APD/GBA (Belgium) - 85/2022: Difference between revisions

From GDPRhub
m (comma, parallel "for")
 
(One intermediate revision by one other user not shown)
Line 79: Line 79:
}}
}}


The Belgian DPA fined a large media company €50,000 for not obtaining prior consent for the placement cookies and for violating the principles of accountability and storage limitation.
The Belgian DPA fined a large media company €50,000 for not obtaining prior consent to place cookies and for violating the principles of accountability and storage limitation.


== English Summary ==
== English Summary ==
Line 111: Line 111:


== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
https://www.lesoir.be/448977/article/2022-06-17/lapd-t-elle-enterine-la-regionalisation-de-la-vie-privee


== English Machine Translation of the Decision ==
== English Machine Translation of the Decision ==

Latest revision as of 15:55, 18 June 2022

APD/GBA - 85/2022
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 6(1) GDPR
Article 7(1) GDPR
Article 7(3) GDPR
Article 12(1) GDPR
Article 24 GDPR
Article 5(3)(e) ePrivacy Directive
Type: Investigation
Outcome: Violation Found
Started: 16.01.2019
Decided: 25.05.2022
Published: 25.05.2022
Fine: 50.000 EUR
Parties: Roularta Media Group
National Case Number/Name: 85/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 85/2022 van 25 mei 2022 (in NL)
Initial Contributor: Enzo Marquet

The Belgian DPA fined a large media company €50,000 for not obtaining prior consent to place cookies and for violating the principles of accountability and storage limitation.

English Summary

Facts

On 16 January 2019, the Executive-committee of the Belgian DPA (GBA) started an investigation on the use of cookies on Belgian media websites. The controller in this case is Roularta Media Group.

The investigation revealed the following potential violations. First, the placement of unnecessary cookies prior to consent of the data subject. Second, the placement of statistical cookies without consent. Third, pre-ticked boxes to grant consent for cookies from partners. Fourth, the placement of a disclaimer for third-party cookies. Fifth, false and inadequate information in their privacy policy. Sixth, unjustified retention periods for the storage of cookies. Lastly, revoking consent was impossible. In fact, this placed more cookies. The controller argued that statistical cookies are used for aggregated basic statistics, necessary for the business model of the website. No personal data is being processed for this activity, as such, the GDPR does not apply.

The controller argued that regarding the statistical cookies, the personal data was anonymised. The controller further argued that the Belgian DPA did not provide adequate guidelines for companies to comply with the GDPR. The controller refers to e.g. the French and Dutch DPA, who have provided this.

Holding

Regarding the placement of cookies, the DPA first noted that cookies can only be placed without prior consent when they are (1) strictly necessary for the transmission of communication or (2) to provide a service that is explicitly requested by the user. The DPA held that the controller violated Article 6(1)(a) and Article 5(3) ePrivacy Directive 2002/58/EC, as some of the cookies placed without prior consent were found to be not strictly necessary. The controller even admitted to the placement of unnecessary cookies without obtaining prior consent.

Regarding the placement of statistical cookies in particular, the DPA noted - with reference to her decision in 12/2019 - that these also require prior consent. The DPA observed that the placement and reading of these cookies on the terminal equipment of users revealed their IP-addresses to the controller. The DPA disregarded the defence of the controller that the IP-addresses were anonymised, and found that they were instead pseudonimised. This makes the data subjects indirectly identifiable and thus the GDPR applicable. The DPA therefore held that the controller violated Article 6(1)(a) and Article 5(3) ePrivacy Directive 2002/58/EC by not obtaining prior consent.

Regarding the pre-ticked boxes for the cookies from partner companies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11) (and with reference to Planet49). The DPA thus found another violation of Article 6(1)(a).

The DPA held that regarding the disclaimer placed on their website for third-party cookies, the controller violated the principle of accountability laid down in Article 5(2). The DPA stated that controllers are responsible for compliance with the GDPR and the demonstration thereof (Article 24).

The DPA found that the privacy policy of the controller contained false, incomplete and insufficient information. The DPA therefore held that the controller violated Article 12(1), as it did not communicate the information referred to in of Article 13 and Article 14 in a "concise, transparent, intelligible and easily accessible form". The DPA furthermore held that the controller violated the principle of storage limitation laid down in Article 5(1)(e) by not proactively defining the criteria for the storage of cookies.

Lastly, the DPA found that the controller violated Article 7(3), as withdrawing consent was made impossible by the controllers cookie-management tool. The DPA noted that withdrawing consent must be as easy as providing consent for users.

The DPA found that the alleged absence of concrete guidelines is not a valid argument against a violation of data protection legislation. The DPA held that it is the responsibility of the controller to comply with the law and further noted that numerous guidelines for companies to ensure compliance with the GDPR already exist.

The DPA fined the controller €50.000. The DPA further ordered the controller to get its processing of personal data - for which a violation was established - in compliance with the GDPR within 3 months.

Comments

While addressing the installation of statistical cookies, both the DPA and the controller seem to focus on the (non-)personal data conveyed by the tracker. It is important to note that this is only of importance for the applicability of the GDPR. The ePrivacy Directive refers to the storage of 'information,' which is a broader concept. This is also stated in Planet49.

Further Resources

https://www.lesoir.be/448977/article/2022-06-17/lapd-t-elle-enterine-la-regionalisation-de-la-vie-privee

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

                                                                                               1/58







                                                                               Dispute room



                                              Decision on the merits85/2022 of 25 May 2022



File number : DOS-2020-03432



Subject: Use of cookies on Knacken LeVif's media websites (RoulartaMediaGroup)





The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,
chairman, and Messrs Christophe Boeraeve and Frank De Smet, members;



Having regard to Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on

the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General
Data Protection Regulation), hereinafter GDPR;



Having regard to the law of 3 December 2017 establishing the Data Protection Authority, hereinafter WOG;



In view of the law of 30 July 2018 on the protection of natural persons with regard to
the processing of personal data, hereinafter WVP;



Having regard to the internal rules of procedure, as approved by the Chamber of Representatives

on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;


Having regard to the documents in the file;




has taken the following decision regarding:

                                                                                               †

Defendant: Roularta Media Group, a public limited company under Belgian law, with .

                  registered office at 8800, Roeselare, Meiboom, 33 and registered in the .
                  Crossroads Bank for Enterprises under number 0434.278.896,

                  represented by Master Tom De Cordier, with office at 1170,

                  Watermael-Bosvoorde, Terhulpsesteenweg 178 (CMS)., Decision on the merits 85/2022 - 2/58



I. Facts procedure



   I.1. Investigation Inspection Service


   1. On January 16, 2019, the Executive Committee of the Data Protection Authority (“DPA”) decides on

      pursuant to Article 63, 1° WOG, read in the light of Article 57, paragraph 1, points a) and h) of the GDPR, in order to
      submit a file to the Inspectorate in connection with the use of cookies on

      Belgian media websites.


   2. In particular, it was decided to conduct a survey of the most consulted
                            1
      Belgian news media:

        1 HLN DPG Media nv http://hln.be/ NL

        2 Het Nieuwsblad Mediahuis http://nieuwsblad.be/ NL

        3 VRT VRT http://deredactie.be/ NL

        4 Sudinfo Groupe Rossel http://sudinfo.be/ FR

        5 La DH IPM Group SA http://dhnet.be/ FR

        6 De Standaard Mediahuis http:// Standaard.be/ NL

        7 RTBF RTBF http://rtbf.be FR

        8 Gazet van Antwerpen Mediahuis http://gva.be/ NL
        9 RTL Groupe RTL http://RTL.be FR

        10 The Importance of Mediahuis http://hbvl.be/ NL

             Limburg

        11 Le Soir Groupe Rossel http://lesoir.be/ FR

        12 7 sur 7 DPG Media nv http://7sur7.be/ FR

        13 La Libre IPM Group SA http://lalibre.be/ FR

        14 De Morgen DPG Media nv http://demorgen.be/ NL

        15 De Tijd MEDIAFIN NV http://tijd.be/ NL

        16 l'Avenir Nethys.sa http://lavenir.net/ FR
        17 VTM DPG Media nv http://vtm.be NL

        18 Sudpresse Editions Groupe Rossel http://www.sudpressedigital.be/FR

             digitals

        19 Knack Roularta Media http://knack.be/ NL

                                   group

        20 Le Vif Roularta Media http://levif.be/ FR

                                   group





1According to 2019 figures from the Center for Information on the Media (CIM), Decision on the substance 85/2022 - 3/58



3. The aforementioned investigation related to the verification of the basic principles of the GDPR and the e-mail

    Privacy Policy on the use of cookies and in particular:


         - the clarity and accessibility of the information about cookies;


         - compliance with obtaining the user's consent for posting
             not strictly necessary cookies;


         - the (whether or not) placement of cookies that are not strictly necessary before the consent of

             the user has been obtained;

         - the possibility for the user to parameterize his acceptance of cookies (i.e.

             the possibility of differentiating options on a more general level), in

             in particular to refuse cookies intended for profiling for

             advertising purposes.


     The study was based on the following principles:

         - Further browsing is no longer accepted as it violates the GDPR;


         - To comply with the consent requirement, which implies a freedom of choice,

             the possibility to parameterize cookies and clear information about

             the purposes of the categories of cookies are provided;

         - For websites currently working with a parameter setting, the

             effectiveness of that parameter setting at a technical level.


4. On 7 October 2020, the inspection of the Inspectorate for the websites www.knack.be and

    www.levif.be and the file is transferred by the Inspector General to the
    Chairman of the Disputes Chamber, in accordance with art. 91, §1 and §2 WOG.


5. The inspection reports of the Inspectorate contain the following findings:


         1. Placement of cookies that are not strictly necessary before consent was given
             obtained (potential violation of Article 6.1 a) GDPR):


                ▪ Article 6.1 a) GDPR and Article 129 of the law on electronic

                    communication (WEC) determine that the consent of the data subjects is required

                    before placing the cookies, except when it is strictly necessary

                    cookies;

                ▪ The technical analysis of the Inspection Service shows that cookies are used

                    installed before the data subject has been able to give his consent (for

                    Knack 66 cookies and for Le Vif 60 cookies). These include third party, Decision on the merits 85/2022 - 4/58




                        cookies (48 for Knack, 44 for Le Vif). The technical report would also show

                        that numerous analytical and marketing cookies have been registered.


                    ▪ For both the Knack and Le Vif site, only 2 cookies were considered strict

                        found necessary.


            2. Statistical cookies are placed without permission (potential violation of

                article 6.1 a) GDPR):

                    ▪ The cookie settings screen shows that Roularta Media Group on the websites of

                        Knack and Le Vif considers statistical cookies as cookies that are not subject

                        are subject to permission. After all, they are always active by default and cannot

                        be turned off;


                    ▪ First party “statistical” cookies are not necessarily subject to the exception of

                        'strictly necessary cookies' from Article 5.3 paragraph 2 of the e-Privacy Directive. The

                        The Disputes Chamber ruled in a decision on the merits 12/2019 of 17 December

                        2019 that statistical cookies cannot be considered as cookies that are strictly

                        are necessary to provide a service requested by a subscriber, in the sense

                        of article 129 paragraph 2 WEC. It considered that the term “necessary” in accordance with the

                        protection purposes of European data protection law

                        be interpreted in the sense that this exception is only in the interest of the

                        data subjects (website visitors) and not in the exclusive interest of the provider

                        may be invoked by the information service. Even though website operators find

                        that these cookies are indispensable for the provision of their service, they are per

                        se not absolutely necessary to provide the information requested by the website visitor
                                                     2
                        provide information services.


                    ▪ However, in the same decision, the Disputes Chamber did not exclude that certain

                        statistical cookies are strictly necessary under certain conditions
                        cookies would be for the provision of a requested by the data subject

                        service, for example to detect a navigation problem. Of these, in this

                        case, however, is not the case. 3


            3. Pre-ticked boxes for the partners (potential violation of Articles4.11,

                6.1 a) and 7.1 GDPR):


                    ▪ The GDPR requires a “statement or unequivocal active act” (Article

                        4.11 GDPR), which means that all presumed consents based on a more



2 GK, Decision on the merits 12/2019 of 17 December 2019,
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-12-2019.pdf,

3Ibid., Decision on the merits 85/2022 - 5/58




                        implicit course of action of the data subject, not in accordance with the standards

                        of the consent of the GDPR. The Inspectorate bases itself on the Planet49

                        judgment from which it became clear that Article 2. F (definition of consent) and Article

                        5.3 (consent for cookies) of the ePrivacy Directive, should be read in
                                                                                    4
                        in conjunction with Article 4.11 and Article 6.1 a) of the GDPR. The Court of Justice
                        subsequently ruled that consent was not validly granted when

                        the storage of information by means of cookies or access to already on the

                        terminal equipment of the website user stored information via cookies

                        is allowed by default checked checkboxes which

                        the user must tick if he refuses to give his consent; 5


                    ▪ The technical analysis shows that the cookies of partner companies are set to

                        being active;


                    ▪ The Inspectorate also establishes that the defendant also does not comply with the

                        obligation of Article 7.1 of the GDPR which imposes on him to demonstrate that the
                        data subject has given his consent to use cookies that are not strictly necessary

                        to place.


            4. Disclaimer for third party cookies (potential violation of Article 5.2 a) and 7.1 GDPR):


                    ▪ According to the Inspectorate, Roularta Media Group is trying to

                        disclaim responsibility for third-party cookies that

                        visit to the sites of Knack and Le Vif;

                    ▪ For example, the cookie policy states that Roularta Media Group is not responsible for

                        cookies that are placed and managed by third parties (including to make it possible

                        share information through social networks). The cookie policy also states that

                        Roularta Media Group has no control over certain cookies that are placed on its

                        website are used.


                    ▪ The Inspectorate refers to the judgment in this regard

                        Wirtschaftsakademie of the Court of Justice which held that the

                        owner of a website is responsible for the processing of cookies that






4Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49 (hereinafter: "Judgment Planet49"), paragraph
65: “In view of the foregoing, the answer to question 1(a) and (c) is that Article 2(f) and Article 5(3) of

Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46 and with Articles 4(11) and 6(1)
point (a) of Regulation 2016/679, must be interpreted as meaning that the authorization referred to in those provisions does not
legally valid is granted when the storage of information by means of cookies or access to the terminal equipment of
the user of a website information stored via cookies is allowed by means of a ticked by default
checkbox that this user should uncheck in case he refuses to grant his consent.”
5Ibid., Decision on the merits 85/2022 - 6/58




                       installs or reads its website. At the very least, he participates in determining

                       the purposes and means of processing the personal data of

                       the visitors of its website through third-party applications on its website or the

                       dissemination of the content of third parties in the advertising spaces of its website
                                    7
                       to allow.


                    ▪ Subsequently, the Inspectorate refers to the accountability principle in Article
                       5.2 of the GDPR showing that the controller

                       is responsible for compliance with the principles governing the processing of

                       personal data and that he must be able to demonstrate compliance with these principles

                       be taken.


                    ▪ This practice used by Roularta Media Group should also be seen as

                       a violation of Article 7.1 GDPR, as a controller

                       must demonstrate that the data subject has given permission for the posting

                       of all cookies that are not strictly necessary.


            5. Wrong and faulty information (potential violationart.4.11,12.1,13and14ofthe

                GDPR).

