technical delivery of ads or content, selection of personalized content to merge with offline data sources, linking different devices and to receive and use automatically sent device properties for identification will be set. The user can find a list of these cookies including a detailed explanation on the second level of the cookie banner if they click on the "Cookie Settings" button on the first level or return to their data protection settings via the permanently visible "floating symbol". In any case, the complaining party no longer stores the contested personal data of the co-defendants and has in any case deleted it. The recipients are currently being informed that the contested personal data of the co-defendants has been deleted. The co-defendants' legal representatives contacted the complaining party prior to the complaint to explain the issues raised in the complaint regarding the cookie banner. The complaining party then stopped the behavior outlined by the co-defendants' legal representatives - without prejudice to the factual and legal situation. The "Reject" button is now on the first level of the cookie banner with the same prominence and design and with the same contrast, directly next to the "Accept" button. The cookie settings are no longer designed as a link, but as a colored button. The revocation of consent already granted and the objection in accordance with Article 21 of the GDPR are possible at any time via a permanently visible "floating" symbol with which users can return to their data protection settings and revoke the consent granted and/or exercise the objection. Users are expressly informed of this symbol in the first level of the cookie banner. If a user selects the "Reject button", this is noted as a non-granting of consent and considered an objection within the meaning of Article 21 of the GDPR. If a user selects "Accept" or "Allow all" in the cookie banner, cookies that are strictly necessary for the website to function, performance cookies to count visits and traffic sources, functional cookies to provide enhanced functionality and personalization, cookies from advertising partners for marketing purposes, cookies for personalized ads and content, ad and content measurements, audience insights and product development, information on the user's device, location data, device characteristics for identification, cookies to ensure security, prevent fraud, troubleshoot, technical delivery of ads or content, selection of personalized content for merging with offline data sources, linking different devices and receiving and using automatically sent device characteristics for identification will be set. The user will find a list of these cookies with a detailed explanation on the second level of the cookie banner if he clicks on the "Cookie Settings" button on the first level or returns to his data protection settings via the permanently visible "floating icon". In any case, the complaining party no longer stores the contested personal data of the co-participants and has in any case deleted them. The recipients are currently being informed about the deletion of the contested personal data of the co-participants.
Attached to the statement was, among other things, an excerpt from the website's cookie banner dated November 18, 2021.
4. The co-participant replied to this - after the authority concerned had granted it a party's opinion on the results of the investigation - in its statement dated December 13, 2021, summarizing that the violations identified in the complaint - with the exception of the appeal to alleged legitimate interests - were considered to have been remedied. With regard to the new banner, it should be noted that certain cookies are now classified as absolutely necessary ("always active"). This is a wrong classification, in fact all of these processing operations and cookies use personal data and serve purposes that are obviously not "strictly necessary" within the meaning of Art. 5 Para. 3 ePrivacy Directive or, in common parlance, "strictly necessary" or "essential" under the GDPR. This classification also appears to have led to personal data being processed and information being stored and made accessible before the data subject had any interaction with the banner. Contrary to the complaining party's argument, the non-applicability of the GDPR due to the exception in Section 9 Para. 1 DSG is not an option. The "broad definition of journalism" ruled by the ECJ does not in any way mean that any data processing on the website of a media company within the meaning of Section 1 Paragraph 1 Item 6 of the Media Act or of a media owner within the meaning of Section 1 Paragraph 1 Item 8 Letter a of the Media Act is to be categorized as processing for journalistic purposes within the meaning of Article 85 of the GDPR. The data collection and transmission challenged in this complaint was in no way carried out with the "aim of disseminating information, opinions or ideas to the public" - rather, personal data was processed for other purposes, e.g. for personalized advertising. The GDPR and the DSG are fully applicable and the authority concerned is responsible for dealing with the complaint.4. The co-participant replied to this - after the authority concerned had granted it the right to be heard on the results of the investigation - in its statement of December 13, 2021, summarizing that the violations identified in the complaint - with the exception of the appeal to alleged legitimate interests - were considered to have been remedied. With regard to the new banner, it should be noted that certain cookies are now classified as strictly necessary ("always active"). This is an incorrect classification, in fact all of these processing operations and cookies use personal data and serve purposes that are obviously not "strictly necessary" within the meaning of Article 5, paragraph 3, ePrivacy Directive or, in common parlance, "strictly necessary" or "essential" under the GDPR. This classification also appears to have led to personal data being processed and information being stored and made accessible before the data subject had made any interaction with the banner. Contrary to the complainant's argument, the non-applicability of the GDPR due to the exception in paragraph 9, paragraph one, DSG is not an option. The "broad definition of journalism" adjudicated by the ECJ does not in any way mean that any data processing on the website of a media company within the meaning of paragraph one, paragraph one, item 6, Media Act or of a media owner within the meaning of paragraph one, paragraph one, item 8, letter a, Media Act is to be categorized as processing for journalistic purposes within the meaning of Article 85 of the GDPR. The data collection and transmission challenged in this complaint was in no way carried out with the "aim of disseminating information, opinions or ideas to the public" - rather, personal data was processed for other purposes, e.g. for personalized advertising. The GDPR and the DSG are fully applicable and the authority concerned is responsible for dealing with the complaint.
5. At the request of the authority concerned, the complaining party submitted a supplementary statement on June 3, 2022, in which it stated that it had not processed any personal data without consent. The reference to the "legitimate interest" in the second level of the cookie banner on the left side of the individual buttons was therefore incorrect and had no technical impact on data processing. If the website visitor selects the "Reject button" on the first level of the cookie banner, the cookies listed on the second level would actually be deactivated. To this extent, no data processing based on a "legitimate interest" takes place. The corresponding reference to a "legitimate interest" is no longer found in the cookie banner.
The same applies to the cookies criticized in the statement of December 13, 2021, which are described as "always active". In fact, the complaining party did not process any personal data to this extent without consent. The note "always active" is therefore incorrect and has no technical impact on data processing. The note "always active" has not yet been removed by the complaining party for technical reasons only. The complaining party is in contact with XXXX in this regard to have the name corrected. The complaining party intends to introduce a completely new cookie banner that will (also) implement all of the other parties' complaints. In this regard, the complaining party will provide the data protection authority with appropriate evidence after the new cookie banner has been introduced. The same applies to the cookies criticized in the statement of December 13, 2021, which are described as "always active". In fact, the complaining party did not process any personal data to this extent without consent. The note "always active" is therefore incorrect and has no technical impact on data processing. The note "always active" has not yet been removed by the complaining party for technical reasons only. The complaining party is in contact with roman 40 in this regard to get the name corrected. The complaining party intends to introduce a completely new cookie banner that will (also) implement all of the co-parties' complaints. In this regard, the complaining party will provide the data protection authority with appropriate evidence after the new cookie banner has been introduced.
6. The co-participant replied to this - after the authority concerned had granted it a party's opinion on the results of the investigation - in its statement of July 12, 2022, summarizing that the cookies on the website were still incorrectly classified. The purposes (i) “Ensuring security, preventing fraud and troubleshooting”, (ii) “Technically providing ads or content”, (iii) “Merging with offline data sources”, (iv) “Linking different devices”, (v) “Receiving and using automatically sent device properties for identification” and (vi) “Strictly necessary cookies” are marked as “always active”. This means that the complaining party considers these to be absolutely necessary for the service, which is why the user’s consent is not necessary. However, at least purposes (iii), (iv) and (v) are not absolutely necessary within the meaning of Art. 5 Para. 3 of the ePrivacy Directive. The identification of fraudulent activities in accordance with purpose (i) and the provision of ads in accordance with purpose (ii) are also not absolutely necessary. Without interaction with the cookie consent banner – i.e. without consent – various non-required cookies are set. The installation of these cookies without the corresponding consent is unlawful. Among other things, the cookies "_ga", "_gid" are set in connection with Google Analytics and the cookies "i00" and "ioam2018" store individual string values. The aim of these cookies appears to be the analysis of website visits. The setting of analysis cookies is not "absolutely necessary" to display the website.6. The co-defendant replied to this - after the authority concerned had granted it a party's opinion on the results of the investigation - in its statement of July 12, 2022, summarizing that the cookies on the website were still incorrectly classified. The purposes (i) "ensuring security, preventing fraud and correcting errors", (ii) "technically providing ads or content", (iii) "merging with offline data sources", (iv) "linking different devices", (v) "receiving and using automatically sent device properties for identification" and (vi) "strictly necessary cookies" are marked as "always active". This means that the complaining party considers these to be absolutely necessary for the service, which is why the user's consent is not necessary. At least purposes (iii), (iv) and (v) are not absolutely necessary within the meaning of Article 5, paragraph 3, ePrivacy Directive. The identification of fraudulent activities in accordance with purpose (i) and the provision of advertisements in accordance with purpose (ii) are also not absolutely necessary. Without interaction with the cookie consent banner - i.e. without consent - various non-required cookies are set. The installation of these cookies without the corresponding consent is unlawful. Among other things, the cookies "_ga", "_gid" are set in connection with Google Analytics and the cookies "i00" and "ioam2018" store individual string values. The aim of these cookies appears to be the analysis of website visits. The setting of analysis cookies is not "absolutely necessary" to display the website.
