APD/GBA (Belgium) - 113/2024: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=113/2024 |ECLI= |Original_Source_Name_1=APD/GBA (Belgium) |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-113-2024-van-6-september-2024.pdf |Original_Source_Language_1=Dutch |Original_Source_Language__Code_1=NL |Original_Source_Name_2= |Original_Source_Link...")
 
 
(3 intermediate revisions by one other user not shown)
Line 69: Line 69:
}}
}}


The DPA ordered the controller to bring the websites’ cookie banners into compliance with the GDPR by adding the reject button within its first layer and changing the colours used.
The DPA ordered a controller to bring the websites’ cookie banners into compliance with the GDPR by adding the reject button within its first layer and changing the colours used.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject visited four website operated by MediaHuis (https://www.mediahuis.be/en/), namely:
A data subject visited four website operated by MediaHuis, namely:
Gazet van Antwerpen;
 
De Standaard;
* Gazet van Antwerpen;
Het Nieuwsblad;
* De Standaard;
Het Belang van Limburg.
* Het Nieuwsblad;
* Het Belang van Limburg.
 
On each website there was a cookie banner which:
On each website there was a cookie banner which:
Didn’t contain a reject button within its first layer;
 
Buttons colours were misleading;
* Didn’t contain a reject button within its first layer;Buttons colours were misleading;
It was not as easy to withdraw consent as it was to give it;
* It was not as easy to withdraw consent as it was to give it;
Contained a reference to the legal basis of legitimate interest.
* Contained a reference to the legal basis of legitimate interest.
The data subject filed four complaints referring to abovementioned cookie banners with the Belgian DPA (ADP/GBA). noyb was appointed by the data subject as their representative under [[Article 80 GDPR#1|Article 80(1) GDPR]]. MediaHuis was assigned the role of data controller.  
 
The data subject filed four complaints referring to abovementioned cookie banners with the Belgian DPA (ADP/GBA). ''noyb'' was appointed by the data subject as their representative under [[Article 80 GDPR#1|Article 80(1) GDPR]]. MediaHuis was assigned the role of data controller.  
 
According to the controller, the law, especially [[Article 7 GDPR#3|Article 7(3) GDPR]] or [[Article 4 GDPR#11|Article 4(11) GDPR]], didn’t prescribe the controller to implement reject button within the first layer of the cookie banner or to use different colours for the buttons or to implement consent withdrawal option in a particular way. The fact that the cookie banners were not in line with the guidelines of different data protection authorities and the EDPB, as mentioned by the data subject, did not amount to violation of the GDPR. Moreover, the data subject gave their consent for processing activities of the controller and, for that reason, they had no interest to bring a case before the DPA.
According to the controller, the law, especially [[Article 7 GDPR#3|Article 7(3) GDPR]] or [[Article 4 GDPR#11|Article 4(11) GDPR]], didn’t prescribe the controller to implement reject button within the first layer of the cookie banner or to use different colours for the buttons or to implement consent withdrawal option in a particular way. The fact that the cookie banners were not in line with the guidelines of different data protection authorities and the EDPB, as mentioned by the data subject, did not amount to violation of the GDPR. Moreover, the data subject gave their consent for processing activities of the controller and, for that reason, they had no interest to bring a case before the DPA.


=== Holding ===
=== Holding ===
The DPA found the controller violated the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 7 GDPR#3|Article 7(3) GDPR]].
The DPA found the controller violated the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], [[Article 7 GDPR#3|Article 7(3) GDPR]].
Firstly, the DPA clarified that for the consent to be freely and unambiguously given under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and Article 5(3) ePrivacy Directive, the reject button had to be presented alongside the accept button. Otherwise, the data subject would have no real alternative to consenting for placing and processing cookies.  
Firstly, the DPA clarified that for the consent to be freely and unambiguously given under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and Article 5(3) ePrivacy Directive, the reject button had to be presented alongside the accept button. Otherwise, the data subject would have no real alternative to consenting for placing and processing cookies.  
Secondly, the buttons’ colours used by the controller were of deceptive nature. They inclined a data subject to give a consent for the cookies processing. Because of that, the controller was in breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].  
Secondly, the buttons’ colours used by the controller were of deceptive nature. They inclined a data subject to give a consent for the cookies processing. Because of that, the controller was in breach of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]].  
Since the cookie banner was lacking of the reject button within its first layer, and the colours used were misleading, the DPA order the controller to bring the cookie banner into compliance with the GDPR within 45 days. The order was combined with a penalty of €25,000 per day and per each website concerned, due if the controller fails to implement the ordered changes. The maximum amount of total penalty was set on €10,000,000.  
Since the cookie banner was lacking of the reject button within its first layer, and the colours used were misleading, the DPA order the controller to bring the cookie banner into compliance with the GDPR within 45 days. The order was combined with a penalty of €25,000 per day and per each website concerned, due if the controller fails to implement the ordered changes. The maximum amount of total penalty was set on €10,000,000.  
Thirdly, the controller violated [[Article 7 GDPR#3|Article 7(3) GDPR]]. To withdraw the consent given, a data subject had to perform more actions - “click more” – whilst to give a consent only one click sufficed. Nevertheless, the controller updated their websites by adding the reject button to the first layer of cookie banner and the option to withdraw the consent, using the manage link at the bottom of each website. Since the violation was remedied, the DPA reprimanded the controller.  
 
Thirdly, the controller violated [[Article 7 GDPR#3|Article 7(3) GDPR]]. To withdraw the consent given, a data subject had to perform more actions - “click more” – whilst to give a consent only one click sufficed. Nevertheless, the controller updated their websites by adding the reject button to the first layer of cookie banner and the option to withdraw the consent, using the manage link at the bottom of each website. The violation was remedied, accordingly the DPA reprimanded the controller.  
 
Fourthly, the legitimate interest called upon by the controller covered placing and processing of the cookies, which were not “strictly necessary”. The controller’s cookies were of different kind, including the analytical cookies. Especially for the latter, the application of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is per se excluded and the consent needed to be obtained. Furthermore, by adding the legitimate interest to be a “back-up” legal basis for the cookies related processing, the controller mislead the data subject. The controller violated then [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. Nonetheless, the DPA reprimanded the controller that the legal basis for placing and processing of analytical cookies and other cookies that were not “strictly necessary cookies only was a consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]].
Fourthly, the legitimate interest called upon by the controller covered placing and processing of the cookies, which were not “strictly necessary”. The controller’s cookies were of different kind, including the analytical cookies. Especially for the latter, the application of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is per se excluded and the consent needed to be obtained. Furthermore, by adding the legitimate interest to be a “back-up” legal basis for the cookies related processing, the controller mislead the data subject. The controller violated then [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. Nonetheless, the DPA reprimanded the controller that the legal basis for placing and processing of analytical cookies and other cookies that were not “strictly necessary cookies only was a consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]].
In answer to the controller’s claims, the DPA emphasised that:  
 
the fact that the data subject gave a consent didn’t deprive them from starting the case before the DPA;
In answer to the controller’s claims, the DPA emphasised that:
the guidelines of the EDPB were not legally binding, as pointed by the controller, but they played important role regarding the interpretation of the GDPR.  
 
* the fact that the data subject gave a consent didn’t deprive them from starting the case before the DPA;
* the guidelines of the EDPB were not legally binding, as pointed by the controller, but they played important role regarding the interpretation of the GDPR.  
 
In addition, the DPA excluded alleged pressure put on the data subject by noyb to initiate the proceedings. The controller argued the relationship between the data subject, being a trainee at noyb, was instructed to lodge the complaints with the DPA. Hence there was no legal interest of the data subject in the case at hand. However, for the DPA statements of that kind were unfounded, bearing in mind the facts of the case. In particular, the outcome of the data subject’s hearing before the DPA that proved the data subject’s interest being involved.
In addition, the DPA excluded alleged pressure put on the data subject by noyb to initiate the proceedings. The controller argued the relationship between the data subject, being a trainee at noyb, was instructed to lodge the complaints with the DPA. Hence there was no legal interest of the data subject in the case at hand. However, for the DPA statements of that kind were unfounded, bearing in mind the facts of the case. In particular, the outcome of the data subject’s hearing before the DPA that proved the data subject’s interest being involved.


== Comment ==
== Comment ==
''Share your comments here!''
In the case [[APD/GBA (Belgium) - 112/2024]], where the data subject was represented by ''noyb'', the APD/GBA dismissed the case due to the lack of data subject's own interest. 


== Further Resources ==
== Further Resources ==
Line 106: Line 118:


== English Machine Translation of the Decision ==
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
<pre>
<pre>
1/70
1/70 Dispute Chamber Decision on the Merits 113/2024 of September 6, 2024
 
Dossier number: DOS-2023-03279
Dispute resolution
Subject: Measures regarding cookie banners on the news websites of Mediahuis (websites De Standaard, Gazet van Antwerpen, Het Belang van Limburg, and Het Nieuwsblad)
 
Decision on the merits 113/2024 of 6 September 2024
 
File number: DOS-2023-03279
 
Subject: measures concerning the cookie banners on the news websites of Mediahuis
 
(websites De Standaard, Gazet van Antwerpen, Het Belang van Limburg and Het
 
Nieuwsblad)
 
The Dispute resolution of the Data Protection Authority, composed of Mr.
 
Hielke HIJMANS, chairman, and Messrs. Christophe Boeraeve and Jelle Stassijns, members;
 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
 
on the protection of natural persons with regard to the processing of
 
personal data and on the free movement of such data, and repealing
 
Directive 95/46/EC (General Data Protection Regulation), hereinafter
 
'GDPR';
 
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority,
 
hereinafter 'WOG';
 
Having regard to the Act of 30 July 2018 on the protection of natural persons
 
with regard to the processing of personal data, hereinafter 'WVP';
 
Having regard to the internal rules of procedure, as approved by the
 
Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on
 
15 January 2019;
 
Having regard to the documents in the file;
 
1The new Internal Rules (“RIO”), following the amendments made by the law of 25 December 2023
amending the law of 3 December 2017 establishing the Data Protection Authority (GBA), entered into force on 1 June 2024.
 
In accordance with Article 56 of the law of 25 December 2023, the new RIO only applies to complaints,
mediations, inspections and proceedings before the Dispute Chamber that were initiated on or after that date:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-
gegevensbeschermingsautoriteit.pdf


Cases initiated before 1 June 2024, as in the present case, are subject to the provisions of the WOG as they were not
The Dispute Chamber of the Data Protection Authority, composed of Mr. Hielke HIJMANS, chair, and Mr. Christophe Boeraeve and Mr. Jelle Stassijns, members;
amended by the law of 25 December 2023 and the RIO as it was before that date existed:
https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf. Decision on the merits 113/2024 — 2/70


Has taken the following decision regarding:
Considering Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Considering the Act of December 3, 2017, establishing the Data Protection Authority, hereinafter “DPA Act”;
Considering the Act of July 30, 2018, concerning the protection of natural persons in connection with the processing of personal data, hereinafter “PD Act”;
Considering the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents of the dossier;


Complainant: X, represented by noyb – European Center for Digital Rights
1 The new Internal Rules of Procedure (“IRP”), after the amendments made by the Act of December 25, 2023, to amend the Act of December 3, 2017, establishing the Data Protection Authority (GBA), came into force on June 1, 2024. In accordance with Article 56 of the Act of December 25, 2023, the new IRP applies only to complaints, mediations, inspections, and proceedings for the Dispute Chamber that were initiated on or after that date: https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-gegevensbeschermingsautoriteit.pdf. Cases initiated before June 1, 2024, such as in the present case, are subject to the provisions of the DPA Act as not amended by the Act of December 25, 2023, and the IRP as it existed before that date: https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf.


hereinafter “the complainant” or “complaining party”;
Has made the following decision regarding:
The complainant: The defendant:
X, represented by noyb – European Center for Digital Rights, hereinafter “the complainant” or “complaining party”;
Mediahuis N.V., represented by Mr. Jan CLINCK, Mr. Pierre ANTOINE, and Mr. Gerrit VANDENDRIESSCHE, hereinafter “the defendant.”


Defendant: Mediahuis N. V, represented by Mr. Jan CLINCK, Mr. Pierre ANTOINE
Table of Contents
 
I. Facts and Procedure ....................................................... 4
and Mr. Gerrit VANDENDRIESSCHE, hereinafter “the defendant”. Decision on the merits 113/2024 — 3/70
I.1. The four complaints ..................................................... 4
 
I.2. The settlement proposal and the settlement procedure in the proceedings
Table of contents
    preceding the decision on the merits .................................... 5
 
I.3. The proceedings on the merits ........................................... 6
I. Facts and procedure .......................................................................................................... 4
II. Reasons .................................................................. 8
 
II.1. Preliminary points ..................................................... 8
I.1. The four complaints.................................................................................................................. 4
II.2. The submitted complaint under Art. 80.1 GDPR .......................... 15
 
II.3. The violations ........................................................ 26
I.2. The settlement proposal and the settlement procedure in the procedure prior to the substantive hearing .............................................................................................................. 5
III. Measures and immediate enforceability .................................. 56
 
III.1. Orders ............................................................... 56
I.3. The substantive proceedings .............................................................................................. 6
III.2. Warnings ............................................................. 58
 
III.3. Financial penalties: special considerations .......................... 58
II. Reasons .............................................................................................................................. 8
III.4. Immediate enforceability ............................................. 66
 
IV. Publication of the decision ............................................. 68
II.1. Preliminary points .............................................................................................................. 8
 
II.2. The complaint lodged under Article 80.1 GDPR .................................................. 15
 
II.3. The infringements .................................................................................................................. 26
 
III. Measures and provisional enforceability .................................................................................. 56
 
III.1. Orders .................................................................................................................................. 56
 
III.2. Reprimands .................................................................................................................. 58
 
III.3. Penalty payments: special considerations .................................................................................. 58
 
III.4. Provisional enforceability .................................................................................................. 66
 
IV. Publication of the decision.................................................................................................68 Decision on the merits 113/2024 — 4/70
 
I. Facts and procedure


I. Facts and Procedure
I.1. The four complaints
I.1. The four complaints
1. This dossier is based on four consolidated complaints from one complainant regarding the cookie practices of the defendant on four of its websites:
  a. The first complaint concerns the website of ‘Gazet van Antwerpen’ (www.gva.be)
  b. The second complaint concerns the website of ‘De Standaard’ (www.standaard.be)
  c. The third complaint concerns the website of ‘Het Nieuwsblad’ (www.nieuwsblad.be)
  d. The fourth complaint concerns the website of ‘Het Belang van Limburg’ (www.hbvl.be)


1. This case is based on four joint complaints from one complainant concerning the
2. The complainant is represented by Noyb – European Center for Digital Rights (“Noyb”), which has its registered office in Austria. In each of the four complaints and for each individual website, a mandate signed and dated by the complainant is appended, authorizing the representative to represent the complainant before the Belgian GBA. The scope of the mandate is expressed as follows: “regarding: the collection of my data by placing cookies on the defendant's website,” followed by the identification of each of the aforementioned websites, and subsequently “and taking all necessary measures to enforce my rights, including initiating judicial or extrajudicial proceedings.”
 
cookie practices of the defendant on four of its websites:
 
a. The first complaint concerns the website of ‘Gazet van Antwerpen’ (www.gva.be)
 
b. The second complaint concerns the website of ‘De Standaard’ (www.standaard.be)
 
c. The third complaint concerns the website of ‘Het Nieuwsblad’ (www.nieuwsblad.be)
 
d. The fourth complaint concerns the website of ‘Het Belang van Limburg’ (www.hbvl.be)
 
2. The complainant is represented by Noyb–EuropeanCenterforDigitalRights (“Noyb”),
 
which has its registered office in Austria. In each of the four complaints and per individual website, a mandate signed and dated by the complainant is enclosed that
 
authorizes the representative to represent the complainant on behalf of the Belgian GBA.
 
The scope of the mandate is worded as follows: “regarding: the collection of
 
my data by placing cookies on the defendant’s website” followed
 
by the identification of each of the four aforementioned websites, and then “and to
 
take all necessary measures to enforce my rights, including the initiation of
 
judicial or extrajudicial proceedings.”
 
3. The complaints each raise four alleged “violations” and set out the complainant’s grievances as follows:
 
• “Violation type 1: No ‘refuse’ option at the first information level of the
 
cookie banner”
 
• “Violation type 2: Misleading button colours”
 
• “Violation type 3: It is not as easy to withdraw consent as
 
it is to give consent”
 
• “Violation type 4: Reference to legitimate interest”
 
4. The complaints are filed – dated 18 July 2023 – with the First Line Service of the
 
Data Protection Authority by email. The complaints were formally received after
 
midnight on 19 July 2023.
 
5. On 3 August 2023, the First Line Service requests the complainant's representative
 
the following: "Please inform us of the complainant's interest in filing
 
the complaint, as provided for in Article 60 of the Act of 3 December 2018
 
establishing the Data Protection Authority". Decision on the merits 113/2024 — 5/70
 
6. On 24 August 2020, the complaint is declared admissible by the First Line Service on the
 
basis of Articles 58 and 60 WOG, after which the complaint is transferred to the Dispute Chamber on the basis of Article 62,
 
§ 1 WOG. 7. On 1 September 2023, the complaining party submits a document to the First Line Service
 
that formulates an answer to the question that the First Line Service addressed to
 
Noyb on 3 August 2023 regarding (the legal framework for) the interest of the complainant and the mandate.
 
8. In the aforementioned document, Noyb refers to communications that it sent to the First Line Service on 17 and 25
 
August 2023, and to which the First Line Service replied to Noyb
 
on 24 and 29 August 2023 respectively. This communication was not added to the current file by the
 
First Line Service, because this exchange took place in the context of another file pending with the GBA; the Dispute
 
Chamber has confirmed this approach to the defendant. Of course, the content of these messages is
 
also not taken into account in the context of the assessment
 
and the decision in the current file. I.2. The settlement proposal and the settlement procedure in the procedure prior to the hearing on the merits
 
9. On 21 September 2023, the Dispute Resolution Chamber sends a letter to the parties with the
 
message that it would send a settlement proposal to the parties within a period of thirty days. In the meantime, the parties are given the opportunity to
 
inspect the file, which both parties also requested; they were granted inspection.
 
10. On 20 October 2023, a settlement proposal is sent simultaneously to both
 
parties, after which the settlement procedure formally commences within the meaning of Article 95 §1, 2°
 
WOG.
 
11. On 30 October 2023, the representative delivers the complainant's response to the
 
settlement proposal to the Dispute Resolution Chamber, with the proposal to make a number of
 
adjustments. 12. On 6 November 2023, the Dispute Resolution Chamber communicates to the parties that – in accordance with the comments made by the complaining party – it would not proceed to adjust the terms of the settlement proposal.
 
13. On 7 November 2023, the defendant indicated through her counsel that the response period provided for in the settlement proposal was not feasible. For that reason, the defendant requested that the response period be extended to 20 December 2023. On 10
 
2When delivering the copy of the file, the defendant repeatedly (on 28 September 2023 and again on 2 November 2023) requested the Dispute Chamber to deliver the aforementioned messages dated 17 and 14 August 2023, which the Dispute Chamber refused to do in order to safeguard the integrity of the other file. Decision on the merits 113/2024 — 6/70
 
November 2023, the Dispute Chamber indicates that at that time it is not possible
 
to respond to the extension of the term as proposed by the defendant, but the
 
Dispute Chamber does grant a seven-day extension.
 
14. On 27 November 2023, the defendant, through her counsel, sends a letter in which she
 
states that she is not averse to a settlement, but does want clarification on a number
 
of points. The defendant also suggests adjustments to the terms of the settlement


proposal.
3. The complaints each allege four alleged “violations,” reflecting the complainant's grievances as follows:
  • “Violation type 1: No ‘refuse’ option at the first level of information on the cookie banner”
  • “Violation type 2: Misleading button colors”
  • “Violation type 3: It is not as easy to withdraw consent as it is to give consent”
  • “Violation type 4: Reference to legitimate interest”


15. On 28 November 2023, the Dispute Chamber sends an acknowledgement of receipt to the
4. The complaints are submitted, dated July 18, 2023, to the First Line Service of the Data Protection Authority via email. The complaints were formally received after midnight, on July 19, 2023.


defendant, after which another message is sent by the Dispute Chamber on 1 December 2023
5. On August 3, 2023, the First Line Service requested the representative of the complainant to provide the following: “Please inform us about the complainant's interest in filing the complaint, as provided for in Article 60 of the Act of December 3, 2018, establishing the Data Protection Authority.”


stating that a response to the letter of 27 November 2023 from the
6. On August 24, 2023, the complaint was declared admissible by the First Line Service on the basis of Articles 58 and 60 DPA Act, and then the complaint was forwarded to the Dispute Chamber pursuant to Article 62, § 1 DPA Act.


defendant cannot be provided until later. 16. On 5 December 2023, the Dispute Resolution Chamber sends the defendant a response on
7. On September 1, 2023, the complaining party submitted a document to the First Line Service responding to the inquiry raised by the First Line Service on August 3, 2023, regarding (the legal framework concerning) the complainant's interest and the mandate.


all aspects for which the defendant requested clarifications or adjustments in the
8. In the aforementioned document, Noyb refers to communications sent to the First Line Service on August 17 and 25, 2023, to which the First Line Service responded on August 24 and 29, 2023, respectively. This communication was not added to the current dossier by the First Line Service because this exchange took place in the context of another dossier pending before the GBA; the Dispute Chamber has upheld this approach and confirmed it to the defendant.² Of course, no account is taken of the content of this correspondence in the assessment and decision of the current dossier.


letter of 27 November 2023.
I.2. The settlement proposal and the settlement procedure in the proceedings preceding the decision on the merits
9. On September 21, 2023, the Dispute Chamber issued a letter to the parties stating that it would submit a settlement proposal to the parties within a period of thirty days. In the meantime, the parties were given the opportunity to review the dossier, which both parties requested; they obtained access.


17. On 11 December 2023, the defendant indicates through her counsel that she cannot
10. On October 20, 2023, a settlement proposal was simultaneously sent to both parties, after which the settlement procedure formally commenced in the sense of Article 95 §1, 2° DPA Act.


accept the settlement proposal in its entirety. In the same
11. On October 30, 2023, the representative submitted the complainant's response to the settlement proposal to the Dispute Chamber, proposing a number of adjustments.


message, the defendant immediately indicates that she has made a number of changes in response
12. On November 6, 2023, the Dispute Chamber communicated to the parties that it would not make adjustments to the terms of the settlement proposal due to the comments from the complaining party.


to the 2nd and 3rd grievance of the complainant, and that further
13. On November 7, 2023, the defendant, through its counsel, indicated that the response period set forth in the settlement proposal was unachievable. For that reason, the defendant requested an extension of the response period to December 20, 2023. On November 10, 2023, the Dispute Chamber indicated that it could not agree to the proposed extension at that time but granted a seven-day extension.


changes would be made regarding the 4th grievance. With regard to this last grievance, the defendant states that
14. On November 27, 2023, the defendant forwarded a letter through its counsel, stating that it was not averse to a settlement but desired clarification on several points. The defendant also suggested adjustments to the terms of the settlement proposal.


she “will not fall back on the legitimate interest to still place such cookies.
15. On November 28, 2023, the Dispute Chamber sent an acknowledgment of receipt to the defendant, after which, on December 1, 2023, the Dispute Chamber sent another message stating that a response to the defendant's letter of November 27, 2023, could only be provided later.


18. On 18 December 2023, the Dispute Chamber will then take a formal decision to
16. On December 5, 2023, the Dispute Chamber sent a response to the defendant regarding all aspects for which the defendant requested clarifications or adjustments in the letter of November 27, 2023.


withdraw the settlement proposal, which will briefly set out the reasons for abandoning
17. On December 11, 2023, the defendant, through its counsel, indicated that it could not accept the settlement proposal in its entirety. The defendant immediately stated in the same letter that it had made a number of changes in response to the 2nd and 3rd grievances of the complainant and that further changes regarding the 4th grievance would still be made. Regarding this last grievance, the defendant stated that it “will not fall back on the legitimate interest to place such cookies.”


the settlement procedure.
18. On December 18, 2023, the Dispute Chamber then formally decided to withdraw the settlement proposal, briefly outlining the reasons for the breakdown of the settlement procedure.


I.3. The proceedings on the merits
I.3. The proceedings on the merits
19. On February 5, 2024, the parties were notified by registered letter of the provisions mentioned in Article 95, § 2, as well as those in Article 98 DPA Act. They were also informed, pursuant to Article 99 DPA Act, of the deadlines for submitting their defenses. In the letter, the Dispute Chamber invited the parties to take a stance on a number of aspects, outlining potential violations attributed to the defendant.


19. On 5 February 2024, the parties concerned will be notified by registered mail
20. On February 12, 2024, the defendant sent a letter to the Dispute Chamber with several comments and requests related to the procedure, as well as a request to send procedural documents by postal mail rather than electronically. The Dispute Chamber responded to this message on February 19, 2024, and also agreed to extend the previously set deadlines for submissions.
 
of the provisions as set out in Article 95, § 2, as well as those in Article 98 of the WOG.
 
They will also be notified, pursuant to Article 99 of the WOG, of the deadlines for submitting
 
their defences. In the letter, the Dispute Chamber invites the parties to
 
take a position on a number of aspects, setting out potential infringements that
 
are charged to the defendant. 20. On 12 February 2024, the defendant sends a letter to the Dispute Resolution Chamber, containing
 
several comments and requests regarding the procedure, as well as a
 
request to have the procedural documents sent by post, rather than
 
electronically. The Dispute Resolution Chamber responds to this message on 19 February 2024
 
and also extends the previously established deadlines for submitting conclusions. Decision on the merits 113/2024 — 7/70
 
21. On 27 March 2024, the Dispute Resolution Chamber receives the conclusion in response from the
 
defendant; at the same time, this conclusion is delivered to the representative of the
 
complainant.
 