                    ▪ The Roularta Media Group cookie policy contains provisions that are not in

                       comply with the GDPR. For example, the cookie policy speaks of implicit

                       permission for cookies via access to the websites of Roularta Media

                       Group, which conflicts with the need for an expression of will by a clear

                       statement or affirmative action in accordance with Article 4.11 GDPR. Also,

                       note that for sharing data collected through cookies no

                       specific permission is required, which is contrary to the specific character

                       of the consent to data processing in accordance with Article 4.11

                       of the GDPR;


                    ▪ The cookie policy would also lack clarity about the necessity of the use

                       from third party cookies due to technical problems that have been going on for more than a year

                       last for years;








6 Judgment of the Court of Justice of 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, para. 39: “In this
circumstances, it must be considered that the administrator of a fan page on Facebook, such as Wirtschaftsakademie, has been
define institutions according to, in particular, its target audience and objectives for the management or promotion of its
activities, participates in the determination of the purposes and means of the processing of the personal data of the
visitors to his fan page. For this, this manager must, in this case, be regarded as a controller within the Union,

jointly with Facebook Ireland, for this processing, within the meaning of Article 2(d) of Directive 95/46.”
7Ibid., Decision on the merits 85/2022 - 7/58




                   ▪ The Inspectorate also notes that the names of the types of cookies in the
                       cookie policy do not match the names of the cookie categories in the

                       cookie setting tool, which does not improve comprehensibility;


                   ▪ In addition, the cookie policy does not include information about the

                       storage periods of cookies. After all, the cookie policy would mention a

                       unlimited storage period for cookies;


                   ▪ The cookie policy states that the partners use the “IAB Europe”
                       Transparency & Consent Framework” that would ensure that third parties comply with the GDPR

                       comply. However, of the 449 partners that are on the Knack and Le Vif sites

                       mentioned, 312 have not been validated or are no longer validated by IAB;


                   ▪ The fact that the user must follow the policies of the 449 sellers (“vendors”)

                       to find out what these companies do with his data and

                       make an informed decision on that basis to obtain his/her consent

                       giving is more than illusory and impracticable. In addition, this will likely lead
                       to place even more cookies when visiting the links to this one

                       partners;


                   ▪ Finally, it is noted that cookies are not individually documented,

                       making the user unable to control what happens to their data

                       is being done.

           6. Unjustified storage periods of cookies (potential violation of article 5.1e)

               of the GDPR):


                   ▪ The Inspection Service refers to article 5.1e) AVG, which stipulates that cookies

                       should not be kept for longer than is necessary to achieve the purpose. This one

                       retention period may therefore not be indefinite. The information that becomes

                       collected and stored in a cookie and the information collected as

                       as a result of reading a cookie should be deleted if it is not
                       longer is needed for the intended purpose. A cookie that is exempt from

                       the consent requirement must have a lifetime that is directly related

                       with the purpose for which it is used and must be set up to

                       expire as soon as it is no longer necessary, taking into account the reasonable

                       user expectations. Cookies that are exempt from the

                       consent requirement will therefore generally have to expire when the
                                                           8
                       browser session ends or even earlier ;



8 See “The lifespan of cookies” and the “Questions” in the theme file “Cookies” on the website of the GBA,
https://www.dataprotectionauthority.be/burger/thema-s/internet/cookies., Decision on the merits 85/2022 - 8/58




                    ▪ The technical analysis report shows that the effective storage periods are unreasonable
                       are long and that cookies have a lifespan of several years. It

                       cookie policy mentions a storage period that is in principle unlimited.


            7. Non-compliance with the withdrawal of consent (potential violation of Article 7.3

                GDPR):


                    ▪ Article 7.3 of the GDPR provides that the data subject has the right to give his/her consent

                       withdraw at any time;

                    ▪ The technical analysis shows that the withdrawal of consent is not

                       is effective. The technical analysis of the Knack site shows that the number

                       cookies does not decrease after returning to minimal choices. The Inspection Service states

                       established that if she withdraws her consent again, there will be no change in the
                                                                                                   9
                       amount of cookies loaded, on the contrary, the number of cookies increases. From the

                       technical analysis of the Le Vif website shows that it is impossible to

                       operate the cookie management tool after the first consent has been given.

   6. On November 6, 2020, the Disputes Chamber requests the Inspectorate on the basis of Article 94, 2° and

       96, § 2 WOG for additional information regarding the technical investigation reports.


   7. On November 30, 2020, the additional investigation will be completed and the Inspectorate will provide

       an additional investigative report to the Disputes Chamber.

    I.2.The procedure before the Disputes Chamber



   8. On 21 December 2020, the Disputes Chamber decides on the basis of Article 98 WOG that the file

       ready for treatment on the ground.

   9. On December 21, 2020, the defendant will be notified of this

       decision, as well as the inspection report and the inventory of the documents in the file submitted by

       the Inspectorate was transferred to the Disputes Chamber. The defendant is also

       under Section 99 WOG notified of the deadlines to submit its defenses.

       The deadline for receipt of the defendant's response was

       laid down on February 9, 2021.

   10. On January 6, 2021, the Disputes Chamber will receive a letter from the defendant's counsel. In

       the aforementioned letter requests the defendant for a copy of the file (art. 95, § 2, 3° WOG) and

       it asks the Disputes Chamber to be heard in accordance with Article 98 WOG, in order to:

       to explain its defenses orally.




9See page 46 of the De Knack Inspection Report: “Between step 24 “everything” and step 26 “minimum”, the number of cookies
not finished”., Decision on the substance 85/2022 - 9/58



11. On January 18, 2021, the Disputes Chamber will send a copy of the file to the defendant.


12. On 9 February 2021, the Disputes Chamber receives the statement of defense from the defendant.

    Following is the summary of pleas and arguments formulated by the defendant in

    that conclusion.

13. In its reply, the defendant points out, first, that there are some

    inaccuracies were during the GBA's investigation.


        ▪ Means 1: the investigation was not carried out according to the rules of the art of

            are applicable.
                o The manual cookie scans are missing essential elements, namely the list

                    of URLs visited and specific requests related to the placement of

                    cookies. This makes it impossible for Roularta Media Group to determine which

                    URLs were visited during the study and whether these URLs were limited to

                    Roularta and whether cookies were already present during each consent scenario or

                    were placed.


                o Cookiebot and Onetrust were used as classification mechanisms

                    (both do not provide information and methodology on the used

                    classification method).



                o In addition, the Inspectorate used a free version of both mechanisms

                    which does not contribute to the credibility of the research.


                o Finally, OneTrust and Cookiebot's ratings show conflicts, and

                    nowhere in the study is it clarified how these are resolved when

                    the mechanisms are applied to Roularta's cookies.

                o Unclear terminology: “no technology”, “further browsing”, “CMP”,

                    “cookiewall”, “persistent banner”, “non-permanent banner”.


                o Unprofessional tooling: both WEC and Cookie Manager are immature github

                    repositories according to any software development standard. Although the WEC it

                    bears the stamp of approval of the EDPB, this repository is exclusively
                    developed by Robert Riemann, IT Policy Officer at the European regulator

                    for data protection (EDPS), and is not actively maintained, assuming

                    on the number of recent pull requests and open issues. Also Cookie Manager

                    was developed by a private individual (Rob Wu) who has no specific privacy or

                    has security background., Decision on the merits 85/2022 - 10/58



        ▪ Means 2: the document uses sources/tools that are not official


                o The sources for the cookie format cannot be verified, and the

                    documented sources are not reliable. Both OneTrust and Cookiebot

                    have built their own cookie classification database that controllers

                    supported by their understanding of cookies and bootstrap during implementation
                    of a CMP.


                o Regarding OneTrust: the classifications are based on the guidelines of the ICC

                    in the UK, which are no longer available, and supplemented by "a

                    layer of simple rules that allow clearer decisions to be made

                    in certain edge case scenarios, and a methodology for the
                    classification of best practices when further information on the use of

                    certain cookies is not otherwise available".


                o As for Cookiebot: Owned by Swedish privacy company Cybot, gives

                    only indicates that the company maintains a global cookie repository without

                    methodology and sources.

                o The credibility of these classifications is further affected by the fact

                    that the Researcher uses free versions of both Cookiebot and

                    OneTrust aiming to encourage users to subscribe to a full subscription

                    to buy.

                o Reference to website gdpr.eu for definition of strictly necessary cookies:

                    website is owned by the Swiss company Proton Technologies AG. The

                    Inspectorate could also refer to the correct legislation.


                o Ratio of third-party cookies: The inspectorate claims that the ratio between
                    first and third party cookies in the context of strictly necessary cookies serves as

                    proxy for potential breach. While there is absolutely no causal relationship between

                    the purpose of a cookie and domain ownership.


                o Manual cookies do not contain time stamps. As a result, Roularta cannot

                    verify whether these cookies are actually placed in sequence and which ones
                    cookies are added after a specific permission setting.





14. The defendant then addresses the findings of the Inspectorate:

        ▪ Fix 1: placement of non-strictly necessary cookies before consent

            was obtained, Decision on the substance 85/2022 - 11/58



        o Roularta states in its conclusions that it cannot verify which cookies are on the

            time of the findings were effectively placed. She declares that by

            lack of technical knowledge at Roularta there was a poor implementation

            from OneTrust. Cookies that would have been placed by advertisers

            should normally follow the consent obtained through the IAB TCF

            passed. According to Roularta, however, it is very difficult to permanently
            check whether all IAB vendors adhere to the agreements of the IAB TCF.


        o Roularta does indicate that in 2021 it will bring all news and content websites under one

            Roularta domain so that this problem is much better controlled

            can become.

 ▪ Fix 2: statistical cookies without permission


        o According to Roularta, placing statistical cookies before permission

            was obtained in accordance with art. 6.1 a) GDPR. This is due to the fact that the

            The purpose of placing these statistical cookies is to provide aggregated

            collect basic statistics about the use of its websites, which means
            is necessary for the business model of the websites:


                ▪ advertisers must be trusted and certified by the CIM (Centre for

                    Information about the Media) controlled visitor figures available

                    be asked;

                ▪ on the other hand, editors must be able to read the result of online

                    to measure published articles in order to be able to continuously evaluate and

                    adjust.


        o Defendant refers to the fact that aggregated data outside the
            scope of the GDPR.


        o In addition, the DPA had not yet published official guidelines on the

            obligation to obtain permission to place

            statistical cookies. Defendant then refers to the position of both

            the CNIL (French Authority) and the AP (Dutch Authority) regarding
            statistical cookies. It states that it maintains its practice with regard to statistical cookies

            inspired by the recommendations of the CNIL and the AP. Corresponding

            own interpretationswasRoularta's practice with regard to statistical cookies in

            compliance with the WEC and the GDPR.


▪ Identification 3: pre-ticked boxes for the partners, Decision on the substance 85/2022 - 12/58



       o Roularta believes that the use of pre-ticked boxes is a valid

           permission.


       o Partner companies within the OneTrust Consent Management Platform were

           default to "active", but Roularta clarifies that this does not mean that cookies

           were installed by those partner companies. So it wasn't about a
           permission to place cookies, but about a permission for

           give a number of partner companies access to data for one or more

           purposes. For example, if the data subject did not accept advertising cookies,

           then these partner companies would also not be able to place advertising cookies.


       o Roulartai's view, in the light of the case law of the Court of Justice in the
           judgment Planet49, that the practice whereby cookies from partner companies are

           being “active” constitutes a valid consent within the meaning of Articles 4.11 and

           6.1 a) GDPR.


       o Roularta points out that they have switched to the Didoma Consent

           Management Platform in March 2020, and now none of the partner companies
           is still automatically set to “active” and the user always has to make an active choice

           to make.


▪ Fix 4: Disclaimer for Third Party Cookies

       o Roularta states that it is not responsible for the processing of cookies used by

           third parties are placed within the framework of the IAB TCF.


       o The defendant relies on the IAB Europe investigation for its argumentation:

           “Belgium's Data Protection Authority found IAB Europe's Transparency and

           Consent Framework does not meet several standards under the EU General Data
           Protection Regulation, TechCrunch reports. The DPA determined the framework

           fails to comply with the GDPR's principles of transparency, fairness and

           accountability. IAB Europe said in response it “respectfully disagree[s] with the

           [Belgian DPA]'s apparent interpretation of the law, pursuant to which IAB Europe is

           a data controller in the context of publishers' implementation of the TCF

           [Transparency & Consent Framework (TCF)'".

       o Subsequently, the defendant argues that, should the DPA come to a different conclusion,

           its practices nevertheless comply with Article 5.2 of the GDPR. The

           accountability means “(I) the need for a for the

           controller to take appropriate and effective measures

           to implement the principles of data protection…”
           No guidelines have been published by the DPA clarifying what, Decision on the merits 85/2022 - 13/58



       is meant by a minimum of appropriate and effective measures.

       In addition, Roularta has chosen to use the IAB

       Framework described as “the most sophisticated and scrutinised”

       model of GDPR compliance for digital advertising in the world”.



   o Roularta clarifies that the disclaimer was not intended to
       shuffle off responsibility but give more to indicate that they are not

       is able to block cookies placed by third parties.


   o With regard to elements II and III of Article 5.2 of the GDPR: “(ii) the need to request

       demonstrate that appropriate and effective measures have been taken.

       The controller must therefore be able to provide evidence
       of (i) above”.


       Defendant admits that the statement in the cookie policy that “Roularta Media”

       Group is not responsible for the cookies placed by third parties and

       managed, among other things, to make it possible to share information via social media

       networks” and that “Roularta Media Group has no control over certain
       cookies used on its website” which was worded in an unfortunate way.

       Defendant argues that it was not so much the intention to disclaim responsibility

       to indicate that Roularta is technically unable to accept cookies

       block those placed by some third parties (in this case: advertisers)

       become.

       Advertisers and agencies, when an ad campaign is on

       one of the Roularta sites is shown, via those campaign cookies or scripts

       launches that are impossible for Roularta to know in advance.


       Roularta states in its conclusions that the statement in the cookie policy in
       issue was removed because it can be turned into TCF framework since the IAB

       assumed that IAB vendors no longer use cookies or scripts in accordance with this framework

       unless there is permission for both the cookies and the vendor involved

       approved in the list of partner companies.


▪ Conclusion 5: wrong and faulty information

           Regarding the statement “.. the lack of clarity in the cookie policy

           regarding the necessity of using third party cookies is due to

           technical problems”:


        o Position of Roularta: At the time of adoption by the GBA,
           this problem has already been solved but it was still in the privacy policy. At, Decision on the substance 85/2022 - 14/58



           update of the cookie policy on June 23, 2020 this entry was removed.

           Specifically, the problem was that Knack used a new registration system

           since November 2018. This registration system used functional

           cookies, to ensure that users do not have to log in again and again

           sign in. Technically, this cookie was a third-party cookie. It turned out

           be a problem for users who default third party cookies
           refused (they had to re-register each time). This problem became

           raised with the supplier of the registration system with a view to a

           quick solution. A solution was sought, but turned out to be more difficult than

           thought. They had to find a way in which people who are only first-party

           accept cookies can remain logged in on the website.

           About the mismatch of the names of the cookies in the

           cookie policy, on the one hand, and the categories of cookies in the cookie

           setting tool, on the other hand:


        o Roularta's point of view: Roularta had no choice but to

           terms used by IAB TCF on its consent tool (on
           penalty of exclusion from the TCF).


           About the fact that the cookie policy would not contain any information

           regarding the storage periods:

        o See statement of defense about determination 6.


           Regarding the listing in the consent management tool related to the

           use of the “IAB Europe Transparency & Consent Framework”:


        o The statement and brief explanation were only intended to provide transparency
           create and inform the user about how Roularta

           want to control the use of cookies, namely by joining a

           internationally recognized standard within the digital advertising world.


           Regarding the fact that the user of the website has followed the cookie policy of the 449

           should consult vendors to get an idea of what's
           happened with her data:


        o An obligation imposed on it by the IAB TCF.


           With regard to not individually documenting the cookies:

        o Fixed in the meantime by an update of the cookie policy.