7. By letter dated July 22, 2022, the authority concerned asked the complaining party to provide a supplementary statement as to whether the IP address of the co-participants' terminal device, the cookie values ("value") contained in the co-participants' terminal device, in particular unique user identification numbers ("unique id") and other information about the co-participants were stored by the complaining party at the time in question. If the answer to the first question was in the affirmative, the question was asked whether the complaining party would delete the stored information. In addition, the authority concerned asked the complaining party to provide information as to whether it was aware that its advertising partners (such as Facebook or Google) stored the above-mentioned information and whether it intended to adapt the cookie banner in question in accordance with the co-participants' current statements.
8. The complaining party submitted a statement on September 8, 2022, in which it stated that it had revised the cookies and settings of the cookie banner again, among other things, on the occasion of the complaint in question. Without the user's consent and without interaction with the cookie banner, no cookies that are not absolutely necessary would be set. No IP addresses of the users would be stored, and there would also be no "unique id" cookie. If the cookies were rejected, only "ÖWA cookies" would be set (i00, ioam2018). These were cookies from the Austrian Web Analysis (ÖWA). Based on the compelling, overriding legitimate interest of the complaining party within the meaning of Art. 6 (1) (f) GDPR, data (IP address, length of stay, interests based on reading behavior as well as location data and browser type) would be collected as part of the reach survey for the website, whereby this user data would be anonymized before it was stored. For this purpose, the ÖWA uses cookies that are stored on the user's computer. The ÖWA has been "the currency" of the Austrian online market for over two decades. This makes the performance data of its members comparable and verifiable. The usage statistics collected by the ÖWA are published at www.oewa.at. The cookie "__adblocker" is a client-side, functional cookie that is not transferred to any servers and therefore not to the complaining party. The other visible cookies ("OptanonConsent", "eupubconsent-v2", "OptanonAlertBoxClosed") are functional and absolutely necessary cookies from the provider of the "cookie banner" ( XXXX ). These store information about the categories of cookies that the website uses and whether visitors have given or withdrawn their consent to the use of each category. The complaining party does not store any user data; the only exception is when users register with their data for prize draws or for additional offers such as XXXX. For the data processing of the advertising partners, reference should be made to the respective data protection declaration. It should also be noted that the co-participants do not claim that their personal data has been processed. Rather, there are only general statements on alleged violations, which is why the co-participants do not have standing to take action to this extent.8. The complaining party submitted a statement on September 8, 2022 in which it stated that it had revised the cookies and settings of the cookie banner again, among other things, on the occasion of the complaint in question. Without the user's consent and without interaction with the cookie banner, no cookies that are not absolutely necessary are set. No IP addresses of the users are stored, and there is no "unique id" cookie. If the cookies are rejected, only "ÖWA cookies" are set (i00, ioam2018). These are cookies from the Austrian Web Analysis (ÖWA). Based on the compelling, overriding legitimate interest of the complaining party within the meaning of Article 6, paragraph one, letter f, GDPR, data (IP address, length of stay, interests based on reading behavior, location data and browser type) would be collected as part of the reach survey for the website, with this user data being anonymized before it was saved. For this purpose, the ÖWA uses cookies that are saved on the user's computer. The ÖWA has been the "currency" of the Austrian online market for over two decades. This makes the performance data of its members comparable and verifiable. The usage statistics collected by the ÖWA are published at www.oewa.at. The "__adblocker" cookie is a client-side, functional cookie that is not transferred to any servers and therefore not to the complaining party. The other visible cookies (“OptanonConsent”, “eupubconsent-v2”, “OptanonAlertBoxClosed”) are functional and absolutely necessary cookies from the provider of the “cookie banner” (roman 40). These would store information about the categories of cookies that the website uses and whether visitors have given or withdrawn their consent for the use of each category. The complaining party does not store any user data; the only exception is when users register with their data for prize draws or additional offers such as roman 40. For data processing by the advertising partners, reference should be made to the respective data protection declaration. It should also be noted that the co-participants do not claim that their personal data has been processed. Rather, there are only general statements about alleged violations, which is why the co-participants do not have standing to take action to this extent.
A screenshot of the website dated August 31, 2022 was attached to the statement.
9. The co-defendant replied to this - after the authority concerned had granted it the right to be heard on the results of the investigation - in its statement dated October 10, 2022, summarizing that the complaining party's banner was still not legally compliant. The evidence attached to the complaint shows that the complaining party had processed the co-defendants' data at the time of the violation. The co-defendant is therefore also entitled to take legal action. The complaining party cannot escape its obligations under the GDPR by allowing cookies to be set via the cookie banner on its website, but stating that it is not (fully) informed about its partners' processing of personal data collected on its website. The complaining party did not explain to what extent the cookies "__adblocker", "i00" or "ioam2018" were technically necessary for the provision of the website. Currently, these cookies are set even before a user interacts with the website. A "legitimate interest" of the complaining party plays no role, since the only possible legal basis for setting "non-essential" cookies is consent in accordance with Art. 5 Para. 3 ePrivacy Directive. 9. The co-defendant replied to this - after the authority concerned had granted it the right to be heard on the results of the investigation - in its statement of October 10, 2022, summarizing that the complaining party's banner was still not legally compliant. The evidence attached to the complaint shows that the complaining party had processed the co-defendants' data at the time of the violation. The co-defendant is therefore also entitled to take action. The complaining party cannot escape its obligations under the GDPR by allowing cookies to be set via the cookie banner on its website, but stating that it is not (fully) informed about its partners' processing of personal data collected on its website. The complaining party has not explained to what extent the cookies "__adblocker", "i00" or "ioam2018" are technically necessary for the provision of the website. Currently, these cookies are set before a user interacts with the website. A "legitimate interest" of the complaining party does not play a role, since the only possible legal basis for setting "non-essential" cookies is consent in accordance with Article 5, paragraph 3, ePrivacy Directive.
10. In a submission dated December 30, 2022, the co-participant requested that it be determined pursuant to Section 24, Paragraph 2, Item 5, DSG in conjunction with Section 1 DSG that the complaining party had violated the provisions specified [in the data protection complaint] for each "type of violation". 10. In a submission dated December 30, 2022, the co-participant requested that it be determined pursuant to Paragraph 24, Paragraph 2, Item 5, DSG in conjunction with Paragraph 1, DSG that the complaining party had violated the provisions specified [in the data protection complaint] for each "type of violation".
11.1. The authority concerned decided by decision of October 3, 2023, reference number D124.5057 2022-0.735.789, on the data protection complaint of the co-parties regarding the right to erasure and the obligation to notify in connection with the erasure (A), the application for an order against the complaining party to stop the unlawful processing (B) and the application to establish an alleged violation of the right to confidentiality (C) as follows (formatting not reproduced 1:1):
"1) The complaint is dismissed with regard to points A) and B).
2) The complaint is dismissed with regard to point C).
3) The respondent [complaining party] is officially instructed to, within a period of 8 weeks,
a) adapt its website XXXX in such a way that the revocation of consent for the cookies used (see factual findings C.6.) and the associated processing of personal data complies with the requirements of Art. 7 Paragraph 3 GDPR. To this end, the respondent [complaining party] must implement at least one clearly visible option for revocation on its website and expressly include the information on where the right of revocation can be exercised in the information in the request for consent (see factual findings C.6.);a) adapt its website roman 40 in such a way that the revocation of consent for the cookies used (see factual findings C.6.) and the associated processing of personal data complies with the requirements of Article 7 Paragraph 3 GDPR. To this end, the respondent [complaining party] must implement at least one clearly visible option for revocation on its website and explicitly include the information on where the right of revocation can be exercised in the information in the request for consent (see factual findings C.6.);
b) modify its website XXXX (see factual findings C.6.) in such a way that valid consent is obtained in advance in accordance with Art. 4, paragraphs 11 and 7 of the GDPR for the processing of personal data in connection with technically unnecessary cookies (in particular the Google and ÖWA services)."b) modify its website roman 40 (see factual findings C.6.) in such a way that valid consent is obtained in advance in accordance with Article 4, paragraphs 11 and 7 of the GDPR for the processing of personal data in connection with technically unnecessary cookies (in particular the Google and ÖWA services)."