22. On 17 April 2024, the Dispute Resolution Chamber receives the conclusion in reply from the
 
complainant. The representative of the complainant hereby replies on a number of points to the conclusion in


the defendant's response dated March 27, 2024.
21. On March 27, 2024, the Dispute Chamber received the defendant's defense conclusion; this conclusion was simultaneously provided to the representative of the complainant.


23. The (representative of the) complainant also requests the Dispute Chamber to be heard, as well as to take the necessary corrective measures. In addition, the complainant requests not to suspend provisional enforceability, as requested by the
22. On April 17, 2024, the Dispute Chamber received the reply conclusion from the complainant. The representative of the complainant replied on a number of points to the defendant's defense conclusion dated March 27, 2024.


defendant, since this option provided by the legislator should be interpreted narrowly. Finally, the complainant requests to publish the decision on the GBA website.
23. The (representative of the) complainant also requested to be heard by the Dispute Chamber, as well as to take the necessary corrective measures. Additionally, the complainant requested that the immediate enforceability not be suspended, as requested by the defendant, since this option provided by the legislator should be interpreted narrowly. Finally, the complainant requested that the decision be published on the GBA website.


24. On May 8, 2024, the Dispute Chamber receives the conclusion of the reply from the defendant;
24. On May 8, 2024, the Dispute Chamber received the reply conclusion from the defendant; this conclusion was simultaneously provided to the representative of the complainant.


at the same time, this conclusion is delivered to the representative of the complainant.
25. On June 17, 2024, the parties were informed that the hearing would take place on July 1, 2024.


25. On June 17, 2024, the parties are informed that the hearing will
26. On July 1, 2024, the parties were heard by the Dispute Chamber.


take place on July 1, 2024.
27. On July 8, 2024, the minutes of the hearing (“PV”) were presented to the parties.


26. On July 1, 2024, the parties are heard by the Dispute Chamber.
28. On July 12, 2024, the Dispute Chamber received several comments from the complaining party regarding the PV, which it decided to include in its deliberation.


27. On 8 July 2024, the Minutes of the hearing will be submitted to the parties.
29. On July 12, 2024, the defendant first submitted a number of comments regarding the minutes, claiming that these PV do not faithfully represent the hearing. The Dispute Chamber decided to take these comments into consideration in its deliberation. On July 16, 2024, the defendant then submitted new comments regarding the minutes, which the Dispute Chamber also decided to take into consideration in its deliberation.


28. On 12 July 2024, the Dispute Chamber receives a number of comments
30. Simultaneously, the defendant requested a copy of the recording of the hearing, a request based on Art. 95 § 2 DPA Act and Art. 15.3 GDPR. On July 18, 2024, it was communicated to the defendant that they could listen to the complete unedited recording of the hearing at the offices of the GBA, that the data protection officer of the GBA had been involved, and that the deadline for submitting comments on the minutes was extended. On July 31, 2024 – the day the deadline for comments on the minutes expired – the defendant sent a letter to the Dispute Chamber as well as to the DPO of the GBA regarding its request to obtain a copy of the recording of the hearing.
 
regarding the Minutes from the complaining party, which it decides to include in its deliberations.
 
29. On 12 July 2024, the defendant provides a number of comments
 
regarding the Minutes for the first time, stating that this PV is not a true
 
representation of the hearing. The Dispute Chamber decides to include the aforementioned comments
 
in its deliberations. On 16 July 2024, the defendant then submits new comments
 
regarding the minutes, which the Dispute Chamber decides to include in its
 
deliberations. 30. At the same time, the defendant requests a copy of the recording of the hearing, a request which she bases on art. 95 § 2 WOG and art. 15.3 AVG. On 18 July 2024, the defendant is informed that she can come and listen to the full unedited recording of the hearing
 
in the offices of the GBA, that the data protection officer of the GBA has been involved, and that the period for submitting
 
comments on the minutes is extended. On 31 July 2024 – the day of the expiry of the period for
 
comments on the minutes – the defendant delivers Decision on the merits 113/2024 — 8/70
 
a letter to the Disputes Chamber, as well as to the DPO of the GBA, regarding her
 
request to obtain a copy of the recording of the hearing.


II. Reasons
II. Reasons
II.1. Preliminary points
II.1. Preliminary points
31. A first preliminary point concerns the reply conclusion of the complaining party. The defendant states in its synthesis conclusion that the conclusion of the complaining party should be excluded from the debates, on the one hand, because it was not signed (by the legal mandate holder of the Noyb representative) and, on the other hand, because the conclusion was not drafted in accordance with Article 744 Ger. W.


31. A first preliminary point concerns the reply conclusion of the complaining party. The
32. The Dispute Chamber argues why the defendant's argument on this point is legally flawed. Essentially, the proceedings for the Dispute Chamber are governed by the procedural provisions of the DPA Act. The Markets Court has repeatedly stated that the Dispute Chamber is an administrative body, not an (administrative) court in the formal sense.³ In this sense, it cannot accurately be stated that the provisions of the Judicial Code apply to the proceedings before the Dispute Chamber without exception and that they would always apply as lex generalis where the lex specialis of the DPA Act does not provide for regulations.
 
defendant states in her summary conclusion that the conclusion of the complaining party must be excluded from the
 
debates, on the one hand because it was not signed (by the
 
legal mandate holder of the representative Noyb) and on the other hand because the
 
conclusion was not drawn up in accordance with art. 744 of the Judicial Code.
 
32. The Dispute Chamber argues why the defendant's argument on this point
 
fails as a matter of law. In essence, the procedure before the Dispute Chamber is
 
governed by the procedural provisions of the WOG. The Market Court has already stated several times that
 
the Dispute Chamber is an administrative body and not an (administrative) court
 
in the formal sense. In this sense, it cannot be correctly stated that the provisions of the Judicial Code in the procedure before the Dispute Chamber would apply in full and always as lex generalis, where the lex specialis of the WOG does not provide for any provision.


33. Moreover, the Belgian legislator has explicitly determined in the WOG that the parties can submit defences. The legislator then left it to the GBA to
33. Furthermore, the Belgian legislator has explicitly stipulated in the DPA Act that parties may submit defenses.The legislator has then left it to the GBA to determine how defenses may be submitted – and if necessary to regulate this in the Internal Rules of Procedure.⁵


regulate how defences can be submitted – and to regulate this, if necessary, in the Rules of Internal Order. 5
34. In the letter of February 5, 2024, the parties were informed about how the conclusions should be submitted. In that invitation, there is no mention of the fact that parties would have to submit defenses in a manner cloaked in formal requirements as alleged by the defendant, nor is there any reference to the Judicial Code. The Dispute Chamber cannot restrict a party's defenses⁶ – mutatis mutandis, this must also apply to how a party formulates and submits its conclusion when nothing has been ‘imposed’ on the parties in advance. The complaining party has complied with the deadlines for submission regarding the submission of the document.


34. It was in its letter of 5 February 2024 that the parties were informed of
35. Taking all of this into account, it is clear to the Dispute Chamber that the contested document (the reply conclusion of the complainant) should not have been excluded from the debates, that it could seamlessly become part of the Dispute Chamber's deliberation, and that the arguments raised by the defendant to exclude the document from the debates are unfounded.


the manner in which the conclusions had to be submitted. Nowhere in that invitation is it mentioned that the parties should submit
36. A second preliminary issue concerns new documents submitted at the hearing by the representative of the complainant. The defendant opposes the submission of these documents and their addition to the dossier. Given the late submission of the documents, the opposition from the defendant regarding the submission, and the failure to provide any grounded reason for the delay, the documents are wholly excluded from the debates and will not be taken into account in the deliberations before the Dispute Chamber.


defences in a manner with formal requirements as cited by the defendant, nor is it
37. The Dispute Chamber points out regarding this second preliminary issue that it, as an agency of a supervisory authority, must be able to consider all elements that have come to its attention, in order to ensure a high level of data protection. This does not preclude the procedure from meeting the requirements of adversarial proceedings and equality of the parties. The procedure provided in the subsection “deliberation and decision on the merits” in Articles 98 et seq. DPA Act aims precisely to provide for an adversarial process. In administrative law, particular account must be taken of the duty to hear and the rights of defense.⁷


referred to the Judicial Code. The Dispute Chamber cannot restrict a party's means of defence – mutatis6
38. A third preliminary point concerns the legal appearance of the person who appears in person at the hearing on behalf of the representative of the complainant. At the hearing, the defendant indicates that it has questions regarding the mandate of the person acting for Noyb according to the statutes of this organization.


mutandis, this must also apply to the manner in which a party draws up and
39. Firstly, it should be pointed out that Noyb has identified itself as the representative of the complainant before the Dispute Chamber, submitting the mandate in this regard, via communication through a specific email address. For the presence of the person in question at the hearing, prior to the hearing, the representative notified via the email address that the Noyb staff member would be present as a representative. The Dispute Chamber is not obliged to ex officio or at the request of the parties to investigate how the designation of this staff member occurred in concrete terms. The notification by the organization Noyb via email of the identity of the staff member in question suffices. For that reason alone, it is sufficiently established that the person could validly appear for Noyb.


files its conclusion when nothing else has been 'imposed' on the parties in advance. The complaining party
40. Additionally, it should be noted that the complainant was personally present at this hearing alongside the staff member from Noyb. Based on the appearance of the complainant, it can be established that the complainant also assumes that the person in question could validly act for the representative Noyb.


3
41. Therefore, the person in question did indeed appear validly for Noyb at the hearing.
E.g. Judgment of the Court of Appeal of Brussels (Chamber 19A, Market Court Section), 20 October 2020, 2020/AR/582, §7.4; Judgment of the Court of Appeal of Brussels (Chamber 19A, Market Court Section), 7 July 2021, 2021/AR/320, P. 24; Judgment of the Court of Appeal of Brussels (Chamber 19A,
Market Court Section), 1 March 2023, 2022/AR/1085, P. 7.
4 Art.98, 2° WOG: “. . . the possibility [for the parties to submit their defences”;


And also in art. 99 WOG: “The Dispute Chamber invites the parties to submit their defences.”
42. As a fourth preliminary point: at the hearing, the complaining party, for the first time and without prior notice, but not in limine litis, questions the “independence” of the chair of the Dispute Chamber in dealing with this case. Furthermore, the complaining party requests the chair of the Dispute Chamber to withdraw. The complaining party refers to anonymous “sources” who allegedly heard in private conversations that there was a strategy to dismiss complaints “from Noyb,and to a public event attended by the chair of the Dispute Chamber. No further concrete elements are provided that would substantiate the lack of “independence” of the serving member.


See in this regard articles 48 et seq. of the former Rules of Internal Order (version 2018), which apply to the present
43. From the words of the complaining party, the Dispute Chamber understands that it is more about impartiality than independence of the Dispute Chamber.⁸ With such ‘recusal requests,’ the requesting parties must be careful and precise.⁹ Expressing dissatisfaction about (the outcome or course of) a procedure is something different than raising recusal requests regarding members of public institutions, whose legitimacy is precisely based on their independence and impartiality.¹⁰
file.


6Cf. judgment Marktenhof (2021/AR/320), 7 July 2021, p. 15: “The circumstance that the answer form would only allow a
44. Specifically regarding the oral request of the complaining party for the withdrawal of the chair, the chair decides not to accede to this request for the following reasons.
year of experience at the Bar.
10 The legislator enshrines some elements in Article 44 DPA Act regarding this.


limited number of words of response is not pertinent in this respect. The scope of the response and therefore of the exercise
45. First of all, it was well known to the complaining party that the chair was (also) handling this file, at least as recently as February 5, 2024, when the parties were invited to submit their defenses in this dossier in a letter signed by the chair. The complaining party had the opportunity to take the necessary steps to raise this issue. The (extremely) late nature of the request for recusal is in itself sufficient to deny this request.


of the rights of defence cannot be validly limited by the Dispute Chamber.” Decision on the merits 113/2024 — 9/70
46. Furthermore, reference can be made to the following facts.


has complied with the conclusion deadlines with regard to the filing of the
47. It is the defendant who has raised a number of arguments and points in this dossier, highlighting the (procedural) interest and mandate of the representative by the complainant, not the Dispute Chamber. Moreover, in the present dossier, only the First Line Service casually inquired about the (procedural) interest of the complainant, evidently without any detrimental effect for the latter when declaring the complaint admissible. In contrast, the Dispute Chamber did not ask the complaining party in its letter inviting the submission of defenses to further clarify their (procedural) interest or the circumstances of the mandate. Therefore, it is factually incorrect to suggest a bias that can be traced back to a person or a strategy of the Dispute Chamber or its chair. This does not preclude the Dispute Chamber from having the competence to pose such questions to the parties.


document.
48. The complaining party was subsequently able to respond to the aforementioned arguments and points raised by the defendant in the reply conclusion and at the hearing. Nonetheless, at the beginning of the hearing, the complaining party indicated that substantive rather than formal points should constitute the core of the debate, and that the complainant should be subjected to “more thorough scrutiny” than a data controller. This statement is factually incorrect on multiple fronts.


35. Taking all this into account, it is clear to the Dispute Chamber that the document in question
49. Firstly, the settlement procedure itself illustrates that the Dispute Chamber – prior to this decision – proceeded with a process aimed at quickly addressing the grievances formulated in the complaint. Moreover, at that moment, it was even the first time the Dispute Chamber used the settlement procedure in the pre-decisional phase as part of its jurisdiction.


(the complainant's reply) should not have been excluded from the debates, that it
50. The Dispute Chamber moreover does not understand to what extent the complainant would have been subject to a “more thorough scrutiny.” The Dispute Chamber did not ask or suggest anything to the complaining party regarding this prior to the arguments presented by the defendant, and the Inspection Service did not intervene in this dossier. The fact that the defendant presents arguments and points in this regard is the right of a defending party in proceedings with potentially significant corrective measures. Such arguments and points cannot and must not be excluded from the debate.


could simply form part of the deliberations of the Dispute Chamber, and that the
51. Furthermore, in response to the defendant's inquiry as to whether the latter needed to limit itself to its arguments regarding these procedural elements at the hearing, the Dispute Chamber indicated that it was at liberty to structure its pleadings as it saw fit, but that the hearing, in accordance with the letter of February 5, 2024, “would at least address those substantive points.” The extent to which the substantive aspects constituted (also) the core of the debate is difficult to clarify further.


arguments put forward by the defendant in order to exclude the document from the debates
52. The Dispute Chamber clarifies that the representative of the complainant must separate different formal procedures in which they act for different complainants. In this dossier, the Dispute Chamber did not raise the alleged issue regarding the (procedural) interest of the complainant or the alleged issue regarding the mandate when allowing the dossier and inviting the submission of defenses. In the following parts of the present decision, the Dispute Chamber also dismisses the arguments of the defendant in this regard.


are unfounded.
53. The Dispute Chamber cannot be asked not to address the arguments of the defendant or that these arguments should not be subject to assessment. On the contrary, it is precisely the task of the Dispute Chamber to address the raised points and arguments that must be assessed on a case-by-case basis.


36. A second preliminary issue concerns new documents that are submitted
54. The Dispute Chamber also judges in an impartial manner, without fear or favor for either party. In this respect, defending parties have the right to a fair analysis of the facts and according to legal standards. A complaining party has no right to preferential treatment procedurally, nor does this party possess the privilege of avoiding a legal debate – potentially to its detriment.


at the hearing by the complainant's representative. The defendant opposes the
11 The defendant raised a question regarding this to the Dispute Chamber on June 19, 2024, with the complaining party being copied.
12 The Dispute Chamber responded to the defendant on June 21, 2024, and the complaining party was copied.
13 It should also be noted in this context that, procedurally, certain submissions from the complaining party could not be included in this dossier as they were made in the context of another dossier where the representative was acting. See in this regard the exchanges between the defendant and the Dispute Chamber in documents 20, 21, 28, and 32 of the administrative dossier.
14 See, for instance, Judgment of the Brussels Court of Appeal (Market Court Section) dated September 16, 2020, 2020/AR/1160, §5.7: “It is not in accordance with the rule of law that the Dispute Chamber of the GBA could ‘choose’ which argument it provides an answer to or not.”
15 Compare Article 6 ECHR, Article 47 EU Charter of Fundamental Rights, and Article 52 GDPR; although the Dispute Chamber is not a court in the traditional sense, this principle also applies to administrative procedures (ECtHR, Öztürk v. Germany, February 21, 1984, ECLI:CE:ECHR:1984:0221JUD000854479); within Belgian law, the impartiality of administrative bodies is also guaranteed as a principle of good governance, see supra and Judgment of the Council of State, June 22, 2017, No. 238,610.
16 Although the Dispute Chamber is not a legal body, reference can be made to Article 6 Ger. W., which states that judges must apply the applicable legal rules in all matters submitted for their judgment; under Article 57 GDPR, it applies mutatis mutandis to the supervisory authority to process complaints and investigate the outcome, without any indication for preferential treatment. When issues are discussed or treated in an investigation, hearing, or decision, it does not imply that these issues are justified or substantiated.


submission of these documents and their addition to the file. Given the
55. In a credible legal dispute, truth-finding occurs in a thoughtful manner based on facts and qualitative arguments. In this context, (legal) questions must be able to be raised without this in itself implying partisanship.


late nature of the submission of the documents, the opposition of the defendant to the
56. The fact that information may be shared within the framework of the loyal and confidentiality-oriented cooperation and loyal information sharing within and between supervisory authorities in the European Economic Area, which would raise critical legal questions regarding a particular issue, is an inherent element of the cooperation procedure in Chapter VII of the GDPR.18


submission, and in the absence of any valid reason for the
57. The mere fact that a previous case for the Dispute Chamber with allegedly similar circumstances may lead to a potentially detrimental outcome for the same party or its representative does not justify recusing a sitting member in another (i.e. this) case.


late nature of the submission, the documents are excluded from the debates in their entirety and
58. When a party disagrees with a decision of an authority, it is free, under Article 78 GDPR, to appeal that decision. In Belgian law, this can also be done, according to Article 108, §3 DPA Act, by any third party with an interest before the Market Court. Therefore, if Noyb believes it is a relevant stakeholder, it has potentially the right of access to the courts. The fact that no appeal could be lodged in a previous case because the involved complainant did not wish it, as raised at the hearing, is not a fault attributable to the Dispute Chamber and is not relevant.


will not be included in the debates before and the deliberations of the
59. Finally, as a fifth and final preliminary point, after receiving the minutes in this file, the defendant informed the Dispute Chamber on July 12, 2024, that it found these minutes “not a faithful representation” of the hearing and that this could violate the rights of defense. In this context, the defendant requested a new set of minutes to be drawn up.


Dispute Chamber.
60. On July 23, 2024, the Dispute Chamber informed the defendant that the audio recording could be listened to in full and unedited in the premises of the GBA, after having previously extended the deadline for submitting comments on the minutes until July 31, 2024.
 
37. TheDispute Chamber points out in connection with this second
 
preliminary point that, as a body of a supervisory authority, it must be
 
able to take into account all the elements that have come to its attention, in
 
order to guarantee a high level of data protection. This does not alter the fact that the procedure
 
must meet the requirements of adversarial and equality of parties. The procedure provided for in the
 
subsection "deliberation and decision on the merits" in art. 98 et seq. WOG aims precisely at providing a procedure for
 
adversarial proceedings. In administrative law, special account must be taken
 
of the duty to be heard and the rights of defence.
 
38. A third preliminary point concerns the legally valid appearance of the person who appears for
 
the representative of the complainant (physically) at the hearing. When the
 
hearing takes place, the defendant indicates that she has questions about the
 
mandate of the person to act for Noyb in accordance with the articles of
 
association of this organisation.
 
39. It should first be noted that Noyb has reported as the representative of
 
the complainant to the Dispute Chamber, submitting the mandate in this regard, by
 
sending a message via a specific e-mail address. For the presence at the hearing of the person in question, prior to the hearing the representative had reported via the e-mail address that the Noyb employee would be present as a representative. The Dispute Chamber is not obliged to investigate ex officio or at the request of the parties how the designation of this employee took place in concrete terms. The notification by the organisation Noyb via e-mail of the identity of the employee in question is sufficient. For that reason alone it has been sufficiently established that the person could legally appear before Noyb. 40. It should be noted that the complainant was present in person at this hearing, and
 
this at the side of the employee of Noyb. Based on the appearance of the complainant,
 
it can be established that the complainant also assumes that the person in question
 
could legally act for his representative Noyb.
 
41. The person in question did therefore legally appear before Noyb at the hearing.
 
42. As a fourth preliminary point: at the hearing, the complaining party, for the first time and
 
without prior notice, but not in limine litis, questions in its pleadings the
 
“independence” of the chairman of the Dispute Chamber for the handling
 
of this case. Furthermore, the complaining party asks the chairman of the
 
Dispute Chamber to withdraw. The complaining party refers to
 
anonymous "sources" who allegedly heard in private conversations that there was a strategy
 
to reject complaints "from Noyb", and to a public event where the
 
chairman of the Dispute Chamber was present. No further concrete
 
elements are provided that would substantiate the lack of "independence" of the
 
sitting member.
 
43. The Dispute Chamber understands from the wording of the complaining party that it is more (or
 
at least also) about the impartiality than the independence of the
 
Dispute Chamber. Such "requests for disqualification" must be handled carefully and
 
accurately by the requesting parties. Expressing dissatisfaction with (the outcome or course of) a procedure is something different than raising requests for disqualification against members of public institutions, whose legitimacy is based precisely on their independence and impartiality.0
 
44. Specifically with regard to the oral request of the complaining party to withdraw
 
from the chairman, the chairman decides not to grant this request for the following reasons.
 
8
L. Van Den Eynde, “Partiality and conflicts of interest in active management: the sneak path of the equality principle”, TBP,
2024, Ed. 4, 215-230, specifically section 2.1 “types of (im)partiality and evidence”; Compare with regard to the confusion of concepts in the context of the
 
judiciary: Ooms A., “Judicial impartiality is not always what it seems. A historical and
prospective analysis of the boundary between objective and subjective impartiality.”, Croniques de droit public, 14(2010)4, p.
499-524; ; Opdebeek I. and De Somer S., Algemeen Bestuursrecht: fundamenten en principes, Ed. 2, Antwerp, 2019
Intersentia, specifically part V, Chapter III, Section 8 regarding the principle of impartiality for the administration.
9Compare art. 835 Judicial Code for requests for disqualification with regard to members of the judicial order, a provision that
 
states, among other things, that such requests for disqualification with the reasons for the disqualification must be filed
 
with the registry in a formal document, and that only by lawyers with more than 10 years of experience at the bar.
10The legislator anchors several elements in this regard in art. 44 WOG. Decision on the merits 113/2024 — 11/70
 
45. First and foremost, the complainant was sufficiently aware that the chairman was handling this file
 
(jointly), at least as recently as 5 February 2024 when the parties were
 
invited to submit their defences in this file in a letter signed by the chairman. The complainant had the opportunity
 
to take the necessary steps to address the fact. The (extremely) late nature of the request for
 
withdrawal is in itself sufficient to not grant this request.
 
46. In addition, reference can be made to the following facts.
 
47. It is the defendant who has put forward a number of means and arguments
 
in this file that highlighted the (procedural) interest and the
 
delegation of the representative by the complainant, not the Dispute Chamber. Furthermore, in the present
 
file, only the First Line Service has asked without obligation about the (procedural)
 
interest of the complainant, apparently without any adverse effect on the latter when
 
declaring the complaint admissible. In its letter with the invitation to submit
 
the defence, on the other hand, the Dispute Chamber did not ask the complaining party to
 
further explain its (procedural) interest or the circumstances of the
 
mandate. It is therefore factually incorrect to suggest a bias that can be
 
traced back to a person or a strategy of the Dispute Chamber or its chairman.
 
This does not, however, alter the fact that it is within the jurisdiction of the
 
Dispute Chamber to ask this type of question to the parties.
 
48. The complaining party was then able to respond to the aforementioned
 
resources and arguments of the defendant in the reply and at the hearing. However, the complainant indicated at the beginning of the hearing that the substantive rather than the formal points should form the core of the debate, and that the complainant would be subject to a "more thorough investigation" than a controller.
 
This is factually incorrect, and on several points.
 
49. First of all, the settlement procedure itself illustrates that the Dispute Resolution Chamber -
 
prior to this decision - initiated proceedings in order to quickly resolve the substantive
 
grounds formulated in the complaint. Moreover, at that time it was the first time that the Dispute Resolution Chamber used the settlement procedure as a power in the phase
 
preceding the deliberation on the merits.
 
50. Furthermore, the Dispute Resolution Chamber does not understand to what extent the complainant would have been subject to a "more thorough
 
investigation". The Dispute Chamber did not ask or suggest anything to the complainant in this regard prior to the submission of the arguments by the defendant, and the Inspectorate did not intervene in this case. The fact that the defendant submits arguments and resources in this regard is the right of a defendant in proceedings with potentially weighty corrective measures. Such arguments and resources cannot and may not be excluded from the debate. Decision on the merits 113/2024 — 12/70
 
51. Furthermore, in response to the question from the defendant whether the latter should limit herself to her arguments on these procedural elements at the hearing, the Dispute Chamber indicated 12that the parties are free to arrange their pleadings as they wish, but that the hearing, in accordance with the letter of 5 February 2024, will at least deal with those substantive points.
 
The extent to which the substantive aspects have (partly) formed the core of the
 
debate for the Dispute Chamber could hardly be clearer.
 