▪ Statement 6: Unjustified storage periods of cookies, Decision on the merits 85/2022 - 15/58



        o Here again, the defendant refers to the lack of precise guidelines as to what

            concerns the lifespan of cookies.


        o She states that this makes it very difficult for companies to (1) understand what the

            lifespan is when cookies “should not be kept longer than the time”

            necessary to achieve the intended purpose” and (2) their practices
            must adjust to comply with the GBA.


        o The Inspectorate also incorrectly stated that no information about the

            storage period of cookies can be found in the privacy policy (piece 8): “La durée

            the conservation variety de cookie à cookie, en général les cookies sont stockés

            jusqu'à ce que l'utilisateur supprime les cookies (...)". Paragraph 11 of the
            privacy policy(Part8)in factcontainstwotypesofinformationabouttheretention time

            of cookies: (i) the fact that the duration varies from cookie to cookie (ii) the fact that

            the user can disable cookies, resulting in zero retention time

            (since cookies are not active). It is therefore incorrect to state that Roulartaeen

            has a retention period, which is in principle unlimited. It is correct that there is no

            concrete information could be found about the storage period of cookies, but it
            goes too far that the Inspectorate equates this with an unlimited duration.


        o Defendant also refers to an amended privacy policy on June 23, 2020,

            where now a detailed description of the retention period can be found

            to find.

▪ Notice 7: Non-compliance with the withdrawal of consent


        o This was due to the technical difficulties related to the use of the

            cookie tool OneTrust. The problem was solved by implementing the

            Consent Management Platform Didomi.

        o Withdrawing consent should be as easy as giving it

            of it:Roulartaprovides a simple and easily accessible tool, and

            without lowering the level of service.


        o In addition, Roularta cannot effectively remove a particular cookie itself from
            the device, this should be done by the person concerned.


        o In summary, the consequence of withdrawing consent is: “it

            blocking and subsequent deletion of cookies in the browser of the

            user, no more data processing will take place”. The cookies

            will still be installed on the user's device, but
            they will be inactive and no longer functional., Decision on the merits 85/2022 - 16/58



   15. On December 6, 2021, the Defendant will be notified that the hearing will be

       take place on December 17, 2021.


   16. On December 17, 2021, the defendant will be heard by the Disputes Chamber.


   17. On 23 December 2021, the minutes of the hearing will be sent to the counsel of the

       submitted to the defendant.

   18. On January 6, 2022, the Disputes Chamber will receive the defendant's comments with

       with regard to the official report, which it includes in its deliberations.


   19. On April 20, 2022, the Disputes Chamber notified the defendant of its intention

       to proceed with the imposition of an administrative fine, as well as the amount thereof
       in order to give the defendant the opportunity to defend itself before the sanction takes effect

       is imposed.


   20. On 11 May 2022, the Disputes Chamber will receive the defendant's response to the intention to

       the imposition of an administrative fine, as well as the amount thereof.




II. Justification


    II.1. Competence of the Data Protection Authority


   21. In accordance with Article 4, §1 WOG, the Data Protection Authority is “responsible for”

       monitoring compliance with the basic principles of data protection,

       within the framework of this law and of the laws containing provisions for the protection of the
       processing of personal data.” From the wording of the Explanatory Memorandum of the

       WOG shows that the competence of the GBA must be interpreted very broadly:


               “The Data Protection Authority acts with regard to legislation that

               contain provisions regarding the processing of personal data, such as, for example

               the law regulating a national register, the law establishing and organizing
               a Crossroads Bank for Social Security, the Act establishing a

               Crossroads Bank for Enterprises, etc.” 10


       It can be deduced from the foregoing that the intention of the legislator was to make the GBA a

       confer general and horizontal competence with regard to the protection of

       personal data. The GBA therefore not only has supervisory powers with regard to the GDPR,






10Belgian Chamber of Representatives, Draft law establishing the data protection authority, 23 August
2017, DOC 54 2648/001, 13., Decision on the merits 85/2022 - 17/58




        but also with regard to other legislation relating to the processing of
        personal data.


   22. With regard to the use of cookies, reference should be made in this regard to the European

       Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and

       protection of privacy in the electronic communications sector (“e-mail

       privacy directive"), which has been partially transposed in Belgian law by the Electronics Act

       Communications (WEC). In particular, Article 5(3) of the ePrivacy Directive is important in this regard, such as

       converted at the time into (former) Article 129 WEC (cf. infra). The first provision reads as follows:

               "Member States shall ensure that the storage of information or the obtaining of access

               to information already stored in the terminal equipment of a subscriber or user,

               is only allowed on the condition that the subscriber or user concerned has consent

               has provided, after having been provided with clear and complete information in accordance with

               Directive 95/46/EC, including on the purposes of the processing. This does not constitute a

               prevent any form of technical storage or access for the sole purpose of

               carrying out the transmission of a communication on an electronic
               communication network, or, if strictly necessary, to ensure that the provider

               of a service expressly requested by the subscriber or user of the

               information society provides this service.”





   23. With regard to the jurisdiction of the Disputes Chamber with regard to the e-Privacy Directive and the
       WEC refers the Disputes Chamber to its previous decisions 12/2019 of 17 December 2019,

       19/2021 of February 12, 2021, 24/2021 of February 19, 2021 and 11/2022 of January 21, 2022.


   24. The Disputes Chamber furthermore emphasizes that as a body of the GBA it is competent to rule on

       the legality of personal data processing activities in accordance with Article 4, §1

       WOG, as well as Article 55 GDPR, and this in the light of Article 8 of the Charter of Fundamental Rights

       of the European Union.

   25. Furthermore, at the time of the Inspectorate's findings, under Belgian law, the Belgian

       Institute for Postal Services and Telecommunications (BIPT) the competent authority for the law

       on electronic communications (WEC), including Article 129 of that Act, which

       implements Article 5(3) of the ePrivacy Directive. Nevertheless, the concept depends

       consent under the ePrivacy Directive inseparable from the requirements of consent

       under the GDPR, which was also clarified in guidelines regarding consent by the WP29 as
                                                                                               11
       legal predecessor of the European Data Protection Board (hereinafter: “EDPB”).




1EDPB, Guidelines 5/2020 on consent in accordance with Regulation 2016/679, 4 May 2020, inter alia para. 7., Decision on the merits 85/2022 - 18/58




   26. In addition, in this regard, particular reference should be made to Opinion 5/2019 of the

       EDPB on the interaction between the ePrivacy Directive and the General Regulation

       Data protection, in which the EDPB states:


                “The data protection authorities are empowered to enforce the GDPR

                fact that a sub-part of the processing within the scope of the e-mail

                Privacy Directive, limits the powers of data protection authorities

                not under the GDPR”.12


   27. In the aforementioned opinion, the EDPB states that the provisions of the ePrivacy Directive are after all

       “clarify and complete” with regard to the processing of personal data in the sector

       of electronic communications, with a view to ensuring compliance with the

       Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Article 5, paragraph 3 of the

       ePrivacy Directive is hereby cited as an example of such a “specification provision”.


   28. That the provisions of the ePrivacy Directive - as well as its transposition provisions - as a

       clarification of and addition to the provisions of the GDPR should be considered,

       is also explicitly confirmed in the Explanatory Memorandum to the WEC bill:


                “Section 2 of Chapter III of Title IV is mainly devoted to the transposition of

                Directive 2002/58/EC of 12 July 2002 of the European Parliament and of the Council on

                the processing of personal data and the protection of privacy


                in the electronic communications sector (the so-called «Privacy Directive and

                electronic communication», hereinafter referred to as: «the Privacy Directive»). The provisions of

                this department set up a specific privacy protection regime in some places,

                adapted to the characteristics and needs of the electronic

                communication.Other placestheprovisionsofthisdepartmentmustbeseen

                as a supplement to the provisions of the Act of 8 December 1992 on the

                protection of privacy with regard to the processing of

                personal data (hereinafter referred to as: “the Privacy Act”).” 15(own underlining)


   29. In its judgment Planet49, the Court of Justice also ruled that the collection of cookies as

       processing of personal data can be considered. The Court confirmed in the aforementioned

       judgment that the intent of Article 5(3) of the ePrivacy Directive is to “tell the user

       protect against interference in his private life, whether or not that interference relates to




12EDPB, Opinion 5/2019 on the interplay between the ePrivacy Directive and the General Data Protection Regulation, with
in particular as regards the tasks and powers of data protection authorities, 12 March 2019, marginal no. 69.
13
  Ibid, edge no. 38.
14Ibid, edge no. 41.

15 Bill on Electronic Communications, Parl. St. Kamer, DOC 51 1425/001, p. 73. The current Article 129 is in the
draft law article 138.
16
  Judgment Planet49, § 45., Judgment on the substance 85/2022 - 19/58




       personal data". Furthermore, the Court of Justice stated that Article 5(3) of the ePrivacy Directive

       must be interpreted in the light of the GDPR, and in particular Articles 4.11, 6.1 a)

       (consent requirement) and 13 GDPR (information to be provided).


   30. In this regard, the Disputes Chamber also refers to the proposal for the e-Privacy Regulation in which

       provides that the supervision and compliance with the Regulation will be entrusted to the

       supervisory authorities responsible for the supervision of Regulation (EU)
       2016/679. 18


   31. Finally, the Disputes Chamber points out that since the entry into force of the Act of 21 December

       2021 transposing the European Electronic Communications Code and

       amendment of various provisions on electronic communications on January 10, 2022 the DBA

       is henceforth competent, in accordance with Belgian law, for the supervision of the provisions relating to

       the placement and use of cookies (i.e. “storing information or gaining access”

       to information already stored in a subscriber's or user's terminal equipment").

       The aforementioned law brought changes to the WEC, among other things. In particular, Article 256 provides for

       the law of December 21, 2021 the abolition of article 129 WEC and the transfer of this

       provision according to the law of 30 July 2018 on the protection of natural persons with
                                                                   19
       regarding the processing of personal data (WVP). Article 10/2 WVP now reads as

       follows:


        “In application of Article 125, § 1, 1°, of the Law of 13 June 2005 on electronic
        communication and without prejudice to the application of the Regulation and this law, the storage of

        information or accessing information already stored in the

        a subscriber's or a user's terminal equipment is permitted only on the condition that:

          1° the subscriber or user concerned, in accordance with the conditions laid down in the

        Regulation and in this law, get clear and precise information about the purposes of the

        processing and its rights under the Regulation and this law;

          2° the subscriber or end user has given his consent after being informed

        in accordance with the provision under 1°.

        The first paragraph does not apply to the technical storage of information or access to

        information stored in the terminal equipment of a subscriber or an end user with as

        the sole purpose of transmitting a communication via an electronic communications network







1Judgment Planet49, §69.
18Article 18, Proposal for a Regulation of the European Parliament and of the Council on respect for the
privacy and the protection of personal data in electronic communications, and repealing Directive 2002/58/EC,
COM/2017/010 final.

19Law of 21 December 2021 transposing the European Electronic Communications Code and amending various
provisions on electronic communications, Belgian Official Gazette 31 December 2021., Decision on the merits 85/2022 - 20/58



        perform or provide a service expressly requested by the subscriber or end user

        when this is strictly necessary.”


        In view of the fact that the GBA has the residual competence to supervise the provisions

        of the WVP, the material competence of the GBA with regard to the placement and

        use of cookies confirmed.



   32. The Disputes Chamber points out, however, that, in view of the fact that this amendment dates from after the

       conclusion of the debates in the present case, in this case further account will be taken of the


       legislative framework as it existed at the time of the (start of) procedure before the GBA.

   33. In any case, the GBA is therefore competent to judge – also under the legal situation that applied at the time of

       at the time of the determinations of the Inspectorate – to judge the legal validity of a

       given permission to place cookies. In that sense, the GBA is also authorized to:


       to exercise its powers of control over all other terms and conditions that are

       imposed by the GDPR for activities involving the processing of personal data – such as
                                                                                  20
       the obligations regarding transparency and information (Article 12 et seq. GDPR).


    II.2. Introduction to the general principles regarding the use of cookies


   34. Before discussing the findings contained in the report of the investigation, the

       Litigation Chamber it is useful to understand the general principles regarding the use of cookies and

       other means of tracing. 21


   35. The term "tracking tools" includes cookies and HTTP variables, which may be placed via

       web beacons or web pixels, flash cookies, access to terminal information from APIs (Local Area

       Network), and information from APIs (LocalStorage, IndexedDB, advertising identifiers such as identifiers

       such as IDFA or Android ID, GPS access, etc.), or any other identifier generated

       by a software or an operating system (serial number, MAC address, unique terminal identifier

       (UDI), or a set of data used to uniquely identify the

       terminal (e.g. via fingerprints).


   36. Cookies and other tracking devices can be distinguished by

       various criteria, such as the purpose they serve, the domain in which they are placed, or their

       lifespan.









20Comparison about the scope of this control power as well as the judgment of the EU Court of Justice of 15 June
2021, C-645/19, ECLI:EU:C:2021:483, para. 74.
21
   See also the theme page on the website of the Data Protection Authority, available at:
https://www.dataprotectionauthority.be/burger/thema-s/internet/cookies, Decision on the merits 85/2022 - 21/58




   37. Cookies can be used for various purposes (for example, to support the

       communication over the network, for audience measurement, for marketing and/or behavioral

       advertising purposes, for authentication purposes, etc.).

   38. They can be used, inter alia, to support communication over the network

       (login cookies), to measure the audience of a website (visitor number cookies, also called

       referred to as "analytical cookies" or "statistical cookies"), for marketing and/or advertising based on

       of behaviour, for authentication purposes, for website security, for load balancing,

       to personalize the user interface or to allow the use of a media player

       to create (flash cookies).

   39. Cookies can also be distinguished based on the domain through which they are stored

       placed on your device. The "first party" cookies are placed directly in the address bar

       of the browser by the registered domain. In other words, it concerns cookies that

       owner of the website you are visiting. The "third party" cookies are

       posted by a domain that is different from the domain you are visiting. This is the case

       when the website incorporates elements from other websites, such as images, social media

       “plugins” (for example, the Facebook “like button”) or advertisements. When this

       elements retrieved by the browser or other software from other websites may

       these websites also place cookies that can then be read by the websites that have them

       posted. These "third party cookies" enable these third parties to track the behavior of the
       tracking internet users over time and across numerous websites and based on this

       to create data profiles of people (profiling), so that they can be used in the future, for example

       be able to place more accurate and targeted marketing during the future surfing sessions of

       these internet users, who are traced in this way.


   40. Cookies can be further distinguished according to their lifespan. In this regard,

       made a distinction between "session cookies" and "persistent cookies". Session cookies become

       deleted automatically when you close your browser, while the "persistent cookies" are in your device

       (computer, smartphone, tablet, etc.) remain stored until a predetermined expiration date (which

       can be expressed in minutes, days or years, if applicable).

   41. Furthermore, from a legal point of view, a distinction must be made between, on the one hand, the

       means of tracking which require the prior consent of the user and,

       on the other hand, those for which it is not required.


   42. In accordance with article 129 WEC, there are two situations in which for the setting or reading of cookies
                                                                                            22
       no prior consent should be obtained from the data subject:



22In so far as relevant, Section 129 WEC reads as follows: “The storage of information or the gaining of access to information that
is already stored in the terminal equipment of a subscriber or a user is only permitted on the condition that […] 2° the
subscriber or end user has given his consent after being informed in accordance with the provisions in 1°. The first paragraph is, Decision on the substance 85/2022 - 22/58




        1) when the cookie has the sole purpose of sending a communication via a

        electronic communications network (for example, load balancing cookies); and


        2) when the cookie is strictly necessary to enable an express by the subscriber or end user

        to provide the requested service (such as, for example, cookies that enable the shopping cart

        or cookies that are used to ensure the security of a banking application).


   43. For the placement of other cookies and tracing means, the prior

       User consent is required, in accordance with Article 129 WEC.


   44. This includes cookies or other tracking devices that enable the display of

       (personalized) advertising or related features for sharing on social networks. Bee

       In the absence of a valid consent, these not strictly necessary cookies cannot be used on the

       device of the user are placed or read.


   45. The Disputes Chamber points out that, in order to be in accordance with the GDPR, the aforementioned

       consent should be informed, specific and free and that the user can do it just as easily

       must be able to revoke if it was given (cf. also infra title II.5.6).