11.2. After describing the course of the procedure (essentially as described under points 1-10), the authority concerned made the following findings of fact (as far as relevant to the proceedings):
C.1. Cookies can be used to collect information that has been generated by a website and stored via an Internet user's browser. It is a small file or text information that is placed by a website via an Internet user's browser on the hard drive of their computer or mobile device. A cookie allows the website to identify users, remember their customers' preferences and enables users to complete tasks without having to re-enter information when they switch to another page or visit the website again later. Most web browsers support cookies, but users can set their browsers to reject cookies. They can also delete cookies at any time. Cookies can also be used to collect information based on online behavior for targeted advertising and marketing. For example, companies would use software to track user behavior and create personal profiles that make it possible to show users advertising tailored to their previous searches.
C.2. The complaining party is the operator of the website XXXX. It makes the decision under which conditions which cookies are set or read when the website is accessed. C.2. The complaining party is the operator of the website roman 40. It makes the decision under which conditions which cookies are set or read when the website is accessed.
C.3. The co-defendant visited the website XXXX at least on May 21, 2021.C.3. The co-defendant visited the website roman 40 at least on May 21, 2021.
The cookie banner on May 21, 2021 was specifically designed as follows (formatting not reproduced 1:1)
C.4. As a result of the visit to the website XXXX, the following cookies, among others, which contained a unique, randomly generated value (random number), were set and read on the co-participants' device on May 21, 2021. C.4. As a result of the visit to the website roman 40, the following cookies, among others, which contained a unique, randomly generated value (random number), were set and read on the co-participants' device on May 21, 2021.
The content of the cited attachment "cookies.json" (JSON file) was used as the basis for the findings of fact.
C.5. The complaining party is currently not storing any cookie values that were set and read on the co-participants' device on May 21, 2021 as a result of the visit to XXXX. In addition, the complaining party does not currently store the IP address of the co-participants' end device, which was stored in its log files as a result of the same visit - at least for a short time.C.5. The complaining party does not currently store any cookie values that were set and read in the co-participants' end device as a result of the visit to Roman 40 on May 21, 2021. In addition, the complaining party does not currently store the IP address of the co-participants' end device, which was stored in its log files as a result of the same visit - at least for a short time.
The complaining party has also informed the recipients of the data transmission (specifically the providers of the services it has implemented on its website) about the deletion.
C.6. The complaining party has adjusted its cookie banner on the XXXX website.C.6. The complaining party has adapted its cookie banner on the Roman 40 website.
At the current time, the complaining party's cookie banner looks like this (formatting not reproduced 1:1):
Before interacting with the cookie banner, the following cookies are set (formatting not adopted 1:1):
The cookie "i00" is used by the ÖWA to recognize end devices. If the cookie is suppressed, the ÖWA tries to recognize the device by combining the IP address and browser name. The cookie "ioam2018" stores a client hash for the ÖWA to optimize the determination of the key figures for unique clients and visits.
If you select the option "Cookie Settings", the following button appears (formatting not reproduced 1:1):
The following floating icon is located at the bottom left of the website (formatting not adopted 1:1):
If the pointer is moved to the icon, the following text appears (formatting not adopted 1:1): "Cookie Settings".
If you select the icon, the following button appears (formatting not adopted 1:1):
There is no way to revoke all of the settings made with one click.
Legally, the authority concerned (as far as relevant to the proceedings) stated that processing operations in a given case could be subject to the provisions of Directive 2002/58/EC as amended (e-Data Protection Directive) or the TKG 2021 as well as the GDPR. While the setting or reading of cookies is to be assessed according to the requirements of Article 5, Paragraph 3 of the e-Privacy Directive, the subsequent data processing falls within the scope of the GDPR. Legally, the authority concerned stated (as far as relevant to the proceedings) that processing operations in a given case could be subject to both the provisions of Directive 2002/58/EC as amended (e-Privacy Directive) or the TKG 2021 and the GDPR. While the setting or reading of cookies is to be assessed according to the requirements of Article 5, Paragraph 3 of the e-Privacy Directive, the subsequent data processing falls within the scope of the GDPR.
The jurisdiction of the data protection authority is therefore not excluded, since data processing took place as a result of the setting or reading of cookies.
To the extent that the complainant relies on the applicability of Section 9 Para. 1 DSG, it should be pointed out that the national legislature restricts the so-called media privilege under Art. 85 GDPR in conjunction with Section 9 Para. 1 DSG by making the privilege accessible only to media companies or media services if personal data is processed for journalistic purposes by media owners, publishers and media employees or employees of a media company or media service. The extent to which the processing operations subject to the complaint pursue a "journalistic purpose" within the meaning of the case law of the ECJ is neither apparent nor comprehensible. Cookies for displaying personalized advertising on a media company's website or the management of a database by a media company for the purpose of sending print advertising are not subject to the media privilege, even if these operations serve to finance the medium. The media privilege therefore does not apply to the data processing that is the subject of the complaint. To the extent that the complaining party relies on the applicability of paragraph 9, paragraph one, DSG, it must be countered that the national legislature restricts the so-called media privilege under Article 85, GDPR in conjunction with paragraph 9, paragraph one, DSG by making the privilege accessible only to media companies or media services if personal data is processed for journalistic purposes by media owners, publishers and media employees or employees of a media company or media service. The extent to which the processing operations that are the subject of the complaint pursue a "journalistic purpose" within the meaning of the case law of the ECJ is neither apparent nor comprehensible. Cookies for displaying personalized advertising on a media company's website or the management of a database by a media company for the purpose of sending print advertising are not subject to the media privilege, even if these operations serve to finance the medium. The media privilege therefore does not apply to the data processing that is the subject of the complaint.
The material scope of application of the GDPR is also fulfilled. In the Google Analytics case, the authority concerned has already stated - in accordance with the case law of the European Data Protection Supervisor (EDPS) - that cookies that contain a unique, randomly generated value (random number) and that are set with the purpose of individualizing and separating people meet the definition of Art. 4 Z 1 GDPR. In particular, it can never be ruled out that the cookie values and the IP address of a person's end device are combined with additional information at some point in the processing chain, for example when the person concerned registers on a website with their email address or real name. These considerations could be applied to the present case, since as a result of the visit to the website XXXX on May 21, 2023 [meaning: 2021], cookies with unique, randomly generated values were set and read in the end devices of the parties involved. Subsequently, the cookie values and IP address of the end device of the parties involved were transmitted to the servers of the respective providers, such as Google, Bing or TheTradeDesk. The material scope of application of the GDPR was also fulfilled. In the Google Analytics case, the authority concerned had already stated - in accordance with the case law of the European Data Protection Supervisor (EDPS) - that cookies that contain a unique, randomly generated value (random number) and that are set with the purpose of individualizing and separating people meet the definition of Article 4, paragraph 1, GDPR. In particular, it can never be ruled out that the cookie values and the IP address of a person's end device are combined with additional information at some point in the processing chain, for example when the person concerned registers on a website with their email address or real name. These considerations could be applied to the present case, since as a result of the visit to the website roman 40 on May 21, 2023 [meaning: 2021], cookies with unique, randomly generated values were set and read in the end device of the co-participants. Subsequently, the cookie values and IP address of the end device of the co-participants were transmitted, for example, to the servers of the respective providers, such as Google, Bing or TheTradeDesk.
According to Art. 58 (2) (d) GDPR, the authority concerned has remedial powers that allow it, among other things, to instruct a controller to change or carry out processing operations in a certain way and within a certain period of time. It is permissible for the authority concerned to make official use of its powers as standardized in Art. 58 (2) GDPR in the complaint procedure. This is also in line with the case law of the ECJ, according to which a supervisory authority is obliged to make use of its remedial powers in the event of identified deficiencies. Although the complaint in question was ultimately rejected because, among other things, the data of the parties involved had been deleted in the meantime, this does not change the fact that, in the opinion of the authority concerned, the cookie banner in question (or more specifically: the request for consent) does not comply with the requirements of the GDPR. According to Article 58, Paragraph 2, Letter d, GDPR, the authority concerned has remedial powers that allow it, among other things, to instruct a controller to change or carry out processing operations in a certain way and within a certain period of time. It is permissible for the authority concerned to make official use of its powers as set out in Article 58, Paragraph 2, GDPR in the complaint procedure. This is also in line with the case law of the ECJ, according to which a supervisory authority is obliged to make use of its remedial powers in the event of identified deficiencies. Although the complaint in question was ultimately rejected because, among other things, the data of the parties involved had been deleted in the meantime, this does not change the fact that, in the opinion of the authority concerned, the cookie banner in question (or more specifically: the request for consent) does not comply with the requirements of the GDPR.