52. The Dispute Chamber clarifies that the representative of the complainant in this
 
case must separate the various formal procedures in which it acts for different complainants
 
from each other. In this case, the Dispute Chamber, when enabling the
 
case and inviting the submission of defences, has not raised the alleged
 
problem regarding the (procedural) interest of the complainant, nor the alleged
 
problem regarding the mandate itself. In the following parts of the present
 
decision, the Dispute Chamber also rejects the defendant's arguments in this
 
respect.
 
53. The Dispute Chamber cannot be asked not to address the
 
arguments of the defendant, or not to subject the arguments in this respect
 
to an assessment. Moreover, it is precisely the task of the Dispute Chamber to
 
consider the submitted means and arguments, which must be
 
assessed per case. 14
 
54. The Dispute Chamber also judges in an impartial manner, without fear or
 
favour for the other party. In this sense, the defendants are also
 
entitled to a fair analysis of the facts and in accordance with the legal standards. 15 A complaining party
 
has no right to preferential treatment on a procedural level, nor does this party
 
have the privilege of avoiding a legal debate – potentially to its disadvantage.
 
11
The defendant submitted a question to the Dispute Chamber on 19 June 2024, the complaining party could read along in cc.
12 The Dispute Chamber replied to the defendant on this matter on 21 June 2024, the complaining party could read along in cc. 13
In this context, it should also be noted that procedural documents from the complainant could not be included in this file, because they were transferred to the margin of another file in which the representative acted. See in this regard the exchanges between the defendant and the Dispute Resolution Chamber in documents 20, 21, 28 and 32 of the administrative file.
14
Cf. Judgment of the Brussels Court of Appeal (Market Court Section) of 16 September 2020, 2020/AR/1160, §5.7: “It is not appropriate in a constitutional state that the Dispute Resolution Chamber of the GBA could ‘choose’ which argument it does or does not provide an answer to.”
15 Cf. Article 6 ECHR, Article 47 Charter of Fundamental Rights of the EU and Article 52 GDPR; although the Litigation Chamber is not a court in the traditional sense, this principle also applies to administrative procedures (ECHR, Öztürk v. Germany, 21 February 1984,
 
ECLI:CE:ECHR:1984:0221JUD000854479); within Belgian law, the impartiality of administrative bodies is also guaranteed as a principle of good administration, cf. supra and Judgment of the Council of State, 22 June 2017, no. 238.610.
16Although the Litigation Chamber is not a court of law, reference can be made to art. 6 of the Judicial Code, which states that judges must apply the applicable legal rules in all cases subject to their judgment; under art. 57 GDPR, it is mutatis mutandis up to the supervisory authority to handle complaints and examine the outcome, without any indication of preferential treatment. Decision on the merits 113/2024 — 13/70
 
When aspects are discussed or dealt with in an investigation, at a hearing or in
 
a decision, this does not mean that the aspects are justified or well-founded.
 
55. In a credible dispute, one arrives at the truth in a thoughtful manner on the basis of
 
facts and qualitative arguments. In this context, (legal) questions must of course be able to be
 
asked without this in itself entailing partiality.
 
56. The fact that, in the context of loyal and confidentially organised cooperation and
 
the loyal sharing of information within and between supervisory authorities in the
 
European Economic Area, information could be provided that would raise critical legal
 
questions on a particular issue is an inherent element of the cooperation procedure in Chapter
 
18
of the GDPR.
 
57. The mere fact that a previous case before the Dispute Chamber with allegedly similar circumstances
 
entails a possible adverse outcome for the same party or its representative does not in itself
 
justify the recusal of a sitting member in another (i.e. this) case.
 
58. If a party does not agree with a decision of an authority, it is
 
free under Article 78 GDPR to institute proceedings against that decision. In the
 
Belgian legal system, this can also be done by any interested third party at the Market
 
Court in accordance with Article 108, §3 WOG. If Noyb therefore believes that it is such an
 
interested party, it has access to justice if necessary. The fact that in a previous case no appeal could be
 
lodged because the complainant concerned did not wish this, as was raised at the hearing, is not an
 
argument that is reprehensible to the Dispute Chamber and is not relevant.
 
59. Finally, as a fifth and final preliminary point, after receiving
 
the PV in this file, the defendant informed the Dispute Chamber on 12 July 2024 that it
 
considered this PV to be “not a faithful representation” of the hearing and that it
 
could violate the rights of the defence. In that context, the defendant requested that a new PV be drawn up.
 
60. On 23 July 2024, the Dispute Chamber informed the defendant that the audio
 
recording could be listened to in its entirety and unedited in the buildings of the GBA, after
 
the Dispute Chamber had already exceeded the deadline for submitting comments
 
to the PV.
 
1 See Article 54.2 GDPR and Article 48 § 1 WOG. 18The principle of impartiality cannot be applied contra legem in this regard in connection with the circumstances of
international information sharing, cf. Judgment of the Council of State of 23 June 2020, Lossau, no. 224.038; discussion in L. Van Den
 
Eynde, “Partiality and conflicts of interest in active management: the sneak path of the equality principle”, TBP, 2024, Ed. 4,
(215)219, §11.
19In this sense, reference is made in the conclusions and pleadings by various parties in the proceedings to Decision
22/2024 of the Disputes Chamber, against which no appeal was lodged with the Market Court.
20
In the comments on the report, the complaining party makes the following comment: “[…] now the failure to lodge an
appeal is anything but in the interest of noyb.” Decision on the merits 113/2024 — 14/70
 
extended until 31 July 2024. In this context, it should be emphasised that the Dispute Chamber included the following passage in the
 
invitation to the hearing:
 
You are also informed that the entire hearing will be
 
recorded for the sole purpose of drawing up a report. The
 
sound recording will be destroyed as soon as the appeal period as stated in
 
art. 108 WOG has expired. If the appeal option is used, the sound
 
recording will only be destroyed upon receipt of the Market Court's judgment.


61. The Dispute Chamber refuses the requested copy for the following reasons.
61. The Dispute Chamber refuses the requested copy for the following reasons.


62. Firstly, the drawing up of the report by the Dispute Chamber and the submission thereof
62. First and foremost, the preparation of the minutes by the Dispute Chamber and their submission to the parties is not a legal right, but merely an initiative of the GBA to formally record the hearing in the administrative dossier, as well as to formalize elements that were not raised during the conclusions. The Internal Rules of Procedure state that it is merely a representation by means of a synthesis; the minutes state explicitly: “The present minutes aim only to mention specifications and additions raised during the hearing, without repeating the elements laid out in the written conclusions of the parties.” (the Dispute Chamber emphasizes in light of this decision)
 
to the parties is not a legal right, but merely an initiative of the GBA to (formally) record the hearing in the
 
administrative file, as well as to formalise elements that were not raised in the
 
conclusion round in the file.
 
The Internal Rules state that this is merely a representation by way of
 
synthesis; the report itself also explicitly states as follows:
 
“The present report is only intended to record clarifications and
 
additions that were put forward during the hearing, without repeating the elements that
 
were set out in the written conclusions of the parties.” (the Dispute Chamber
 
underlines in light of this decision)
 
63. In that sense, the Dispute Chamber has taken note of everything that was said
 
during the hearing. In her conclusions, the
 
defendant has presented her arguments in detail (including table of contents and
 
overview of documents, the synthesis conclusion has 117 pages). The Dispute Chamber has not included similar elements that were mentioned
 
during the pleadings in the PV, and merely referred to the fact that the
 
pleadings deal with "formal" and "substantive" elements - elements that can be found
 
in and are identical in wording to the synthesis conclusion several times. Every question or
 
substantively new comment at the hearing was included in the PV.
 
64. Secondly, the Dispute Chamber states that it is not the objective of the PV to
 
provide an exhaustive overview of everything that was said at the hearing. An exhaustive
 
overview is not only not very relevant to the objective of the right to be heard as
 
laid down in the law, it is also undesirable for the proper functioning of the
 
procedure before the Dispute Chamber and for the smooth course thereof for the parties. In particular, the
 
debates will not be reopened after the hearing has ended, as is also
 
expressly stated in the PV itself. Under the principle of effectiveness, the GDPR must be
 
usefully
 
21
Art. 54 “old” version RIO GBA. Decision on the merits 113/2024 — 15/70
 
can be upheld: unnecessary additions to the procedure are not only
 
undesirable, they are also illegal in accordance with that principle.
 
65. An exhaustive transcription of everything said at the hearing would result in several dozen pages of PV for a 1.5-hour hearing such as in the present case; the procedural added value of a hearing is thus undermined.
 
66. Finally, in the context of the request, the defendant points out that she would be entitled to a copy of the recording under art. 95 § 2 WOG because it forms part of the file. This
 
is incorrect. The PV is the document that is included in the file; in addition, the parties' comments on that PV are added to the
 
file. The audio recording only facilitates the preparation of the aforementioned PV and is not a document in the administrative file.
 
The right to be heard, as laid down in art. 98, 2° WOG, does not extend to
 
obtaining a copy of the recording of the hearing. By the end of the hearing, the debates are closed, so access to the copy of the audio recording on the basis of art. 95 § 2 WOG – a statutory provision that deals with the copy of the file when the case is brought to court – is in any case not an issue.
 
67. For all these reasons, the defendant's request for the preparation of a new – more exhaustive – PV of the hearing of 1 July 2024 is rejected.
 
68. For the sake of transparency of the procedure, it should be noted that several lawyers for the defendant requested a copy of the audio recording of the hearing on the basis of art. 15.3
GDPR, by means of messages to the Dispute Chamber on 18 July and 31 July 2024. In the message of 31 July 2024, several lawyers for the defendant wrote to both the Dispute Chamber and the Data Protection Officer ("DPO") themselves. As soon as
 
a lawyer referred him to article 15.3 GDPR on 18 July 2024, the DPO of
 
the GBA was informed of the request. This exercise of a right under art.
 
15.3 GDPR does not fall under the administrative procedure that precedes the
present decision.
 
II.2. The complaint filed under art. 80.1 GDPR
 
II.2.1. Legal framework
 
69. Article 80 GDPR provides:
 
Representation of data subjects
 
1. The data subject shall have the right to instruct a non-profit-making body, organisation or association
 
which has been properly constituted in accordance with the law of a Member State,
 
the statutory objectives of which are in the public interest and which is active in


the field of the protection of the data subject’s rights and freedoms in relation to the Substantive decision 113/2024 — 16/70
63. In this regard, the Dispute Chamber has taken note of everything that was said at the hearing. The defendant elaborately presented its arguments in its conclusions (including table of contents and overview of documents, the synthesis conclusion totals 117 pages). The Dispute Chamber did not reiterate similar elements mentioned during the pleadings in the minutes, only referencing that the pleadings addressed “formal” and “substantive” elements – elements retrievable in and repeatedly identical to the synthesis conclusion. Any questions or substantively new comments raised at the hearing were included in the minutes.


the protection of his or her personal data, to lodge the complaint on his or her behalf,
64. Secondly, the Dispute Chamber states that the objective of the minutes is not to provide an exhaustive overview of what was said during the hearing. An exhaustive overview is not only of little relevance regarding the right to be heard as outlined by law, it is also undesirable for the proper functioning of the procedure for the Dispute Chamber and for smooth proceedings for the parties. The debates are not reopened after the hearing is concluded, as clearly stated in the minutes themselves. According to the principle of effectiveness, the GDPR must be capable of being upheld usefully: unnecessary additional elements to the procedure are not only undesirable, they are also unlawful according to that principle.


to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf,
65. An exhaustive transcript of everything said during a hearing, such as in this case lasting 1.5 hours, would yield several dozen pages of minutes; this would undermine the procedural value of a hearing.


and to exercise the right to compensation referred to in Article 82 on his or her behalf,
66. Finally, regarding the request, the defendant points out that it would have the right under Article 95 § 2 DPA Act to a copy of the recording as it is part of the dossier. This is incorrect. The minutes are the document that is recorded in the dossier; additionally, parties' comments on those minutes are added to the dossier. The audio recording merely facilitates the drafting of the aforementioned minutes and is not a document of the administrative dossier. The right to be heard, as laid out in Article 98, 2° DPA Act, does not extend to obtaining a copy of the audio recording of the hearing. In any case, after the hearing has concluded, the debates are closed, so access to the copy of the audio recording under Article 95 § 2 DPA Act – a legal provision dealing with the copy of the dossier when enabling the case – is definitely not an issue.


where Member State law so provides. 2. Member States may provide that a body, organisation or association referred to in paragraph 1
67. For all these reasons, the request of the defendant for the preparation of a new – more exhaustive – set of minutes of the hearing dated July 1, 2024, is rejected.


of this Article, independently of a data subject's mandate, has the right to lodge a complaint in that Member State with the supervisory
68. For the transparency of the procedure, it should be noted that several lawyers from the defendant requested a copy of the audio recording of the hearing under Article 15.3 GDPR, via messages sent to the Dispute Chamber on July 18 and July 31, 2024. In the message of July 31, 2024, several lawyers from the defendant addressed both the Dispute Chamber and the data protection officer (“DPO”) directly. Once any lawyer referred to Article 15.3 GDPR on July 18, 2024, the DPO of the GBA was informed of the request. This exercise of a right under Article 15.3 GDPR does not fall under the administrative procedure preceding this decision.


authorities competent in accordance with Article 77 and to exercise the rights referred to in Articles 78 and 79,
II.2. The lodged complaint under Article 80.1 GDPR
if it considers that the rights of a data subject under this Regulation have been
II.2.1. Legal Framework
 
69. Article 80 GDPR states the following: Representation of data subjects
infringed as a result of the processing. In this light, recital 142 of the preamble is also relevant:
1. The data subject has the right to mandate an organ, organization, or association without profit motive, which is duly established according to the law of a Member State, whose statutory objectives serve the public interest and which is active in the area of protecting the rights and freedoms of the data subject in relation to the protection of their personal data, to submit a complaint on their behalf, exercise the rights specified in Articles 77, 78, and 79 on their behalf, and exercise the right to compensation under Article 82 on their behalf, if the law of the Member State provides for this.
 
2. Member States may determine that an organ, organization, or association as referred to in paragraph 1 of this article has the right to submit a complaint independently of the mandate of a data subject in that Member State to the supervisory authority competent under Article 77 and to exercise the rights specified in Articles 78 and 79, if it believes that the rights of a data subject under this regulation have been violated as a result of processing. In this regard, Recital 142 of the preamble is also relevant: When a data subject believes that their rights have been infringed under this regulation, they should have the right to authorize organs, organizations, or associations without profit motive, duly established under the law of a Member State, whose statutory objectives serve the public interest and which are active in the area of protecting personal data, to submit a complaint on their behalf to a supervisory authority, to exercise the right to an effective judicial remedy on behalf of data subjects, or to exercise the right to receive compensation on behalf of data subjects, if this is provided for in the law of the Member State. Member States may determine that these organs, organizations, or associations have the right to submit complaints in that Member State, irrespective of any authorization by a data subject, and to have the right to an effective judicial remedy if they have reasons to believe that the rights of a data subject have been violated due to personal data processing that infringes this regulation. For these organs, organizations, or associations, it may be determined that they do not have the right to claim compensation on behalf of a data subject without the authorization of the data subject.
Where a data subject considers that his or her rights under this Regulation have been infringed, he or she should have the right to authorise a non-profit-making body, organisation or association,
 
established in accordance with the law of a Member State, which has statutory objectives that are in the public interest and which is active in the field of
 
the protection of personal data, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right
 
to a judicial remedy on behalf of data subjects, or to receive compensation on behalf of data subjects, where provided for by
 
Member State law. Member States may provide that these bodies, organisations or associations have the right
 
to lodge a complaint in that Member State, irrespective of any authorisation by a data subject, and the right to an effective judicial remedy, if
 
they have reason to believe that the rights of a data subject have been violated
 
as a result of the processing of personal data in breach of this
 
Regulation. Such bodies, organisations or associations may be provided that they
 
do not have the right to claim compensation on behalf of a data subject without the
 
authorisation of the data subject.


II.2.2. Context of the complaint
II.2.2. Context of the complaint
70. The manner in which the complainant, in consultation with Noyb as a representative, can be visualized is as follows. [Image]
71. First it is undisputed that Noyb is engaged in projects related to lodging complaints regarding cookies and cookie banners. Noyb has publicly communicated about projects in this regard that bundle a number of similar complaints, and the status of the projects is publicly maintained on Noyb's website.²²
72. Second, there was undeniably a internship relationship between the complainant and their representative in the present dossier at the time of the findings that led to the documents attached to the complaint. The complainant was also an intern when Noyb was mandated to submit the complaint.
73. Third, there is NO demonstrable link between the lodging of the complaint in this dossier by the complainant (including the mandate of Noyb by the complainant) and other cookie projects initiated by Noyb as an organization. However, Noyb did issue a press release on the day the complaints were lodged, stating that “fifteen” complaints were filed against Belgian media websites. The complainant did not submit each of those fifteen complaints.²² Reference is made among others to documents 4, 5, and 6 in the defendant’s synthesis conclusion, including a reference to the webpage titled “Noyb wants to put an end to ‘cookie banner terror’ and files more than 500 GDPR complaints” (example document 4).


70. The manner in which the complainant, in consultation with Noyb as representative,
74. This does indicate a certain form of coordination, but it is nowhere established that any coordination took place before the complainant's grievances arose, nor before the mandate of Noyb by the complainant. In that sense, it cannot be established that any pressure from Noyb on the complainant could have occurred.
75. It should, however, be noted that this fact is not undisputed, as the defendant indicates that the interest of the complainant as a data subject has not been demonstrated, and that the findings or grievances cannot be completely disconnected from the organization Noyb. The defendant refers, among other things, at the hearing to the fact that the finding was made with work materials during working hours, and that there is talk of a project at Noyb (and not a complaint of the complainant as an individual).


can be visualised as follows. Decision on the merits 113/2024 — 18/70
76. Fourth, the complainant believes that a breach of the GDPR has occurred and that he has been harmed in his rights.


74. This of course points to a certain form of coordination, but it is nowhere established that any coordination
77. Fifth, a complaint was filed on behalf of the complainant by Noyb as their representative. The complaint was formulated and submitted to the Belgian supervisory authority in consultation with the complainant, and was lodged with the First Line Service of the GBA without any alleged formal deficiencies.


took place before the complainant's grievances arose, nor
II.2.3. No direct evidence of ‘fictitious’ mandate and present (procedural) interest on the part of the complainant
Position of the complaining party
78. In her reply conclusion, the complaining party addresses the “admissibility” of the complaint. The Dispute Chamber summarizes the position. In a first part regarding this, the complaining party argues concerning the “admissibility under Article 77(1) in conjunction with Article 80(1) GDPR.”
  a. Firstly, the complaining party states in the section “burden of proof” that the complaints and attachments demonstrate a personal connection between the complainant and the data processing, inter alia, because the complainant visited the websites, from which the necessary indications arise for the violations described in the complaint. In this regard, the complaining party further states that the GDPR does not impose requirements on the content, form, or scope of the complaint and neither on the evidence that should be provided by the complainant. Furthermore, the complaining party states that it is the data controller who bears the burden of proof that the GDPR is being complied with, not the complainant.
  b. Secondly, the complaining party argues in the section “the relevant processing violates the GDPR” that the complaints...
Describing where GDPR violations occur


before the mandate of Noyb by the complainant. In that sense, it certainly cannot be established
The complaining party states that the GDPR or the DPA Act does not require that the involved complainant first exercise their rights against the data controller. Furthermore, the complaining party points out that the defendant did not accept the cookie banners following the settlement proposal, and that there are still unlawful cookie banners in place.


that there could potentially have been any pressure from Noyb with regard to the complainant.
c. Thirdly, the complaining party asserts in the section “sufficient personal interest” that the complainant has visited the websites and that personal data was processed during this time. The complainant has then chosen to be represented by Noyb, in accordance with Art. 80(1) GDPR. The representation can always be terminated, and Art. 80(1) GDPR does not impose a limitation on granting such a mandate during or after a “direct subordinate relationship” between the complainant and the representative. Furthermore, the complaining party states that the Court of Justice of the EU has accepted that a person who is (or has been) employed by Noyb may be represented by the latter, and that the argument of invalid representation by Noyb has repeatedly been dismissed in ongoing cases involving Noyb. Additionally, Noyb points out that the decisions of the Dispute Chamber do not have precedential effects.


75. It should be noted, however, that this fact is not undisputed, since the defendant indicates that the
d. Fourthly, the complaining party states in the section “Incorporation under Belgian law (Art. […] 220§2,1° GBW)” that the GBA has previously endorsed that this Belgian provision is stricter than Art. 80(1) GDPR and that it excludes it in the sense that non-compliance has ‘no impact’. The complaining party further states that the GBA must exclude the operation of the national provision to ensure the full effectiveness of EU law and thus allow Noyb as a representative under Art. 80(1) GDPR; Noyb is validly established under the law of a Member State, in this case, Austria.


interest of the complainant as a person concerned has not been demonstrated, and that the findings or grievances
79. In a second part regarding this matter, the complaining party argues about the “admissibility under Art. 80(2) GDPR”:
  a. The complaining party contends that there is a valid representation ex Art. 80(1) GDPR so that a question of admissibility under Art. 80(2) GDPR is not relevant. In this context, the complaining party notes that Noyb may initiate legal action in accordance with Art. 17 Ger. W. and that there is no reasonable justification for not allowing Noyb to independently file a complaint with the GBA. The complaining party further points out that the legislative history of Art. 17 Ger. W. does not state that this provision is not applicable for procedures before the (Dispute Chamber of the) GBA. On the other hand, according to the complaining party, the legislative history of Art. 58 DPA Act indicates that “everyone” can submit complaints, including legal entities and associations. Moreover, the complaining party argues that allowing Noyb to access a court as an independent party while not allowing it before the GBA would constitute a violation of the equality principle under Art. 10 of the Belgian Constitution. The complaining party concludes: “The fact that Noyb would have sufficient interest in filing complaints such as these follows from Noyb's statutes.”


cannot be completely separated from the Noyb organisation. The defendant refers
Position of the Defendant
at the hearing to the fact that the determination with work material was made during
80. The position of the defendant is clarified in two of its arguments as follows (the Dispute Chamber summarizes):
  2nd argument (as a primary order): Absence of sufficient personal interest on the part of the complainant:
  a. In this argument, the defendant first asserts, summarized, that there is “no credible evidence or claim of processing of personal data of the complainant” presented in the complaint. According to the defendant, it is uncertain whether the complainant himself visited the relevant websites. The defendant states that based on “further investigation,” for example, it finds that a number of “false or at least flawed claims” can be read in the complaint – and refers for each of the four complaints to the fact that references to news pages (web pages) included in the evidence pertained to dates after the date on which the complainant claimed to have visited the websites. Additionally, the defendant points out other inconsistencies in the submitted documents.
  b. Secondly, this argument states, summarized, that the “relevant processing” does not violate the GDPR. The defendant argues that the complainant, as a data subject, has given consent and that he consulted the various layers of information, as evidenced by the documents. Moreover, the defendant cites that the complainant did not exercise his rights against the defendant. This means, according to the defendant, that the Dispute Chamber cannot order the deletion of data in the sense of Article 17 GDPR or order that this deletion or rectification be communicated to third parties in the sense of Article 19 GDPR.
  c. Thirdly, the defendant asserts, summarized, that the “data subject” (complainant) has no sufficient personal interest and that the representative acts under a fictitious mandate. The defendant refers to press releases from Noyb regarding its actions against “cookie banner terror” as well as a specific press release concerning the settlements of the Dispute Chamber. The defendant cites the following passage from this latest press release from Noyb: “Noyb files 15 complaints against the aforementioned media sites to force them to adjust their cookie banners.” Furthermore, the defendant points out that the complainant was an intern at Noyb at the time of the visits to the contentious websites, and that the visits to the websites were not spontaneous (given the limited time spent – less than 1 minute per website), that the geographical data concerning the website visits trace back to Austria, that the complainant himself indicates he is acting against a general practice, and that he lodged complaints against other media companies on the same day. Additionally, the defendant points out that the letter to the First Line Service by Noyb on September 1, 2023, does not demonstrate that the complainant indeed holds the required personal interest, and that the Dispute Chamber in a previous decision in a similar case (Decision 22/2024 of January 24, 2024) already ruled that Noyb's mandate is fictitious.
  d. Fourthly, the defendant claims that Noyb is abusing rights because it uses the complaints procedure to “realize its own publicly announced program through a fictitious mandate of a subordinate intern.” Furthermore, the defendant states: “In this way, Noyb sought to circumvent the non-transposition of Article 80.2 into Belgian law.” The defendant cites several other elements and concludes: “Noyb thus used the complaints procedure with the GBA for a purpose other than that for which the procedure is intended. This is an abuse of rights.”
  e. Finally, the defendant responds to several points from the conclusion of the complainant. In this regard, the defendant notes that the complaining party does not respond to “multiple – earlier factual – arguments” from the defendant and that these facts are therefore not disputed.


working hours, as well as that it is discussed about a project at Noyb (and not a
3rd argument (subordinate): NOYB cannot independently file a complaint
  a. In this argument, the defendant first asserts, ‘as a primary argument’, that the complainant's mandate is limited to Article 80.1 GDPR. The defendant states that the Dispute Chamber cannot assess the elements of the complaint under Article 80.2 GDPR; in that case, the Dispute Chamber would be ruling “ultra petita.”
  b. Secondly, in a subordinate manner, the defendant asserts that Article 80.2 GDPR does not apply in Belgium. The defendant refers to the Belgian legislator's choice not to activate this provision through national law.
  c. Thirdly, and also in a subordinate manner, the defendant states that Noyb itself cannot file a complaint as it does not possess sufficient personal interest.
  d. Fourthly, the defendant provides a rebuttal to what was stated in the conclusion of the complaining party, namely that sufficient interest for Noyb follows from the statutes of that organization. The defendant states that the statutes of Noyb only reveal the general, public nature of the interest.


complaint from the complainant as an individual).
Assessment by the Dispute Chamber
81. The representative of the complainant is generally actively working to expose certain practices in the field of data protection law. These general organizational goals alone do not suffice to speak of a fictitious mandate under Article 80.1 GDPR. The defendant raises a number of (sub)arguments in its defense to argue that there are various issues regarding the mandate. However, the Dispute Chamber finds no direct indications or evidence in any of these arguments to claim that the mandate is fundamentally defective, let alone that it was established in a ‘fictitious’ manner in this dossier. The Dispute Chamber argues as follows.