    II.3. As to the alleged lack of guidance


   46. In its response, the defendant argues that cookie compliance is a technical and

       is a complex subject that requires both technical and legal expertise. She argues that the GBA

       would not have provided sufficient support to companies to comply with applicable regulations

       to apply correctly.


   47. More specifically, the defendant argues that the GBA, at the time of the findings by the

       Inspection service in this file, had not issued any guidelines regarding the use

       of cookies. This is in contrast to the French supervisory authority (CNIL).


   48. The Disputes Chamber points out that both at the level of the European Union and at the Belgian

       level, advice and positions from authorities already existed regarding cookies under the e-mail

       privacy directive many years before 25 May 2018. 23 At the European level, the Working Group

       Article 29 in 2012 expresses an opinion on the exceptions for consent for cookies. 24 on

       at the Belgian level, the legal predecessor of the GBA, the Commission for the



not applicable for the technical storage of information or access to information stored in the terminal equipment of a
subscriber or end user for the sole purpose of transmitting a communication over an electronic

communications network or to provide a service expressly requested by the subscriber or end user when doing so
is strictly necessary for this." (the Disputes Chamber underlines)
23 Pursuant to Article 99 of the GDPR, the Regulation has been in force since that date.
24
  WP29, Opinion 04/2012 on Cookie Consent Exemption (“Opinion 4/2012 on waiver of the consent obligation for
cookies”), 7 June 2012, WP194, available at: https://ec.europa.eu/justice/article-29/documentation/opinion-
recommendation/files/2012/wp194_en.pdf., Decision on the merits 85/2022 - 23/58




       Protection of Privacy (“CPP”), guidelines already in 2015 regarding the

       use of cookies. 25Furthermore, at the time of the determination of the

       Inspectorate, and there are currently many guidelines and advice that are directly

       relate to the situation regarding cookies that occurs in this file, such as

       guidelines on legal consent. 26



   49. It is indeed true that the legal situation, as well as the technical possibilities with and for

       cookies, have changed since the entry into force of the GDPR. The Disputes Chamber has already

       2019 made its first decision on cookies, which was also published on the

       website of the Data Protection Authority. 27


   50. Although the Disputes Chamber clearly recognizes that both the EDPB and the GBA itself as

       supervisory authority have powers to formulate opinions and guidelines and

       publication in connection with the protection of personal data, the Disputes Chamber points out

       points out, however, that this is part of the tasks and competences of those institutions, and not in itself

                                    28
       is an obligation. After all, it cannot be expected from supervisory authorities

       become that in a digitized society on every (changed) aspect of the processing of

       take a position of personal data proactively, where the lack of such positioning

       would hinder enforcement.


   51. For that reason, the European legislator has chosen to take responsibility for

       place the processing of personal data with the controller, without

       reservation in the absence of clarity regarding certain technical situations. 29 Among those


       processing responsibility also includes demonstrating that data subjects have a legally valid

       consent, as well as the adequate follow-up of the consequences of its withdrawal,
                                                              30
       which is extremely relevant in the present case.


   52. In this regard, it is the defendant, as operator of the contested websites, which chooses

       a certain structure by a certain provider for placing cookies (choice for

       certain “resources”) to collect advertising income through this way, among other things (choice for a

       particular “purpose”). Due to the defendant's choice of a particular management of its websites,

       it is the complexity of the defendant's processing activities per se that necessitates a




25
 CPP, Recommendation of its own accord on the use of cookies no. 01/2015.
26At the time of the determinations, the following guidelines, among others, were relevant: WP29, Guidance on
Consent under Regulation 2016/679, WP259 rev.01, as adopted by the European Committee for
Data protection dd. May 25, 2018: EDPB, Endorsement 1/2018, available at:

https://edpb.europa.eu/sites/default/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
27 Dispute Chamber Data Protection Authority, Decision 12/2019 of 17 December 2019, available at:
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-12-2019.pdf.

28Resp. Articles 70(e) and 58(3)(b) GDPR.
29
  Articles 5, paragraph 2, as well as 24 and 25 GDPR;
30Comparatorinformativetitle:E.M.FRENZEL,"DS-GVOart.5. GrundsätzefürdieVerarbeitungmensenbezogenerDaten”inBoris
P Paal and Daniel Pauly (eds), Datenschutz-Grundverordenung Bundesdatenschutzgesetz (CH Beck 2021), (85)106, marg. 52., Decision on the substance 85/2022 - 24/58




       thorough - and admittedly technically complex - investigation and subsequent analysis of a factual
       situation. The alleged lack of concrete guidelines in the current context cannot therefore

       serve as an argument against a breach of data protection law.






        II.4. As for the alleged inaccuracies during the investigation


   53. The defendant argues in the first instance that the Inspectorate's investigation did not

       performed according to the rules of the art. In summary, the defendant argues that:


            - there are discrepancies between the results obtained through the automated and de

               manual cookie scan;


            - there is a lack of documentation of the cookie classification by Onetrust and Cookiebot;

            - unclear terminology is used in the research report;


            - use is made of unprofessional tooling.


   54. Second, the defendant alleges that the Inspectorate used sources and tools that were not

       be official.

   55. The Disputes Chamber first points out that, in accordance with Article 72 WOG, the inspector

       generals and inspectors may “proceed to any investigation, any inspection, any interrogation, as well as

       obtain any information they deem necessary to satisfy themselves that the Fundamental Principles

       of the protection of personal data, within the framework of this law and of the laws enacted

       contain provisions on the protection of the processing of personal data, to which they

       supervision, are actually complied with”.

   56. Article 67 WOG provides that “the investigative measures [may] give rise to a lawsuit

       verbally establishing an infringement. That official report has evidential value to the contrary

       has been proven”. The Inspectorate has carried out several investigative acts of which it de

       detailed results in reports.


   57. The findings of the Inspectorate are administrative acts that fall under the

       material motivation obligation, and for that reason must be supported by "motives that are legitimate"
                                                                                              31
       and are in fact acceptable and which must therefore be verifiable."

       material obligation to state reasons, on the other hand, it is not required that such motives are explicitly stated
       be included in the administrative act itself. In other words, it is not required that the

       Inspection service all aspects – such as a detailed outline of the programming language used




31I. Opdebeek & S. De Somer, General Administrative Law (2nd edition), 2019, 435, par. 944., Decision on the merits 85/2022 - 25/58




       within and with which it uses research instruments, the technical terminology and so on

       – formally reasons for its findings.


   58. It is only in the context of "decisions of individual scope", such as the present one of

       the Disputes Chamber, that in the decision itself (explicitly) the legal and factual considerations

       must be stated on which the decision is based, and this in an adequate manner. 32 De

       Belgian legislator has approved the review of the investigative acts of the Inspectorate

       expressly restricted, since it leaves it to the Inspector General and his inspectors

       to ensure "that the resources they employ are appropriate and necessary." (art. 64, §2

       WOG). It is therefore not up to the Disputes Chamber to make the choices for certain

       to test investigative resources, where they appear to be within the powers of the Inspectorate

       and in which the principles of general good governance have apparently been observed .33


   59. As regards the discrepancies invoked by the defendant between the manual and the

       automated cookie scan, the Disputes Chamber points out that the aforementioned differences

       explained by the fact that additional operations were performed manually during the manual scan,

       or the “maximum” permission was granted in the cookie banner, which means additional

       cookies were placed. However, this is not possible with the automated cookie scan –

       performed through the Website Evidence Collector (WEC) – which cannot grant permission and through

       which therefore only detects those cookies that have been used without permission

       posted.


   60. It should also be noted in this regard that this was expressly stated

       in the technical investigation report drawn up by the Inspectorate. 34


   61. With regard to the cookies that were placed without permission, it should be

       pointed out that the different methods actually yielded almost the same results.


   62. In this regard, it should also be emphasized that it is by no means technically possible that

       cookies would be detected that were not placed. If the detection of the cookies

       had been done carelessly - quod non - this could only have resulted in

       effectively placed cookies were not detected by the tool and as a result this should only be done in the

       could have benefited the defendant.






32Article 3 Law of 29 July 1991 on the express statement of reasons for administrative acts, see also judgment of the Court of Appeal
Brussels (Market Court section) of 9 October 2019, 2019/AR/1006: “The main raison d'être of the obligation to state reasons […]
consists in the fact that the person concerned must be able to find the same motives as to which they are interested in the decision

was taken […]"
33See mutatis mutandis also Judgment of the Brussels Court of Appeal (Market Court section) of 7 July 2021, 2021/AR/320, 21: “The [Marktenhof]
has no jurisdiction to adjudicate on statements made by the Inspectorate […]”
34
  For example, technical research report website Knack, p.4(“3.Analysis”):“First, all websites, including the website
of “Knack”, automatically investigated by WEC. Then the various choices presented, provided by the website
with regard to cookies, manually followed from “minimum” consent to “maximum” consent (…)”., Decision on the merits 85/2022 - 26/58



63. In line with this, the Disputes Chamber points out, with regard to the argument of the

    defendant, according to which it is not possible to verify whether the investigation

    whether or not cache memory has been emptied and temporary internet files may be present

    were, can only be relevant for the manual search via Cookiemanager, but that this is not of

    applies to the automatic inquiry carried out via the WEC (which always
    starts as if the browser hadn't been manipulated in that sense in any way yet). Also during this last

    automatic search did detect not strictly necessary cookies on the

    researched websites.


64. As regards the argument raised by the defendant regarding the alleged
    unprofessional character of the tools used, in particular theWebsiteEvidenceCollector,

    the Disputes Chamber first points out that, in accordance with Article 64, §2 WOG, the inspector

    General and the inspectors, when exercising the powers referred to in Chapter 6,

    ensure that the resources they use are appropriate and necessary. This is the case regardless

    whether the resource used is ad hoc software or not, a beta version or not.

65. In addition, it should be noted that the changes made between versions 0.3.1 and 1.0.0

    applied to the tool WEC only concern "features" or "bug fixes", i.e. improvements

    benefit of the researcher so that the tool does not crash, freeze or generate errors.

    In other words, if the WEC version 0.3.1 has detected a cookie, it means

    that the tool has worked. After all, it is impossible for an instrument like this to be
    accidentally detect a non-existent cookie.


66. Finally, the Disputes Chamber points out that the defendant in no way demonstrates that this,

    as controller, is able to make a full inventory of the placed

    to make cookies. At no point during the proceedings does the defendant have its own
    an inventory of the cookies used on the websites concerned. On the contrary

    the defendant argued at the hearing that IAB occupies a dominant position and its

    requirements are imposed in this way, as it were, and that the publishers are therefore not in a position to

    to control all these cookies. The defendant added at the time of the hearing

    accept that the inventory of cookies should ideally be done several times a day
    as the situation is constantly changing. However, the fact that a supplier has a dominant position –

    e.g. occupies a mono- or oligopolistic position in the online advertising market,

    cannot in itself be exempted from responsibilities for the

    bring the controller.




 II.4. The IAB TransparencyandConsent Framework (“IAB TCF”), Decision on the merits 85/2022 - 27/58



                                                                                              35
   67. In this regard, the Disputes Chamber refers to its decision 21/2022 of 2 February 2022.


   68. The Disputes Chamber stated in this decision: “IAB Europe is a federation that

       and marketing industry on European
       level represents. It includes both corporate members and national associations, with

       their own company members. Indirectly, IAB Europe represents approximately 5,000 companies,

       including both large companies and national members” 36


   69. IAB Europe itself described its operation as follows: “In its current form, the TCF is a

       cross-sector standard for best practice that

       makes it easier for the digital advertising industry to comply with certain EU regulations

       privacy and data protection and that individuals have greater transparency and

       control over their personal data. In particular, it is a "framework" within which

       companies operate independently and that helps them comply with the GDPR legal basis for the

       processing of personal data and to the ePrivacy Directive, which requires that the user

       must consent to the storage of and access to
       information on a user's device.”37


   70. In the reply, as well as at the hearing, the defendant argues that

       it can only allow advertisements on its website if it respects the IAB TCF.


   71. The Disputes Chamber first points out that the defendant does not adduce any evidence to

       support the argument set out above. The Disputes Chamber also states:

       determined that the administrators of other similar media websites do not use the IAB

       TCF. In any event, the defendant is not obliged to use IAB's TCF.

   72. The Disputes Chamber points out that the defendant, as operator of the contested websites and as

       controller within the meaning of Article 4(7) GDPR of the personal data of the

       users of the aforementioned websites on the basis of the contained in Article 5, paragraph 2 j° 24 GDPR

       accountability is responsible for complying with the provisions of the GDPR for the

       processing involved and for demonstrating it.





    II.5. Established Infringements


        II.5.1. Lack of valid consent (Article 6, paragraph 1, point a) GDPR j° Article 129

           WEC)





35Available via: https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-21-2022.pdf.
36
  Ibid, para. 36.
37Ibid., para. 39., Decision on the substance 85/2022 - 28/58




            II.5.1.1. Placing non-strictly necessary cookies before the

                permission was obtained–determination 1Inspection Service


   73. Article 6(1) of the GDPR provides that processing of personal data is lawful only if

       it is based on one of the processing bases mentioned in this provision.


   74. Article 6(1) of the GDPR serves the processing of personal data through the posting of

       cookies should be read in conjunction with (former) article 129 WEC (current article 10/2 WVP),
                                                                                            38
       as this article clarifies and supplements the provisions of the GDPR.


   75. The aforementioned article therefore stipulates that the permission for placing and/or reading cookies

       of the data subject is required, except if the cookies are strictly necessary to 1) the transmission

       of a communication over an electronic communications network or 2) to perform a

       provide a service expressly requested by the user.


   76. In its Planet judgment49, the Court of Justice held that the term “consent” in Article 5,

       paragraph 3 of Directive 2002/58 (transposed into Belgian law via former article 129 WEC, current article

       10/2 WVP) refers to “the consent of a data subject” as defined and specified
       in Directive 95/46 (i.e. the legal predecessor of the GDPR). 39The EDPB states in its Guidelines

       05/2020 of 4 May 2020 regarding consent in this regard: “The EDPB notes that the

       requirements for consent under the GDPR are not considered to be an ‘additional obligation’, but

       rather as preconditions for lawful processing. Therefore, the GDPR conditions for obtaining valid

       consent are applicable in situations falling within the scope of the e-Privacy Directive”.0


   77. The Disputes Chamber points out that Article 4, point 11) GDPR defines the valid “consent” as

       follows: “any free, specific, informed and unambiguous expression of will by which the

       data subject by means of a statement or an unambiguous active act

       concerning the processing of personal data”.


   78. The technical analyzes of the Inspectorate show that for the website of Knack 66 cookies

       and for the website of Le Vif 60 cookies were installed before the consent of the

       person concerned was asked. This includes third party cookies (48 for the website

       van Knack and 44 for the website of Le Vif). Although it is in principle not excluded that third

       party cookies are also strictly necessary for the operation of the website, it may be legal

       distinction with a first party, however, are a parameter in the evaluation of whether a cookie is strictly





38
  EDPB, Opinion 5/2019 on the interaction between the ePrivacy Directive and the General Data Protection Regulation, with
in particular as regards the tasks and powers of data protection authorities, 12 March 2019, marginal no. 38.
39Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, paragraph 50.
40
  EDPB, Guidelines 05/2020 on Consent under Regulation 2016/679, 4 May 2020, p. 6 (no. 7). Free translation: “The EDPB notes that
the consent requirements of the GDPR should not be regarded as an "additional obligation", but rather as
conditions for lawful processing. The AVG conditions for obtaining a valid consent are therefore
applicable in situations falling within the scope of the ePrivacy Directive.”, Decision on the substance 85/2022 - 29/58



                        41
       is necessary. In addition, the defendant does not demonstrate that these cookies are strictly

       are necessary.