To assess how the cookie banner and the interaction options should be understood, the figure of an averagely informed, attentive and intelligent consumer should be used.
Regarding the service contract according to 3) a) of the ruling, it should be noted that giving consent for cookies must be just as easy as revoking it in accordance with Art. 7 Para. 3 GDPR and according to the case law of the ECJ. In the online context, it must therefore be clearly visible where and how consent can be revoked. In the present case, there is no simple and clearly visible indication in the cookie banner itself explaining where consent can be revoked. Although there is a floating "Cookie Settings" icon at the bottom of the website and various preferences for cookies and the revocation can be made in the menu, this alone is not sufficient, because it must already be clear from the cookie banner at the time of giving consent how this can be revoked. Objectively speaking, however, the word "Cookie Settings" cannot be used to conclude that the consent can be revoked. In particular, a data subject cannot be expected to have to deselect numerous "checkboxes" in order to revoke consent before finally clicking on "Confirm my selection". With regard to the service contract according to 3) a) of the ruling, it should be noted that giving consent for cookies must be just as easy as revoking it in accordance with Article 7, paragraph 3, GDPR and according to the case law of the ECJ. In the online context, it must therefore be clearly visible where and how consent can be revoked. In the present case, there is no simple and clearly visible information in the cookie banner itself explaining where consent can be revoked. Although there is a floating "Cookie Settings" icon at the bottom of the website and various cookie preferences and revocation can be entered in the menu, this alone is not sufficient, because it must be clear from the cookie banner at the time of giving consent how this can be revoked. Objectively speaking, however, the word "Cookie Settings" cannot be used to conclude that the consent can be revoked. In particular, a data subject cannot be expected to have to deselect numerous "checkboxes" in order to revoke consent before finally clicking on "Confirm my selection".
The complaining party will therefore have to implement a solution in which it is already clear in the cookie banner where the consent can be revoked. In addition, the consent must be able to be revoked with a button without having to first operate several "sliders" (e.g. in the form of a "Revoke consent" button).
With regard to the service contract according to 3) b) of the ruling, it should be stated that the use of cookies (and the associated processing of personal data), which is not technically necessary for the use of a website, requires prior consent. According to the case law of the Federal Administrative Court, Art. 5 (3) of Directive 2002/58/EC as amended (in conjunction with Section 165 (3) TKG 2021) should not be interpreted in the sense of "economic necessity". This means that advertising cookies for displaying personalized advertising are not "technically necessary" just because displaying personalized advertising is necessary to finance the operation of the website. It must also be examined what is absolutely necessary from the point of view of the user, not the service provider. The complaining party sets cookies from the services ÖWA (cookies "i00" and "ioam2018") and Google (cookie "IDE") before interaction with the cookie banner and thus before consent to data processing is given. However, the cookies mentioned are in any case not to be regarded as technically necessary cookies. The complaining party will therefore have to adapt its website accordingly so that prior consent is obtained for the use of the cookies mentioned and the associated data processing. With regard to the service contract according to 3) b) of the ruling, it should be stated that the use of cookies (and the associated processing of personal data) which is not technically necessary for the use of a website requires prior consent. According to the case law of the Federal Administrative Court, Article 5, Paragraph 3, of Directive 2002/58/EC as amended in conjunction with Paragraph 165, Paragraph 3, TKG 2021) should not be interpreted in the sense of an "economic necessity". This means that, for example, advertising cookies for displaying personalized advertising are not "technically necessary" just because the display of personalized advertising is necessary to finance the operation of the website. It must also be examined what is absolutely necessary from the point of view of the user, not the service provider. The complaining party sets cookies from the services ÖWA (cookies "i00" and "ioam2018") and Google (cookie "IDE") before interaction with the cookie banner and thus before consent to data processing is given. In any case, the cookies mentioned should not be regarded as technically necessary cookies. The complaining party will therefore have to adapt its website accordingly so that prior consent is obtained for the use of the cookies mentioned and the associated data processing.
12. The complaining party lodged a timely appeal against point 3 of this decision to the Federal Administrative Court pursuant to Article 130, paragraph 1, item 1 B-VG (party appeal), in which it submitted the following:12. The complaining party lodged a timely appeal against point 3 of this decision to the Federal Administrative Court pursuant to Article 130, paragraph one, item one, B-VG (party appeal), in which it submitted the following:
With regard to point 3) a), the authority concerned is of the opinion that a solution is required “in which it is already clear in the cookie banner where the consent can be revoked”. However, the authority concerned fails to recognise that the revocation of consent already given (as well as the objection in accordance with Art. 21 GDPR) is possible at any time on the website via a permanently visible "floating icon" with which users can return to their data protection settings and easily revoke the consent given and/or object. Users are expressly informed of this symbol and the possibility of not granting consent, revoking consent given at any time and the possibility of objection already in the first level of the cookie banner; this information - just like the "floating icon" - is not hidden, but rather clearly visible. The order given in point 3) a) of the ruling should therefore be omitted if the legal assessment is correct. With regard to point 3) a), the authority concerned is of the opinion that a solution is needed "in which it is already clear in the cookie banner where the consent can be revoked". However, the authority concerned fails to recognise that the revocation of consent already given (as well as the objection in accordance with Article 21, GDPR) is possible at any time on the website via a permanently visible "floating icon" with which users can return to their data protection settings and easily revoke the consent given and/or exercise an objection. Users are expressly informed of this symbol and the possibility of not granting consent, revoking consent given at any time and the possibility of objection already in the first level of the cookie banner; this information - like the "floating icon" - is not hidden, but rather clearly visible. The order given in point 3) a) should therefore be omitted if the legal assessment is correct.
Regarding point 3) b), the authority concerned is of the opinion that the cookies from the services ÖWA (cookies "i00" and "ioam2018") and Google (cookie "IDE") are not technically necessary and consent must therefore be obtained before they are set. The official orders are based on an incorrect legal assessment. The complaining party collects data (IP address, length of stay, interests based on reading behavior as well as location data and browser type) on the basis of its compelling, overriding legitimate interest (as defined in Art. 6 Para. 1 lit. f GDPR) as part of the reach survey for the website, whereby this user data is anonymized before it is stored. Contrary to the claim of the authority concerned, no "Google cookies" are set before interaction with the "cookie banner" without consent. It is not understandable how the authority concerned came to this conclusion. Therefore, no technically unnecessary cookies are set on the website before interaction with the cookie banner. Therefore, the official order to obtain valid consent for such cookies in advance in accordance with Art. 4 Z 11 and 7 GDPR should no longer apply if the legal assessment is correct. With regard to point 3) b), the authority concerned is of the opinion that the cookies from the services ÖWA (cookies "i00" and "ioam2018") and Google (cookie "IDE") are not technically necessary and that consent must therefore be obtained before they are set. The official orders are based on an incorrect legal assessment. The complaining party collects data (IP address, length of stay, interests based on reading behavior as well as location data and browser type) on the basis of its compelling, overriding legitimate interest (within the meaning of Article 6, paragraph one, letter f, GDPR) as part of the reach survey for the website, with this user data being anonymized before it is stored. Contrary to the claim of the authority concerned, no "Google cookies" are set before interaction with the "cookie banner" without consent. It is not understandable how the authority concerned came to this conclusion. No technically unnecessary cookies are therefore set on the website before interaction with the cookie banner. Thus, the official order to obtain valid consent for such cookies in advance in accordance with Article 4, paragraphs 11 and 7 of the GDPR should be omitted if the legal assessment is correct.
13. The authority concerned did not make use of the possibility of a preliminary decision on the complaint, submitted the complaint together with the relevant files of the administrative procedure to the Federal Administrative Court for a decision and issued a statement in which it defended the contested decision and additionally stated that an initial research on November 3, 2023 had shown that Google services ("NID") were still being used before consent was given. The technical necessity of the cookies in question for the operation of the website was not apparent to the authority concerned.
14. The Federal Administrative Court forwarded the complaint of the co-participants by means of the complaint notification and to the complaining party the statement made by the authority concerned when the file was submitted in accordance with Section 10 VwGVG for information and comment.14. The Federal Administrative Court forwarded the complaint of the co-participants by means of the complaint notification and to the complaining party the statement made by the authority concerned when the file was submitted in accordance with Section 10 VwGVG for information and comment.