76. Fourthly, the complainant believes that there has been a breach of the GDPR and that his
82. Firstly, it is indeed the case that Noyb has previously engaged in several projects where it sought to address certain practices through complaints. The mere fact that fictitious mandates would have been formulated in that context does not suffice to assert that Noyb cannot represent data subjects concerning the same matter. Moreover, there is no formal indication that Noyb itself initiated the approach to encourage the complainants to file complaints with a specific concrete content.
rights have been harmed.


77. Fifthly, a complaint was filed on behalf of the complainant by Noyb as his
83. Secondly, the complainant emphasizes at the hearing that he independently visited the websites and had issues with the practices of the data controller, specifically after gaining knowledge of the settlement decision from the Dispute Chamber regarding the websites. Moreover, the complainant is Dutch-speaking, so it is not inconceivable that the complainant also incidentally or routinely visits the contentious websites and has an interest in ensuring that the processing of personal data is carried out properly when this happens. Therefore, when the complainant states that he visited the website independently – albeit on a work laptop – and feels aggrieved, without any indication of prior instruction or pressure from the representative, the legitimate, direct, and personal interest is established. There is no indication of abuse of rights.


representative. The complaint was formulated in consultation with the complainant and
84. It should be emphasized, as the complaining party rightly notes, that in the context of the right to complain, a data subject only needs to “believe” that their rights have been infringed. Furthermore, A fortiori, Recital 143 – regarding the mandate by a data subject – explicitly states that a data subject has the right to mandate an organization as soon as that person “believes” that their rights have been violated. That the representative subsequently makes their expertise available in the context of the representation mandate, to gather additional evidence, can indeed be considered a good practice.


filed with the Belgian supervisory authority, and submitted to the First Line Service of the
85. In summary, the mandate has been validly granted under Article 80.1 GDPR.


GBA without any alleged procedural defects.
86. Thirdly, it is indeed prudent to enter into a mandate under Article 80.1 GDPR when a working relationship (an employment relationship, an internship relationship, or others) is involved. Problems (such as conflicts of interest) may indeed arise concerning the internship relationship; however, the Dispute Chamber reads or finds no argument that indicates that the internship relationship in this instance stands in problematic relation to the mandate to file the complaint. It is legally and sensu stricto not excluded that the representative can also serve as an internship supervisor.


II.2.3. No direct evidence of a ‘fictitious’ mandate and
87. It is up to the representative to assess, within the framework of the applicable legal provisions, whether the representation relationship is appropriate. The Dispute Chamber will only intervene when there are clear indications that the legal requirements for a valid representation have not been met, or when the integrity of the procedure is at stake. This is the case, for example, when a mandate is established in a fictitious manner, or when the grievances are demonstrably ‘steered’ by the representative.


present (procedural) interest on the part of the complainant
88. It is also worth noting that there is a difference between, on the one hand, being asked – however informal it may be – by an employer or ‘intern supervisor’ to give consent for something, versus, on the other hand, independently approaching the internship supervisor or employer to grant a mandate for representation. In this instance, there is no factual indication that the first situation applies, so there can be no legal defect in the mandate. Moreover, the complainant has also indicated in so many words at the hearing that he himself (albeit in consultation with another person who was also a trainee at the same time) independently identified a problem with the contentious websites. There is no evidence to suggest that this statement from the complainant is not truthful: the complainant raised this issue in person at the hearing.


Position of the complainant
89. The fact that trainees are provided with a forum to lodge complaints regarding alleged unlawful processing of their own personal data or related infringements is not problematic per se, as long as this occurs within the legal provisions23 and without prior instructions regarding, for example, the identity of the data controller and the specific infringements being alleged. Providing such a forum may also include offering work materials and a physical workspace to individuals. Strategic coordination between the complainant and their representative regarding how a complaint is lodged, which infringements are focused on, and how the content is presented can indeed only occur after such grievances have arisen.


78. In its conclusion of reply, the complainant addresses the “admissibility” of the
90. It is of course not excluded that the complainant's objective to be represented in addressing the alleged infringed rights he wishes to see upheld aligns with Noyb's organizational objectives to ensure compliance with the rules on lawful data processing regarding cookies in the public interest.


complaint. The Dispute Resolution Chamber summarizes the position.
91. In summary, there is no indication that the mandate is fictitious. The complainant has a direct and personal interest and has granted the mandate independently, not at the instruction of the representative.


In a first part on this matter, the complainant argues regarding the
92. Fourthly, the defendant rightly observes that several ambiguities, errors, or deficiencies arise from the evidence (in interaction with the content of the complaint itself). However, these aspects seem to indicate more of a careless presentation of evidence by the complaining party and/or the representative, specifically regarding the dating of such documents, rather than fundamental problems surrounding the representative's mandate. The complainant also claims to have visited the web pages himself, which is challenged by the defendant. In any case, the inaccuracies or errors are not of such a nature that they should lead to the dismissal of the dossier in the present case.


“admissibility pursuant to art. 77(1) in conjunction with art. 80(1) GDPR”.
93. At the hearing, the complaining party acknowledges that not all documents in the complaint and the administrative dossier have been accurately labeled or described. However, the complainant states that he took the initial screenshots and thus raised the initial grievances that form the basis of the complaint. Regarding the HAR files (which contain a representation/recording of network traffic at a given time, showing the placing and reading of various cookies on the contentious websites) attached to the complaint, it is further raised that they were not generated by the complainant (but by staff of the representative). Here, the complaining party indicates that the HAR files do not serve to demonstrate the processing of personal data of the complainant as a data subject but rather to frame the general practices of the defendant.


a. First, under the section “burden of proof”, the complainant states that the complaints
94. All of this provides no direct evidence for a problem regarding the (fictitiousness of) the mandate. The complaining party is open about the approach, and everything indicates that additional evidence was gathered after the grievances arose for the complainant. Moreover, the defendant does not dispute that the screenshots and practices displayed on those screenshots were indeed real screenshots taken from the contentious websites.


and appendices show that there is a personal connection between the complainant and the
95. The same applies to the HAR files that were attached from the contentious websites. In this instance, the defendant considers the dating or the acting person behind the document to be unclear, but the Dispute Chamber contemplates in this regard that there is no indication that the documents would have been manipulated in any way. Moreover, particularly the HAR files play no role in the further assessment by the Dispute Chamber, notably because these files are not relevant for the violations subsequently identified.


data processing, inter alia because the complainant visited the websites, from which
96. Regarding the screenshots, it is established that it is the complainant who has taken note of the cookie banners and their various layers; at least part of the screenshots attached to the complaint was initially generated by the complainant.


the necessary indications of the violations described in the complaint appear. In this
97. It can be considered good practice that when Noyb represents a data subject, it ensures that the necessary evidence is gathered as the representative; there is no need for the complainant to initiate when they mandate Noyb to raise a predetermined case (with grievances traceable to the complainant's own initiative), so long as the evidence supports the complaint. In this sense, it is certainly not the case that the Dispute Chamber deems documents provided by the representative inadmissible.


regard, the complainant further states that the GDPR does not impose any requirements on the
98. In summary, the incorrectly labeled, qualified, or otherwise deficient documents are not of such a nature that they indicate a problem concerning the interest of the complainant or the representation mandate, nor do they lead to the need to dismiss the dossier. The decision rests solely on the evidence whose authenticity is established or on documents or elements presented by the defendant themselves.


content, form or scope of the complaint, nor on the evidence that the complainant
99. Fifthly, it is by no means the case that a complaint should be dismissed in any instance because a complainant (in this case still as a data subject) has not first approached the data controller, or that the Dispute Chamber would be unable to take measures when a data subject has not first approached the data controller. Depending on the circumstances, it is not even necessary for a person’s personal data to be processed for a complaint to be addressed by a supervisory authority – despite some legal discussions about this previously.24 However, it is true that the Dispute Chamber and the GBA as a whole – in light of their limited resources – strive for the most efficient processing of complaints, where the non-exercise of rights can certainly play a role in the assessment of whether or not to dismiss a complaint. Such an assessment is not in question here and now by the Dispute Chamber.


should provide. Furthermore, the complainant states that it is the controller who bears the burden of
100. In conclusion: for all these reasons, all arguments put forward by the defendant concerning aspects of the representation mandate and the mandate of the representative by the complainant in this dossier are unsubstantiated. The Dispute Chamber rules that the representation is legally valid under Article 80.1 GDPR, and that the complainant has a personal, direct, and established interest in the processing of personal data underlying the present complaint procedure. No further discussion is provided on the parties' arguments concerning the role of Article 80.2 GDPR in this dossier, since this provision does not play a role in this case.


proving that the GDPR is complied with, and not the complainant.
II.3. The violations
II.3.1. A comprehensive “refuse all” option at the first layer of cookie banners
Position of the complaining party
101. The position of the complainant regarding this point is as follows: “None of the […] cookie banners on the websites of the defendant [respondent] contains an “All refuse” button at the first level but only a button with “Agree and close” and a button with “More information.” The option to refuse all cookies simply and at once is intentionally hidden by the defendant [respondent]. Since no “All refuse” option is included at the first level of information on the cookie banner and the acceptance of all cookies is thus many times easier than refusing them, there is a “default effect” for and encouragement to accept all cookies (cf. Recital 32 GDPR). Based on this, the consent obtained by the defendant for placing cookies cannot be considered ‘unequivocal’ (Art. 4(11) GDPR), resulting in the consent obtained from the complainant being invalid (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive in conjunction with Art. 10/2 GBW). Consequently, the defendant [respondent] cannot demonstrate that the complainant has given consent for the processing of his personal data (Art. 7(1) in conjunction with Art. 5(2) GDPR).
the EDPB Cookie Banner Taskforce Report emphasizes again that the absence of a button labeled “Refuse All” at the same level as the “Accept All” button is considered a violation by a significant majority of data protection authorities. […] As previously raised in the complaint, this prevailing legal opinion also follows from guidelines of national supervisory authorities from France, Germany, Denmark, and Finland. Additionally, the guidelines from the Netherlands and Austria can be added to this list. The GBA explicitly states: “A ‘Manage Settings’ button is thus not sufficient alongside an ‘Accept All’ button. […] The mere provision of an option to refuse all cookies that evidently requires more steps, time, and effort than accepting all cookies also constitutes a violation of the principle of due process laid out in Art. 5(1)(a) GDPR, according to the EDPB guidelines on deceptive design and dark patterns.” Establishing that the absence of an “All refuse” option at the first informational layer of the defendant's cookie banners constitutes a violation, however, not only involves applying the guidelines of supervisory authorities, but is also a direct and concrete application of the legislation (in accordance with prevailing legal opinion). From a one-time approved action plan or individual (old) decisions of the Dispute Chamber in specific cases, where an “All refuse” button was not the subject, its value cannot be attributed as the prevailing legal opinion. […] As previously mentioned in this conclusion, the Markets Court confirmed that the decisions of the GBA's Dispute Chamber do not have precedent power.


b. Secondly, under the section “the processing operations in question
Position of the Defendant
102. The position of the defendant in its synthesis conclusion is as follows (the Dispute Chamber summarizes):


violate the GDPR”, the complainant states that the complaints describe where GDPR violations Decision on the merits 113/2024 — 19/70
4th argument (subordinate): The absence of a ‘refuse’ option in the first informational layer of the cookie banner does not render consent invalid
• Firstly, the defendant states that the alleged violation is “without purpose because the complainant gave his consent.” The defendant argues that as soon as a data controller obtains the consent of the data subject, there is a legal basis to process the data lawfully; the defendant points out that the complainant gave his consent.
• Secondly, the defendant states that the obligation to place the ‘refuse’ option in the first informational layer is not evident in any legislation. The defendant states that valid consent can be obtained “even when there is no ‘refuse’ option at the first informational level of the cookie banner.”
• Thirdly, the defendant indicates that the consent requirements under Article 7 GDPR have indeed been respected. The defendant states that Article 7 GDPR does not imply a requirement to have a ‘refuse’ option in the first informational layer of the cookie banner. The defendant highlights that Article 7.3 GDPR addresses the withdrawal of consent: “The GDPR does not set out similar requirements for refusing consent at a time when no consent has yet been given.” Furthermore, in this context, the defendant points out that Article 4.11 GDPR also does not require having a ‘refuse’ option at the first layer of the cookie banner: the expression of will can, according to the defendant, take place in a free, specific, informed, and unequivocal manner. In any case, the expression of will occurs actively.
• Fourthly, the defendant asserts that the cookie banner aligns with the “decision-making practice of the Dispute Chamber.” The defendant specifically refers to two decisions – Decision 12/2019 of December 17, 2019, and Decision 19/2021 of February 12, 2021 – where, in particular in the latter decision, the Dispute Chamber explicitly stated, as cited by the defendant: “The new cookie banner no longer relies on implicit consent (‘by continuing to use this website’) but gives the choice between ‘accept recommended cookies’ and ‘adjust cookie preferences.’”
• Fifthly, the defendant indicates that the cookie banner is in accordance with the guidelines of the EDPB regarding consent. The defendant states that it finds nothing indicating the requirement of a ‘refuse’ option at the first informational level of the cookie banner.
• Sixthly, the defendant notes that the cookie banner complies with the action plan of IAB Europe, which was approved by the Dispute Chamber.25 The defendant states: “Mediahuis understands that the action plan of the Internet Advertising Bureau (“IAB”), validated by the Dispute Chamber on January 11, 2023, also does not contain the requirement for a ‘refuse’ option in the first informational layer of a cookie banner. This action plan does not stipulate what buttons must appear at the first informational layer of a cookie banner.”
• Seventhly, the defendant argues that no violation occurs solely because the practice is not in accordance with “policy documents of authorities.” The defendant emphasizes that these are merely policy documents; they do not have binding force as they are not law. Additionally, the defendant states that it understands from the EDPB Cookie Banner Taskforce report that a number of authorities believe that the absence of an ‘all refuse’ option on the same level as an ‘all accept’ option does not constitute a violation of Article 5(3) ePrivacy Directive, which indicates to the defendant that there is no consensus on this among European supervisory authorities. Furthermore, the defendant stresses that the GBA is “not consistent” in the information provided to the public, pointing out the difference in cookie web pages on the “citizen” section of the GBA website versus the “professional” page on the GBA website. The defendant also mentions that the information on the “professional” website is unclear and links to non-professional web pages on the GBA website. The defendant had these inconsistencies noted by a bailiff on November 27, 2023, and submitted the findings as evidence.
• Finally, the defendant also replies to the conclusion of the complainant.


occur, and that the GDPR or the WOG do not require the complainant
Assessment by the Dispute Chamber
103. Article 10/2 PD Act states: In accordance with Article 125, § 1, 1°, of the Act of June 13, 2005, concerning electronic communication and without prejudice to the application of the Regulation and this Act, the storage of information or the acquisition of access to information that is already stored in the end device of a subscriber or user is only permitted on the condition that: 1° the subscriber or user receives clear and precise information about the purposes of the processing and their rights under the Regulation and this Act; 2° the subscriber or end user has given their consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the end device of a subscriber or end user, with the sole purpose of carrying out the transmission of a communication via an electronic communication network or providing a service explicitly requested by the subscriber or end user when this is strictly necessary for that purpose. (The Dispute Chamber underlines and emphasizes)


to first exercise his rights vis-à-vis the controller. Furthermore, the complainant points out that the
104. The European Data Protection Board (EDPB)26, just like the European Court of Justice (ECJ)27, has stated that the requirements concerning the notion of “consent” in the ePrivacy Directive must meet the requirements of consent under the GDPR.28 This is particularly true for those cookies that involve data processing: as the “Cookie Banner Taskforce” report of January 17, 2023 states, such processing implies that at the time of granting consent, this consent must meet the requirements of the GDPR.29


defendant did not accept the cookie banners pursuant to the settlement proposal and that the
105. Article 4.11 GDPR defines consent as follows: any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which they signify agreement to the processing of personal data relating to them, by means of a statement or by a clear affirmative action;


cookie banners are still unlawful.
106. Article 6(1) GDPR states: Processing shall be lawful only if and to the extent that at least one of the following applies:
27 EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1, May 4, 2020, §6-7.
37 EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1, May 4, 2020, §39: “For consent to be freely given, access to services and functionalities must not be conditional on the consent of a user to store information or obtain access to information already stored in an end-user's device (the so-called cookie walls).


c. Thirdly, under the section “sufficient personal interest”, the complainant
38 See also the examples cited in the GBA’s “cookie checklist”, available at: https://www.gegegevensbeschermingsautoriteit.be/publications/cookie-checklist.pdf, vn. 3: “A ‘Manage settings’ button is not sufficient alongside an ‘accept all’ button, also see the prior press release regarding that from the Data Protection Authority: https://www.gegevensbeschermingsautoriteit.be/burger/nieuws/2023/02/10/cookiebanners-de-edpb-publiceert-voorbeelden-van-niet-conforme-praktijken.”


states that the complainant visited the websites and that personal data were processed in
107. From the combined reading of the aforementioned legal provisions, and following the clarification from the Court of Justice regarding the interplay between the ePrivacy Directive and the GDPR, it follows unequivocally that the “refuse all” option must be provided by the defendant at the first layer when the defendant places an “accept all” button on that same layer.30 Otherwise, consent cannot be obtained in a “free” and “unambiguous” manner.31


doing so. The complainant then chose to be represented by Noyb, in accordance with art. 80(1) GDPR. The
108. Consent is not “free” when the data subject who does not wish to grant their consent (in the sense of Article 10/2, first paragraph, 2° PD Act) is required to take additional actions to refuse consent. As Recital 42 of the GDPR states: “Consent should not be considered freely given if the data subject has no genuine or free choice . . .”32 A choice implies at least an equally valid option to perform an act of refusal (not consenting) in the same manner as the act for which the choice is presented (consenting).33 Additionally, it should be noted that the involved visitor cannot close the cookie banner without making a choice, which constitutes a problematic form of so-called cookie wall.34


representation assignment can always be terminated, and art. 80(1) GDPR
109. The fact that consent is not granted freely is sufficient to conclude that consent is not validly offered as a choice and cannot be obtained.


does not impose any restriction on granting such a representation mandate
110. On the other hand, the “refuse all” option is indeed represented in the next layer in the same way as the “consent to all” option in that layer, but in any case in less clear colors than the “agree and close” option in the first layer, and with a number of other buttons displayed below in a similarly equal manner.37 As an example (mutatis mutandis applicable to the four contentious websites) on the website of De Standaard, from a screenshot in the synthesis conclusion of the defendant from the second layer:


during or after a “direct subordinate relationship” between the complainant and
38 A clear contrast with the ‘agree and close’ button in the first layer of the cookie banner: ---- Welcome to De Standaard! Mediahuis and third parties use cookies and similar techniques (“cookies”) for storing and/or accessing information on a device, functional and analytical purposes, advertisement and content measurement, audience insights, and product development, social media functionalities, personalized advertising, and personalized content. Personal data may be processed, including information about your device, your browser, and your use of the website. By clicking “Agree,” you agree to this. If you do not wish to allow all types of cookies, click on “Manage Preferences.” You can adjust your preferences at any time via the link “Manage Privacy Preferences” at the bottom of every page. Do you wish to learn more about how we use your data? Read our privacy policy and cookie policy. Our partners and we process data as follows: Personalized ads and content, ad and content measurement, audience insights and product development, Information stored and/or accessed on a device. Refuse all. Agree to all + Store and/or access information on a device. Disagree / Agree + Ad and content measurement, audience insights, and product development. Disagree / Agree + Personalized content. Disagree / Agree + Personalized ads. Disagree / Agree + Social Media. Disagree / Agree + Advanced measurement. Disagree / Agree + Using limited data to select content. Disagree / Agree + View partners Set all your preferences to save and proceed. ----


the representative, according to the complainant. Furthermore, the complainant states that the
111. It is essential to balance the right to data protection with other fundamental rights40 – such as freedom of enterprise41 – but when the legislator imposes a requirement for consent for certain processes (under the ePrivacy Directive as transposed in the PD Act), that consent must, of course, meet the specific requirements set by the same legislator (under both the ePrivacy Directive and the GDPR).


Court of Justice of the EU has accepted that a person who is (has been) employed by Noyb can be represented by the latter, and that the
112. Therefore, when it is established that, under applicable law, consent must be obtained for the placement of non-essential cookies – a point on which there is no dispute in this dossier – this inherently implies at least a direct choice, aside from the potential granularity for consenting to the placement of specific types or categories of cookies. As the complaining party notes, in the present cases on the four contentious websites, there is no legal reason why the refusal of cookies should not occur in the same simple manner.42 A different ruling would disregard the requirement of “free” and “unambiguous” consent necessary to obtain valid consent.


argument of invalid representation by Noyb has been rejected again and again
113. The defendant's argument that the complainant lacks an interest simply because he granted his consent is not tenable. Just because consent is given does not mean that the consent meets all the criteria for valid consent and thus constitutes valid consent under Article 4.11 in conjunction with Article 7.1 GDPR.


in the pending cases concerning Noyb. In addition, Noyb points out that the decisions
114. The defendant’s argument that the norm is unclear and that there is no reference in the legislation to the fact that an “all refuse” option must be present at the first informational level in the contentious cases is not the least bit tenable. This also applies to the argument that the situation adheres to the guidelines of the EDPB regarding consent, solely because those guidelines do not specify (with the incorrect implication that the guidelines do not require) the refuse option at the first ‘layer’ of the cookie banner.


of the Dispute Resolution Chamber do not set a precedent.
115. The Dispute Chamber further clarifies its powers regarding this issue.


d. Fourthly, the complainant states under the section “Incorporation under Belgian law
116. Article 8(3) of the Charter of Fundamental Rights of the European Union states that independent authorities must oversee compliance with the right to the protection of personal data. This provision underlines the importance of independent control and forms the basis for the establishment of supervisory authorities. Under Article 57.1 GDPR, supervisory authorities are authorized to enforce the GDPR.43 Under Article 4 DPA Act, the GBA is competent for this enforcement.44 Under Article 32 DPA Act, the Dispute Chamber is the administrative dispute body of the GBA; it decides on a case-by-case basis.


(art. […] 220§2,1° GBW)that the GBA has already previously endorsed that this
117. Since the entry into force of the Act of December 21, 2021, implementing the European Code for electronic communications and modifying various provisions concerning electronic communications on January 10, 2022 (“WEC”), the GBA is now competent under Belgian law for overseeing the provisions regarding the placement and use of cookies (i.e., “the storage of information or obtaining access to information that is already stored in the end device of a subscriber or a user”). This law made several amendments to the WEC. Specifically, Article 256 of the Act of December 21, 2021, repeals Article 129 WEC and transfers this provision to the Act of July 30, 2018, concerning the protection of natural persons regarding the processing of personal data (PD Act).45 Given that the GBA has residual authority to oversee the provisions of the PD Act, this confirms the material competence of the GBA regarding the placement and use of cookies.