   79. In this regard, the Disputes Chamber refers to advice no. 10/2012 of the former Commission

       for the Protection of Privacy (predecessor of the DPA) about the

       draft law containing various provisions relating to electronic communications

       that the cookies that are exempt from the consent requirement mainly provide certain “first”

       party cookies”. The Commission pointed out that in this case it concerns cookies that are

       placed by the user himself and which include language settings and personal proposals

       remembered at an online store (for example, customer identification and the virtual shopping cart). 42

       Furthermore, the aforementioned advice states that certain cookies are clearly not covered by the exemption on


       the information obligation. This concerns the most intrusive and latest cookie types (such as

       “supercookies” or “evercookies”). The Commission stated that this mainly concerns “third party”

       cookies about which very little or no information is given by the various controllers,
                                                                                                           43
       and for which special expertise and software is required in order to delete the cookies. er

       In that advice, the legislator was also clearly asked to provide additional information in Article 129 WEC

       provide an explanation for which type of cookies concrete permission is required. 44The legislator

       has failed to provide further clarification on this.


   80. The Article 29 Working Party has stated in its Opinion 04/2012 on exemption from the

       consent obligation for cookies provided that: “third-party cookies” moreover usually

       are not “strictly necessary” for visiting the website, as such cookies

       usually relate to a service other than that for which the user “explicitly”

                          45
       has asked". The Article 29 Working Party states that “according to the purpose,

       the specific implementation, or the specific processing must be determined or a cookie then

       cannot be exempted from the consent requirement”.





   81. Consent must in principle be obtained for all cookies, unless the cookies

       are “functional” or “strictly necessary”, according to the criteria set out in article 129 WEC (see above).







41
  Compare: WP29, Opinion 04/2012 on Cookie Consent Exemption, June 7, 2012, p. 5: “[…]'third party' cookies are usually not 'strictly
necessary’totheuservisitingawebsitesincethesecookiesareusually relatedtoaservicethatisdistinctfromtheonethathasbeen
'explicitly requested' by the us; free translation by the Disputes Chamber: “third party cookies are usually not strict
necessary for the visitor to a website, as these cookies are usually related to a service that is different from
the one expressly requested by the user.”
42
   Opinion no. 10/2012 of 21 March 2012 on the draft law on various provisions relating to electronic
communication (CO-A-2012-009), § 51.
43Advice no. 10/2012, §52.

44Opinion no. 10/2012, § 64.
45GroupData ProtectionArticle 29, Opinion No. 04/2012 on the waiver of the consent obligation for cookies, p.60., Decision on the merits 85/2022 - 30/58




       It is in accordance with its duty of responsibility to the defendant to demonstrate that cookies
       are strictly necessary, and therefore no consent is required.


   82. The report of the Inspectorate's investigation shows that only 2 cookies on both the

       Knack's and Le Vif's website were found to be strictly necessary. Only these two cookies

       should therefore in principle be placed without the consent of the data subject. At

       these, the Disputes Chamber repeats, the defendant does not put forward any arguments as to why the

       other cookies that the Inspectorate detected, (also) if strictly necessary

       are considered.

   83. The Inspectorate supported the description of “strictly necessary cookies” on a

       definition included on the website www.gdpr.eu , which contains strictly necessary cookies as follows

       are defined:


               “Strictlynecessarycookies -Thesecookiesareessentialforyoutobrowsethewebsiteand

               use its features, such as accessing secure areas of the site. Cookies that allow web shops

               to hold your items in your cart while you are shopping online are an example of strictly
               necessary cookies. These cookies will generally be first-party session cookies. while it is

               not required to obtain consent for these cookies, what they do and why they are necessary

               should be explained to the user”. (own underlining)

               In Dutch: “Strictly necessary cookies – These cookies are essential for you

               surf the website and make use of its opportunities, such as visiting

               from secure parts of the site. Cookies that allow web shops to put things in the basket

               while shopping online are examples of strictly necessary cookies. This one

               cookies will generally be first-party cookies. Although it is not required
               to obtain consent for these cookies, the user must be explained

               what they do and why are necessary.” (own translation and own underlining by the

               dispute room)


        The Disputes Chamber points out that the aforementioned definition was used to clarify the

        findings of the Inspectorate. From the actual legal provision, Article 129 WEC, in

        se be deduced the same.

   84. For both the Le Vif and Knack websites, 2 cookies were deemed strictly necessary

       qualified:


         Le Vif Knack


         OptanonConsent OptanonConsent





46A website subsidized by the EU under the Horizon 2020 Framework Programme., Decision on the merits 85/2022 - 31/58




         PHPSESSID PHPSESSID




        In order to classify the various cookies, the Inspectorate took the information into account

        about the specific cookie on the website, the cookie bot report or a manual interrogation. 47


   85. The Disputes Chamber points out that the defendant itself states in its statement of defense that

       due to a lack of technical knowledge of the cookie tool OneTrustop used at the time

       was poorly implemented. The defendant adds that cookies that would

       have been placed. Moreover, during the hearing of the defendant, it appeared that

       acknowledges that not strictly necessary cookies were placed without obtaining

       with the consent of the data subjects.


   86. On the basis of the above, the Disputes Chamber finds that an infringement was committed by the defendant
       committed on Article 6 (1) point a) GDPR j° Article 129 WEC.





            II.5.1.2. Placing statistical cookies without permission – observation 2

                Inspection service


   87. The technical analysis report of the Inspectorate shows that statistical cookies are used

       posted before permission was obtained. From the then by the defendant

       the usedcookie-setting tool turns out that statistical cookies are always active and that
       they cannot be turned off.


   88. The Disputes Chamber wishes to clarify that Article 129 WEC, which is a supplement and clarification

       of the provisions of the GDPR, it appears that placing and/or reading cookies is

       required by the data subject, unless the cookies are strictly necessary to enable the transmission of

       to carry out a communication via an electronic communications network, or to expressly

       provide the service requested by the user. The Disputes Chamber will state its position below:

       clarify regarding the placement of statistical cookies.


   89. In the decision on the merits 12/2019, the Disputes Chamber defined statistical cookies

       as “collecting information about the technical data of the exchange or about the”
       useofthewebsite(pages visited,averagedurationofthevisit,...)tothefunctionof

       to improve [i.e. to learn how to use the website]. The data on

       collected in this way by the website are in principle aggregated and become anonymous

       processed but may also be processed for other purposes”. 48




47
  For the classification of the different cookies, see p. 15-29 in Knack's technical report.
48GBA, decision on the merits 12/2019 of 17 December 2019, p. 31., Decision on the substance 85/2022 - 32/58




        In the case in question, statistical cookies were also placed without prior notice

        consent of the data subject. The Disputes Chamber then ruled that “according to the current

        state of the law there is no exception for permission for “first party analytical”

        cookies' exists, so that prior consent for the placement of such

        cookies is indeed required”.9The Disputes Chamber indicated in the decision on the merits 12/2019

        that also relates to an advice from the predecessor of the GBA (CBPL) that stated that it is "at the

        legislator is to clarify the issue of the non-exemption of the consent of the

        users in connection with the origin analysis cookies”.


        The placement of "first party statistical cookies" was also not possible, according to the Disputes Chamber

        be based on the legitimate interest of the website owner, given the

        reading of Article 5(3) of the ePrivacy Directive.


   90. Also at European level, the Article 29 Working Party already took a position in 2012

       about the consent requirement for statistical cookies. It is clear that the working group 29 of

       believes that “first party analytics cookies” are not exempt from the consent requirement

       as they are not strictly necessary to expressly

       requested function. According to the Article 29 Working Party, it is even the case that the user

       can access all functions the website offers without any problems, even when such

       cookies are disabled. 50She then additionally stated that “it is not probable, however”

       [is] that first party analytics cookies pose a privacy risk if they are strictly

       limited to aggregated statistics used for the website operators

       by websites that provide clear information in their privacy policy about these cookies and appropriate

       provide privacy guarantees”. The Working Group article 29 adds: “Should article 5, paragraph 3, of

       Directive 2002/58/EC be revised, then it is appropriate for the European legislator to consider a

       add a third waiver criterion for cookies that are strictly limited to cookies from the

       first party for the purpose of anonymized and aggregated statistics”.


   91. In summary, in its decision on the grounds of 12/2019, the GBA has taken the position that for

       the placing of "first party analytical cookies" is in principle a prior

       consent of the data subject is required.









49GBA, Decision on the merits 12/2019 of 17 December 2019, p. 31.

50Group Data Protection Article 29, Opinion 04/2012 on exemption from the consent obligation for cookies, 7 June
2012, 00879/12/NL, p. 11.
51It should be noted, however, that the process by which data is aggregated is in itself a processing of

personal data that must comply with data protection legislation, regardless of whether that process
indeed results in statistical data, see also recital 162 GDPR: “[…] The statistical purpose means that the result of
the processing for statistical purposes does not consist of personal data, but of aggregated data […]” (own
underline), Decision on the substance 85/2022 - 33/58




   92. In its defence, the defendant cites that the statistical cookies are installed with the following:

       exclusive purposes to collect aggregated basic statistics on usage

       from its websites. Its cookie policy also stated the following about statistical cookies:


            “Analytical and statistical cookies are always loaded, they are used to fully

            gain anonymous insight into the way in which the website is used and which

            pages are visited with frequency. This information is, among other things, necessary in the

            framework of the CIM Internet Study and is used for traffic and profile analysis so that we

            can tailor our work even better to your needs.” 52


   93. The Disputes Chamber reminds that when statistical cookies are placed on the

       terminal equipmentofaninternetuserareyyidentifiedwillbebebehanded

       of IP addresses and other identifiers. 53 After all, the Court of Justice has, in its permanent


       case law has always used a very broad definition of both “personal data” and of the

       concept of “identifiability”. For example, she stated that "as long as information is due to its content, purpose"

       or consequence, can be linked to an identified or identifiable natural person
                                                                 54
       by means that can be reasonably deployed, regardless of whether the information is

       of which the data subject can be identified entirely from the same

       controller is based or partly with another entity, this information serves as

       be considered personal data”. 55


   94. Based on the technical report of the Inspectorate for the Knack website (p. 15-29)

       the Disputes Chamber establishes that for most statistical cookies the website operator either

       has a unique identification number, or an IP address available when reading the

       cookies. This is logical since only in this way the website can find out how often the website is visited


       is used by the same user.


   95. With regard to the IP address, the Disputes Chamber states that it is clear that this means that a natural

       person can be identified. An IP address has already been designated by the Court of Justice
                                                  56
       as personal data under the GDPR. Since the placement and reading of a

       statistical cookie on the user's terminal equipment the website operator also the IP address in

       available, it is also possible for the controller to inform the user






52
  Piece 15 from the defendant's collection of documents.
53See recital 30 GDPR; Article 4(1) of the GDPR also explicitly mentions “an online identifier”.
54
  CJEU Judgment C-434/16 of 20 December 2017, Nowak v. Data Protection Commissioner, ECLI:EU:C:2017:994, para. 35.
55 CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 43; CJEU

JudgmentC-434/16van 20December2017,Nowakt.DataProtectionCommissioner,ECLI:EU:C:2017:994,par. 31:seeoR.ZUIDERVEEN
BORGESIUS, “Singling out people without knowing their names – Behavioral targeting, pseudonymous data, and the new Data
Protectionregulation”,ComputerLaw&SecurityReview,vol.32-2,2016,pp.256-271;R.ZUIDERVEEBORGESIUS,”TheBreyerCase
of the CJEU – IP Addresses and the Personal Data Definition”, EDPL, 1/2017, pp. 130-137.
56CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 43., Judgment on the merits 85/2022 - 34/58




       identify. It therefore concerns the processing of information from an identifiable

       person (by an online identifier, cf. Art. 4, point 1) GDPR).


   96. With regard to the registration of a unique identification number, the Disputes Chamber refers to the

       decision on the merits 12/2019 where a position has already been taken on the qualification of

       a unique identification number. Here the Dispute Chamber decided that assigning a unique

       identification number is a form of pseudonymization within the meaning of Article 4. point 5) GDPR. 57 Also the

       Article 29 Data Protection Working Party has already expressed its opinion on the interpretation of the

                                                  58
       concept of “pseudonymised data”. There she argued that pseudonymization is the concealment of

       means one identity. The identities of persons can be identified through pseudonymization as

       disguised in such a way that re-identification becomes impossible, for example by means of

       one-way encryption, which in itself creates anonymized data. 59 Traceable

       pseudonymised data can be considered information about an indirect

       identifiable person and are therefore personal data within the meaning of the GDPR. 60 In case

       by using a pseudonym, data can be traced back to the data subject, so that his/her

       identity can be established, data protection rules apply. 61

       Based on the settled case-law of the Court of Justice, the Disputes Chamber finds that the


       it is possible to determine the identity of a data subject by combining the unique

       identification number with other information that may or may not be obtained with the help of third parties
                62
       become. In this case, the unique identification number must be seen as personal data in

       the meaning of the GDPR.


   97. In view of the foregoing findings and the broad interpretation of the term

       personal data, as confirmed by the case law of the Court of Justice of the EU,

       the Disputes Chamber concludes that with regard to the statistical cookies (where there is always an IP

       address of the user is available), a prior consent is actually required

       is pursuant to Article 6(1)(a) GDPR in conjunction with the national implementing provision


       of Article 5(3) of the ePrivacy Directive. After all, it concerns the processing of information from

       an identifiable natural person through which the rules of the GDPR undoubtedly apply

       are applicable. The lack of such consent on the Defendant's website for the



57According to Article 4.1.5 of the GDPR, “Pseudonymisation” is defined as “the processing of personal data in such a way that the

personal data can no longer be linked to a specific data subject without additional data
be used, provided this additional data is kept separately and technical and organizational measures are taken
are taken to ensure that the data is not given to an identified or identifiable natural person
be linked”
58
  Working Party on Data Protection Article 29, Opinion 4/2007 on the concept of personal data, https://ec.europa.eu/justice/article-
29/documentation/opinion-recommendation/files/2007/wp136_en.pdf.
59Ibid., p. 18-19.

60Ibid., p. 19.
61
  The Court of Justice has stated in the Breyer judgment that “to determine whether a person is identifiable, it is necessary to
by any means which may be reasonably assumed by the controller,
or by any other person, can be used to identify the aforementioned person” (§42).
62 CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 48, Decision on the merits 85/2022 - 35/58



    Statistical cookies identified by the Inspectorate thus constitute an infringement of Article 6, paragraph

    1, point a) in conjunction with article 129 WEC.




     II.5.2. Pre-ticked boxes for the partners (Articles 4, point 11), 6, paragraph 1, point

         a) en7(1) GDPR) – determination 3 Inspection service



 FindingsInspection Service:


98. It appears from the Inspectorate's report that for Knack and Le Vif 449 “partners” or “vendors” per

    default permission is given by pre-ticked boxes. This also turns out
    clear from screenshots of the websites included in the technical reports of both Knack

    as Le Vif:
































99. The Inspectorate states that the GDPR is a “statement or an unambiguous active act”

    required (article 4, point 11) GDPR), which means that all supply presupposes the permissions based on a more

    implicit way of acting of the data subject, not in accordance with the standards of consent

    of the GDPR. The Inspectorate relies on the Planet49 judgment, which made it clear that
    Article 2(f) (definition of consent) and Article 5(3) (consent for cookies) of the e-mail

    privacy directive, to be read in conjunction with Article 4(11) and Article 6(1)(a)

    of the GDPR. The Court of Justice subsequently ruled that consent did not become legally valid

    granted when the storage of information by means of cookies or access to already on the substance, Decision 85/2022 - 36/58



    terminal equipment of the website user, information stored via cookies is

    allowed by default checked checkboxes that this user must

    tick off if he refuses to give his consent. In addition, the Inspectorate states that the

    the defendant also fails to comply with the obligation to prove under Article 7(1) of the GDPR

    that the data subject has given permission not to place strictly necessary cookies.