15. The co-participant submitted a statement on the complaint on November 30, 2023, in which it stated that the complaining party had changed its website again and reversed the improvements made in the meantime. The icon for revoking consent has been revised, and the text "Cookie settings" above the icon has since been replaced by the text "Show purposes". According to general life experience, an averagely understandable data subject will not understand that this text is related to the revocation. The cookies "i00", "ioam2018" and "NID" will continue to be used without consent, although they are not absolutely necessary within the meaning of Section 165 (3) TKG or Article 5 (3) ePrivacy Directive to display the website. The complaint should therefore be dismissed.15. The co-participant submitted a statement on the complaint on November 30, 2023, in which she stated that the complaining party had again changed its website and reversed the improvements made in the meantime. The icon for revoking consent has been revised, and the text "Cookie settings" above the icon has now been replaced by the text "Show purposes". Based on general life experience, an averagely understandable data subject will not understand that this text is related to the revocation. The cookies "i00", "ioam2018" and "NID" will continue to be used without consent, although they are not absolutely necessary within the meaning of Section 165, Paragraph 3, TKG or Article 5, Paragraph 3, ePrivacy Directive to display the website. The complaint should therefore be dismissed.
16.1. The Federal Administrative Court informed the parties in a letter dated May 13, 2024 of the results of the official research carried out on the XXXX websites regarding the current design of the cookies banner and the cookies set without consent and gave them the opportunity to submit a written statement on this. 16.1. The Federal Administrative Court informed the parties in a letter dated May 13, 2024 of the results of the official research carried out on the roman 40 websites regarding the current design of the cookies banner and the cookies set without consent and gave them the opportunity to submit a written statement on this.
16.2. The co-participant made use of this in a written submission dated May 27, 2024, essentially referring to its previous statements.
16.3. In its statement on this matter, submitted in a written submission dated June 6, 2024, the complaining party stated that the complaining party had decided not to operate the website XXXX any further. Instead, it now publishes its articles on the subject of "health" to "fitness" on the website XXXX, specifically under the subsite XXXX. If the user enters the URL XXXX, he is automatically redirected to XXXX. For this reason alone, the contested decision should be annulled and the proceedings should be discontinued due to the fact that the website XXXX does not continue to exist.16.3. In its statement on this matter, submitted in a written submission dated June 6, 2024, the complaining party stated that the complaining party had decided not to operate the website roman 40 any further. Instead, it now publishes its articles on the subject of "health" to "fitness" on the website roman 40, specifically under the subsite roman 40. If the user enters the URL roman 40, he will automatically be redirected to roman 40. For this reason alone, the contested decision should be revoked and the proceedings should be discontinued - due to the fact that the website roman 40 does not continue to exist.
The cookie banner of the website XXXX (which of course also appears when XXXX is called up) has since been changed. The first level of the cookie banner expressly states how the consent for the cookies set can be revoked. The following text passage can be found on the first level of the cookie banner: "In addition, you will find a link at the bottom of the page "Cookie settings and revocation", which you can use to return to your cookie settings and revoke your consent and object (Art. 21 GDPR). If you click on "Show purposes", you will be taken to the advanced settings, where you can reject all cookies." Accordingly, the link "Cookie settings and revocation" can be found at the bottom of the page (in the "footer"), clearly visible and accessible from every page. If you click on this link, you will be taken to the second level of the cookie banner, where you can immediately click on "Reject all" and thereby revoke your consent. The cookie banner on the roman 40 website (which of course also appears when you visit roman 40) has since been changed. The first level of the cookie banner expressly states how you can revoke your consent for the cookies that have been set. The following text passage can be found on the first level of the cookie banner: "You will also find a link at the bottom of the page called "Cookie settings and revocation", which you can use to return to your cookie settings and revoke your consent and object (Article 21, GDPR). If you click on "Show purposes", you will be taken to the advanced settings where you can reject all cookies." Accordingly, the link "Cookie settings and revocation" can be found at the bottom of the page (in the "footer"), clearly visible and accessible from every page. If you click on this link, you will be taken to the second level of the cookie banner, where you can immediately click on "Reject all" and thus revoke your consent.
In addition, it should be noted that when you call up XXXX or XXXX - as was the case previously when you called up XXXX before interacting with the cookie banner - only technically necessary cookies are set.In addition, it should be noted that when you call up roman 40 or roman 40 - as was the case previously when you called up roman 40 before interacting with the cookie banner - only technically necessary cookies are set.
16.4. The co-participant replied to this in its statement of July 1, 2024, summarizing that the domain XXXX would continue to be operated for a similar purpose in the interests of the complaining party, which is why there could be no talk of a lack of "continued existence" of the site. 16.4. The co-participant replied in its statement of July 1, 2024 that the domain roman 40 would continue to be operated for a similar purpose in the interests of the complaining party, which is why there could be no talk of a lack of "continued existence" of the site.
According to the evidence taken by the Federal Administrative Court and the statement of the complaining party, the revocation of consent is only possible via a link in the footer. The co-participant is of the opinion that consent is therefore not "as easy to revoke as to grant" within the meaning of Art. 7 Para. 3 GDPR. Consent requires a click on a directly recognizable button in a banner that centrally and clearly covers a large part of the page and requires interaction. In order to revoke consent, however, various steps are necessary. Revocation via the footer link requires scrolling to the end of the page, a step that only a small proportion of all users ever take. Even if you scroll to the end of the page, you need to look very carefully to find the correct option among the ten different options (“General Terms of Use”, “Privacy Policy”, “Cookie List”, “Advertising in the XXXX Network”, “Advertising on XXXX”, “Imprint of XXXX”, “Cookie Settings and Revocation”, “Rates & Media Data”, “Current subscription offers from the daily newspaper XXXX and questions about your subscription”, “Imprints of daily newspapers and magazines”). You then have to click on “Cookie Settings and Revocation” again to open the settings. Finally, you can revoke your consent by clicking on the “Reject all” button. Attentive eyes will not miss the fact that the complaining party has wrongly categorised purposes such as “provision and display of advertising and content” or “comparison and combination of data from different sources” as “always active”. This means that data is processed for these purposes even if consent has been refused or revoked. It is undeniable that the procedure described is not "as simple" as granting consent. For this reason, the co-defendant considers a floating icon that signals the revocation option to be more appropriate. According to the evidence taken by the Federal Administrative Court and the statement of the complaining party, revocation of consent is only possible via a link in the footer. The co-defendant is of the opinion that consent is therefore not "as easy to revoke as to grant" within the meaning of Article 7, Paragraph 3, GDPR. Consent requires a click on a directly recognizable button in a banner that centrally and clearly covers a large part of the page and requires interaction. In order to revoke consent, however, various steps are necessary. Revocation via the footer link requires scrolling to the end of the page, a step that only a small proportion of all users ever take. Even if you scroll to the end of the page, you need to look very carefully to find the correct option among the ten different options (“General Terms of Use”, “Privacy Policy”, “Cookie List”, “Advertising in the roman 40 network”, “Advertising on roman 40”, “Imprint of roman 40”, “Cookie Settings and Revocation”, “Rates & Media Data”, “Current subscription offers from the daily newspaper roman 40 and questions about your subscription”, “Imprints of daily newspapers and magazines”). You then have to click on “Cookie Settings and Revocation” again to open the settings. Finally, you can revoke your consent by clicking on the “Reject all” button. Attentive eyes will not miss the fact that the complaining party has wrongly categorised purposes such as “provision and display of advertising and content” or “comparison and combination of data from different sources” as “always active”. This means that data will be processed for these purposes even if consent has been refused or revoked. It is undeniable that the procedure described is not "as simple" as giving consent. For this reason, the party involved considers a floating icon that signals the revocation option to be more appropriate.
16.5. The authority concerned did not issue a statement.
II. The Federal Administrative Court has considered: Roman II. The Federal Administrative Court has considered:
1. Findings:
With regard to the course of proceedings (the administrative process), the complaining party, the co-participants and with regard to the technical functioning of cookies, the statements above under point I., in particular the findings/considerations of the authority concerned in the contested decision, are assumed.With regard to the course of proceedings (the administrative process), the complaining party, the co-participants and with regard to the technical functioning of cookies, the statements above under point Roman one., in particular the findings/considerations of the authority concerned in the contested decision, are assumed.
With regard to the current URL of the website, the design of the cookie banner and the setting of cookies before interaction with it, the following is stated, contrary to the findings of the authority concerned:
The complaining party now publishes its articles on the topics of "health" and "fitness" on the website XXXX (previously on the website XXXX If the user enters the URL XXXX, he is automatically redirected to XXXX. The complaining party now publishes its articles on the topics of "health" and "fitness" on the website roman 40 (previously on the website roman 40 If the user enters the URL roman 40, he is automatically redirected to roman 40.