Belgian provision is more restrictive than art. 80(1) GDPR and that it disregards it in the sense that non-
118. The European legislator explicitly chose, in light of the increasingly digital society, to assign the enforcement of the GDPR to an authority that connects with similar authorities in...
valid consent under Article 6.1(a) GDPR.


compliance with it has ‘no impact’. The
Position of the Complainant
The complainant emphasizes once again that the EDPB Cookie Banner Taskforce Report also confirms that the absence of a button labeled “Refuse All” at the same level as the “Accept All” button is deemed a violation by a large majority of data protection authorities. […] As previously mentioned in the complaint, the fact that this is the prevailing legal opinion is also supported by guidelines from national supervisory authorities in France, Germany, Denmark, and Finland. The guidelines from the Netherlands and Austria can also be added to this. The GBA explicitly prescribes that: “A ‘Manage Settings’ button is therefore not sufficient alongside an ‘Accept All’ button. […] The mere provision of an option to refuse all cookies that evidently requires more steps, time, and effort than accepting all cookies constitutes a violation of the principle of due process in Art. 5(1)(a) GDPR, according to the EDPB guidelines on deceptive design and dark patterns.” Establishing that the absence of an “All refuse” option at the first information layer of the defendant’s cookie banners constitutes a violation does not solely rely on the application of supervisory guidelines, but rather constitutes a direct and concrete application of the legislation (in accordance with the prevailing legal opinion). The valuing of a one-time approved action plan or individual (previous) decisions of the Dispute Chamber in specific cases, where the absence of misleading button colors was not the subject, cannot be attributed the value of an established legal opinion. […] It has also been confirmed by the Markets Court that the decisions of the Dispute Chamber of the GBA do not have precedent effect.


complainant further submits that the GBA must disregard the effect of the national provision
Position of the Defendant
102. The defendant’s position in its synthesis conclusion is as follows (the Dispute Chamber summarizes):


in order to guarantee the full effect of EU law and therefore to admit Noyb as a representative on the basis of Article 80(1) GDPR; Noyb
4th Argument (subordinate): The absence of a ‘refuse’ option in the first informational layer of the cookie banner does not invalidate consent
• Firstly, the defendant states that the alleged violation is “without purpose since the complainant gave his consent.” In this context, the defendant asserts that as soon as a data controller has obtained the consent of the data subject, there exists a legal basis for lawful processing of the data; the defendant points out that the complainant granted his consent.
• Secondly, the defendant states in a subordinate manner that there is no obligation to place the ‘refuse’ option at the first information layer in any legislation. The defendant claims that valid consent can be obtained “even when there is no ‘refuse’ option at the first layer of the cookie banner.”
• Thirdly, the defendant asserts that the consent requirements under Article 7 GDPR have indeed been respected. The defendant argues that Article 7 GDPR does not show a requirement for a ‘refuse’ option in the first informational layer of the cookie banner. The defendant points out that Article 7.3 GDPR pertains to the withdrawal of consent: “The GDPR does not impose similar requirements for refusing consent at a time when consent has not yet been granted.” Furthermore, the defendant emphasizes that Article 4.11 GDPR does not impose a requirement for having a ‘refuse’ option at the first layer of the cookie banner: according to the defendant, the expression of will can take place freely, specifically, informed, and unequivocally. In any case, the expression of will occurs in an active manner.
• Fourthly, the defendant states that the cookie banner aligns with the “decision-making practice of the Dispute Chamber.” The defendant refers specifically to two decisions – Decision 12/2019 of December 17, 2019, and Decision 19/2021 of February 12, 2021 – where, particularly in the latter decision, the Dispute Chamber explicitly stated, as cited by the defendant: “The new cookie banner no longer relies on implied consent (‘by continuing to use this website’) but gives the choice between ‘accept recommended cookies’ and ‘adjust cookie preferences.’”
• Fifthly, the defendant claims that the cookie banner is in accordance with the EDPB guidelines on consent. The defendant argues that they do not see any requirement for a ‘refuse’ option at the first informational level of the cookie banner.
• Sixthly, the defendant asserts that the cookie banner is in accordance with the action plan of IAB Europe, which was approved by the Dispute Chamber.25 The defendant states: “Mediahuis understands that the action plan of the Internet Advertising Bureau (“IAB”), validated by the Dispute Chamber on January 11, 2023, does not entail the requirement for a ‘refuse’ option in the first informational layer of a cookie banner. This action plan does not contain any stipulation regarding what buttons must be included at the first information layer of a cookie banner.”
• Seventhly, the defendant argues that merely because the practice is not in accordance with “policy documents of authorities” does not mean there is a violation. The defendant points out that these are merely policy documents; they do not have binding force as they are not law. Additionally, the defendant states that based on the EDPB Cookie Banner Taskforce report, some authorities believe that the absence of an ‘All refuse’ option at the same level as an ‘All accept’ option does not constitute a violation of Article 5(3) of the ePrivacy Directive, indicating to the defendant that there is no consensus on this matter among European supervisory authorities. Moreover, the defendant argues that the GBA is “inconsistent” in the information it provides to the public, highlighting the differences in cookie-related pages on the “citizen” section of the GBA website versus the “professional” page. The defendant notes that the information on the “professional” website is unclear, linking to non-professional pages on the GBA website. The defendant had these inconsistencies recorded by a bailiff on November 27, 2023, and submits these findings as evidence.
• Finally, the defendant responds to several points raised in the complainant’s conclusion.


is validly established under the law of a Member State, in this case Austria.
Assessment by the Dispute Chamber
103. Article 10/2 PD Act stipulates: In implementation of Article 125, § 1, 1°, of the Act of June 13, 2005, concerning electronic communications and without prejudice to the application of the Regulation and this Act, the storage of information or the obtaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed under the condition that: 1° the concerned subscriber or user, in accordance with the provisions laid down in the Regulation and this Act, receives clear and precise information about the purposes of the processing and his rights based on the Regulation and this Act; 2° the subscriber or end-user has given consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the terminal equipment of a subscriber or end-user when the sole purpose is to carry out the transmission of a communication via an electronic communications network or to provide a service explicitly requested by the subscriber or end-user when this is strictly necessary for that purpose. (The Dispute Chamber underlines and emphasizes)


79. In a second part on this matter, the complaining party argues regarding the
104. The European Data Protection Board (EDPB)26, just as the European Court of Justice (ECJ)27, has stated that the requirements applied to the notion of “consent” in the ePrivacy Directive must comply with the requirements for consent under the GDPR. This is particularly the case for those cookies that involve data processing: as the EDPB Cookie Banner Taskforce report of January 17, 2023 states, such processing suggests that at the moment of granting consent, the consent must meet the conditions of the GDPR.


“admissibility under art. 80(2) GDPR”:
105. Article 4.11 GDPR defines consent as follows: any freely given, specific, informed, and unambiguous expression of the data subject's wishes, by which they indicate agreement to the processing of personal data relating to them;


a. The complaining party states in this regard that there is a valid representation under
106. Article 6(1) GDPR specifies: Processing shall be lawful only if and to the extent that at least one of the following applies:


art. 80(1) GDPR, which means that a question of admissibility under art. 80(2) GDPR is not
107. From the combined reading of the aforementioned legal provisions, and following the clarification from the Court of Justice regarding the interplay between the ePrivacy Directive and the GDPR, it follows unequivocally that the “refuse all” option must be provided by the defendant at the first layer when the defendant places an “accept all” button on that same layer. Otherwise, consent cannot be obtained in a “free” and “unambiguous” manner.


at issue. In addition, the complaining party notes that Noyb can institute proceedings with the courts itself in accordance with art. 17 Judicial Code and that there is no
108. Consent is not “free” when the data subject who does not wish to grant their consent is required to take additional actions to refuse consent. As Recital 42 of the GDPR states: “Consent should not be deemed freely given if the data subject has no genuine or free choice.” A choice implies that there is at least an equal option to opt for a different action (not consenting) in the same manner as the action for which the choice is offered (consenting).


reasonable justification for not allowing Noyb to independently file a complaint with the GBA. In addition, the complaining party notes that the legislative history
109. The fact that consent cannot be freely granted is sufficient on its own to determine that it cannot be validly offered as a choice and cannot be obtained.


of art. 17 Judicial Code does not state that the provision does not apply to procedures
110. On the other hand, the “refuse all” option is indeed represented in the next layer in the same way as the “accept all” option in that layer, but in any case, with less clarity compared to the “agree and close” option in the first layer, and is accompanied by a number of other buttons displayed beneath in a similar, equally significant manner.


before the (Dispute Chamber of the) GBA. On the other hand, according to the complaining party, it follows
111. This striking color usage in the first layer of the contentious cookie banners, where the button representing the “accept all” option is highlighted in a more pronounced color, reflects a choice aimed at leading the data subject to grant consent for cookies to be placed.


from the legislative history of art. 58 WOG that “anyone” can file complaints, Decision on the merits 113/2024 — 20/70
112. The EDPB Cookie Banner Taskforce report indicates that regarding color use, no general standard can be imposed on data controllers, but the assessment should be made on a case-by-case basis.


including legal entities and associations. Furthermore, the complainant states that
113. In the present cases, the defendant uses various standout colors that likely induce a deceptive sense of comfort for the data subject:
  a. On the De Standaard website, the “agree and close” option is presented prominently in a dark red color as the most data-collecting option, while alternatives require clicking on a light gray banner against a white background.
  b. On the Het Belang van Limburg website, the “agree and close” option is shown prominently in dark black, while alternatives require clicking on a light gray banner on a white background.
  c. On the Het Nieuwsblad website, the “agree and close” option is shown prominently in dark blue, while alternatives require clicking on a light gray banner against a white background.
  d. On the Gazet van Antwerpen website, the “agree and close” option is shown prominently in bright red, while alternatives require clicking on a light gray banner against a white background.


allowing Noyb to appear before a court as an independent procedural actor, but not
114. Interfaces designed with deceptive comfort as in this case undeniably steer a data subject to choose the most data-collecting options, notably because the person is unaware of how many more steps they must undertake before they can choose not to allow cookies (i.e., not to consent). The data subject knows that they choose the “path of least resistance” with this comfortable option in the first layer of the cookie banner – without this necessarily reflecting their actual informed preference for granting consent.


before the GBA, would constitute a violation of the principle of equality within the meaning of art.
115. The defendant's argument that the complaint on this point is “without purpose” because different color usage is no longer employed in the second informational layer (after an adjustment during the procedure) is evidently not conducive. The assessment at hand pertains to the color usage in the first layer of the cookie banner; the Dispute Chamber’s evaluation in the dossier (including the letter dated February 5, 2024, with alleged violations stated) is in no way limited to the second layer of the cookie banner.


10 of the Belgian Constitution. The complainant concludes: “The fact that noyb
116. The argument that the involved complainant did grant consent is also not favorable, as the granting or withholding of consent does not preclude the assessment of the propriety of the processing. Additionally, the fact that consent has been granted is not ipso facto sufficient to state that consent has been validly granted.
would have sufficient interest in filing complaints such as these already follows


from Noyb’s statutes.
117. The argument that there is “no prohibition” against using different colors is correct in a formal sense. However, the Dispute Chamber has already laid out above that this does not prevent the choice of specific colors from violating the duty of propriety in light of activities involving the processing of personal data, and that the unambiguous nature of consent cannot be ensured.


Defendant's position
118. The argument that the Dispute Chamber has approved an action plan from an industry organization that would directly relate to the present contentious situations is likewise not a favorable argument. As previously mentioned, the decisions of the Dispute Chamber have no precedent value. Moreover, the entity referred to by the defendant is completely foreign to the current procedure.


80. The defendant's position is clarified in this matter in two of its grounds,
119. Furthermore, it is important to note that under Articles 5.2 and 24 GDPR, it is the data controller who is responsible for ensuring compliance with the application of the GDPR and for taking appropriate technical and organizational measures accordingly. The defendant does not contest its responsibility for the substantive evaluation of its processing activities; therefore, even though this argument is not substantively conducive, it is also abundantly clear that it misses its target in a formal sense.


and is as follows (the Dispute Chamber summarises):
120. The Dispute Chamber does not dispute – as the defendant argues – that the guidelines of the supervisory authority and the European Data Protection Committee do not have the force of law. However, this does not mean that they do not have authoritative value (or should not), at least because Article 57.1(f) GDPR tasks the GBA with informing data controllers of their obligations under the regulation, just as Article 70.1(u) mandates the EDPB to facilitate cooperation among supervisory authorities and formulate guidelines, best practices, and recommendations as needed to ensure consistent application of the GDPR (Art. 70.1(d) GDPR).


e
121. For all these reasons, it is evident that the misleading colors used on the first layer of the cookie banner constitute a violation of the duty of propriety in the sense of Article 5.1(a) GDPR. Since consent is not unambiguous, it cannot be claimed that valid consent is obtained.
"2nd ground (in the main order): Absence of a sufficient personal interest on the part of
7.3 AVG als ongegrond, aangezien de klager geen bewijs heeft geleverd dat er op het moment van de klacht een gerechtvaardigd belang zou zijn geclaimd of toegepast.


the complainant":
Position of the Complainant
147. The position of the complainant is as follows: “On none of the defendant's websites does it require the same simplicity to withdraw consent as it does to accept cookies. Accepting all cookies occurs with a simple click (or two clicks if the ‘More information’ button is pressed), while withdrawing consent is not possible with a single click. Instead, website visitors must go to a specific section of the website to withdraw cookies. At the very bottom of the page, there is a link labeled ‘Manage Privacy Preferences’ buried among an extensive list of various other links. If clicked, the website visitor can then opt to ‘Refuse All’, ‘Accept All’, or click ‘Not Agree’ or ‘Agree’ for each purpose. Under Article 7(3), first sentence, GDPR, a data subject has the right to withdraw their consent at any time. The withdrawal of consent must be as easy as granting it according to Article 7(3), third sentence, GDPR. Since this requirement is not met, the defendant also violates Article 12(1) GDPR, Article 17(1)(b) GDPR, Article 5(3) ePrivacy Directive, and Article 10/2 PD Act. Moreover, the simplicity of withdrawing consent is indeed a requirement for the consent granted to be classified as valid under Article 7(1) in conjunction with Article 4(11) GDPR (and thus also for compliance with Articles 10/2 PD Act and 125 §1, 1° WEC). The EDPB has confirmed this in its guidelines on consent: ‘The ability to easily withdraw consent is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw does not meet the GDPR requirements, then the consent mechanism of the data controller is not compliant with the GDPR.’ […] (emphasis added) In the EDPB Cookie Banner Task Force report, it is also emphasized that the withdrawal of consent for cookies must be as easy as granting it […] Furthermore, the EDPB guidelines on consent clarify: ‘When consent is obtained through electronic means, by a single mouse click, swipe, or keystroke, the data subject should be able to withdraw this consent just as easily in practice.’ […] In the EDPB guidelines on deceptive design and dark patterns, this same requirement is explicitly reiterated […] Therefore, the defendant must provide the complainant the opportunity to withdraw his consent with a single mouse click. When a clearly visible option for granting consent is offered, there must also be an equally clearly visible option for withdrawing consent. A link labeled ‘Manage Privacy Preferences’ in small text, among an extensive list of other links, at the very bottom of the defendant's website pages – requiring extensive scrolling – clearly does not meet these requirements. A floating, permanently visible ‘hoover’ button to withdraw consent that remains visible would meet these requirements. The defendant has somewhat improved the possibility to withdraw consent and change cookie settings since the complaint was filed. It is now possible – once the ‘Manage Privacy Preferences’ button is located and clicked – to press an ‘All Refuse’ button, whereas previously it was only possible to withdraw consent for each purpose individually. […] This shows that the defendant can easily provide an equivalent option to withdraw cookies as soon as the website visitor finds the opportunity to adjust cookie settings, and that the defendant previously consciously chose not to do so. It also shows that the defendant evidently believes the previous cookie banner did not comply with the applicable legal requirements of Article 7(3) GDPR. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection legislation by removing personal data in connection with a complaint or investigation. This does not negate the fact that the violation indeed occurred (for quite some time). Furthermore, with the changes made by the defendant, it is still not as simple to withdraw consent as it is to grant it; it has only become easier than it was at the time the complaint was filed.”


a. In this ground, the defendant first states, in summary, that "no
Position of the Defendant
148. The position of the defendant is as follows (the Dispute Chamber summarizes):


credible evidence or claim of processing of personal data of
6th Argument (subordinate): The withdrawal of consent does not violate Article 4(11) in conjunction with Article 7.3 GDPR, nor Articles 10/2 PD Act and 125 §1, 1° WEC
  a. Firstly, the defendant states “primarily” that there is an absence of sufficient personal interest on the part of the complainant concerning the alleged use of legitimate interest. The defendant claims that no cookies have been placed in this manner regarding the complainant, since the complainant granted consent for placing cookies.
  b. Secondly, the defendant asserts “subordinately” that the complaint is without purpose because the current cookie screens of Mediahuis no longer reference legitimate interest. The defendant notes that during the same period as the settlement procedure, a number of adjustments regarding the placement of cookies based on legitimate interest were prepared (and ultimately implemented on December 22, 2023).
  c. Thirdly, the defendant claims “more subordinately” that there is no breach of Article 6.1(f) GDPR, and that the complaint is unfounded to the extent that it contends that legitimate interest can never be a legal basis for cookies.
  d. Fourthly, the defendant states “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant notes: “[…] if the exception to the rule (consent) under Article 10/2 PD Act applies, then it is self-evident that in such a case the rule (consent) itself does not apply.”
  e. Fifthly, the defendant replies to the conclusion of the complainant regarding this matter.


the complainant" is adduced in the complaint. According to the defendant, it is not certain
8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR concerning transparency of the cookie banner
  a. Firstly, the defendant states “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant notes that all references to legitimate interest were removed on December 22, 2023.
  b. Secondly, the defendant asserts “subordinately” that there is no violation of Article 5.1(a) GDPR. The defendant considers the allegation based on Article 7.3 GDPR to be unfounded, as the complainant granted consent, and states that there is “no prohibition” on using different colors to obtain consent in cookie banners.


that the complainant himself visited the websites in question.
Assessment by the Dispute Chamber
149. Firstly, the focus must be on the situation regarding the withdrawal of consent at the time of the complaint (the ‘old’ situation), before the defendant made several adjustments during the procedure. These adjustments to the contentious websites led to the situation that after clicking on the ‘Manage Privacy Preferences’ link on the contentious websites, consent could be withdrawn with a single click (“All Refuse”).


The defendant states that, based on “further investigation”, it establishes, for example, that a number of “false or at least defective assertions” can be read into the complaint – and refers for each of the four complaints to the fact that for each of the four complaints, references to news pages (web pages) were included in the evidence that were dated after the date on which the complainant claimed to have visited the websites.
150. In the ‘old’ situation, a data subject indeed had to undertake “a number of clicks” (according to the defendant's wording) to withdraw consent, while the initial consent (“agree and close”) required only one click. The defendant expressly acknowledges that a visitor (here classified as a data subject) had to click “many more times” “compared to the situation in which he wanted to grant his full consent.


In addition, the defendant points to other inconsistencies in the submitted
151. Therefore, in this ‘old’ situation, withdrawing consent was clearly not as simple as granting it, which constitutes a violation of Article 7.3 GDPR. The fact that the withdrawal of consent is a relative concept – meaning that it must be as “easy” to withdraw as it is to grant – does not diminish its significance. Such an understanding as a relative concept in legal terms may well be accurate, but in relative circumstances, the “number of clicks” the defendant refers to is clearly relative to more clicks than the single click for the “agree and close” button on the cookie banner.


documents.
152. Regarding the ‘new’ situation, following the defendant's adjustments during the procedure: in the new situation, withdrawing consent after clicking on the ‘Privacy Preferences’ link on each webpage of every contentious news website can indeed be done with a single click (“All Refuse”). The options provided in the cookie banner are identical to those offered at the second layer of the cookie banner for granting consent: this practice does not give rise – based on the available documents in the dossier – to establishing a breach.


b. Secondly, in this plea, it is argued, in summary, that the “processing in question” does not violate the GDPR. The defendant argues in this regard that the
153. The website does not require a mandatory “permanently visible” button for properly withdrawing consent. When a data subject can withdraw consent with two clicks from any webpage on the contentious websites under Article 7.3 GDPR, it aligns with the spirit of the legal provision. A data subject can reasonably expect the cookie settings to be found at the bottom of a webpage. The individual can subsequently take note of the information regarding the withdrawal of consent and do so with a single button.


complainant, as the data subject, gave his consent and that he consulted the
154. As the EDPB pointed out in the report from the Cookie Banner Taskforce, it is sufficient that a link on the website is available and placed in a “visible and standardized location.”55 Placing a direct link at the bottom of every webpage leading to a banner with a single button to withdraw consent meets this requirement. The EDPB has also emphasized in the same report that legislation only requires easily accessible solutions to be provided for withdrawing consent, but that a “specific withdrawal solution” is not mandated, and particularly the establishment of a hovering solution cannot be imposed on a data controller within the current legal context.56


various information layers, as is evident from the evidence.
155. The defendant rightly stresses that the requirement under Article 7.3 GDPR that consent must be “as easy” to withdraw as it is to grant presents a relative situation. In this sense, for the proper functioning of a website – which is also in the interest of the data subject – it is not expected that the withdrawal of consent occurs in precisely the same manner when this entails that they (in the most literal sense) must do so ‘at all times’ in that way.


Moreover, as the defendant points out, the complainant did not exercise his
156. In this reasoning, a “hoover” button (the proposal put forth by the complainant) would not suffice, as such a “hoover” button does not provide exactly the same visual representation as a cookie banner (for granting consent) for withdrawing consent at any time during the website visit. Such a requirement would impose a blocking effect on the internet user, which is manifestly unreasonable.


rights vis-à-vis the defendant. This means that, if the defendant, that
57. Regarding the ‘old’ situation, a breach must indeed be established regarding Article 7.3 GDPR. Given that there is no evidence that this breach continues in the ‘new’ situation following the adjustments made by the defendant, the Dispute Chamber decides on this point to issue a reprimand to the defendant. No other coercive or punitive measures are deemed appropriate in this regard.


the Litigation Chamber cannot impose an order to erase data within the meaning
II.3.4. Use of legitimate interest for placing cookies that require consent and alleged breach of transparency and information obligations
Position of the Complainant
158. The position of the complainant is as follows: “When the complainant visited the websites, the websites of the defendant [respondent] contained a button for legitimate interest in the second layer of the cookie banner that was defaulted to ‘Agree’ for conducting an ‘Advanced Measurement’ to ‘measure advertisement and content performance. Insights can be derived about the audience that has viewed the advertisements and content. Data can be used to build or improve user experience, systems, and software.” This “legitimate interest button” for conducting such “measurements” was placed alongside a button to grant consent for the same purpose and was only visible if the website visitor pressed the ‘+’ button. Therefore, the defendant [respondent] presents that it has a legitimate interest (Art. 6(1)(f) GDPR) for conducting “advanced measurements” if the complainant does not grant consent (Art. 6(1)(a) GDPR). Legitimate interest thus serves as a ‘backup’ basis for the defendant. In this way, the defendant unlawfully shifts from an "opt-in" system based on Article 6(1)(a) GDPR to an "opt-out" system based on Article 6(1)(f) GDPR. Legitimate interest was and is not a valid legal basis for the placement and reading of non-strictly necessary cookies, such as the cookies placed for conducting “advanced measurements” (cf. Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). This has been reiterated in the EDPB Cookie Banner Taskforce Report and in guidelines from national supervisory authorities.


of Article 17 GDPR or an order to notify this erasure or rectification to
159. It is correct that other bases under Article 6 GDPR can be used in very limited cases for the placement and reading of cookies. However, this only applies to strictly necessary cookies and solely for the purpose of sending communication via an electronic communications network (Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). Conducting “advanced measurements” by the defendant does not fall under this strict exception. Also, the further processing of personal data obtained via cookies for which consent is required must fundamentally be based on consent, as also confirmed by the EDPB and the EDPS. […] This also applies to further processing of data for conducting “advanced measurements” by the defendant. Moreover, it is misleading for the defendant to present as if consent is the basis for processing while, if this consent is not granted, the basis is switched to legitimate interest without respecting the complainant's choice to refuse consent. This violates the principles of legality, propriety, and transparency (Article 5(1)(a) GDPR). This conduct is contrary to Article 6 GDPR and Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act, and therefore unlawful. The EDPB guidelines on consent explicitly state that this conduct by the defendant is unfair (Article 5(1)(a) GDPR): “It is important to note that if a data controller chooses to base part of the processing on consent, it must be willing to respect the choices regarding that consent and to stop that part of the processing if a person withdraws their consent. To present as if data is processed based on consent while, in reality, another legal basis is relied upon would be fundamentally unfair to data subjects. [...] In other words, a data controller cannot substitute consent for other legal grounds. For example, it is not permitted to resort to the legal ground of ‘legitimate interest’ after the validity of consent becomes problematic.” […] (emphasis added)


third parties within the meaning of Article 19 GDPR.
160. Furthermore, there was no information about the alleged legitimate interest in the cookie banner, nor was there an option to object at the first level of the cookie banner. The only opportunity to object and even to receive information about such claimed legitimate interest was hidden in the second layer of the cookie banner. The text “Manage Preferences” at the first informational level of the cookie banner did not lead to this information or the opportunity to object. More specifically, within the second informational layer, one needed to click on the plus sign (+) next to “Advanced Measurement” to convert the defendant's “Legitimate Interest” into “Not Agree.” Thus, objecting to and being informed about the defendant's alleged legitimate interest required the website visitor to click multiple times, which people do only 2% of the time in practice. This is in violation of Article 21(4) GDPR and Article 12(2) GDPR, as both the fact that the defendant based its processing on the alleged legitimate interest and the possibility to object to this alleged legitimate interest were not explicitly brought to the attention of the data subject. This conduct also did not align with the principle of transparency (Article 5(1)(a) GDPR). Moreover, it is incomprehensible for the defendant to assume that if a data subject does not grant consent for the related “advanced measurement” processing, they would also not raise an objection against the processing under Article 21 GDPR. However, the cookie banner seemed to assume that data subjects must express the same desire not to have their data processed twice: once as a refusal of consent and then as an additional objection against the same processing activity (which constitutes a "double opt-out"). Considering the above, the defendant violated the principles of legality, propriety, and transparency as laid out in Article 5(1)(a) GDPR. The defendant has thankfully already removed references to “legitimate interest” from its cookie banners. The inclusion of a “legitimate interest” in the cookie banners has thus proven not necessary for the defendant and can easily be adjusted, indicating that the defendant previously consciously chose to include a reference to legitimate interest. This also shows that the defendant evidently believes that the previous cookie banner did not meet the applicable legal requirements. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibilities under data protection legislation by remedying GDPR violations post-complaint or during an investigation. This does not negate the fact that the violation definitely occurred (for a considerable time).


c. Thirdly, the defendant states, in summary, that the “data subject” (complainant)
Position of the Defendant
159. The defendant's defense is as follows (the Dispute Chamber summarizes):


does not have a sufficient personal interest and the representative is acting under a fictitious
7th Argument (subordinate): The reference to ‘legitimate interest’ does not constitute a violation of Article 6.1(f) GDPR, nor Articles 10/2 PD Act and 125, §1, 1° WEC
  a. Firstly, the defendant states “primarily” that there is an absence of sufficient personal interest concerning the alleged use of legitimate interest. The defendant asserts, among other points, that no cookies were placed in this manner with respect to the complainant, since the complainant gave consent for placing cookies.
  b. Secondly, the defendant argues “subordinately” that the complaint is without purpose because there is no longer any reference to legitimate interest since December 23, 2023. The defendant states that references to legitimate interest were removed on December 22, 2023.
  c. Thirdly, the defendant argues “more subordinately” that there is no violation of Article 6.1(f) GDPR and that the complaint is unfounded to the extent it claims that legitimate interest can never serve as a legal basis for cookies.
  d. Fourthly, the defendant contends “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant indicates: “[…] if under Article 10/2 PD Act the exception to the rule (consent) applies, then it is self-evident that, in such a case, the rule (consent) itself is not applicable.”
  e. Fifthly, the defendant replies to the conclusion of the complainant regarding this aspect.