 Defendant's position:


100. The defendant argues that the third finding of the Inspectorate is incorrect. She admits that the

    partner companies within the OneTrust Consent management platform default to “active”

    but that this did not mean that cookies are automatically set by these third-party partner companies

    were installed. After all, according to the defendant, it was not a question of authorization to
    placing cookies, but about an indication which IAB vendors could use

    making a consent for one or more purposes, provided that this

    permission was given. This would only be the case if the person concerned

    accepted cookies within the cookie tool. The defendant is therefore of the opinion

    that, in the light of the case law of the Court of Justice in the Planet49 judgment, the practice whereby

    the cookies of partner companies are set to "active" by default, constitutes a valid consent in
    within the meaning of Articles 4.11 and 6.1 a) GDPR.


101. The Disputes Chamber finds that the defendant indicates in its claims that its practice

    has adapted on this aspect by implementing a new Didomi Consent

    Management Platform in March 2020. None of the partner companies would currently

    are automatically set to “active” and the user must now actively make a choice.

 Position of the Dispute Chamber:


102. The Disputes Chamber will meet the criteria for a valid consent in this section. Article

    4 pt. 11) GDPR defines “consent” of the data subject as “any free, specific,
    informed and unambiguous expression of will with which the data subject by means of a

    statement or an unambiguous active act concerning him/her processing of

    accept personal data”.


103.Article 7 GDPR contains the conditions that apply to the consent:

            1. When the processing is based on consent, the controller must

            be able to demonstrate that the data subject has given consent for the processing of

            his personal data.


            2. If the data subject gives consent within the framework of a written statement that

            also relates to other matters, the request for consent shall be
            in an understandable and easily accessible form and in clear and simple language

            presented in such a way that a clear distinction can be made from the others, Decision on the substance 85/2022 - 37/58




               affairs. Where any portion of such statement constitutes an infringement

               on this regulation, this section is not binding.


               3. The data subject has the right to withdraw his consent at any time
               of the consent does not affect the lawfulness of the processing based on the

               consent before its withdrawal, without prejudice. Before being involved

               consent, he will be notified accordingly. Withdrawal of consent

               is as easy as giving it.


               4. When assessing whether consent can be freely given,

               among other things, the question of whether for the implementation of a

               agreement, including a service agreement, consent is required for

               processing of personal data that is not necessary for the execution of that

               agreement.

   104.In addition, Article 5(3) of the ePrivacy Directive, as transposed by Article 129 of the WEC establishes

       the time of the inspection by the Inspectorate, the condition that the user "are

       has given permission" for the placement and consultation of cookies on its terminal equipment,

       with the exception of the technical registration of information or the provision of a service for which

       the subscriber or end user has expressly requested and where the placement of a cookie

       strictly necessary for that purpose.


   105.Recital 17 of the ePrivacy Directive specifies that for the purposes of this Directive the

       the term “consent” must have the same meaning as “consent of the data subject”, such as
                                                 63
       defined and specified in the GDPR.

   106.In the Planet49 judgment, the Court of Justice of the European Union set the consent requirement

       for placing cookies after the entry into force of the GDPR. She stated that

       explicit active consent is required: so “active consent" is indisputably required

       according to the correct interpretation of the GDPR. 64 Recital 32 indeed provides that:


            “Consent must be given through a clear active act,

            for example, a written statement, also by electronic means, or an oral statement

            statement, showing that the data subject is free, specific, informed and unambiguous

            consent to the processing of his personal data. This could include the

            clicking on a box when visiting an internet website, selecting technical

            institutions for information society services or any other statement or
            other act which clearly shows in this regard that the data subject consents to the

            proposed processing of his personal data. Silence, the use of already



63
  The GDPR as a replacement for Directive 95/46/EC.
64Judgment of the Court of Justice of 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, para. 73, Judgment on the substance 85/2022 - 38/58




            ticked boxes or inactivity should therefore not constitute consent. The permission

            must apply to all processing activities that serve the same purpose or purposes.

            If the processing has multiple purposes, consent must be obtained for each of them
            granted. If the data subject has to give his consent after a request via electronic

            resources, that request should be clear, concise and not unnecessarily disruptive to the

            use of the service in question.” (the Disputes Chamber underlines).


   107. On the basis of these considerations, the Disputes Chamber argues that the permission referred to in the

       Articles 2(f) and 5(3) of Directive 2002/58, transposed into Article 129 WEC at the time of the

       findings, read in conjunction with art. 4, par. 11 and art. 6 (1) point a) GDPR, not valid

       is given by a standard checked box that the user must uncheck in order to

       refuse to give permission (in this case it is therefore about giving permission to the
       partners for one or more purposes for which permission must be given in another window

       Be given). 65


   108. In concrete terms, this means that the data subject must receive information about the way in which he/she is

       wishes with regard to cookies, and how to “all, some or no cookies”

       can accept.


   109.For example, confirming a purchase or accepting the general

       conditions are not sufficient to assume that valid consent has been given for
       placing or reading cookies. Nor can permission be given for the

       mere “use” of cookies, without any further specification of the data sent through this

       cookies are collected or the purposes for which this data is collected. The GDPR

       indeed requires a more detailed choice than a simple "all or nothing", but requires

       no consent for each individual cookie. If the administrator of a website or mobile

       application asks permission for different types of cookies, the user must choose

       have to consent (or refuse) to any kind of cookie, or even, in a second

       information layer with choices, for each cookie individually.

   110. By using pre-ticked boxes, as set out by the Inspection Service in its

       reports, the defendant commits an infringement of articles 4, point) 11j° 6, paragraph 1, point a) and 7, paragraph 1 AVG,

       as explained in recital 32 of the GDPR.





        II.5.3. Disclaimer for third party cookies (potential violation of article 5, paragraph 2 and
            7, para. 1 GDPR) – determination 4 Inspection service





65This is also related to the specificity requirement of the consent, cfr EDPB, Guidelines 05/2020 on consent
in accordance with Regulation 2016/679,
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf, § 50., Decision on the merits 85/2022 - 39/58




    Determination of inspection service:
   111.According to the Inspectorate, the defendant is trying to shirk responsibility

       for third-party cookies that are placed when you visit the Knack and Le Vif sites.


   112. For example, the cookie policy states that the defendant is not responsible for cookies set by third parties

       are placed and managed, including cookies that enable

       sharing information through social networks. The defendant also argues that it has no control over

       certain cookies used on its website.

   113. With regard to this aspect, the Inspectorate refers to the judgment of the Court of the Wirtschaftsakademie

       of Justice which ruled that the owner of a website is responsible for the

       processing of cookies that are installed or read from its website. 66 He picks up

       at least part in determining the purposes and means of the processing of the

       personal data of visitors to his website through third-party applications on his website

       or to allow the distribution of the content of third parties in the advertising spaces of its website.


   114.Then the Inspectorate refers to the accountability principle in Article 5, paragraph 2 of the
       GDPR, which shows that the controller is responsible for compliance with the

       principles governing the processing of personal data and must be able to demonstrate that these

       principles are taken into account.


   115. This practice employed by the defendant must also, and as discussed above, be

       considered a violation of Article 7(1) of the GDPR, as a controller

       must demonstrate that the data subject has given permission for the placement of cookies

       from its website that are not strictly necessary.

    Defendant's position:


   116. The defendant is not responsible for the processing of cookies used by third parties in

       be placed within the framework of the IAB TCF.

        According to the defendant, this interpretation was also confirmed by the GBA in the current IAB

        Europe research: “Belgium's Data Protection Authority found IAB Europe's Transparency and

        Consent Framework does not meet several standards under the EU General Data Protection

        Regulation, TechCrunch reports. The DPA determined the framework fails to comply with the

        GDPR's principles of transparency, fairness and accountability. IAB Europe said in response it

        “respectfully disagree[s] with the [Belgian DPA]'s apparent interpretation of the law, pursuant to

        which IAB Europe is a data controller in the context of publishers' implementation of the TCF”.

   117. Next, the defendant argues that, should the Disputes Chamber come to a different conclusion,

       its practices nevertheless comply with Article 5(2) of the GDPR. The



66Judgment of the Court of Justice of 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, inter alia para. 39, Judgment on the substance 85/2022 - 40/58



       accountability means “(I) the need for a controller

       to take appropriate and effective measures to implement the principles of

       implement data protection”. 67There are no guidelines published by the DPA

       clarifying what is meant by a minimum of appropriate and effective

       measures. In addition, Roularta has chosen to use the IAB


       Framework described as “the most sophisticated and scrutinized model of GDPR-

       compliance for digital advertising in the world”. Roularta clarifies that the disclaimer does not de

       intended to shirk responsibility, but rather to indicate that

       it is unable to block cookies placed by third parties.


   118. Passing responsibility in the cookie policy was not so much the intention

       to abdicate responsibility, according to the defendant; to indicate that the

       the defendant is technically not able to block cookies that are used by some third parties (in this case:

       advertisers) are placed.


        Advertisers and agencies can, when an ad campaign on one of the

        Roularta sites, via that campaign launch cookies or scripts that are used by Roularta

        impossible to know in advance.


   119.The defendant states in its conclusions that the sentence in question was removed from the cookie policy

       because since the IAB TCF framework it can be assumed that IAB vendors conform to this

       frameworkdo not place any cookies or scripts unless there is both permission for the cookies and

       the vendor concerned has been approved in the list of partner companies.


    Position of the Dispute Chamber:

   120. The Disputes Chamber does not agree with the defendant's contention that it does not

                                                                           68
       is responsible for the processing of cookies by a third party.

   121.The responsibility of IAB Europe excludes the responsibility of other

       controllers within the TCF framework. 69 The Disputes Chamber points

       points out that the defendant must be seen as a (co-) controller in the


       framework of TCF, because they are supposed to decide whether or not to immediately register

       CMP work together, and are also able to determine which advertisers appear on their website or in

       are allowed to offer their application advertising and which means (cookies) they can use for this

       apply.





67 WP29, Opinion 3/2010 on the “Accountability Principle”13 July 2010, WP173, 10, available at:

https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp173_en.pdf.
68 Decision Disputes Chamber GBA 21/2022 of 2 February 2022, available via:
https://www.dataprotectionauthority.be/publications/besluit-ten-gronde-nr.-21-2022.pdf.
69, Decision on the substance 85/2022 - 41/58




   122. The defendant states in its conclusion that, given the dominant position of IABEurope, it is obliged

       was to implement the IAB TCF. The Disputes Chamber rules that this argument of the

       defendant cannot be followed. In general, it can also be noted that there are

       alternative providers are available on the market, quite apart from the fact that it is not true that there are

       any obligation on the part of the defendant to make use of the offer

       of IAB to facilitate advertisements through its websites. Roularta was free to choose

       implement the IAB TCF and therefore bears responsibility for the consequences of that

       implementation.

   123. The Disputes Chamber rules that the defendant must be identified as

       controller, which is also not disputed in this proceeding. if

       controller is responsible for the processing of personal data and

       it must be able to ensure compliance with the principles governing the processing of personal data

       demonstrate. The defendant can therefore pass on the responsibility for the placement of cookies

       third parties on its websites from its processing responsibility. Moreover

       The cookie policy states that it has no control over certain cookies that are placed on its website

       posted. However, it is up to the defendant as operator of the websites, and in this case as

       controller under data protection law, to provide appropriate technical

       and organizational measures to ensure that its processing activities in

       are in accordance with the relevant legislation. Disclaiming responsibility for

       the placement of cookies by third parties against data subjects for whom the defendant has been appointed

       maybeas controllerisanviolationofarticle5,paragraph2GDPR,junctoarticle24
                                       70
       GDPR (accountability).

   124. In summary, the Litigation Chamber concludes that the defendant's obligation rests upon it

       to accountability (Article 5, paragraph 2, j° Article 24), by denying the

       bear responsibility towards those involved.


        II.5.4. Incorrect and deficient information (potential violation of Articles 4,

            point 11), 12, paragraph 1, 13 and 14 of the AVG) -determination 5 Inspection service



   125. The Inspectorate establishes a breach of the transparency principles of the GDPR by the

       defective cookie policy of Roularta Media Group. For example, Article 12(1) of the GDPR provides that the

       controller must take appropriate measures to ensure that the data subject is

       including Article 13 of the GDPR mandatory information in a concise, transparent, comprehensible and

       in an easily accessible form and in clear and plain language.




70 The obligation in Articles 5.2 and 24.1 of the GDPR means that the VV must demonstrate that it complies with the obligations of the GDPR
complies. If the VV fails to show this, there is a violation of these articles. See also:Article39DataProtectionWorking
Party, Opinion 3/2010 on the principle of accountability13 July 2010, 12, https://ec.europa.eu/justice/article-
29/documentation/opinion-recommendation/files/2010/wp173_en.pdf., Decision on the merits 85/2022 - 42/58




        Articles 13 and 14 of the GDPR then determine which information must be provided

        by the controller to the data subject. In paragraphs 1 and 2 of both articles

        lists a list of information provided by the controller to the
        person concerned must be given.


   126. In order to clarify the relevant legislation, the Court of Justice in the Planet49 judgment also

       clarifies how the controller should provide information before placing cookies

       specify how long the cookies remain active and whether or not third parties can access the cookies

       to ensure proper and transparent information (Article 5.3 ePrivacy Directive

       with regard to the placing of cookies in conjunction with information obligations from art. 13.1(e) and art.

       13. 2 (a) GDPR).

    FindingsInspection Service:


   127. The Inspectorate has established that there were shortcomings in the cookie policy:


            ▪ Defendant's cookie policy contains provisions that do not comply

                with the GDPR. For example, the cookie policy speaks of implicit consent for cookies via the

                access to the defendant's websites, which is contrary to the need for a

                expression of will through a clear statement or positive act in accordance with Article 4,
                point 11) AVG. It is also noted that for sharing data collected through

                cookies, no specific consent is required, which is contrary to the specific

                nature of the consent to a data processing in accordance with Article 4,

                point 11) of the GDPR;


            ▪ The cookie policy would also lack clarity about the necessity of using

                third-party cookies due to technical problems that have been going on for more than a year;









            ▪ The Inspectorate also notes that the names of the types of cookies in the cookie policy

                do not match the cookie category names in the cookie setting tool,

                which does not benefit comprehensibility;71


             Cookie Policy Cookie Setting Tool


             Necessary cookies Necessary functional cookies





7Inspection service,Technical investigation report on the use of cookies on the Knack website (document 6 administrative file),
39., Decision on the substance 85/2022 - 43/58



         Analytical cookies Analytical cookies


         Social Media Cookies Content Selection and Delivery and

                                                 report


         Advertising cookies Advertising selection and delivery and

                                                 report

         Content Personalization


         Advertising and marketing cookies







        ▪ In addition, the cookie policy does not include information about the storage periods of

           cookies. The Privacy Policy only states: “Roularta Media Group will not process your data

           keep for longer than is legally permitted and than is necessary for the purposes
           mentioned in this document”. The cookie policy also states: “the retention period differs

           from cookie to cookie, in general, the cookie is stored until the user is

           delete cookies.”


        ▪ The cookie policy mentions the use that the partners make of the “IAB Europe”

           Transparency & Consent Framework” as a consent management tool, which ensures that
           third parties comply with the GDPR, while of the 449 partners who are on the Knack and Le Vif sites

           state 312 not or no longer validated by IAB;


        ▪ The user should refer to the policies of the 449 sellers to find out what

           these companies do with his data and make an informed decision based on that

           to give his consent. This is illusory and impracticable and, moreover, will
           lead to the setting of even more cookies when visiting the links to this one

           partners;


        ▪ Finally, it is determined that cookies are not individually documented, which means

           the user is unable to control what is being done with their data.

