APD/GBA (Belgium) - 103/2022: Difference between revisions
mNo edit summary |
m (Jg moved page APD/GBA (Belgium) - DOS-2020-02998 to APD/GBA (Belgium) - 103/2022) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 22: | Line 22: | ||
|Outcome=Violation Found | |Outcome=Violation Found | ||
|Date_Started=16.01.2019 | |Date_Started=16.01.2019 | ||
|Date_Decided= | |Date_Decided=16.06.2022 | ||
|Date_Published=17.06.2022 | |Date_Published=17.06.2022 | ||
|Year= | |Year= | ||
Line 77: | Line 77: | ||
}} | }} | ||
The Belgian DPA fined a large media company (Rossel & Cie) €50,000 for violations regarding its cookie policy | The Belgian DPA fined a large media company (Rossel & Cie) €50,000 for violations regarding its cookie policy and for the placement of not strictly necessary cookies without obtaining prior consent. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 16 January 2019, the | On 16 January 2019, the executive-committee of the Belgian DPA (GBA) started an investigation on the placement of cookies on Belgian media websites. The controller is Rossel & Cie, the owner of the websites of Le Soir, Sudinfo and Sudpresse éditions digitales. The investigation revealed the following potential violations. | ||
First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute this. However, it argues that the method used for the investigation was not reliable to establish a violation. Furthermore, that the statistical cookies placed do not require prior consent. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities. | First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute this. However, it argues that the method used for the investigation was not reliable to establish a violation. Furthermore, that the statistical cookies placed do not require prior consent. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities. | ||
Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues scrolling on the website. The controller argues that this is | Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues scrolling on the website. The controller argues that this is active behaviour that meets the active consent requirement of Planet 49. | ||
Third, pre-ticked boxes to grant consent for third-party-cookies. | Third, pre-ticked boxes to grant consent for third-party-cookies. | ||
Line 99: | Line 99: | ||
The DPA held that the controller violated [[Article 6 GDPR#1a|Article 6(1)(a)]] by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies. | The DPA held that the controller violated [[Article 6 GDPR#1a|Article 6(1)(a)]] by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies. | ||
Regarding the qualification of 'further browsing' as consent, the DPA stated that this can be seen as active behaviour as referred to in | Regarding the qualification of 'further browsing' as consent, the DPA stated that this can be seen as active behaviour as referred to in Planet 49 in specific situations. However the act of simply scrolling, is not. A computer action (e.g. a mouse-click) could change this. The DPA further noted that it also lacked the requirement for consent to be specific. The DPA therefore held that the controller violated [[Article 6 GDPR#1a|Article 6(1)(a)]] (jo [[Article 4 GDPR#11|Article 4(11)]] and [[Article 7 GDPR#1|Article 7(1)]]). | ||
Regarding the pre-ticked boxes for third-party cookies, the DPA argued that this cannot constitute lawful consent by the definition of [[Article 4 GDPR#11|Article 4(11)]]. The DPA thus found another violation of [[Article 6 GDPR#1a|Article 6(1)(a)]]. | Regarding the pre-ticked boxes for third-party cookies, the DPA argued that this cannot constitute lawful consent by the definition of [[Article 4 GDPR#11|Article 4(11)]]. The DPA thus found another violation of [[Article 6 GDPR#1a|Article 6(1)(a)]]. | ||
The DPA further held that the controller violated [[Article 4 GDPR#11|Article 4(11)]], [[Article 12 GDPR#1|Article 12(1)]], [[Article 13 GDPR|Article 13]] and [[Article 14 GDPR|Article 14]] as their cookie policy was incomplete (it only mentioned 13 of the 500 partners). Furthermore, it was not sufficiently accessible and and/or in the data subject's language . | The DPA further held that the controller violated [[Article 4 GDPR#11|Article 4(11)]], [[Article 12 GDPR#1|Article 12(1)]], [[Article 13 GDPR|Article 13]] and [[Article 14 GDPR|Article 14]] as their cookie policy was incomplete (it only mentioned 13 of the 500 partners). Furthermore, it was not sufficiently accessible and and/or in the data subject's language. | ||
Lastly, the DPA found that the controller violated [[Article 7 GDPR#3|Article 7(3)]], for the placement of additional cookies after withdrawing consent. | Lastly, the DPA found that the controller violated [[Article 7 GDPR#3|Article 7(3)]], for the placement of additional cookies after withdrawing consent. | ||
Line 110: | Line 110: | ||
== Comment == | == Comment == | ||
This is the second decision following this | This is the second decision following this investigation of the executive-committee. see APD/GBA Belguim - 85/2022 for the first decision. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 12:31, 3 August 2022
APD/GBA - DOS-2020-02998 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(11) GDPR Article 6(1)(a) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 12(1) GDPR Article 13 GDPR Article 14 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 16.01.2019 |
Decided: | 16.06.2022 |
Published: | 17.06.2022 |
Fine: | 50.000 EUR |
Parties: | Rossel Group (sudinfo) Rossel Group (le soir) Rossel & Cie |
National Case Number/Name: | DOS-2020-02998 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | French |
Original Source: | ADP/GBA (in FR) |
Initial Contributor: | Elsje Gold |
The Belgian DPA fined a large media company (Rossel & Cie) €50,000 for violations regarding its cookie policy and for the placement of not strictly necessary cookies without obtaining prior consent.
English Summary
Facts
On 16 January 2019, the executive-committee of the Belgian DPA (GBA) started an investigation on the placement of cookies on Belgian media websites. The controller is Rossel & Cie, the owner of the websites of Le Soir, Sudinfo and Sudpresse éditions digitales. The investigation revealed the following potential violations.
First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute this. However, it argues that the method used for the investigation was not reliable to establish a violation. Furthermore, that the statistical cookies placed do not require prior consent. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities.
Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues scrolling on the website. The controller argues that this is active behaviour that meets the active consent requirement of Planet 49.
Third, pre-ticked boxes to grant consent for third-party-cookies.
Forth, an incomplete and poorly accessible cookie policy.
Sixth, unjustified retention periods for the storage of cookies.
Lastly, revoking consent was impossible.
Holding
The DPA held that the controller violated Article 6(1)(a) by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies.
Regarding the qualification of 'further browsing' as consent, the DPA stated that this can be seen as active behaviour as referred to in Planet 49 in specific situations. However the act of simply scrolling, is not. A computer action (e.g. a mouse-click) could change this. The DPA further noted that it also lacked the requirement for consent to be specific. The DPA therefore held that the controller violated Article 6(1)(a) (jo Article 4(11) and Article 7(1)).
Regarding the pre-ticked boxes for third-party cookies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11). The DPA thus found another violation of Article 6(1)(a).
The DPA further held that the controller violated Article 4(11), Article 12(1), Article 13 and Article 14 as their cookie policy was incomplete (it only mentioned 13 of the 500 partners). Furthermore, it was not sufficiently accessible and and/or in the data subject's language.
Lastly, the DPA found that the controller violated Article 7(3), for the placement of additional cookies after withdrawing consent.
The DPA fined the controller €50.000. The DPA further ordered the controller to get its processing of personal data - for which a violation was established - in compliance with the GDPR within 3 months.
Comment
This is the second decision following this investigation of the executive-committee. see APD/GBA Belguim - 85/2022 for the first decision.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.