mandate. The defendant refers to press releases from Noyb
8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR concerning the transparency of the cookie banner
  a. Firstly, the defendant states “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant reiterates that all references to legitimate interest were removed on December 22, 2023.
  b. Secondly, the defendant claims “subordinately” that there is no violation of Article 5.1(a) GDPR in this regard. The defendant considers the allegation based on Article 21.3 GDPR to be unfounded, asserting that the complainant granted consent, and indicates that there is “no prohibition” on the use of different colors to obtain consent in cookie banners.


regarding its actions against “cookie banner terror” as well as a specific Decision on the merits 113/2024 — 21/70
Assessment by the Dispute Chamber
 
134. As the EDPB clarifies in its guidelines concerning misleading design patterns within social media platform interfaces, in the case of a potentially misleading design, the principle of propriety contained in Article 5.1(a) GDPR can be applied to assess whether a violation of legislation has occurred.
press release concerning the settlements of the Litigation Chamber. The defendant
 
quotes the following passage from this latest press release from Noyb: “Noyb files 15 complaints
 
against the aforementioned media sites in order to force them to adjust their cookie
 
banners after all.” The defendant also states that the complainant was an intern at Noyb at the time of the
 
visits to the disputed websites, that the visits to the websites were not


spontaneous visits (given the limited time spent less than 1 minute per website), the
135. On all four contentious websites, the first ‘layer’ of the cookie banner is displayed nearly identically to that on the De Standaard newspaper's website albeit with different colors, depending on the specific contentious news website:


geographical data regarding the website visits can be traced back to Austria, the complainant himself
Welcome to De Standaard! Mediahuis and third parties use cookies and similar techniques (“cookies”) to store and/or access information on a device, functional and analytical purposes, advertisement and content measurement, audience insights, product development, social media functionalities, personalized ads, and personalized content. Personal data may be processed, including information about your device, your browser, and your use of the website. By clicking “Agree,” you consent to this. If you do not wish to allow all types of cookies, click on “Manage Preferences.” You can adjust your preferences at any time via the link “Manage Privacy Preferences” at the bottom of each page. Do you wish to learn more about how we use your data? Read our privacy policy and cookie policy. Our partners and we process data as follows: Personalized ads and content, advertisement and content measurement, audience insights, and product development. Information stored and/or accessed on a device. Refuse All. Agree to All +


states that he is acting against a general practice and that the complainant filed a complaint
136. The use of certain more prominent colors on the four contentious websites, which primarily aims to encourage the data subject to grant consent for cookies, leads the Dispute Chamber to assert that the duty of propriety under Article 5.1(a) GDPR has been violated, thereby jeopardizing the valid acquisition of consent, constituting a breach of Article 6.1(a) GDPR. Consent cannot be unambiguously obtained when a data subject is “guided” to take a certain action.


against other media companies on the same day. The defendant also points out that the
137. It is evident that the striking color usage in the first layer of the contentious cookie banners, wherein the button that represents the accept-all option (“agree and close”) is highlighted in more pronounced color contrast, reflects a certain choice that leads to more intrusive processing of personal data due to the placing of cookies.


letter to the First Line Service by Noyb on 1 September 2023 does not
138. The EDPB Cookie Banner Taskforce report states that regarding color use, no general standard can be imposed on data controllers, but the assessment should be conducted on a case-by-case basis.


demonstrate that the complainant indeed has the required personal interest, and that the
139. In these cases, the defendant uses various prominent colors that likely induce a deceptive sense of comfort for the data subject:
  a. On the De Standaard website, the “agree and close” option is presented in dark red as the most data-collecting option, while alternatives must be clicked through a light gray banner on a white background.
  b. On the Het Belang van Limburg website, the “agree and close” option is presented in dark black as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
  c. On the Het Nieuwsblad website, the “agree and close” option is presented in dark blue as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
  d. On the Gazet van Antwerpen website, the “agree and close” option is presented in bright red as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.


Dispute Resolution Chamber had already ruled in an earlier decision in a similar case
140. Interfaces designed in this way create an undeniable tendency for a data subject to choose the most data-collecting options, particularly since individuals may not even know how many steps they must undertake before they can opt out of cookie placements (i.e., not grant consent). The data subject is aware that this comfortable option at the first layer of the cookie banner allows them to take the “path of least resistance” – without this necessarily reflecting their genuine informed preference for granting consent.


(Decision 22/2024 of 24 January 2024) that Noyb's mandate is fictitious.
141. The defendant's argument that the complaint on this point is “without purpose” because different color usage is no longer present in the second informational layer (after an adjustment during the process) is clearly not helpful. The assessment here is about the color usage in the first layer of the cookie banner; the Dispute Chamber’s evaluation in the dossier (including the letter dated February 5, 2024, outlining the alleged violations) is in no way limited to the second layer of the cookie banner.


d. Fourthly, the defendant states that Noyb committed an abuse of rights because it used the
142. The argument that the involved complainant granted consent is also not helpful, as the granting or withholding of consent does not preclude the assessment of the propriety of the processing. Additionally, the fact that consent was given is not, by itself, sufficient to assert that consent has been validly granted.


complaints procedure to "implement its own publicly announced programme via a fictitious mandate from a subordinate
143. The argument that there is “no prohibition” against using different colors is accurate in a formal sense. However, the Dispute Chamber has already elaborated above that this does not prevent the selection of certain colors from violating the duty of propriety in terms of personal data processing activities, and that the unambiguous nature of consent cannot be guaranteed.


trainee". The defendant further states: "In this way, Noyb attempted to circumvent the non-
144. The argument that the Dispute Chamber approved an action plan from an industry organization that would directly relate to the present contentious situations is also not a useful argument. As noted earlier, the decisions of the Dispute Chamber have no precedential value. Additionally, this refers to an entity that is entirely unrelated to the current procedure.


transposition into Belgian law of Article 80.2 . . .." The defendant
145. Furthermore, the Dispute Chamber emphasizes that according to Article 5.2 and Article 24 GDPR, it is the data controller who is responsible for ensuring compliance with the application of the GDPR and for implementing appropriate technical and organizational measures accordingly. The defendant does not dispute its responsibility for the substantive assessment of its processing activities; therefore, even though this argument is not substantively conducive, it is also abundantly evident that it misses its intended target in a formal sense.


cites several more elements before concluding: "Noyb therefore used the
146. The Dispute Chamber does not dispute – as the defendant contends – that the guidelines of the supervisory authority and the European Data Protection Board do not carry the force of law. However, this does not mean they should lack authoritative value, at least because Article 57.1(f) GDPR assigns the GBA the task of informing data controllers about their obligations under the regulation, just as Article 70.1(u) establishes the EDPB's role to enable cooperation among supervisory authorities and formulate guidelines, best practices, and recommendation to ensure consistent application of the GDPR (Art. 70.1(d) GDPR).


complaints procedure at the GBA for a purpose other than that for which the
147. For all these reasons, it is evident that misleading colors are employed on the first layer of the cookie banner, which constitutes a violation of the duty of propriety as per Article 5.1(a) GDPR. Consequently, since consent is not unambiguous, it cannot be said to be validly obtained.
penalty must work towards compliance and should not merely serve punitive or deterrent purposes. Thus, the Dispute Chamber believes that a fresh and efficient approach to enforcing compliance with data protection laws, especially in the context of rapidly evolving technology, does not necessarily require prior notification to the defendant before imposing a penalty.


procedure is actually intended. This is an abuse of rights."
121. The authority must, therefore, ensure compliance with not only legal but also technological developments. The legislator intended for the interpretation of a factual situation to be evaluated by an authority in this context.


e. Finally, the defendant responds to a number of points from the
122. The fact that certain legal or technological developments impact a specific decision-making practice is a logical result of this approach – and is also taken into account in the context of sanctioning in this case (infra, section III.1.1.). An open norm does not prevent the imposition of measures, nor does it preclude the imposition of an administrative fine, as increasing technological developments (at a fast pace) compel proactive, sufficient, and proportional enforcement in new circumstances.


complainant's conclusion. In this context, the defendant notes that the complaining party does not
123. Furthermore, the defendant's argument that Article 7 GDPR does not explicitly require a ‘refuse’ option also refers back to the previous arguments presented in the context of the open norm. The Dispute Chamber assesses the legality of consent according to the definitions and conditions assigned to consent by the legislator: this pertains to consent under Article 10/2 PD Act and Article 6.1(a) GDPR, as defined in Article 4.11 GDPR.


respond to "several - earlier factual - arguments" of the defendant and that
124. Regarding the defendant's argument that the cookie banner is in compliance with previous decision-making practice of the Dispute Chamber, it should be noted that the decisions of the Dispute Chamber do not have precedential value. Although this argument may be relevant regarding potential measures (particularly the imposition of sanctions), the legal assessment that corresponds to the most accurate legal viewpoint – based on the most recent case law and the viewpoint of the EDPB – cannot be bypassed solely based on this argument.


those facts are therefore not disputed. “3rd plea (in subordinate order): NOYB cannot independently file a complaint”
125. The argument that the Dispute Chamber approved an action plan from a sector organization that would relate directly to the present contentious situations is likewise not a relevant argument. As noted before, the decisions of the Dispute Chamber do not carry precedential weight. Moreover, this refers to an actor that is entirely unrelated to the current procedure.


a. In this plea, the defendant firstly and ‘in principal order’ states that the mandate
126. Additionally, it is noteworthy that under Articles 5.2 and 24 GDPR, it is the responsibility of the data controller to ensure compliance with the application of the GDPR and to take appropriate technical and organizational measures accordingly. The defendant does not contest in any way its processing responsibility for the substantive evaluation of its processing activities, therefore, even if this argument lacks substance, it is clear that it fails in a formal sense.


of the complainant is limited to Article 80.1 GDPR. The defendant states that the
127. The Dispute Chamber does not contest – as the defendant argues – that the guidelines from the supervisory authority and the European Data Protection Board do not have the force of law. However, this does not imply they should lack authoritative value, especially because Article 57.1(f) GDPR assigns the GBA the task of informing data controllers about their obligations, and Article 70.1(u) enables the EDPB to foster cooperation among supervisory authorities and, if necessary, formulate guidelines, best practices, and recommendations to ensure consistent application of the GDPR (Article 70.1(d) GDPR).


Dispute Chamber cannot assess the elements in the complaint under Article 80.2
128. For all these reasons, it is clear that misleading colors are used on the first layer of the cookie banner, which constitutes a violation of the principle of propriety under Article 5.1(a) GDPR. Since consent cannot be unambiguously obtained, it cannot be claimed that valid consent has been provided.


GDPR: in that case, the Dispute Chamber would judge “ultra petita”.
II.3.2. Use of misleading button colors
b.
Position of the Complainant
Secondly and ‘in subordinately’, the defendant states that Article 80.2
132. The argument of the complainant is as follows: “The button ‘Agree and Close’ at the first level of the cookie banners on the defendant's websites is always prominently colored (red, blue, or black with white text) against a white background. Meanwhile, the ‘More Information’ button has a color that almost blends into the background color of the cookie banners (light gray with dark gray text against a white background). By explicitly ‘highlighting’ the ‘Agree and Close’ button compared to the option to refuse cookies, website visitors, such as the complainant, are explicitly encouraged to click on ‘Agree and Close’. Research has also shown that when the consent button has a (much) more prominent color than the button to refuse consent, consent is granted 1.7 times more often than when both buttons are the same color. As a result, consent obtained by the defendant for placing cookies cannot be considered ‘unequivocal’ (Art. 4(11) GDPR), rendering the consent from the complainant invalid (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive in conjunction with Art. 10/2 PD Act), meaning the defendant cannot demonstrate that the complainant has consented to the processing of his personal data (Art. 7(1) in conjunction with Art. 5(2) GDPR). As already emphasized in the complaint, the EDPB Cookie Banner Taskforce report also states that the contrast and colors used in the cookie banner must not be “obviously misleading,” as this leads to “unintended” and therefore invalid consent. [...] According to guidelines from various supervisory authorities, including the Greek, Austrian, and Czech authorities, it is explicitly stated that data controllers may not use misleading button colors that encourage website visitors to click on “Agree and Close”.
 
GDPR does not apply in Belgium. The defendant refers to the choice of the Belgian
 
legislator not to activate this provision via national law. Decision on the substance 113/2024 — 22/70
 
c. Thirdly and also ‘in subordinately’, the defendant states that
 
Noyb itself cannot file a complaint since it does not have a sufficient
 
personal interest.
 
d. Fourthly, the defendant offers a reply to what was stated in the conclusion of the complaining party, i.e. that a sufficient interest for Noyb follows from the articles of association of that company. The defendant states that the articles of association of Noyb only show the general, public nature of the interest.


Assessment by the Dispute Chamber
Assessment by the Dispute Chamber
135. The use of certain more striking colors on the four contentious websites, which has as its primary reason to encourage the data subject to give consent to the placement of cookies, leads the Dispute Chamber to assert explicitly that the duty of propriety under Article 5.1(a) GDPR has been violated and also jeopardizes the valid acquisition of consent, constituting a breach of Article 6.1(a) GDPR.


81. The representative of the complainant is generally active (pro-)actively to expose certain practices in the field of data protection law.
136. It is clear that the prominent color usage in the first layer of the contentious cookie banners, where the button depicting the accept-all option (“Agree and Close”) receives the most prominent color in a more distinct contrast, reflects a choice aimed at encouraging the data subject to grant consent to place cookies.


These general association-specific objectives are of course not sufficient in themselves to speak of a
137. The EDPB Cookie Banner Taskforce report states that regarding color usage, no general standard can be imposed on data controllers; rather, the assessment must be made on a case-by-case basis.


fictitious mandate under Article 80.1 GDPR. The defendant cites a number of (sub-) means in its defence to argue that various problems can be identified with regard to the
138. In these cases, the defendant employs various striking colors that likely induce a deceptive sense of comfort for the data subject:
  a. On the De Standaard website, the “agree and close” option is prominently displayed in dark red as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
  b. On the Het Belang van Limburg website, the “agree and close” option is prominently displayed in dark black as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
  c. On the Het Nieuwsblad website, the “agree and close” option is prominently displayed in dark blue as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
  d. On the Gazet van Antwerpen website, the “agree and close” option is prominently displayed in bright red as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background.


mandate. However, the Dispute Chamber does not find in any of these means direct indications or
139. Interfaces designed in this manner undoubtedly lead a data subject to select the most data-collecting options, especially since the individual may not be aware of how many additional steps they must undertake before they can choose not to allow cookies (i.e., not consenting). The data subject is aware that with the comfortable initial option in the cookie banner, they are taking the “path of least resistance” – without it necessarily reflecting their authentic informed preference for granting consent.


evidence to state that the mandate would be fundamentally flawed, let alone
140. The argument from the defendant that the complaint regarding this point is “without purpose” because the color usage has changed in the second informational layer (after an adjustment during the procedure) is clearly not assisting. The evaluation in question pertains to the color usage in the first layer of the cookie banner; the Dispute Chamber’s assessment in the dossier (including the letter dated February 5, 2024, outlining the alleged violations) is not limited to the second layer of the cookie banner.


would have been created in a ‘fictitious’ manner in this case. The
141. The argument that the involved complainant did grant consent is also not relevant, as the granting or refusal of consent does not obstruct the assessment of the propriety of processing. Additionally, the mere fact that consent has been granted is not, by itself, sufficient to assert that consent has been validly granted.


Dispute Resolution Chamber argues as follows.
142. The defendant should indeed not employ misleading colors, an aspect that constitutes a violation of the duty of propriety as expressed in Article 5.1(a) GDPR. The presence of such deceptive designs makes it unfeasible to acquire valid consent, which is a legal requirement.


82. Firstly, it is indeed the case that Noyb has in the past maintained several projects
---


in which it attempted to address certain practices by means of complaints. The fact that in that
This concludes the translation of your legal text. If you have more text or require further assistance, please let me know!
a valid consent in the sense of Article 6.1(a) GDPR.


context mandates were generally formulated in a fictitious manner is of course not sufficient
II.3.3. Withdrawal of Consent in Accordance with Article 7.3 GDPR
Position of the Complainant
147. The position of the complainant is as follows: “On none of the defendant's [respondent's] websites is it as easy to withdraw consent as it is to accept cookies. Accepting all cookies occurs with one simple click (or two clicks if the ‘More Information’ button is pressed), while withdrawing consent is not possible with one click. Instead, website visitors must navigate to a specific section of the website to withdraw cookies. At the very bottom of the page, hidden among an extensive list of various other links, is a link labeled ‘Manage Privacy Preferences’. When clicked, the website visitor can choose ‘Refuse All’, ‘Accept All’, or click ‘Not Agree’ or ‘Agree’ for each purpose. Under Article 7(3), first sentence, GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent must be as easy as granting it according to Article 7(3), third sentence, GDPR. Since the requirements of Article 7 GDPR are not met, the defendant also violates Article 12(1) GDPR, Article 17(1)(b) GDPR, Article 5(3) ePrivacy Directive, and Article 10/2 PD Act. Additionally, the ease of withdrawing consent is indeed a requirement for the consent to be classified as valid under Article 7(1) in conjunction with Article 4(11) GDPR (and thus also regarding whether the requirements of Article 10/2 PD Act and Article 125§1, 1° WEC are met). The EDPB has confirmed this in the guidelines on consent: ‘The ability to easily withdraw consent is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw does not meet the requirements of the GDPR, then the data controller's consent mechanism does not comply with the GDPR.’ […] (emphasis added) The EDPB Cookie Banner Task Force report also emphasizes that the withdrawal of consent for cookies must be as easy as granting it […] Also, in the EDPB guidelines on consent, it is expressly clarified: ‘When consent is obtained via electronic means, through a single mouse click, swipe, or keystroke, the data subject must be able to withdraw that consent just as easily in practice.’ […] In the EDPB guidelines on deceptive design and dark patterns, the same requirement is reiterated […] Consequently, the defendant must provide the complainant the ability to withdraw consent with a single mouse click. Now that a clearly visible option for granting consent is offered, there must also be an equally clearly visible option for withdrawing consent. A link labeled ‘Manage Privacy Preferences’ in small text, buried among an extensive list of other links at the very bottom of the defendant's website pages—which requires extensive scrolling—does not meet these requirements. A hovering, permanently visible (hoover) button to withdraw consent that remains visible would meet these requirements. The defendant has somewhat improved the possibility to withdraw consent and change cookie settings since the complaint was filed. It is now possible—once the ‘Manage Privacy Preferences’ button is found and clicked—to press an ‘All Refuse’ button, whereas previously it was only possible to withdraw consent for each purpose individually. […] This indicates that the defendant can easily provide an equivalent option to withdraw cookies as soon as the website visitor finds the opportunity to adjust cookie settings, and that the defendant previously consciously chose not to do so. It also shows that the defendant evidently believes the previous cookie banner did not comply with applicable legal requirements of Article 7(3) GDPR. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection legislation by removing personal data in connection with a complaint or investigation. This does not negate the fact that the violation indeed occurred (for a considerable time). Moreover, with the changes the defendant has made, it is still not as simple to withdraw consent as it is to grant it; it has only become easier than it was at the time the complaint was filed.”


to establish that Noyb cannot represent any parties involved in the same
Position of the Defendant
148. The defendant's position is as follows (the Dispute Chamber summarizes):


matter. Nor is there any formal indication in this case that Noyb itself took the initiative
6th Argument (subordinate): The withdrawal of consent does not constitute a violation of Article 4(11) in conjunction with Article 7.3 GDPR, nor Articles 10/2 PD Act and 125, §1, 1° WEC
  a. Firstly, the defendant asserts “primarily” that there is a lack of sufficient personal interest on the complainant’s part concerning the alleged use of legitimate interest. The defendant argues that no cookies have been placed in this manner concerning the complainant, as the complainant granted his consent for the placement of cookies.
  b. Secondly, the defendant maintains “subordinately” that the complaint is without purpose because the current cookie screens of Mediahuis no longer refer to legitimate interest. The defendant notes that during the same period as the settlement procedure, several adjustments related to the placement of cookies based on legitimate interest were prepared (and ultimately carried out on December 22, 2023).
  c. Thirdly, the defendant argues “more subordinately” that there is no violation of Article 6.1(f) GDPR, and that the complaint is unfounded to the extent it contends that legitimate interest can never serve as a legal basis for cookies.
  d. Fourthly, the defendant states “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant argues: “[…] if under Article 10/2 PD Act the exception to the rule (consent) applies, then it is self-evident that in such a case, the rule (consent) itself does not apply.”
  e. Fifthly, the defendant replies to the conclusion of the complainant regarding this aspect.


to encourage the complainants to file complaints with a specific concrete content.
8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR regarding the transparency of the cookie banner
  a. Firstly, the defendant asserts “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant reiterates that all references to legitimate interest were removed on December 22, 2023.
  b. Secondly, the defendant claims “subordinately” that there is no violation of Article 5.1(a) GDPR in this regard. The defendant considers the allegation based on Article 21.4 GDPR to be unfounded, asserting that the complainant granted consent, and indicates that there is “no prohibition” on the use of different colors to obtain consent in cookie banners.


83. Secondly, the complainant emphasises at the hearing that he visited the websites
Assessment by the Dispute Chamber
 
149. The focus must first be on the situation before withdrawing consent at the time of the complaint (the ‘old’ situation) and before the defendant made several adjustments during the procedure. These adjustments to the contentious websites led to a scenario where the withdrawal of consent after clicking on the ‘Privacy Preferences’ link on the contentious websites can now be carried out with one click (“All Refuse”).
independently and had problems with the practices of the controller, specifically after
 
taking note of the settlement decision of the Dispute Resolution Chamber
 
concerning the websites. Furthermore, the complainant is Dutch-speaking, so it is not inconceivable that the
 
complainant also visits the websites in question occasionally or routinely and has an interest in
 
the personal data processing being carried out properly when this happens. If
 
the complainant then also states that he visited the website independently – albeit on
 
a work laptop – and feels aggrieved by this, without any indication of
 
prior instruction or pressure from the representative, the legitimate,
 
direct and personal interest is established. There is no indication that there is any
 
abuse of rights.
 
84. It should be emphasised here, as the complainant rightly points out, that in the context of the right to complain, the data subject must only be "of the opinion" that his rights have been infringed. Decision on the merits 113/2024 — 23/70
 
A fortiori, recital 143 – in connection with the delegation by a data subject – expressly states that a data subject has the right to mandate an organisation as soon as that person "believes" that his rights have been infringed.
 
The fact that the representative subsequently makes her expertise available in the context of the representation assignment, in order to gather additional evidence, can be regarded as good
 
practice.
 
85. In short, the mandate was lawfully granted under Article 80.1 GDPR.
 
86. Thirdly, caution is indeed required when entering into a mandate under Article 80.1
 
of the GDPR, when a working relationship (an employment relationship, a relationship as an intern, or
 
other) is at stake. Problems (such as conflicts of interest) may indeed arise in
 
the context of an internship relationship; the Dispute Chamber does not read or find any
 
argument in which the internship relationship in this case is in problematic relation to the
 
mandate for submitting the complaint. After all, it is legally and sensu stricto not excluded that the
 
representative can also be a trainee supervisor.
 
87. It is up to the representative to assess, within the framework of the
 
applicable legal standards, whether the representation relationship is appropriate. The Dispute Chamber
 
will only intervene if there are clear indications that the legal requirements for
 
valid representation have not been complied with, or if the integrity of the
 
procedure is compromised. This is the case, for example, when a mandate is created in a
 
fictitious manner, or: when the grievances are demonstrably ‘directed’
 
by the representative.
 
88. The following should be noted in this regard. There is a difference between, on the one hand, being asked
 
– however optional this may be – by an employer or ‘internship supervisor’ to give permission
 
for something, versus, on the other hand, asking the internship supervisor or employer to
 
grant a representation assignment. In this case, there is nothing in the facts to indicate that the
 
former is the case, which means that no legal defect in the mandate can
 
be established. Moreover, the complainant also stated in so many words at the hearing
 
that he himself (albeit in consultation with another person who was also a
 
trainee at the same time) and therefore not on instruction, had established a problem with the
 
websites in question. There is no evidence to suggest that this statement by the complainant himself
 
would not be true: the complainant raised this issue in person at the hearing.
 
89. The fact that trainees are offered a forum to file complaints concerning
 
alleged unlawful processing of their own personal data or other
 
related infringements is not problematic per se as long as this is done within the legal Decision on the substance 113/2024 — 24/70
 
provisions 23 and without prior instructions as to, for example, the
 
identity of the controller and the specific infringements sought. This
 
forum may also in principle include providing working material and a physical
 
workplace to individuals. Strategic coordination between the complainant and his/her
 
representative as to how a complaint is filed, which infringements are focused on and
 
how the content is presented can of course only take place after such grievances
 
have arisen. 90. It is of course not excluded that the complainant's objective of wanting to see himself represented in order to act on allegedly infringed rights that he himself wishes to see upheld coincides with the association's own objectives of Noybom, in the general interest, of wanting to see the rules on lawful personal data processing in the case of cookies upheld.
 
91. In short, there is also no indication that the mandate would be fictitious. The complainant has a direct and personal interest and has independently, not on the instructions of the representative, granted the mandate.
 
92. Fourthly, the defendant rightly notes that a number of ambiguities, errors or
 
defects are apparent from the evidence (in interaction with the content of the complaint itself).
 