The cookie banner currently looks like this when you visit the website XXXX:The cookie banner currently looks like this when you visit the website roman 40:
By clicking on the link "Show purposes", the user reaches the "second level" of the cookie banner, which is currently designed as follows:
A "floating icon" with which a user can return to the cookie settings and revoke their consent and/or exercise an objection is currently not implemented on the complaining party's website. In order to be able to access the cookie settings again and revoke their consent and/or exercise an objection, the user must click on a link with the text "Cookie settings and revocation" in the "footer" at the bottom of the page:
After clicking on the "Cookie settings and revocation" link, the user reaches the second level of the cookie banner, where consent can be revoked by clicking on the "Reject all" button.
Currently, when you visit the XXXX website, the cookies "__adblocker" and "OptanonConsent" are set without any interaction with the cookie banner or consent having been given beforehand: Currently, when you visit the Roman 40 website, the cookies "__adblocker" and "OptanonConsent" are set without any interaction with the cookie banner or consent having been given beforehand:
The "__adblocker" cookie checks whether an ad blocker is installed in the user's browser, the "OptanonConsent" cookie is used to save the cookie settings. These are technically necessary cookies.
2. Assessment of evidence:
The findings are derived from the administrative and court files. The relevant investigation results and documents are contained in the files mentioned.
The authority concerned carried out a flawless, proper investigation procedure. The complaining party did not substantively object to the facts established by the authority concerned and its assessment of the evidence in the party complaint. However, the official findings regarding the design of the cookies banner and the cookies set before interaction with it turned out to be out of date during the official searches carried out on the XXXX websites on May 7, 2024, May 13, 2024 and July 22, 2024. The now adapted findings arise from the result of these searches or searches carried out at the time of the decision and the written submissions received from the complaining party on June 6, 2024 and the co-parties on May 27, 2024 and July 1, 2024 after the parties were granted a hearing. The authority concerned carried out a flawless, proper investigation procedure. The complaining party did not substantively object to the facts established by the authority concerned and its assessment of the evidence in the party complaint. However, the official findings regarding the design of the cookies banner and the cookies set before interaction with it turned out to be out of date during the official searches on the roman 40 websites on May 7, 2024, May 13, 2024 and July 22, 2024. The now adapted findings result from the result of these searches or searches carried out at the time of the decision and the written submissions received from the complaining party on June 6, 2024 and from the co-parties on May 27, 2024 and July 1, 2024 after the parties were granted a hearing.
The facts essential to the decision have thus been established. There is therefore no need for further clarification of the facts by taking further evidence and holding an oral hearing. The parties have not indicated which aspects of the facts still need to be supplemented, and this has not come to light elsewhere either. In this case, only legal questions need to be clarified.
3. Legal assessment:
Re A)
3.1. According to Article 130, Paragraph 1, Item 1 of the Federal Constitutional Court Act, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality.3.1. According to Article 130, Paragraph 1, Item 1 of the Federal Constitutional Court Act, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality.
According to Section 6 of the Federal Administrative Court Act, the Federal Administrative Court decides by a single judge, unless federal or state laws provide for decisions by senates. According to Section 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides by senate in proceedings on complaints against decisions due to violation of the duty to inform pursuant to Section 24, Paragraph 7 and the data protection authority's duty to decide. The senate consists of a chairperson and one expert lay judge from the circle of employers and one from the circle of employees. According to Paragraph 6 of the BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for decisions by senates. According to Paragraph 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides by senate in proceedings on complaints against decisions due to violation of the duty to inform pursuant to Paragraph 24, Paragraph 7 and the data protection authority's duty to decide. The senate consists of a chairperson and one expert lay judge from the circle of employers and one from the circle of employees.
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, BGBl. I 2013/33 as amended by BGBl. I 2013/122 (§ 1 leg.cit.). According to § 58 paragraph 2 VwGVG, conflicting provisions that were already published at the time this federal law came into force remain in force. The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, BGBl. Roman one 2013/33 as amended by BGBl. Roman one 2013/122 (paragraph one, leg.cit.). According to paragraph 58, paragraph 2, VwGVG, conflicting provisions that were already published at the time this federal law came into force remain in force.
According to Section 17 of the Administrative Court Act, unless otherwise provided for in this federal law, the provisions of the Administrative Court Act, with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code – BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act – AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the proceedings on complaints pursuant to Article 130, Paragraph 1 of the Administrative Court Act.According to Section 17 of the Administrative Court Act, unless otherwise provided for in this federal law, the provisions of the Administrative Court Act, with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code – BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act – AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the proceedings on complaints pursuant to Article 130, Paragraph 1 of the Administrative Court Act. one to 5 and Roman IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194 of 1961, the Agricultural Procedure Act - AgrVG, Federal Law Gazette No. 173 of 1950, and the Civil Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29 of 1984, and in addition those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court are to be applied mutatis mutandis.
According to Section 28 Paragraph 1 VwGVG, the administrative court must settle the legal matter by decision, unless the appeal is to be rejected or the proceedings are to be discontinued. According to Paragraph 28, Paragraph one, VwGVG, the administrative court must settle the legal matter by decision, unless the appeal is to be rejected or the proceedings are to be discontinued.
According to Section 28 Paragraph 2 VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130 Paragraph 1 Item 1 B-VG if (1.) the relevant facts are established or (2.) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings. According to Paragraph 28, Paragraph 2, VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130, Paragraph one, Item one, B-VG if (1.) the relevant facts are established or (2.) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.
3.2. On the procedural requirements:
The complaint was filed within the time limit pursuant to Section 7 Paragraph 4 VwGVG and the other procedural requirements are also met. The complaint was filed within the deadline in accordance with paragraph 7, paragraph 4, VwGVG and the other procedural requirements are also met.
3.3. On the merits:
3.3.1. Legal basis:
The provisions of Regulation (EU) 2016/679 (General Data Protection Regulation), GDPR, relevant to the complaint procedure in question are (excerpts, including heading):
Art.4 Z 1, 2, 7 and 11 GDPR: Art. 4 number one,, 2, 7 and 11 GDPR:
Definitions
Art. 4. For the purposes of this Regulation, the following terms shall apply: Article 4. For the purposes of this Regulation, the following terms shall apply:
1. “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7. "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are specified by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Article 7 GDPR:
Conditions for consent
(1) Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
(2) Where the data subject’s consent is given by a written statement which also covers other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it is clearly distinguishable from the other matters. Parts of the statement shall not be binding if they constitute an infringement of this Regulation.
(3) The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of the consent up to the time of withdrawal. The data subject shall be informed of this before consent is given. Withdrawing consent shall be as easy as giving consent.
(4) In assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, depends on consent to the processing of personal data which are not necessary for the performance of the contract.
Article 58(1)(b) and (2)(d) GDPR: Article 58(1)(b) and (2)(d) GDPR:
Powers
(1) Each supervisory authority shall have all of the following investigative powers, allowing it to:
b) carry out investigations in the form of data protection audits
(2) Each supervisory authority shall have all of the following remedial powers, allowing it to:
d) order the controller or processor to bring processing operations into compliance with this Regulation, where appropriate in a specified manner and within a specified period of time
3.3.2. Applied to the present case, this means the following:
3.3.2.1. First of all, it should be noted that the complaining party did not (any longer) object to the legal assessment of the authority concerned in the contested decision with regard to its jurisdiction, the non-applicability of Section 9 Paragraph 1 DSG and the existence of processing of personal data in its complaint against the decision. 3.3.2.1. First of all, it should be noted that the complaining party did not (any longer) object to the legal assessment of the authority concerned in the contested decision with regard to its jurisdiction, the non-applicability of Section 9 Paragraph 1 DSG and the existence of processing of personal data in its complaint against the decision.
It was also not disputed that the complaining party is to be qualified as the controller within the meaning of Article 4 Paragraph 7 GDPR for data processing as a result of setting or reading cookies on its website. The Federal Administrative Court cannot find that the legal assessment of the authority concerned is incorrect with regard to these points. It was also not disputed that the complaining party is to be qualified as the controller within the meaning of Article 4, paragraph 7, of the GDPR for data processing resulting from the setting or reading of cookies on its website. The Federal Administrative Court cannot find that the legal assessment of the authority concerned is incorrect with regard to these points.