           In the privacy policy there is brief information about cookies:









Position of the Dispute Chamber:, Decision on the merits 85/2022 - 44/58




   128. The Disputes Chamber finds that the defendant indicates in its claims that it
       cookie policy has changed in certain aspects :72


           - The statement that the defendant's registration system has been temporarily replaced by a technical

               problem used third party cookies to log into the websites of the

               Defendant is now removed (the problem would also have been resolved by moving to

               a new registration software that only uses a purely functional cookie

               to make sure users don't have to log in every time);

           - In the update of the cookie policy dd. July 31, 2020 all cookies are correct

               inventoried and documented.


        Correcting some inaccuracies cannot undo the infringement of the past

        Consequently, the Dispute Chamber is of the opinion that the defendant has a negligent attitude

        on several aspects regarding its transparency obligation under

        of Articles 12 and 13 GDPR.

   129. First, the infringements are related to the incorrect information in the cookie policy.

       In accordance with Articles 13 and 14 (respectively paragraphs 1 and 2) of the GDPR, the following information must be summarized:

       be provided to the data subject: the name and contact details of the

       controller, the reason why the data is processed, the retention period

       of the personal data, with which companies/organizations the data is shared, as well as

       the data protection rights of the data subject. With regard to this last element,

       the Inspectorate determines that incorrect information has been given in the privacy policy of the

       defendant, such as the existence of an implied consent contrary to the provisions
       about this in the GDPR.


   130. The Disputes Chamber states that providing incorrect information about the consent requirement in

       the GDPR infringes Article 12(1) and Articles 13 and 14 of the GDPR.


   131. Second, with regard to the mention of the temporary technical problem that caused third party

       cookies were temporarily used to log in users. However, this problem could date from
       19 November 2018, so that it is impossible to speak of a “temporary” problem (the

       determination of the statement in the cookie policy dates from January 8, 2020). The Dispute Room

       furthermore, considers that a technical difficulty does not constitute a violation of the rules of the GDPR

       can justify, given that this is a long-term violation where major

       numbers of those involved could be disadvantaged, and where the responsibility of the

       controller for those activities cannot be negated in any way.






72see document 20 of the defendant's collection of documents: new cookie policy., Decision on the merits 85/2022 - 45/58




   132. Third, regarding the inconsistencies between the cookie policy and the cookie management tool.

       The defendant justifies this by alleging that it was obliged by IABEurope to use these terms

       to be used in the consent tool, on pain of exclusion from the IAB TCF. She wanted in her own
       cookie policy use more understandable terms. The Disputes Chamber understands the position of

       Defendant with regard to the obligation to apply the terms proposed by IAB

       Europe in its consent tool. However, this does not alter the fact that using different terms

       in its privacy policy increases the ambiguity and in that sense not in accordance with the

       providing information in “concise, transparent, comprehensible and easily accessible”

       form and in clear and plain language” (Article 12(1) of the GDPR on the interpretation of Article 13

       and 14 GDPR).


   133. Fourth, regarding the lack of information about the storage periods of the cookies. The
       The inspection service determined that there was only a statement in the cookie policy that the

       retention period “depends from cookie to cookie”. The defendant argues that the views of the

       Inspectorate that “no concrete information about the storage periods can be found” and that “the

       cookie policy refers to a storage period that is in principle unlimited” are incorrect. she states

       that in principle two types of information about the storage time of the cookies were included in

       the cookie policy: (i) the fact that the retention time varies from cookie to cookie, (ii) the fact that the

       user can disable cookies, resulting in a non-existent retention time.The Defendant

       argues, therefore, that the Inspectorate went too far in stating that this information is equivalent to

       an unlimited storage period.

   134. The Disputes Chamber follows the defendant with regard to this last element. The information in the

       cookie policy makes no mention of an in principle unlimited storage period. However, this takes

       does not mean that the information in the cookie policy was insufficiently clear and transparent, given that

       there was no indication whatsoever about the concrete retention periods, and therefore neither was this information

       was available to those involved. Article 13(2)(a) GDPR and Article 14(2)(a) GDPR

       clearly state that information must be given about “the period during which the

       personal data are stored, or if that is not possible, the criteria for determining that

       term". The Commission for the Protection of Privacy, the

       legal predecessor of the GBA in accordance with art. 3 WOG, already issued a recommendation in 2017
       Facebook regarding its cookie policy. In it, the Commission stated that the person concerned has clearly

       and understandably must be fully and accurately informed about the retention period of

       the data it collects via cookies.3According to the Commission, providing that information would

       are also necessary to ensure informed consent and to






73CBPL, Recommendation no. 03/2017 of April 12, 2017 supplement to recommendation no. 04/2015 of its own accord with regard to 1)
facebook, 2) the users of the internet and/or Facebook as well as 3) the users and providers of Facebook services, in particular
social plug-ins (CO-AR-2017-004), Decision on the merits 85/2022 - 46/58



                                                                74
       fair and lawful processing. The shortcoming would meanwhile
                                                                        75
       have been rectified by the defendant in its renewed cookie policy.


   135. Due to the lack of clear and transparent information on the concrete
       retention periods for the cookies placed on its website, as determined by the

       Inspectorate, the defendant infringes Articles 13 and 14 j° 12(1) GDPR.


   136. Fifth, as to the entry in the consent management tool related to the

       use of the “IAB Europe Transparency & Consent Framework”. The defendant argues that it

       this mention only wanted to increase transparency and inform the user about the

       way in which it wants to control the use of cookies, namely by joining a

       internationally recognized standard within the digital advertising world. The Inspectorate found

       this mention in the privacy policy is insufficient to inform the 449 partners of both Knack and Le

       Vif by default (it also appears from the Inspection Report that 312 of the 449

       partners - the vast majority - are no longer validated by IAB).

   137. From these elements, the Disputes Chamber infers that the information provided by the defendant to the

       users thereby trying to create an appearance of respecting the rules

       on data protection. It cannot be assumed that this entry de

       transparency, all the more so now that it turns out that the information was also incorrect. For this reason

       it must be noted that also on this point the information provided by the defendant

       is not sufficiently clear and transparent under Articles 13 and 14, j° 12, paragraph 1 GDPR.


   138. Sixth, with regard to the fact that the user of the website in principle follows the policy of the 449

       should consult partners in order to know what happens with his data and in order to

       to give informed consent on this basis. This redirect cannot be
       accepted as the sole supporting element in the provision of information to data subjects, therefore the

       de facto negates responsibility for information obligations for the

       controller – which is not in accordance with the provisions of the GDPR

       in this context. The fact that data subjects do not provide more concrete and clear information

       have access to the use and further use of their personal data,

       for this reason, an infringement of the information obligation under Articles 13 and 14 j° 12(1) GDPR.


   139. Seventh, the Disputes Chamber deals with the findings of the Inspectorate regarding the

       not individually documenting the cookies in the defendant's cookie policy.


        The Disputes Chamber points out in this regard that in accordance with Articles 13 and 14, in conjunction with Article 12,
        paragraph 1 GDPR, transparent information must be provided about cookies that contain personal data

        collect or otherwise process. This requirement applies regardless of whether or not there is a



74
  ibid.
75 Piece 20 of the defendant's collection of documents, Decision on the merits 85/2022 - 47/58




        permission must be given for the installation and reading of such cookies, and therefore

        also in the case of a strictly necessary cookie.

   140.In the cookie policy there is only a limited number of informational elements about cookies:









        Given the very limited information provided in relation to the list of cookies present, 76

        the Disputes Chamber indisputably establishes a problem with regard to information obligations.


   141.The following information should certainly be stated separately by category of cookies, so that

       a cookie would be sufficiently documented: the personal data being processed, the

       purposes of processing for such cookies and the retention period of such cookies (see

       for this the information obligations in Article 13(1) and 14(1) GDPR). Since this information

       is missing for each category of cookies used in the cookie policy, cannot be judged impossible

       that the cookies were sufficiently documented.

   142. The Disputes Chamber infers from the findings of infringements listed above that the

       Defendant fulfills its obligation to provide information accordingly Articles 13 and 14, j°12, paragraph 1AVGophet

       time of those findings. The Disputes Chamber emphasizes in this regard that the

       The controller's responsibility is to ensure itself that the

       website information provided is in accordance with reality, in accordance with the aforesaid

       provisions in the GDPR. The Disputes Chamber refers here emphatically to the provisions of Articles 5, paragraph

       2 and 24 GDPR established accountability.

        II.5.5. Unjustified storage periods of cookies (Article 5(1)(e) GDPR) –

            determination 6 Inspection service



   143. Article 5(1)(e) GDPR provides that personal data may not be kept longer than

       necessary to achieve the intended purpose (principle of “storage limitation”). The retention period may

       therefore not unlimited. The information collected and stored in a cookie and the

       information collected as a result of reading the cookie must be deleted

       when it is no longer necessary for the intended purpose.


   144. On the website of the GBA, the following is stated in the theme file “cookies” regarding

       the storage period or lifespan of cookies:





76For an overview of the names of the installed cookies, and the findings regarding its flawed character, see:
Technical research report on the use of cookies on the Knack website, document 6 administrative file, p. 29 ff., Decision on the merits 85/2022 - 48/58




                “A cookie that is exempt from the consent requirement must have a lifespan

                directly related to the purpose for which it is used and to be

                set to expire as soon as it is no longer needed, taking into account the reasonable

                expectations of the average user. Cookies exempt from consent

                are therefore likely to expire when the browser session ends or even earlier.
                However, that is not always the case. For example, in the shopping cart scenario, a

                retailer set the cookie to remain after the end of the browser session or

                for a few hours to account for the fact that the user may inadvertently de

                browser may close and reasonably expect to see the contents of the shopping cart

                when he returns to the retailer's website a few minutes later. In

                in other cases the user may expressly request the service for certain information

                from one session to another, requiring the use of permanent

                cookies is required.”7


   145. From the technical analysis reports of the Inspectorate, both with regard to the Knack website

       if this one from LeVif, it turns out that the effective storage periods for some cookies are unreasonably long
       and that the cookies have a lifespan of several years. Below is an overview of cookies

       with unreasonably long storage periods (expressed in days):


            - UID: 720 days (Le Vif and Knack)


            - _gfp_64b: 1000 days (Knack and Le Vif)


            - OB-USER TOKEN: 90000 days (Knack and Le Vif)


            - You: 730 days (Le Vif)

            - Gdyn: 1698 days (Le Vif and Knack)


            - Gtest: 1698 days (Knack)


   146. The defendant argues that in the past the Data Protection Authority has not made any specific

       has issued guidelines regarding the precise storage periods of cookies. This states that it

       because of this uncertainty it was not clear to her what should be understood concretely

       under “a lifespan that must not be longer than the time necessary to achieve the intended purpose

       reach".

   147. The Disputes Chamber points out, however, that the lack of guidelines from a supervisory

       government cannot be used by a controller as a reason for the

       non-compliance with the provisions of the GDPR. 78 Indeed, there is, in accordance with the provisions of Article 5,




77
  https://www.dataprotectionauthority.be/professioneel/thema-s/cookies. The Disputes Chamber underlines.
78See also above, part II.3 of the present decision, Decision on the substance 85/2022 - 49/58




       paragraphs 2 and 24 GDPR, obliged to ensure itself that
       the processing of personal data carried out by him takes place in accordance with the provisions

       of the GDPR and must be able to demonstrate this.


   148. In addition to the foregoing, it should be noted that, if the defendant

       was the opinion that the lifespan of certain cookies and the retention period of the cookies via these cookies

       personal data collected was proportional, could have demonstrated this if desired

       or could have argued in the course of the proceedings why it is of the opinion that the

       retention periods do meet the requirements of Article 5(1)(e) GDPR. The defendant did
       this however is not.


   149. The reports of the Inspectorate also show that the lifespan of certain cookies in

       case is manifestly disproportionate and can in no case be considered proportionate to

       the purpose pursued. In this context, particular reference should be made to the cookie

       “OB-USER-TOKEN”, with a lifespan of 90,000 days or approximately 246 years.


   150. The defendant argues in its response that the retention period as established in
       its privacy policy means that the placed cookies are stored until they are

       user will be deleted. 79 The defendant submits that the Inspectorate's finding,

       according to which the retention periods would be “indefinite”, is therefore not correct.


   151. While it is true that the defendant has not argued that it is an unlimited

       storage period, it is true that it is not clear proactive recording of (criteria for)

       the concrete retention periods constitute an apparent shortcoming in the light of the principle

       on storage limitation.

   152. On the basis of the above, the Disputes Chamber finds that the defendant has committed an infringement

       committed on Article 5(1)(e) GDPR.





        II.5.6. Non-compliance with the withdrawal of consent (Article 7(3)GDPR) -
            determination 7 Inspection service



   153. Pursuant to Article 7(3) of the GDPR, the data subject has “the right to give his or her consent at any time”

       to withdraw. Withdrawing consent does not affect the lawfulness of the processing

       of the consent before its withdrawal, without prejudice.

       he shall be notified thereof. Withdrawing consent is as easy as

       giving it.”





79Cf. statement of response defendant, p. 32, no. 86 et seq., Decision on the substance 85/2022 - 50/58



       Establishments Inspection Service: 80


   154. It appears from the technical analysis report on Le Vif's website that: 81


            - when the inspector surfed to the site, 60 cookies were detected before the

                permission was given;


            - when the inspector gave his consent for all cookies in the cookie consent tool, there

                147 cookies were detected;


            - when the inspector wanted to return to the selection screen (consent tool) to

                withdraw permission, it was confronted with a black screen, after which the

                website blocked:























            The Inspectorate therefore determined that it was impossible to obtain the consent

            Pull.


   155. For the Knack website, the Inspectorate established that: 82


            - when taking steps 1 to 15 (in step 15 all cookies were accepted), 86

                cookies were detected;


            - in step 24 (deleting the cookies and reloading the web page): number of cookies 73→

                step 25 (allow all cookies again and reload the page): number of cookies 85 →

                step 26 (return to minimum cookies and reload): number of cookies 88;


            Between step 24 “all cookies” and step 26 “minimum cookies” the number of cookies does not decrease,

            on the contrary, the number of cookies is increasing.




80 Report of the Inspectorate, document 10, p. 30, with reference to the findings in the technical investigation reports

in that regard.
81Page 36 of Le Vif's technical analysis report.
82
  For an overview of all the steps taken by the Inspectorate, reference is made to pages 31 to 33 of the
technical analysis report., Decision on the substance 85/2022 - 51/58




   156. In addition, it appears from the Inspectorate's technical analysis report that the withdrawal of the
       Consent is more difficult than giving it:


            - For LeVifiser even an impossibility to withdraw the consent

                (see above).


            - For Knack it appears that adjusting the permission is only possible by using the

                “footer” clicking on “cookie settings”:



    Defendant's position:


   157. In its statement of defense, the defendant submits, with regard to the . described above

       findings of the Inspectorate regarding the withdrawal of the permission that certain

       of these problems are due to an unfortunate configuration of the OneTrust cookie tool, which

       used by the defendant at the time of the findings. She states in this regard

       more specifically that, firstly, when implementing the aforementioned tool, there is no correct technical link
       was made between the consent given or not and the first party cookies used by the site

       were placed themselves. It states that with regard to the cookies placed by advertisers, the

       consent was correctly enforced by applying the IAB TCF. The Defendant

       adds that the aforementioned issue was resolved by the implementation on March 31, 2020

       of the CMP Didomi.


   158. Second, with regard to the Inspectorate's determination according to

       which for the website www.levif.be gets a black screen when trying
       withdraw permission, that this can also be explained by a configuration problem of

       the OneTrust cookie tool. The defendant argues that it was, however, its intention to insert

       from the tab “more info and configuration” allow users to give their consent for free

       to change. She regrets that the Inspectorate was confronted during its investigation

       with a black screen instead of the affected setup screen. 83


   Position of the Dispute Chamber

   159. On the basis of the findings of the Inspectorate, the Disputes Chamber establishes the above

       evidence presented as well as the statements of the defendant establish that there are more steps

       are necessary to withdraw consent than to give consent. This is not in

       in accordance with Article 7(3) of the GDPR, which states that the withdrawal of consent is equally

       should be as simple as giving it.