However, these aspects seem to point to the careless submission of evidence by the complaining party or representative, specifically with regard to the
 
dating of such documents, rather than to fundamental problems regarding the delegation
 
of the representative. The complainant also claims to have visited the web pages himself,
 
which is questioned by the defendant. In any case, the carelessness or
 
errors are not of such a nature that they should lead to the dismissal of the file in
 
the present case.
 
93. At the hearing, the complaining party acknowledges that not all documents in the complaint and
 
the administrative file have been accurately identified or described. However, the complainant states that he
 
took the initial screenshots and that he therefore raised the initial grievances that
 
form the basis for the complaint. As regards the HAR files (with a display/recording of network traffic at a given time, in which the placement and reading of various cookies on the websites at issue are visible) that were attached to the complaint, it is argued that they were not generated by the complainant (but by employees of the representative). The complainant states that the HAR files are not intended to monitor the processing of personal data by the
 
23 Reference is made here, among other things, to art. 57.4 GDPR, which states that excessive requests from individual data subjects may be
 
refused for processing. Decision on the merits 113/2024 — 25/70
 
the complainant as a data subject, but to frame the general practices of the
 
defendant. 94. None of this constitutes any direct evidence of a problem regarding (the fictitiousness of) the
 
mandate. The complainant is open about the method and points out that additional
 
evidence was collected after the grievances arose for the complainant. Furthermore,
 
the defendant does not dispute that the screenshots and practices
 
shown on those screenshots were effectively real screenshots taken
 
from the websites at issue.
 
95. The same applies to the HAR files that were added from the websites at issue.
 
The defendant does consider the dating or the person acting behind the document
 
to be unclear for these files, but the Dispute Resolution Chamber considers in that context
 
that there is nothing to indicate that the documents were manipulated in any way. Furthermore,
 
the HAR files in particular play no role in the further assessment by the
 
Dispute Resolution Chamber, among other things because these files are not relevant to the
 
infringements that are established below.
 
96. As regards the screenshots, it is established that it is the complainant who has taken cognizance of the cookie banners and their various layers; at least some of the screenshots
 
attached to the complaint were initially generated by the complainant.
 
97. It can be considered good practice that when Noyb represents a data subject, it ensures as a representative that it collects the necessary
 
evidence; this does not have to be an initiative of the complainant when it mandates Noyb to bring a pre-established case (with grievances
 
leading back to the complainant's own initiative), insofar as the evidence further supports the
 
complaint. In this sense, it is certainly not the case that the Dispute Chamber considers documents
 
provided by the representative inadmissible. 98. In short, the incorrectly designated, qualified or otherwise defective
 
evidence is not of such a nature that it points to a problem in connection with the
 
interest of the complainant or the representation assignment, nor does it lead to the
 
case having to be dismissed. The decision is based solely on the evidence of which the
 
veracity has been established or evidence or elements provided by the defendant
 
itself.
 
99. Fifthly, it is by no means the case that a complaint should be
 
dismissed in any event because a complainant (in that case still as a data subject)
 
does not first contact the controller, or that the Dispute Resolution Chamber
 
could not take measures if a data subject has not first contacted the controller. Depending on the circumstances, it is not even necessary Decision on the merits 113/2024 — 26/70
 
that a person's personal data are processed in order to see a complaint handled
 
before a supervisory authority – despite some legal discussion
 
about this in the past. It is true that the Dispute Chamber and the GBA as a whole – in the
 
light of their limited resources – strive for the most efficient possible complaint handling
 
whereby the failure to exercise rights can certainly play a role in the assessment
 
whether or not to dismiss a complaint. Such an assessment is not at issue here by the
 
Dispute Chamber here and now.
 
100. In conclusion: for all these reasons, all means of the defendant that relate to
 
aspects concerning the representation assignment and the mandate of the representative by the
 
complainant in this case are not useful. The Dispute Chamber rules
 
that the representation is legitimate under Article 80.1 GDPR, and that
 
the complainant has a personal, direct and established interest in the
 
personal data processing that forms the basis of the present complaint procedure.
 
The arguments of the parties that relate to the role of Article 80.2
 
GDPR in this case will not be discussed further, since this provision does not play a role in this case.
 
II.3. The infringements
 
II.3.1. A refuse all option on the first level of the cookie banners
 
Position of the complainant
 
101. The complainant's position on this point is as follows:
 
"None of the […] cookie banners on the websites of the defendant [defendant],
 
contain a "Refuse all" button on the first level, but only a button with
 
"Agree and close" and a button with "More information". The option to refuse all cookies
 
easily and at once is deliberately hidden by the defendant [defendant].
 
Because no "Refuse all" option is included on the first information level of the
 
cookie banner and this makes accepting all cookies many times easier than refusing them, there is a
 
"default effect" for and an incentive to accept all cookies (cf. ov. 32 AVG).
 
On this basis, the consent obtained by the defendant for the placement of cookies cannot be regarded as ‘unambiguous’ (Article 4(11)
 
24Cassation, V t. GBA, C.20.03223.N, ECLI:BE:CASS:2021:ARR.20211007.1N.4, §6: “By holding on this ground that an
infringement of Article 5, paragraph 1, c), GDPR has not been proven and by annulling the contested decision of the claimant, while it is not required
that the complainant’s personal data have actually been processed in order for the claimant to be able to impose
corrective measures or an administrative fine in response to a complaint, after establishing that a practice exists that
gives rise to an infringement of the principle of minimum data processing, the appeal judges fail to justify their
decision in law.” (the Dispute Chamber underlines) Decision on the merits 113/2024 — 27/70
 
GDPR), which renders the consent obtained from the complainant invalid (Article 6(1)(a) GDPR
 
in conjunction with Article 5(3) ePrivacyRl in conjunction with Article 10/2 GBW[…]). As a result, the defendant [respondent]
 
cannot […] demonstrate that the complainant has given consent to the processing of
 
his personal data (Article 7(1) in conjunction with Article 5(2) GDPR).
 
The complainant hereby reiterates that the EDPB Cookie Banner Taskforce
 
Report also endorses the fact that the absence of a button of the type
 
"Reject all" on the same level as the "Accept all" button is considered an infringement
 
by a large majority of data protection authorities.[…]
 
As already stated in the complaint, the fact that this is the prevailing
 
legal view also follows from guidelines from national supervisory authorities of
 
France, Germany, Denmark and Finland. To these can also be added (among
 
others) the guidelines of the Dutch[…], Austrian[…] The GBA also explicitly stipulates that: “A “manage settings” button is therefore not sufficient next to an “accept all” button.[…]
 
Merely offering an option to refuse all cookies, which clearly requires more
 
steps, time and effort than accepting all cookies, also constitutes, on the basis of
 
the EDPB guidelines on deceptive design and dark patterns, a
 
violation of the principle of propriety of art. 5(1)(a) GDPR:
 
[quote of the aforementioned guidelines in English]
 
However, determining that not offering a “Refuse all” option on the first
 
information layer of the defendant’s cookie banners constitutes an infringement does not
 
so much concern the application of supervisory guidelines, but this
 
simply concerns a direct and concrete application of the legislation (in accordance
 
with the applicable legal view).
 
However, a single approved action plan or individual (old) decisions of the
 
Dispute Chamber in a few specific cases, in which a “Reject All” button was not the subject, cannot be attributed the value that they should apply as a valid legal opinion.[…] As
 
has already been mentioned in this opinion, the Market Court has confirmed that the
 
decisions of the Dispute Chamber of the GBA do not have a precedent effect.”
 
Defendant’s position
 
102. The defendant’s position in its summary conclusion is as follows (the
 
Dispute Chamber summarises): Decision on the merits 113/2024 — 28/70
 
“4th ground (subordinate): The absence of a ‘refuse’ option in the first
 
information layer of the cookie banner does not constitute invalid consent”
 
• Firstly, the defendant indicates that the alleged infringement “is without object
 
because the complainant gave his consent”. In this context, the defendant states that as soon as a controller has the consent of the data subject, there is a legal basis for lawfully processing the data; the defendant points out that the complainant gave his consent.
 
• Secondly, the defendant states that the obligation to place the ‘refuse’ option on the first information layer is not apparent from any legislation. In this respect, the defendant states that valid consent can be obtained, “even when there is no ‘refuse’ option on the first information level of the cookie banner”.
 
• Thirdly, the defendant states that the consent requirements under Article 7 of the GDPR have indeed been respected. The defendant states that Article 7 of the GDPR does not provide for an obligation to have a ‘refuse’ option in the first information layer of the cookie banner. In this respect, the defendant points out, among other things, that Article 7.3 GDPR deals with the withdrawal of consent: “The GDPR, on the other hand, does not impose similar requirements for refusing consent at a time when consent has not yet been given.” Furthermore, the defendant points out in this context that Article 4.11 GDPR also does not impose an obligation to have a ‘refuse’ option on the first layer of the cookie banner: according to the defendant, the expression of will can be made freely, specifically, informed and unambiguously. According to the defendant, the expression of will is in any case made actively.
 
• Fourthly, the defendant indicates that the cookie banner is in accordance with the “decision-making practice of the Dispute Resolution Chamber”. The defendant points in particular to two decisions – Decision 12/2019 of 17 December 2019 and
 
Decision 19/2021 of 12 February 2021 – in which, in particular in the latter decision,
 
the Dispute Chamber explicitly stated, as quoted by the defendant:
 
“The new cookie banner no longer assumes implicit consent
 
(‘by continuing to use this website’) but gives the choice between
 
‘accept recommended cookies’ and ‘adjust cookie preferences’.”
 
• Fifthly, the defendant indicates that the cookie banner is in line
 
with the EDPB guidelines on consent. In doing so, the defendant indicates that it does not read anything about the requirement for a ‘refuse’ option at the
 
first information level of the cookie banner. Decision on the substance 113/2024 — 29/70
 
• Sixthly, the defendant states that the cookie banner is in accordance
 
with the IAB Europe action plan that was approved by the Dispute
 
Chamber. 25The defendant states: “Mediahuis understands that the Internet Advertising Bureau (“IAB”)
 
action plan, validated by the Dispute Chamber on 11
 
January 2023, also does not include the requirement for a ‘refuse’ option in the first
 
information layer of a cookie banner. This action plan allegedly does not
 
include anything about which buttons should be on the first information layer of a
 
cookie banner.


• Seventhly, the defendant states that no infringement occurs, purely
150. In the ‘old’ situation, a data subject indeed had to undertake “a number of clicks” (as stated by the defendant) to withdraw consent, while the initial consent (“agree and close”) required only one click. The defendant explicitly acknowledges that a visitor (here classified as a data subject) had to click “many more times” “compared to the situation in which he wanted to grant his full consent.”


because the practice would not be in accordance with “policy documents of
151. Therefore, in this ‘old’ situation, withdrawing consent was evidently not as simple as granting it, which constitutes a violation of Article 7.3 GDPR. The fact that the ‘withdrawal’ of consent is a relative concept—such that it must be “as easy” to withdraw as it is to grant—does not detract from this. Such a classification as a relative concept in legal terms may be accurate, but in relative circumstances, the “number of clicks” the defendant speaks of is clearly referred to as more clicks than the single click of the “agree and close” button on the cookie banner.


authorities”. In doing so, the defendant states that these are merely
152. Regarding the ‘new’ situation, after the defendant's adjustments during the procedure: in this new scenario, withdrawing consent after clicking on the ‘Manage Privacy Preferences’ link on every webpage of the contentious news websites can indeed now be done with a single click (“All Refuse”). The options presented in the cookie banner correspond to those offered at the secondary layer of the cookie banner when granting consent: this practice does not provide a basis—based on the documents presented in the dossier—for establishing a violation.


policy documents; they are not binding as they are not law. In addition, the defendant indicates that it understands from the EDPB Cookie Banner Taskforce report that a number of authorities consider that the absence of a ‘refuse all’ option in the same layer as an ‘accept all’ option does not constitute an infringement of Article 5(3) ePrivacy Directive, which indicates to the defendant that there is no consensus on this issue among European supervisory authorities. Furthermore, the defendant indicates that the GBA is ‘not consistent’ in the information it provides to the public, pointing to the difference in web pages on cookies in the ‘citizen’ section of the GBA website versus the ‘professional’ page of the GBA website.
153. The website does not necessitate a mandatory “permanently visible” button for appropriately withdrawing consent. When a data subject can withdraw consent with two clicks from any webpage on the contentious websites according to Article 7.3 GDPR, it aligns with the intent of the legal provision. A data subject can reasonably expect cookie settings to be found at the bottom of a webpage. Consequently, the individual can then take note of the information regarding the withdrawal of consent and do so with one button.
In addition, the defendant points out that the information on the website for


"professionals" is unclear, and, among other things, links to non-professional
154. As the EDPB has indicated in the Cookie Banner Taskforce report, it is sufficient that there is a link available on the website placed in a “visible and standardized location.” The placement of a direct link at the bottom of every webpage leading to a banner where consent can be withdrawn with one button complies with this wording. The EDPB has also emphasized in the same report that legislation merely requires easily accessible solutions for the withdrawal of consent to be offered, but does not indicate that a “specific withdrawal solution” must be implemented, nor can the establishment of a hovering solution be imposed on a data controller within the current legal context.


web pages of the GBA website. The defendant also had the inconsistencies
155. The defendant correctly emphasizes that the requirement under Article 7.3 GDPR that consent must be “as easy” to withdraw as it is to grant presents a relative situation. In this respect, for the proper functioning of a website—which is also in the interest of the data subject—it is not reasonable to expect the withdrawal of consent to occur in exactly the same manner when this implies that they (in the most literal sense) must always do so in that way.


established by a bailiff on 27 November 2023, and attaches the
156. In this reasoning, a “hoover” button (the proposal presented by the complainant) would not suffice either since such a “hoover” button does not present the exact same visual representation as a cookie banner (for granting consent) for withdrawing consent throughout the entirety of the website visit. This would impose a blocking effect on the internet user, which is evidently unreasonable.


findings as a document.
157. Regarding the ‘old’ situation, a breach must indeed be established concerning Article 7.3 GDPR. Given that there is no indication that this breach continues in the ‘new’ situation following the adjustments made by the defendant, the Dispute Chamber decides at this point to issue a reprimand to the defendant. No other coercive or penal measures are deemed appropriate in this regard.


• Eighth, the defendant also replies to the conclusion of the complainant.
II.3.4. Use of Legitimate Interest for Placing Cookies That Require Consent and Alleged Violation of Transparency and Information Obligations
Position of the Complainant
158. The position of the complainant states: “When the complainant visited the websites, the defendant's [respondent's] websites in the second layer of the cookie banner contained a legitimate interest button that was defaulted to ‘Agree’ for conducting an ‘Advanced Measurement’ to ‘measure advertisement and content performance. Data can be used to derive insights regarding the audience that viewed the advertisements and content. This data can be used to build or improve user experience, systems, and software.’ This ‘legitimate interest button’ for conducting such ‘measurements’ was placed alongside a button to grant consent for the same purpose and was only visible if the website visitor pressed the ‘+’ button. Thus, the defendant [respondent] implied that it has a legitimate interest (Article 6(1)(f) GDPR) for carrying out ‘advanced measurements’ if the complainant does not provide consent (Article 6(1)(a) GDPR). Legitimate interest serves as a ‘backup’ basis for the defendant. Consequently, the defendant unlawfully shifts from an “opt-in” system based on Article 6(1)(a) GDPR to an “opt-out” system based on Article 6(1)(f) GDPR. Legitimate interest cannot serve as a valid legal basis for placing and reading non-strictly necessary cookies, such as the cookies placed for conducting “advanced measurements” (cf. Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). This has been reiterated in the EDPB Cookie Banner Taskforce Report and in guidelines from national supervisory authorities.


Assessment by the Dispute Chamber
Assessment by the Dispute Chamber
159. The defendant admits that cookies were placed based on legitimate interest, of which at least some should have been placed based on consent in accordance with the ePrivacy Directive and its transposition into the PD Act. Cookies placed to carry out ‘advanced measurements’ regarding website usage for advertising purposes (at least concerning the analysis of the reach and efficacy of targeted cookies) are by definition not strictly necessary. Such cookies thus require, in any case, consent under Article 10/2 PD Act and also under Article 6.1(a) GDPR for the subsequent processing of personal data.


103. Art. 10/2 WVP provides:
160. As the EDPB has emphasized in the report from the Cookie Banner Taskforce, the use or mention of legitimate interest as a legal basis in the cookie banner may also confuse users, who might believe they have to refuse twice to ensure their personal data is not processed. In this sense, the legal basis for placing a cookie should either be based on legitimate interest or on consent.
 
In application of article 125, § 1, 1°, of the law of 13 June 2005 on
 
electronic communications and without prejudice to the application of the Regulation
 
and this law, the storage of information or the obtaining of access to information
 
already stored in the terminal equipment of a subscriber or user
 
is only permitted on condition that:
 
1° the subscriber or user concerned, in accordance with the conditions
 
determined in the Regulation and in this law, receives clear and precise information about the
 
purposes of the processing and his rights under the Regulation and
 
this law;
 
2° the subscriber or end user has given his consent after being
 
informed in accordance with the provision under 1°.
 
The first paragraph shall not apply to the technical storage of information or
 
access to information stored in the terminal equipment of a subscriber or an
 
end-user for the sole purpose of carrying out the transmission of a communication
 
over an electronic communications network or of providing a service expressly requested by the
 
subscriber or end-user where this is strictly necessary for this purpose.
 
(The Litigation Chamber underlines and emphasises)
 
26
104. The European Data Protection Board, like the European Court of
27
Justice, has already stated that the requirements for the concept of “consent” in the
28
e-Privacy Directive must meet the requirements for consent under the GDPR. This is
 
particularly the case for those cookies that involve data processing: as the “Cookie Banner Taskforce” report of 17 January 2023 states, such
 
subsequent processing implies that at the time of consent,
 
this consent must meet the conditions of the GDPR. 29
 
105. Article 4.11 GDPR defines consent as follows:
 
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which
 
a statement or by a clear affirmative action signifies agreement to the processing of personal data
 
relating to him or her;
 
106. Article 6.1. opening and point a GDPR stipulates:
 
Processing shall be lawful only if and to the extent that at least one of the following conditions is met:
 
26 EDPB, Opinion 5/2019 on the interaction between the ePrivacy Directive and the General Data Protection Regulation, in particular as regards the tasks and powers of data protection authorities, 12
March 2019, available at:
https://www.edpb.europa.eu/sites/default/files/files/file1/201905 edpb opinion eprivacydir gdpr inEDPB,ay nl.pdf;
Guidelines 5/2020 on consent under Regulation 2016/679, v 1.1, 4 May 2020, §6-7.
 
27
Judgment of the Court of Justice of the EU, Proximus v. GBA, C-129/21, see specifically § 51: “As regards the manner in which such consent must be demonstrated, it follows from Article 2, second paragraph, point (f), of Directive 2002/58, read in conjunction with Article 94, paragraph 2, and Article 95 of the GDPR, that such consent must in principle meet the requirements of Article 4, point 11, of that regulation.”
28
Cf. Also A. GOBERT, “Chapitre 5. La jurisprudence de l’APD en matière de cookies » in M. Knockaert and J.-M. Van
Gyseghem (eds.), 5 années de jusprudence de la Chambre Contentieuse de l’APD, Brussels, Editions Larcier-Intersentia,
(139)145, §13 : « To be valid, consent to the deposit of non-essential cookies must therefore meet the conditions
set out in article 4.11. duRGPD. » (loosely translated: « To be valid, a cookie for the installation of non-essential
consent must meet the conditions set out in article 4.11 GDPR.”).
29
EDPB, Report of the work undertaken by the Cookie Banner Taskforce, 17 January 2023, §2. Decision on the substance 113/2024 — 31/70
 
(a) the data subject has given consent to the processing of his/her personal data for one or more specific purposes;
 
107. From a joint reading of the aforementioned legal provisions, and after the clarification of the Court of Justice on the interaction between the e-Privacy Directive and the GDPR, it is clear that the “refuse all” option
 
must be provided by the defendant on the first layer when the defendant places an “accept all” button on
 
that same layer. 30 Otherwise, consent cannot possibly be obtained in a “free” and “unambiguous” manner. 31


108. On the one hand, consent is not “free” when the data subject who does not wish to
161. One cannot choose to present legitimate interest as a 'backup' legal ground in the absence of granted consent. This is not only little transparent regarding the data subjects whose consent is being requested, but it is also not permitted within the framework of Article 10/2 PD Act (as transposed from Article 5.3 ePrivacy Directive) and Article 6 GDPR. Both provisions require that the data controller implements a personal data processing activity based on a single legal ground. As the Dispute Chamber has already stated in multiple decisions, the EDPB emphasizes this in its guidelines on consent: Before beginning processing activities, it must be determined which of the six grounds apply for which specific purpose. It is important to note that if a data controller opts to base part of the processing on consent, it must be willing to respect the choices regarding that consent and stop that part of the processing if a person withdraws their consent. Presenting it as if data is processed based on consent while actually relying on another legal basis would be fundamentally unfair to the data subjects.


give his/her consent (within the meaning of Article 10/2, first paragraph, 2° of the LVP) is obliged to perform more
162. The Dispute Chamber believes it is not maintaining an overly stringent interpretation of what constitutes strictly necessary cookies. However, the legislator currently leaves no room for another interpretation and explicitly refers to a “strictly necessary” character (Article 10/2 PD Act). Ruling that cookies, such as certain analytical cookies – which are not strictly necessary for the proper functioning of the website – could be placed based on legitimate interest would not merely reflect a lenient attitude, but rather an interpretation that is contra legem. This situation is even more pronounced for cookies used for marketing purposes. The Dispute Chamber applies the applicable legal rules to the facts.


actions in order to refuse consent. As recital 42 of the preamble to the GDPR states: “Consent shall not be considered to be freely given if the
163. No independent verification—e.g., by the Inspection Service—has been conducted to ascertain which cookies were placed and to what extent. In any case, the defendant’s acknowledgment of the unlawful placement of cookies based on legitimate interest necessitates the reprimanding of the defendant: they may only place cookies based on legitimate interest as long as the cookies fall under the exception scenario under Article 10/2, paragraph two PD Act; since this was not the case in the past, it constitutes a violation of the aforementioned provision. The same goes mutatis mutandis for the subsequent personal data processing activities, which must be based either on Article 6.1(a) or Article 6.1(f) GDPR—not both provisions simultaneously or as interchangeable ‘backup’.


32
164. It is also irrelevant whether or not valid consent from the complainant in question was obtained; the mere fact that the defendant potentially does not request consent for the placement of such cookies, resulting in unlawful processing of personal data, suffices to establish the violation.
data subject has no genuine or free choice . . .” A choice implies at least an


equivalent option to perform an action in an equivalent manner (not
165. The fact that the decision to place such cookies lies partly in the hands of third parties (whether they are joint data controllers, data controllers, or processors in that processing process) is irrelevant. The defendant is responsible under Article 5.2 GDPR for ensuring that the placement of cookies and the processing of personal data resulting from the placement of cookies through its contentious websites occurs lawfully.


consenting) other than the one for which the choice is offered (consenting). 33 It should be noted, for the sake of
166. The elements of the complaint related to the transparency and information obligations, as well as those elements concerning (the facilitation of exercising) the right to object based on the placement of cookies founded on legitimate interest, are not further examined by this decision. The Dispute Chamber has not been presented with sufficient elements concerning the assessment of these alleged breaches.


addition, that the visitor concerned cannot close the cookie banner without making a
167. The Dispute Chamber rules that the grievances asserted in the complaint—as rightly highlighted by the defendant—are overly broad, resulting in the defendant being unable to adequately defend itself based on the documents presented in the complaint or during the proceedings (for example, regarding the general reference to an alleged breach of “the principles of transparency, legality, and propriety”).


choice, which constitutes a problematic form of a so-called cookie wall. 34
168. The Dispute Chamber establishes that the defendant violated Article 10/2 PD Act in conjunction with Article 6.1(a) GDPR by conceding that cookies were placed based on legitimate interest while they did not fall within the exception provision under Article 10/2 PD Act before making adjustments to their website in this regard. Furthermore, the legitimate interest (also under Article 6.1(f) GDPR for subsequent processing) was used as a ‘backup’ when no consent (under Article 6.1(a) GDPR) was granted for the placement of cookies.


109. The fact that consent is not freely given is sufficient in itself to establish that
169. The defendant should not have (allowed) the placement of these cookies and has at least failed to investigate whether the cookies could be placed based on legitimate interest – while this falls under its responsibility as a data controller in terms of the lawfulness of its processing activities. For this reason, the Dispute Chamber will proceed to reprimand the defendant regarding this point.


consent is not validly offered and cannot be obtained. 110. On the other hand, consent is not “unambiguous” if the data subject cannot take the active action to refuse consent in a similar manner, because, for example, he is not aware of the option to refuse cookies, since such an option is only mentioned or can be selected in a subsequent ‘layer’ of the cookie banner.
170. The Dispute Chamber partially dismisses the complaint with respect to the grievances concerning the transparency and information obligations (specifically Articles 12.2 and 5.1(a) GDPR that are mentioned by the complaining party), as well as (the exercise of) the right to object (Article 21.4 GDPR is mentioned by the complaining party) due to the reasons mentioned above.
 
In this sense, a data subject cannot take an unambiguous active action on the first
 
layer of the cookie banner, precisely because no alternative is offered to refuse consent.
 