3.3.2.2. It should also be noted that according to Article 58, paragraph 2, letter d of the GDPR, every supervisory authority has all the remedial powers that allow it to instruct the controller or the processor to bring processing operations into line with this regulation in a specific manner and within a specific period of time. Article 58, paragraphs one to three of the GDPR standardizes a comprehensive catalogue of investigative, remedial, approval and advisory powers. These powers arise directly from the GDPR and therefore did not have to be implemented separately by the Member States. The supervisory authority can act on its own initiative, at the request of the controller, processor or representative, in response to a complaint from a potentially affected person or at the request of another (supervisory) authority (cf. ECJ 14.03.2024, C-46/23, Újpesti Polgármesteri Hivatal, paras 25 ff, 42, 46). In principle, any deviation from the GDPR can be grounds for an instruction. The instruction is not to be limited to violations that lead to the material inadmissibility of data processing (Zavadil in Knyrim, DatKomm Art. 58 GDPR paras 2, 5, 34 [as of 1.3.2021, rdb.at]). 3.3.2.2. Furthermore, it should be noted that according to Article 58, paragraph 2, letter d, GDPR, each supervisory authority has all remedial powers that allow it to instruct the controller or processor to bring processing operations into compliance with this regulation, where appropriate in a specific manner and within a specific period of time. Article 58, GDPR, in paragraphs one to three, sets out a comprehensive catalogue of investigative, remedial, approval and advisory powers. These powers arise directly from the GDPR and therefore did not have to be implemented separately by the Member States. The supervisory authority can act on its own initiative, at the request of the controller, processor or representative, in response to a complaint from a potentially affected person or at the request of another (supervisory) authority (cf. ECJ 14.03.2024, C-46/23, Újpesti Polgármesteri Hivatal, paras. 25 ff, 42, 46). In principle, any deviation from the GDPR can be grounds for an instruction. The instruction is not to be limited to violations that lead to the material inadmissibility of data processing (Zavadil in Knyrim, DatKomm Article 58, GDPR margin numbers 2, 5, 34 [as of March 1, 2021, rdb.at]).
As the authority concerned correctly stated in the contested decision, it is permissible for the authority concerned to make official use of its powers stipulated in Article 58 (2) GDPR in a complaint procedure pursuant to Article 77 GDPR (see also BVwG November 16, 2022, W274 2237056-1/8E). This power of the authority concerned was not disputed by the complaining party in its party complaint. As the authority concerned correctly stated in the contested decision, it is permissible for the authority concerned to make official use of its powers stipulated in Article 58, paragraph 2, GDPR in a complaint procedure pursuant to Article 77, GDPR (see also BVwG 16.11.2022, W274 2237056-1/8E). This power of the authority concerned was not disputed by the complaining party in its party complaint.
3.3.2.3. Regarding point 3) a) of the contested decision:
The authority concerned has instructed the complaining party under this point to adapt its website XXXX in such a way that the revocation of consent for the cookies used and the associated processing of personal data complies with the requirements of Art. 7 Paragraph 3 GDPR. To this end, the complaining party must at least implement a clearly visible option for revocation on its website and expressly include the information on where the right of revocation can be exercised in the information in the request for consent.The authority concerned has instructed the complaining party under this point to adapt its website Roman 40 in such a way that the revocation of consent for the cookies used and the associated processing of personal data complies with the requirements of Article 7 Paragraph 3 GDPR. To this end, the complaining party must at least implement a clearly visible option for revocation on its website and expressly include the information on where the right of revocation can be exercised in the information in the request for consent.
In its statement of June 6, 2024, the complaining party initially counters the legal opinion and the performance mandate of the authority concerned by arguing that the proceedings should be discontinued due to the fact that the website XXXX does not continue to exist. In its statement of June 6, 2024, the complaining party initially counters the legal opinion and the performance mandate of the authority concerned by arguing that the proceedings should be discontinued due to the fact that the website Roman 40 does not continue to exist.
This cannot, however, be agreed with:
As the co-participant rightly points out, the domain XXXX continues to be operated in the interests of the complaining party. Contrary to the statements of the complaining party, the operation of the website was not discontinued, but continued under a new URL, so only the "name" of the website was changed. If the user enters the URL XXXX, he is automatically redirected to XXXX. It cannot therefore be said that the complaining party's website, which is the subject of the proceedings, no longer exists and that the proceedings should therefore be discontinued. As the co-participant rightly points out, the domain roman 40 continues to be operated in the interests of the complaining party. Contrary to the complaining party's statements, the operation of the website was not discontinued, but continued under a new URL, so only the "name" of the website was changed. If the user enters the URL roman 40, he is automatically redirected to roman 40. It cannot therefore be said that the complaining party's website, which is the subject of the proceedings, no longer exists and that the proceedings should therefore be discontinued.
However, as can be seen from the findings, at the time of the decision, when the complaining party's website XXXX or XXXX is accessed, a "cookie banner" appears, which, among other things, now contains the following text passage: "In addition, at the bottom of the page you will find a link "Cookie settings and revocation" with which you can return to your cookie settings and revoke your consent and exercise your objection (Article 21 GDPR)."However, as can be seen from the findings, at the time of the decision, when the complaining party's website roman 40 or roman 40 is accessed, a "cookie banner" appears, which, among other things, now contains the following text passage: "In addition, at the bottom of the page you will find a link "Cookie settings and revocation" with which you can return to your cookie settings and revoke your consent and exercise your objection (Article 21, GDPR)."
Accordingly, at the bottom of the page (in the "footer") you will find the link "Cookie settings and revocation". After clicking on the link "Cookie settings and revocation", the user is taken to the second level of the cookie banner, where consent can be revoked by clicking on the button "Reject all".
According to Art. 7, Paragraph 3 of the GDPR, the data subject has the right to revoke their consent at any time and revoking consent must be as easy as giving consent. In the online context, it must therefore be clearly visible - as the authority concerned correctly stated - where and how consent can be revoked. In the contested decision, the authority concerned states that the complaining party must at least implement a clearly visible option for revocation on its website and also explicitly include the information on where the right of revocation can be exercised in the information in the request for consent. According to Article 7, Paragraph 3 of the GDPR, the data subject has the right to revoke their consent at any time and revoking consent must be as easy as giving consent. In the online context, it must therefore be clearly visible - as the authority concerned correctly stated - where and how consent can be revoked. In the contested decision, the authority concerned states that the complaining party must at least implement a clearly visible option for revocation on its website and also explicitly include the information on where the right of revocation can be exercised in the information in the request for consent.
Against this background, the textual changes now made by the complaining party in the cookie banner and in the "footer" of the website are to be regarded as sufficient in terms of the service mandate of the authority concerned.
The authority concerned has already correctly stated in the contested decision that the figure of an averagely informed, attentive and circumspect consumer must be used to assess how the cookie banner and the interaction options are to be understood (cf. ECJ 16.07.1998, C-210/96 [Gut Springenheide GmbH] Rn 37; BVwG 13.12.2022, W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on consent under Regulation 2016/67, WP259 rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Art. 12 Rz 11; Illibauer in Knyrim, DatKomm Art. 12 Rz 39; with regard to the DSG 2000 also Jahnel, Handbook Rz 7/22 mwN).The authority concerned has already correctly stated in the contested decision that the figure of an averagely informed, attentive and circumspect consumer must be used to assess how the cookie banner and the interaction options are to be understood (cf. ECJ 16.07.1998, C-210/96 [Gut Springenheide GmbH] para. 37; BVwG 13.12.2022, W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on consent under Regulation 2016/67, WP259 rev.01, 17/DE, Session 16; Greve in Sydow, Commentary Article 12, para. 11; Illibauer in Knyrim, DatKomm Article 12, para. 39; in relation to the DSG 2000 also Jahnel, Handbook Rz 7/22 mwN).
In the present case, as stated, the text of the cookie banner expressly indicates, before consent is given, where and how consent can be revoked later (“In addition, at the bottom of the page you will find a link “Cookie settings and revocation” with which you can return to your cookie settings and revoke your consent and exercise your objection (Article 21 GDPR).”). In the present case, as stated, the text of the cookie banner expressly indicates, before consent is given, where and how consent can be revoked later (“In addition, at the bottom of the page you will find a link “Cookie settings and revocation” with which you can return to your cookie settings and revoke your consent and exercise your objection (Article 21 GDPR).”).