   160.The fact that technical problems arise during the withdrawal process
       permission, indicates that the correct technical measures have not been taken to ensure that a



83 Conclusion of the defendant's reply, p. 33., Decision on the substance 85/2022 - 52/58



       data subject can withdraw her or his consent at any time. In addition, it appears that even when

       it creates the appearance for the data subject that she or he has withdrawn consent, the

       technical situation does not change to a basic situation, but on the contrary, more cookies that

       processing personal data can be detected on the Knack website.


   161. Therefore, the Disputes Chamber with regard to both Knack's and LeVif's websites
       a breach of Article 7(3) of the GDPR.





III. Infringements and sanctions


   162. In summary, in the present case, the Disputes Chamber finds infringements of the following provisions in the main:

       from the defendant:

           - Article 6(1) of the GDPR, read in conjunction with Article 129(2) of the Act on

               electronic communication (current article 10/2 of the law of 30 July 2018 on

               the protection of natural persons with regard to the processing of

               personal data 84), due to the placement of not strictly necessary cookies on her

               websites www.knack.be and www.levif.be without permission being obtained.

               In accordance with the aforementioned provisions, the processing of personal data requires

               prior consent by placing and/or reading cookies

               of the data subject, unless the cookies are strictly necessary to 1) the transmission
               of a communication over an electronic communications network or 2) to

               to provide a service expressly requested by the user. From the findings of

               the Inspectorate and the documents in the file show that on both aforementioned websites

               cookies were placed that cannot be regarded as strictly necessary and this

               without obtaining the user's consent. It was also determined that

               statistical cookies were placed without the user's consent. The
               the defendant neither denies nor refutes the aforementioned finding in its statement of defense

               and during the hearing.



           - articles 4, point) 11j° 6, paragraph 1, point a) and 7, paragraph 1 AVG, as explained in recital 32 of

               the AVG, because of not meeting the conditions regarding permission contained

               in the aforementioned provisions. In particular, it was found that on the websites

               www.knack.be and www.levif.be At the time of the research, use was made of

               so-called “pre-ticked boxes”, where the cookies of the partner companies
               were marked as “active” by default. However, this can in no way constitute a valid




84BS 5 September 2018., Decision on the substance 85/2022 - 53/58




               consent within the meaning of Art. 4, point 11) GDPR for the placement of cookies

               (i.e. “any free, specific, informed and unambiguous expression of will with which

               the data subject by means of a statement or an unambiguous active

               accepts any act concerning him/her concerning the processing of personal data"). This one

               practice is also contrary to the case law of the Court of Justice of the European Union
                                85
               (Judgment Planet49 ).



            - Articles 5(2) and 24 GDPR, due to the publication of a disclaimer on the

               websites concerned where the defendant claims that it is not responsible for the
               placement of third-party cookies on these sites, including in the context of the

               use of the IAB Transparency and Consent Framework. This statement of the

               the defendant is, however, contrary to the case-law of the Court of Justice of the

               European Union in the Wirtschaftsakademie judgment, 86 in which the Court held that the

               owner of a website is responsible for processing by means of cookies

               who installs or reads his website. This attitude of the defendant is therefore contrary to

               with Article 5, paragraph 2 j° Article 24 GDPR, according to which the controller

               is responsible for compliance with the provisions of the GDPR and demonstrating

               of this.


            - Articles 12(1), j° 13 and 14 GDPR, as the way in which the information is sent to the

               data subjects was provided does not meet the requirement of a "transparent,

               comprehensible and easily accessible form". It was first established that the

               privacy policy contained incorrect information, including regarding consent to the

               use of cookies, as well as with regard to the need to accept

               third party cookies. The privacy policy also did not include, at the time of the survey,

               full listing of the different types or categories of cookies that have been

               posted. Nor did this policy contain sufficient information regarding the (criteria for

               determination of the) lifespan of the cookies placed and the retention period of the thus

               collected data, as however required by articles 13, paragraph 2, point a) and 14, paragraph 2, dot
               a) GDPR. The privacy policy also did not contain information regarding the processing by

               partners, allowing those involved to follow the policies of a large number of partners and vendors

               should consult in order to obtain this information.



            - article 5, paragraph 1, point e) GDPR, due to non-compliance with the principle of storage limitation.

               A cookie must have a lifespan that is directly related to its purpose



85
  CJEU, C-673/17, 1 October 2019, ECLI:EU:C:2019:801.
86 CJEU, C-210/16, 5 June 2018, ECLI:EU:C:2018:388., Judgment on the merits 85/2022 - 54/58




               what it is used for and should be set to expire when it is not

               longer, taking into account the reasonable expectations of the user.



            - Article 7, paragraph 3 of the GDPR, for failure to ensure that the withdrawal of the

               consent to the placement of cookies is just as simple as granting it.

               More specifically, it is established for the website www.levif.be that the withdrawal of the

               consent is technically impossible via the cookie management tool, because this management tool

               blocks and a black screen appears. From the technical analysis of the website

               www.knack.be it appears that the withdrawal of consent is ineffective, as it

               number of cookies does not decrease after returning to the minimum choices. The Defendant

               neither denies nor refutes this finding and states in its reply that this

               problem was due to a bad configuration of the

               cookie tool OneTrust.


   163. As a result of these infringements, the Disputes Chamber decides to impose a
       administrative fine of EUR 50,000 to the defendant for the aforementioned infringements. The

       The Disputes Chamber also decides to order the defendant to process the

       align personal data with the applicable provisions of the

       data protection legislation within a period of 3 months from the date of

       receipt of the present decision.


   164. It should be noted in this regard that the administrative fine is not for

       to end an offense committed, but vigorously enforce the rules of

       the GDPR aims. Indeed, as can be seen from recital 148 of the GDPR, the GDPR presupposes that in any

       serious infringement – thus also in the event of an initial finding of an infringement – penalties, including
                                                                                                        87
       administrative fines, in addition to or instead of appropriate measures.

       Hereafter, the Disputes Chamber shows that the infringements committed by the defendant of the

       the aforementioned provisions of the GDPR in no way concern minor infringements, nor that the fine

       would cause a disproportionate burden to a natural person as referred to in recital 148 AVG,

       where in either case a fine may be waived. The fact that it is a first

       determination of a breach of the GDPR committed by the defendant, thus raises



87
  Recital 148 states: “In order to strengthen enforcement of the rules of this Regulation, penalties, including
including administrative fines, to be imposed for any infringement of the Regulation, in addition to or in lieu of appropriate
measures imposed by the supervisory authorities pursuant to this Regulation. If it is a small
infringement or if the expected monetary fine would cause a disproportionate burden and on a natural person, instead of a
fine are chosen for a reprimand. However, the nature, severity and duration of the
the infringement, with the intentional nature of the infringement, with damage mitigation measures, with the degree of responsibility,
or with previous relevant infringements, with the manner in which the infringement came to the attention of the supervisory authority, with
compliance with the measures taken against the controller or processor, with the affiliation with
a code of conduct and any other aggravating or mitigating factors. The imposition of penalties, including
administrative fines must be subject to adjusting the procedure and guarantees in accordance with the general principles
of Union law and the Charter, including an effective remedy and a fair administration of justice. [own
underline], Decision on the substance 85/2022 - 55/58




       in no way prejudice the ability of the Disputes Chamber to file an administrative

       impose a fine. The Disputes Chamber imposes the administrative fine in application of

       Article 58(2)(i) GDPR. The instrument of administrative fines in no way serves the purpose
       to end infringements. To this end, the AVG and the WOG provide for a number of corrective

       measures, including the orders referred to in article 100, §1, 8° and 9° WOG.


   165. Taking into account Article 83 AVG, the Disputes Chamber motivates the imposition of a

       administrative sanction in concrete terms:


        a) the nature, seriousness and duration of the infringement (Art. 83.2 a) GDPR): the infringements found

        include a violation of the provisions of the GDPR relating to the
        principles of data protection (Art. 5 GDPR) and the lawfulness of processing (Art.

        6 (1) GDPR) as well as transparency (Art. 12 et seq. GDPR). A violation of the aforementioned provisions gives

        subject to the highest fines in accordance with Art. 83(5) GDPR.


        It should also be noted the scope of the processing in terms of number

        involved. The websites concerned belong, according to figures from the Center for Information

        about the Media (CIM) among the twenty most visited media websites in Belgium, increasing the number of

        stakeholders can by definition be called significant.

        b) the previous relevant infringements by the controllers (Art. 83.2 e) GDPR): the

        defendant has never been the subject of an enforcement procedure of the

        Data Protection Authority.


        h) the way in which the DPA became aware of the infringement (Art. 83.2 h) GDPR): the infringements

        were not reported by the defendant but were established in the context of an investigation

        by the Inspectorate on the own initiative of the GBA Management Committee.




   166.On April 20, 2022, a sanction form (“form for response against intended sanction”)

       forwarded to the defendant. In this sanction form, the present decision

       infringements, as well as the amount of EUR 50,000 that is the intended amount for the fine

       applies. On 11 May 2022, the defendant submitted its response to this sanction form to the

       Dispute room.


   167. In summary, the defendant states in this reply:

        (1) According to the defendant, the infringements occurred only for a limited period of time, since

            the defendant only used the OneTrust cookie tool for 7 months.





88As well as the case law of the Marktenhof, cf., among others, the Brussels Court of Appeal (Markenhof section), X. N.V. t. GBA, Judgment 2020/1471
of 19 February 2020., Decision on the substance 85/2022 - 56/58



     2) According to the defendant, the Disputes Chamber incorrectly refers to a “large number”

        parties involved”, where, according to the defendant, the Disputes Chamber does not demonstrate which

        concrete order this goes. According to the defendant, the CIM ranking gives “no”

        indication of the number of visitors”, or those involved – as only the visits are

        measured. After all, multiple visits can be attributed to the same
        data subjects, inter alia because data subjects access the defendant's websites via various

        visit devices.


     3) The defendant also states that it has complaints relating to the methodology

        which determines the amount of the fine, and makes the comparison with the
        fines imposed abroad for similar infringements. It also states that the proposed

        fine is “disproportionate” to the modest turnover that its (investigated) websites

        collected from digital advertisements.


     4) Finally, the defendant states that the turnover to which the sanction form refers is this
        of the entire group, and that this turnover may not be fully taken into account for

        the calculation of the fine, as not all subsidiaries are part of

        “same economic unit”.


168. As regards the defendant's first argument in its reply to the fine form,

    the Disputes Chamber refers to the findings made by the Inspectorate on a
    number of concrete points in time within the period of its investigation. The fact that a change in the

    management of the defendant's websites took place after these findings,

    without prejudice to the infringements established at those times. It is true that the

    The Disputes Chamber can take into account an improvement of

    the situation during the procedure with the Data Protection Authority, but this is required
    admittedly that the defendant indicates inconcreto why and how a certain changed situation

    can be considered a mitigating circumstance. In this regard, the defendant does not demonstrate that it

    longer use of the OneTrust cookie tool means that the situation for data subjects in the

    processing of personal data has subsequently been improved.

169. With regard to the second argument, the Disputes Chamber points out that, although the CIM figures

    to which, among other things, the Inspectorate referred to in its reports does not provide a concrete indication

    of the number of people involved, these figures do provide a general indication of the

    popularity of news websites. The fact that the various organs of the

    Data protection authority not demonstrating in concrete terms how many data subjects are affected

    by the activities of a particular controller against which a
    enforcement proceedings are underway, does not mean that indications of the magnitude of

    the number of persons involved may not be relevant for the determination of the seriousness of one or more

    multiple breaches of personal data protection legislation, in particular the, Decision on the merits 85/2022 - 57/58



       impact on a certain order of magnitude on those involved. A comparison can be made with

       a situation in which the number of persons involved cannot be accurately determined, but where there is

       are indications of the concrete number of those involved. 89 Mutatis mutandis shows the fact that the

       defendant the (generally stated) order of magnitude of the number of data subjects who use its websites

       visit, dispute, without providing any evidence to the contrary that it concerns a different order,


       insufficient to explain why the CIM figures cannot provide an indication of the magnitude of the

       number of stakeholders.

   170. As regards the third argument relating to the amount of the fine, the


       The Disputes Chamber points out that placing cookies in this matter is a commercial matter for the

       defendant, in which it has significant financial interests in acquiring the

       linked ad revenue. The Disputes Chamber refers, for informational purposes, to the

       directives on administrative monetary sanctions, which were in force at the time of the determination of the
                                                                                               90
       Inspection service, and the transfer of the fine form, had not yet been accepted.


      171. As a fourth argument, the defendant cites that the Disputes Chamber does not demonstrate that the

          companies that fall under its umbrella group, are part of

          the same economic unit. The Disputes Chamber points out in this regard that during the

          proceedings have arisen against the defendant as a group, and in the proceedings also the defendant

          appointed in that capacity. In addition, the defendant refers in its reply to

          the sanction form itself to itself under its legal form as a group, without distinction

          between the alleged various economic activities, or without

          present as part of a (segregated) economic activity. The Dispute Room

          emphasizes that it can impose fines on the basis of the turnover of a full
                                                                                       91
          company, which is undeniable of the group as a legal entity. Superfluously

          the Disputes Chamber points out that supervisory authorities have the power to –

          subject to adequate justification – to impose fines of up to 10,000,000, resp. EUR 20,000,000,

          irrespective of the size of the undertaking, but depending on the type of infringement. 92





   172. The whole of the elements set out above justifies an effective,

       proportionala deterrent sanction as referred to in article 83 AVG, taking into account the

       certain assessment criteria. The Disputes Chamber points out that the other criteria of art. 83.2.






89Dispute ChamberGBA,Decision4/2021of27January2021,46;an appeal againstthisdecisionwasdeclaredunfounded;Court
of Appeal Brussels (Marktenhof), 7 July 2021, 2021/AR/320.
90
   Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 16 May 2022, available at:
https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-042022-calculation-administrative_en.
91Article 83, paragraphs 4, 5 and 6 GDPR.
92
  Ibid., Decision on the merits 85/2022 - 58/58



       GDPR in this case are not of a nature that they lead to an administrative fine other than that

       which the Disputes Chamber has determined in the context of this decision.




IV. Publication of the decision


    Given the importance of transparency with regard to the decision-making of the Disputes Chamber,

    this decision is published on the website of the in accordance with Article 95, §1, 8° WOG

    Data protection authority with indication of the identification data of the defendant and

    this because of the specificity of the present decision – which means that even in the case of

    omission of identification data makes re-identification unavoidable or at least very

    probable – as well as the public interest of this decision.


    FOR THESE REASONS,

    the Disputes Chamber of the Data Protection Authority decides, after deliberation, to:

    - pursuant to Article 58, paragraph 2, point i) j° Article 83 GDPR and Article 100, §1, 13° WOG a

       to impose an administrative fine of EUR 50,000 for the violation of Article 6(4)

       1 GDPR j° Article 129 WEC; Articles 4(11) j° 6(1)(a) and 7(1) GDPR; Articles 5, paragraph 2
       and 24 GDPR; Articles 12, paragraph 1, j° 13 and 14 GDPR; Article 5(1)(e) GDPR; and Article 7(3) GDPR.

    - order the defendant pursuant to Art. 58, paragraph 2, point d) GDPR and Art. 100, § 1, 9° WOG

       to the processing of personal data in the context of which various infringements

       were established in the present decision and for which pursuant to the first

       indent of this operative part a fine was imposed, to be brought in line with

       the provisions of the AVG within a period of 3 months to be calculated from the receipt of
       the decision on the merits and to provide evidence thereof.





    Against this decision, pursuant to art. 108, §1 WOG, appeals must be lodged within a

    period of thirty days, from the notification, to the Marktenhof, with the
    Data Protection Authority as Defendant.










(Get). Hielke Hijmans

Chairman of the Disputes Chamber