Even if - as the co-participant argues - consent requires (only) a click on a directly recognizable button in a banner that covers a large part of the page in a central and clearly visible manner, while revocation requires scrolling to the end of the page, where the correct option must then be found among ten different options, and the co-participant would prefer the revocation option to be designed in the form of a button, the Federal Administrative Court is of the opinion that - also due to the explicit reference in the cookie banner to the place where consent can be revoked - this is now a sufficiently visible option for revocation in accordance with Art. 7 Para. 3 GDPR, especially since the link "Cookie settings and revocation" is now clearly and unambiguously worded, so that it can be assumed that an averagely informed, attentive and intelligent consumer who wishes to revoke his or her consent is able to find the revocation option without any special effort. In addition, at the time of the decision, there is also the possibility - as requested by the defendant in the contested decision - to revoke consent with a (single) click on the "Reject all" button, so that numerous "checkboxes" no longer have to be individually deselected in order to withdraw consent. The fact that a large (permanently displayed) banner that extends prominently over a large part of the screen cannot be available for revoking consent, as is the case when consent is first granted, is already clear from the fact that otherwise the website would be largely illegible. Even if – as the co-participant argues – consent requires (only) a click on a directly recognizable button in a banner that covers a large part of the page in a central and clearly visible manner, while revocation requires scrolling to the end of the page, where the correct option must then be found among ten different options, and the co-participant would prefer the revocation option to be designed in the form of a button, the Federal Administrative Court is of the opinion that – also due to the explicit reference in the cookie banner to the point where consent can be revoked – this is now a sufficiently visible option for revocation in accordance with Article 7, paragraph 3, GDPR, especially since the link “Cookie settings and revocation” is now clearly and unambiguously worded, so that it can be assumed that an averagely informed, attentive and intelligent consumer who wishes to revoke his or her consent is able to find the revocation option without any special effort. In addition, at the time of the decision, there is also the possibility - as requested by the defendant in the contested decision - to revoke consent with a (single) click on the "Reject all" button, so that numerous "checkboxes" no longer have to be individually deselected in order to withdraw consent. The fact that a large (permanently displayed) banner that extends prominently over a large part of the screen cannot be available for revoking consent, as is the case when consent is first granted, is already clear from the fact that otherwise the website would be largely illegible.
Against this background, it should be noted that at the time of the decision, the complaining party's website provided an option to revoke consent for the cookies used and the associated processing of personal data in accordance with Art. 7, Paragraph 3 of the GDPR - in accordance with the requirements of the authority concerned in the contested decision - so that the complaining party complied with the service contract given to it under point 3) a) of the contested decision.Against this background, it should be noted that at the time of the decision, the complaining party's website provided an option to revoke consent for the cookies used and the associated processing of personal data in accordance with Article 7, Paragraph 3 of the GDPR - in accordance with the requirements of the authority concerned in the contested decision, so that the complaining party complied with the service contract given to it under point 3) a) of the contested decision.
3.3.2.4. On point 3) b) of the contested decision:
Under this point, the authority concerned instructed the complaining party to modify its website XXXX in such a way that valid consent is obtained in advance in accordance with Art. 4, paragraph 11 and 7 of the GDPR for the processing of personal data in connection with technically unnecessary cookies (in particular the Google and ÖWA services).Under this point, the authority concerned instructed the complaining party to modify its website Roman 40 in such a way that valid consent is obtained in advance in accordance with Article 4, paragraph 11 and 7 of the GDPR for the processing of personal data in connection with technically unnecessary cookies (in particular the Google and ÖWA services).
Currently, when the complaining party's website is accessed (without prior interaction with the cookie banner or consent being given), the cookies "__adblocker" and "OptanonConsent" are set. These are technically necessary cookies because - as stated - they are absolutely necessary for the provision of the service and there is a clear connection with the service expressly requested by the subscriber or user (cf. Riesz in Riesz/Schilchegger [ed.], TKG [2016] § 96 Rn 48). The setting of cookies from the Google and ÖWA services (before consent) objected to by the authority concerned in the contested decision is currently no longer taking place, so that the complaining party has ultimately also complied with this service order from the authority concerned. Although the complaining party has - as the co-defendant claims - marked purposes such as "provision and display of advertising and content" or "comparison and combination of data from different sources" as "always active" in the cookie banner, the complaining party has already demonstrated in a comprehensible manner in the administrative proceedings that this notice is incorrect and has no technical impact on data processing and has not yet been removed for technical reasons. In any case, it is clear that apart from the two technically necessary cookies "__adblocker" and "OptanonConsent", no other cookies are set before consent is given, not even for "provision and display of advertising and content" or "comparison and combination of data from different sources". Neither the co-defendant nor the authority concerned claimed the opposite, despite the parties being granted the opportunity to be heard. Currently, when the complaining party's website is accessed (without prior interaction with the cookie banner or consent being given), the cookies "__adblocker" and "OptanonConsent" are set. These are technically necessary cookies because, as stated, they are absolutely necessary for the provision of the service and there is a clear connection with the service expressly requested by the subscriber or user (see Riesz in Riesz/Schilchegger [ed.], TKG [2016] Paragraph 96, Rn 48). The setting of cookies from the Google and ÖWA services (before consent) objected to by the authority concerned in the contested decision is currently no longer taking place, so that the complaining party has ultimately also complied with this service order from the authority concerned. The complaining party did indeed - as the co-participant claims - mark purposes such as "provision and display of advertising and content" or "comparison and combination of data from different sources" as "always active" in the cookie banner, but the complaining party had already demonstrated in a comprehensible manner in the administrative proceedings that this notice was incorrect and had no technical impact on data processing and had not yet been removed for technical reasons. In any case, it is clear that apart from the two technically necessary cookies "__adblocker" and "OptanonConsent", no other cookies are set before consent is given, not even for "provision and display of advertising and content" or "comparison and combination of data from different sources". Neither the co-participant nor the authority concerned claimed the opposite, despite the parties being granted the opportunity to be heard.
3.3.3. Since, for the reasons set out above, there is no longer any scope for issuing the performance contracts at the time of the decision, the Federal Administrative Court is obliged to grant the party's complaint and to annul the contested ruling point 3 of the decision (in its entirety) without replacement.
3.4. According to Section 24 Paragraph 1 of the Administrative Court Act, the administrative court must hold a public oral hearing upon request or, if it considers this necessary, of its own motion.3.4. According to Section 24, Paragraph 1 of the Administrative Court Act, the administrative court must hold a public oral hearing upon request or, if it considers this necessary, of its own motion.
According to Section 24, Paragraph 4 of the Administrative Court Act (VwGVG), the administrative court can – unless otherwise provided by federal or state law – refrain from holding a hearing regardless of a party’s application if the files show that the oral discussion is unlikely to provide any further clarification of the legal matter, and neither Article 6, Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights preclude the omission of the hearing.According to Section 24, Paragraph 4 of the Administrative Court Act (VwGVG), the administrative court can – unless otherwise provided by federal or state law – refrain from holding a hearing regardless of a party’s application if the files show that the oral discussion is unlikely to provide any further clarification of the legal matter, and neither Article 6, Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights preclude the omission of the hearing.
Such a case is present here: In the present case, the facts relevant to the decision are established and clarified based on the files. According to the case law of the ECHR, an oral hearing is not required to resolve legal issues. The ECHR and the Charter of Fundamental Rights therefore do not preclude the waiver of an oral hearing. For these reasons, it was also not necessary to hold a public oral hearing ex officio.
To B)
According to Section 25a, Paragraph 1 of the Administrative Court Act, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Court Act. The ruling must be briefly justified.According to Section 25a, Paragraph 1 of the Administrative Court Act, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Court Act. The ruling must be briefly justified.
The present decision does not depend on the resolution of a legal issue of fundamental importance. There is no lack of case law from the Administrative Court, nor does the decision in question deviate from the case law of the Administrative Court; furthermore, the case law of the Administrative Court cannot be judged to be inconsistent. There are also no other indications of a fundamental importance of the legal questions to be resolved. For all significant legal questions, the Federal Administrative Court can rely on the established case law of the Administrative Court or on a legal situation that is already clear. It is also not apparent that a legal question arises in the specific case that has significance beyond the (specific) individual case. Based on this, a legal question of fundamental importance cannot be affirmed in this respect either. It was therefore necessary to declare that the appeal is not admissible in accordance with Article 133, paragraph 4 of the Federal Constitutional Law. The present decision does not depend on the resolution of a legal question that is of fundamental importance. There is no lack of case law from the Administrative Court, nor does the decision in question deviate from the case law of the Administrative Court; furthermore, the case law of the Administrative Court cannot be considered inconsistent. There are also no other indications of a fundamental importance of the legal questions to be resolved. For all significant legal questions, the Federal Administrative Court can rely on the established case law of the Administrative Court or on a legal situation that is already clear. It is also not apparent that a legal question arises in the specific case that has significance beyond the (specific) individual case. Based on this, a legal question of fundamental importance cannot be affirmed in this respect either. It was therefore necessary to declare that the appeal is not admissible in accordance with Article 133, paragraph 4, B-VG.