30 See also the cited examples in the “cookie checklist” of the GBA, available via:
https://www.gegevensbeschermingsautoriteit.be/publications/cookie-checklist.pdf, par. 3: “A “manage settings” button
 
is therefore not sufficient in addition to an “accept all” button. see also the previous press release on this subject from the
Data Protection Authority:
https://www.gegevensbeschermingsautoriteit.be/burger/nieuws/2023/02/10/cookiebanners-de-edpb-publiceert-
voorbeelden-van-niet-conforme-praktijken.
31
EDPB Guidelines 5/2020 on consent, paragraph 39: “For consent to be freely given,
access to services and functions may not be made dependent on a user’s consent to store
information, or to gain access to information already stored, in a user’s terminal
equipment (so-called cookie walls)”, available at:
https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_nl.pdf
32
The Dispute Resolution Chamber underlines.
33EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v 1.1, 4 May 2020, §13: “The
 
element ‘freely’ implies real choice and control for the data subjects.”
 
34Ibid., §39: “For consent to be freely given, access to services and functionalities should not be made
subject to a user’s consent to retain information, or to gain access to
information already stored, in a user’s terminal equipment (so-called cookie walls)[…]” Substantive decision 113/2024 — 32/70
 
votes. 35 All this cannot be separated from the broader digital context in which
 
many website operators use cookie banners and thus many concerned
 
internet users see them appearing on a daily basis, which can lead to a certain
 
degree of “click fatigue”.
 
111. The fact that consent cannot be given unambiguously is sufficient
 
in itself to establish that consent is not validly offered as a choice
 
and cannot be obtained.
 
112. Furthermore, in the next layer, the “reject all” option is indeed displayed in the
 
same way as the “agree with all” option in that layer, but in any case in
 
less clear colours than the “accept and close” option in the first layer, and then
 
a whole number of other buttons that are displayed below it in the same,
 
equivalent way.37
 
As an example (mutatis mutandis applicable to the four websites at issue) on the
 
website of De Standaard, on a screenshot from the defendant’s synthesis
 
conclusion of the second layer:
 
35
Cf. EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v 1.1, 4 May 2020, §77: “A
‘clear affirmative action’ means that the data subject must have taken an intentional action to
consent to the specific processing[…]”.
36EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v 1.1, 4 May 2020, §87: “A
 
‘clear affirmative action’ means that the data subject must have taken an intentional action to
consent to the specific processing[…]”.
37Cf. Mutatis mutandis, the elements related to the term “privacy maze” within the excessive information section, cf.
EDPB, Guidelines 3/2022 on deceptive design patterns in social media platform interfaces: how to recognize and avoid them”
 
v. 2.0, 14 February 2023, §173. Decision on the merits 113/2024 — 33/70
 
38
 
A clear contrast with the ‘agree and close’ button in the first layer of the
 
cookie banner:
 
39
 
38
Defendant’s summary conclusion, 66.
39
Screenshot shown in the defendant’s summary conclusion, as a reprise of the screenshot in the
original complaint; summary conclusion defendant, 64. Decision on the merits 113/2024 — 34/70
 
113. Certainly, the right to data protection must be brought into proportion with
 
other fundamental rights 40 – such as the freedom to conduct a business 41 – but when the
 
legislator makes consent mandatory for certain processing operations (under the e-
 
Privacy Directive as transposed into the WVP), that consent must of course meet the
 
specific requirements set by the same legislator (under the e-Privacy Directive and
 
the GDPR).
 
114. Therefore, when it is established that consent must be obtained under the applicable
 
legislation for the placement of non-strictly necessary cookies – which is not the subject of
 
discussion in this case – this inherently implies at least a direct choice, regardless of the
 
possible granularity for consenting to the placement of certain types or
 
categories of cookies. As the complainant notes, in the cases at issue, there is no legal reason why the refusal of cookies should not be done in the same simple way on the four websites at issue. To hold otherwise would be to disregard the "free" and "unambiguous" requirement for obtaining valid consent.
 
115. The defendant's argument that the complainant has no interest because he has given his
 
consent is not helpful. It is not because consent is given that the consent meets all the requirements of valid consent and therefore
 
constitutes valid consent within the meaning of Article 4.11 in conjunction with Article 7.1 of the GDPR.
 
116. The defendant's argument that the standard is unclear and that nowhere in legislation
 
is there any mention of the fact that "refusing everything" in the cases at issue must be offered at the first
 
level of information is also not helpful. This also applies to the argument that the situation would be in line with the EDPB guidelines on consent, simply because those guidelines do not mention anything (with the erroneous implication that the guidelines do not require anything) regarding the refusal option on the first ‘layer’ of the cookie banner.
 
117. The Litigation Chamber once again clarifies its powers in this regard.
 
118. Article 8(3) of the Charter of Fundamental Rights of the European Union states that independent authorities must monitor compliance with the right to the protection of personal data. This provision underlines the importance of independent control and forms the basis for the establishment of supervisory authorities.
 
Under Article 57.1 GDPR, the supervisory authorities are responsible for the
 
40
Recital 4 of the Preamble to the GDPR.
41 Article 16 EU Charter.
42
Cf. GBA, Cookie Checklist, n. 3: “A “manage settings” button is therefore not sufficient in addition to an “accept all” button”, see also the previous press release on this subject from the Data Protection Authority:
https://www.gegevensbeschermingsautoriteit.be/burger/nieuws/2023/02/10/cookiebanners-de-edpb-publiceert-
voorbeelden-van-niet-conforme-praktijken.” Decision on the merits 113/2024 — 35/70
 
enforcement of the GDPR. 43 Under Article 4 WOG, the GBA is competent for this
 
enforcement. 44 Under Article 32 WOG, the Dispute Chamber is the administrative
 
dispute body of the GBA; it decides on a case-by-case basis.
 
119. Since the entry into force of the law of 21 December 2021 transposing the
 
European Electronic Communications Code and amending various provisions
 
regarding electronic communications on 10 January 2022 (“EC”), the DPA is now
 
competent, in accordance with Belgian law, to supervise the provisions regarding the
 
placement and use of cookies (i.e. “the storage of information or the
 
obtaining of access to information already stored in the terminal equipment of a
 
subscriber or a user”). The aforementioned law, among other things, made changes to the
 
EC. More specifically,
 
Article 256 of the law of 21 December 2021 provides for the repeal of Article 129 EC and
 
the transfer of this provision to the law of 30 July 2018 on the
 
protection of natural persons with regard to the processing of personal data (WVP). 45
 
Given that the GBA has residual jurisdiction to supervise the provisions of the WVP, this confirms the material jurisdiction of the GBA with regard to the placement and use of cookies.
 
120. The European legislator has, partly in light of the increasingly digital society, explicitly chosen to grant the enforcement of the GDPR to an authority that is in contact with similar authorities in the other Member States of the European Economic Area. 46 For that reason, the supervisory authority must be able to enforce, with a view to not only legal but also technological developments. In this context, the legislator wanted the interpretation of a factual situation to be tested by an authority.
 
121. The fact that certain legal or technological developments have an impact on a particular decision-making practice is a logical consequence of this approach – and is also taken into account in the context of the sanctioning in this case (infra, section III.1.1.). An open
 
standard therefore does not prevent the imposition of measures, or even the imposition
 
of an administrative fine, precisely because increasing technological developments
 
(at a high pace) require effective, adequate and proportionate
 
enforcement in new circumstances.
 
43 See also art. 32 WOG regarding enforcement powers for the Dispute Chamber.
44 Art. 4 § 1 WOG: “The Data Protection Authority is responsible for monitoring compliance with the
fundamental principles of the protection of personal data, within the framework of this law and the laws that
 
contain provisions regarding the protection of the processing of personal data.” 45Law of 21 December 2021 transposing the European Electronic Communications Code and amending
various provisions on electronic communications, B.S. 31 December 2021.
46
Recital 7 of the preamble to the GDPR: "These developments require a strong and more coherent framework for
data protection in the Union, supported by strict enforcement, because this is important for the
trust needed to allow the digital economy to develop throughout the internal market. " Substantive decision 113/2024 — 36/70
 
122. In short, the authority cannot only interpret a standard of an "open" nature, it must
do so; any argument that puts forward non-enforcement because of an "open standard"
 
is not helpful.
 
123. As regards the defendant's argument that Article 7 of the GDPR in particular does not explicitly make the refusal option mandatory, reference is also made to the previous argumentation in the context of the open standard. After all, the Dispute Chamber examines the lawfulness of the consent, according to the definition and the conditions assigned to the concept of consent by the legislator: it therefore concerns consent under Article 10/2 of the WVP and Article 6.1.a of the GDPR, as defined in Article 4.11 of the GDPR.
 
124. As regards the defendant's argument that the cookie banner is in
 
accordance with the previous decision-making practice of the Litigation Chamber, it should be noted that the
 
decisions of the Litigation Chamber have no precedent value. 47 Although this
 
argument may be useful in the context of possible measures (in particular
 
the sanctioning), the legal assessment that corresponds to the most correct legal
 
view - based on the most recent case-law as well as the view of the EDPB
 
48 - can hardly be omitted solely on the basis of this argument.
 
125. The argument that the Litigation Chamber would have approved an action plan of a
 
sector organisation that would be directly related to the disputed situations at hand, is also
 
not a useful argument. As noted earlier, the decisions of the Litigation
 
Chamber have no precedent value. Moreover, the actor to which the defendant refers is completely
 
foreign to the present proceedings. 126. It should also be noted that, under Article 5.2 and Article 24 of the GDPR, it is the controller who is responsible for compliance with the application of the GDPR and for taking appropriate technical and organisational measures in this regard. The defendant does not in any way dispute its responsibility for the substantive assessment of its processing activities, so while the argument may not be substantively substantive, it is also more than clear that the argument in the formal sense fails to achieve its purpose.
 
127. As for the argument that the guidelines of the supervisory authority and of the European Data Protection Board do not have the force of law, this
 
argument is of course correct in the formal sense and within the hierarchy of legal nouns. This does not mean, however, that they do not (should not) have any authoritative value, at least
 
47
Judgment of the Court of Appeal of Brussels (Chamber 19A, Market Court section, 1 December 2021, 2021/AR/1044, § 7.0.2.: “The Belgian legal system does not attribute binding precedent value, neither to administrative nor to judicial decisions (see
among others art. 6 Judg. W.)”
48Cf. regarding the evolution: A. GOBERT, “Chapter 5. The case law of the APD in the matter of cookies » in M. Knockaert and J.-
M.VanGyseghem(eds.),5annéesdejursprudencedelaChambreContentieusedel’APD,Brussel,EditionsLarcier-Intersentia,
(139)148-9, §20. Decision on the substance 113/2024 — 37/70
 
because Article 57.1.f GDPR imposes on the DPA the task of informing controllers
 
of their obligations under the Regulation, just as Article 70.1.u imposes on the EDPB the task of having supervisory authorities cooperate and, where
 
appropriate, formulate guidelines, best practices and recommendations to ensure the consistent application
 
of the GDPR (Article 70.1.d GDPR).
 
128. Within the DPA, and within the EDPB, the necessary expertise is available
 
to produce balanced and legally correct guidelines, recommendations and examples of best
 
practices. These guidelines and recommendations have the character of ‘soft law’, which has a
 
normative effect. Although controllers retain the right to challenge the legal interpretation,
 
their authoritative nature cannot be called into question. The GBA sets out clear and clearly formulated examples and
 
practices in its cookie checklist.9 It is emphasised that
 
data controllers can always object to specific
 
interpretations. The defendant is not deprived of any legal remedy in
 
this regard.
 
129. More specifically, the Dispute Chamber also addresses the defendant's
 
argument that the GBA is not consistent in providing information, since it does not
 
explicitly refer to the refusal option on its website for citizens, but does on the
 
page for professionals. Again, this argument is not helpful, since it is also the task of an
 
authority to make data controllers more aware of their obligations (Article 57.1.d GDPR, i.e. a separate and
 
independent legal task). 130. Since the defendant does not deny that the professional page is or could be directed at her, the question is why the defendant tries to derive an argument from the difference between that page and the page
 
directed to the citizen to state that no infringement has occurred or that no infringement can be attributed to her. Moreover, this
 
argument proves that the information that the GBA provides on its website with regard to
 
the controller is completely and unmistakably consistent with the decision of the Dispute
 
Chamber before us. 131. The Dispute Chamber decides that the defendant infringes Article 10/2 WVP
 
in conjunction with Article 6.1.a GDPR, since the consent of the data subjects in light of the placing
 
of cookies on its website, is not lawful, since it is not freely and
 
unambiguously obtained. The free and unambiguous nature of the consent
 
is fundamental to being able to speak of lawful consent; in the absence of
 
49 GBA, “cookie checklist” available via: https://www.gegevensbeschermingsautoriteit.be/publications/cookie-
checklist.pdf.
50 Cookies that do not fall under the exceptional cases of Article 10/2 WVP. Decision on the merits 113/2024 — 38/70
 
such lawful consent, the processing of personal data based on
 
such consent is not lawful.
 
II.3.2. Use of misleading button colours
 
Position of the complaining party
 
132. The complaining party's argument is as follows:
 
"The "Agree and close" button on the first level of the cookie banners of the
 
websites always has a striking, eye-catching colour (red, blue or
 
black with white text) against a white background. While the button with "More
 
information" has a colour that almost disappears against the background colour of the
 
cookie banners (light grey with dark grey letters against a white background).
 
By explicitly 'highlighting' the "Agree and close" button compared
 
to the option to refuse cookies, website visitors, such as the complainant,
 
are explicitly encouraged to click on "Agree and close". Research has also shown that if the button for giving consent has a (much) more conspicuous
 
colour than the button for refusing consent, consent is given 1.7 times more often
 
than when both buttons have the same colour.
 
This means that the consent obtained by the defendant for placing cookies
 
cannot be regarded as ‘unambiguous’ (Article 4(11) GDPR),
 
which means that the consent obtained from the complainant is invalid (Article 6(1)(a) GDPR in conjunction with Article
 
5(3)ePrivacyRl in conjunction with Article 10/2 WVP), which means that the
 
defendant cannot demonstrate that the complainant has given consent to the processing of his
 
personal data (Article 7(1) in conjunction with Article 5(2) GDPR).
 
As already emphasized in the complaint, it also follows from the EDPB Cookie Banner Taskforce
 
report that the contrast and colors used in the cookie banner may not be "obviously misleading", as this leads to
 
"unintended" and thus invalid consent.[…] Guidelines from many
 
supervisory authorities, such as the Greek[…], Austrian[…] and the
 
Czech[…] supervisory authority, also explicitly state that controllers may not use misleading button colors
 
that encourage website visitors to click "Agree and close". Decision on the merits 113/2024 — 39/70
 
If users of a website are induced to make decisions that go against their privacy interests because of visual elements, such as color,
 
this must also be considered a violation of the principles of lawfulness, fairness and transparency of art. 5(1)(a) GDPR:
 
[quote in English from the EDPB guidelines 03/2022 on misleading
 
design in interfaces of social media platforms]
 
As already explained above, determining that the use of
 
misleading button colours in the defendant's cookie banners constitutes an infringement
 
is not so much the application of supervisory guidelines, but rather
 
simply a direct and concrete application of legislation (in accordance with the
 
applicable legal view).
 
A single approved action plan or individual (old) decisions of the
 
Dispute Chamber in a few specific cases, which did not concern misleading
 
button colours of cookie banners, cannot be attributed the value that they
 
should apply as a valid legal opinion.[…] As already
 
mentioned in this conclusion, the Market Court has also confirmed that the
 
decisions of the Dispute Chamber of the GBA do not
 
have a precedent effect.[…]
 
In addition, when the complainant visited the websites, the
 
button with "All agreed" on the second level of the cookie
 
banners had the same eye-catching colour as on the first level of the cookie
 
banner. While the button with "Nothing agreed" had the
 
same inconspicuous colour as on the first level of the cookie
 
banner.
 
However, the current cookie banners on the defendant's websites have these buttons
 
“Reject All”, “Agree With All”, “Disagree” and “Agree” on the second
 
level of the cookie banner all the same white colour with light grey
 
letters.[…] This shows that adjusting the cookie banners and offering
 
a neutral choice without ‘dark patterns’ is therefore possible
 
for the defendant and that offering other misleading button colours is a deliberate
 
choice to make it more difficult for website visitors to refuse cookies. It
 
also shows that the defendant himself apparently also believes that the previous
 
cookie banner did not meet the applicable legal requirements.[…]
 
Decision on the merits 113/2024 — 40/70
 
However, the complaint must be assessed on the basis of the facts at the
 
time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection
 
law by deleting the personal data in connection with a complaint or investigation.
 
This does not alter the fact that the breach has indeed occurred (for a considerable time).
 
Moreover, this does not remove all the breaches described in this paragraph.”
 
Defendant's position
 
133. The defendant's defence is as follows (the Dispute Chamber summarises):
 
"5th ground (subordinate): Different colours in the cookie banner do not constitute an infringement of Articles 5.1.a GDPR and 6.1.a GDPR in conjunction with Articles 10/2 GBW
 
and 125, §1, 1° WEC"
 
a. Firstly, the defendant submits in the main order: "The complaint is without object
 
to the extent that Mediahuis has not used different colours in the second
 
information layer of the cookie banners since 20 November 2023".
 
b. Secondly, the defendant submits in a subordinate order: "No infringement of Article
6.1.a. GDPR or Articles 10/2 GBW and 125, §1, 1° WEC". In this respect, the
 
defendant again states that the complainant gave his consent, as well as that
 
there is “no prohibition” on the use of different colours for obtaining
 
consent in cookie banners.
 
c. Thirdly, the defendant raises another subordinate point: “No infringement
 
of the principle of legality, propriety and transparency (Article 5.1.a
 
GDPR)”. On this point, the defendant states that there is no infringement of this principle, because
 
there is “no prohibition” on the use of different colours by the cookie
 
banner that is used in the context of granting consent,
 
in addition, that the use of colour is in accordance with the decision-making
 
practice of the Dispute Chamber, that the use of colour is in accordance with the
 
action plan of the IAB that was approved by the Dispute Chamber, and that there
 
is no question of deception (in connection with the alleged misleading nature of the
 
buttons).
 
d. Fourthly, the defendant submits that “in any case”: “Mediahuis does not violate Articles 10/2 GBW, 125 WEC, 5.1.a and 6.1.a because the use of colour in its cookie banners is not fully in line with policy documents of the Decision on the merits 113/2024 — 41/70
 
authorities”. The defendant also states that such documents do not have the force of law.
 
e. Fifthly, the defendant offers a reply to the conclusion of the complaining party.
 
Assessment by the Dispute Resolution Chamber
 
134. As the EDP guidelines on misleading design patterns within the operation of
 
social media platforms clarifies, in the case of a potentially misleading design, the principle of propriety contained in Article 5.1.a GDPR can be considered when
 
assessing whether an infringement of the law has occurred. 51
 
135. On each of the four websites at issue, the first ‘layer’ of the cookie banner
 
is displayed in a quasi-exact manner as on the website of the newspaper “De Standaard” –
 
albeit with different colours, depending on the relevant news website at issue:
 
52
 
136. By using certain more explicit colours on the four websites at issue, which
 
may have the primary reason for inducing the data subject to give
 
consent to be able to place cookies, the Dispute Chamber
 
expressly considers that the duty of propriety under Article 5.1.a GDPR has been
 
violated, and it also jeopardises the legally valid obtaining of consent, which
 
constitutes an infringement of Article 6.1.a GDPR. After all, consent cannot be
 
obtained unambiguously when a data subject is “led” to perform a certain act.
 
5EDPB,Guidelines3/2022ondeceptivedesignpatternsinsocialmediaplatforminterfaces:howtorecognizeandavoidthem”
v. 2.0, 14 February 2023, 4.
 
52Partial reproduction of document 1 administrative file, complaint, p. 9. Decision on the merits 113/2024 — 42/70
 
137. It is clear that the conspicuous use of colour on the first layer of the
 
cookie banners at issue, where the button displaying the accept all option (‘agree and close’)
 
is given the most explicit colour in a more emphatic contrast, is intended to
 
reflect a particular choice that leads to more intrusive processing of personal
 
data as a result of the placement of cookies.
 
138. The EDPB Cookie Banner Taskforce report points out that, with regard to the use of colour,
 
no general standard can be imposed on controllers, but
 
53
the assessment must be made on a case-by-case basis.
 
139. In the cases at hand, the defendant uses various striking colours that
 
likely create a deceptive snugness for a data subject:
 
a. On the website of “De Standaard”, “akkoordensluiten” is highlighted in dark red as
 
the most data-processing option, while for the referral to the
 
alternatives, a light grey banner on a white background must be clicked;
 
b. On the website of “HetBelang van Limburg” “closing agreements” is highlighted in dark black as the most data-processing option, while a light grey banner on a white background is required for the redirection to the alternatives;
 
c. On the website of “HetNieuwsblad” “closing agreements” is highlighted in dark blue as the most data-processing option, while a light grey banner on a white background is required for the redirection to the alternatives;
 
d. On the website of “GazetvanAntwerpen” “closing agreements” is highlighted in bright red as the most data-processing option, while a light grey banner on a white background is required for the redirection to the alternatives.
 
140. Interfaces that, as in the present case, are designed with deceptive comfort, clearly induce a data subject to choose the most data-processing options, among other things, because the person does not even know how many steps he still has to take before he can choose not to have the cookies placed (i.e. not to give consent for the placement). The data subject knows that with this comfortable option he is on the first layer of
 
53EDPB, Report of the work undertaken by the Cookie Banner Taskforce, 17 January 2023, §17.
54EDPB,Guidelines3/2022ondeceptivedesignpatternsinsocialmediaplatforminterfaces:howtorecognizeandavoidthem,
v. 2.0, 14 February 2023, §177. Decision on the merits 113/2024 — 43/70
 
the cookie banner chooses the ‘path of least resistance’ – without this necessarily reflecting its
 
real, informed preference for granting consent.
 
141. The defendant’s argument that the complaint is “without object” on this point because
 
the second layer of information (after an adjustment during the procedure) no longer
 
uses different colours is evidently not helpful. The assessment in this respect
 
concerns the use of colours on the first layer of the cookie banner, the
 
assessment of the Dispute Chamber is not limited in the file (including the letter dated 5
 
February 2024 with alleged infringements) to the second layer of the
 
cookie banner. 142. The argument that the complainant concerned did give permission is also not helpful,
 
since whether or not permission was given does not prevent the assessment of the propriety of
 
the processing. Nor is the fact that permission was given ipso facto sufficient to state that the permission was validly granted.
 
143. The argument that there is “no prohibition” on the use of different colours is correct
 
in the formal sense. However, the Dispute Resolution Chamber has already explained above that this
 
does not prevent the choice of certain colours from violating the duty of propriety in the light of
 
personal data processing activities, and that the unambiguous nature of the permission
 
cannot be guaranteed.
 
144. The argument that the Dispute Chamber approved an action plan of a sector organisation that
 
is directly related to the disputed situations at hand is also not a useful argument. As previously noted, the
 
decisions of the Dispute Chamber have no precedent value. Moreover, it concerns an
 
actor that is completely foreign to the present procedure. In addition, the
 
Dispute Chamber emphasises that, under Article 5.2 and Article 24 GDPR, the
 
controller is responsible for compliance with the application of the GDPR and for taking the
 
appropriate technical and organisational measures in this regard. The defendant in no way disputes its responsibility
 
for the substantive assessment of its processing activities, so while the argument
 
may not be substantively useful, it is also more than clear that the argument in the
 
formal sense misses its target. 145. The Litigation Chamber does not dispute – as the defendant argues – that the guidelines of the
 
supervisory authority and of the European Data Protection Board do not
 
have the force of law. However, this does not mean that they do not
 
(should not) have any authoritative value, at least because Article 57.1.f of the GDPR imposes the task on the DPA
 
to inform controllers of their obligations under the
 
regulation, just as Article 70.1.u imposes the task on the European Board
 
to have supervisory authorities cooperate and, where appropriate, formulate guidelines, best practices and
 
recommendations to ensure the consistent application of the GDPR (Article 70.1.d. GDPR).
 
146. For all these reasons, it is clear that misleading colours are used on the first layer of the cookie banner, which constitutes a breach of the duty of propriety within the meaning of
 
art. 5.1.a. GDPR. Since the consent is not unambiguous, it cannot be said that
 
there is valid consent within the meaning of art. 6.1.a. GDPR.
 
II.3.3. Withdrawal of consent cf. article 7.3 GDPR
 
Position of the complaining party
 
147. The position of the complaining party is as follows:
 
“It is not as easy to withdraw consent on any of the websites of the defendant [respondent] as it is to
 
accept cookies. Accepting all cookies is done with one simple click (or two clicks if the "More information" button is pressed), while withdrawing consent is not possible with one click. Instead, website visitors must go to a specific section of the website to withdraw cookies. At the very bottom of the page, somewhere among an extensive list of various other links, is a link called "Manage privacy preferences". If this is clicked, the website visitor can click "Reject all", "Agree to all" or, per purpose, "Disagree" or "Agree".
 
Pursuant to Art. 7(3), first sentence of the GDPR, the data subject has the right to withdraw his or her consent at any time. Withdrawing consent should be as easy as giving it under Art. 7(3), third sentence of the GDPR. Now, the requirements of Art. 7 GDPR is met, the defendant also violates art. 12(1) GDPR,
 
art.17(1)(b) GDPR, art.5(3)e Privacy Guidelines art.10/2 GBW. The defendant also
 
does not act in accordance with the principles of lawfulness, transparency and fairness (art. 5(1)(a) GDPR).
 
Moreover, the simple withdrawal of consent is indeed a requirement for the given consent to be qualified as valid in the first place according to art. 7(1) in conjunction with 4(11) of the GDPR (and therefore also for the question of whether the requirements of art. 10/2GBW and art. 125§1, 1° WEC are met[…]). The EDPB has also confirmed this in the guidelines on consent:
 
“The requirement of being able to withdraw consent easily is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw Decision on the merits 113/2024 — 45/70
 
does not meet the requirements of the GDPR, then the mechanism for the controller’s consent does not meet the GDPR. [...].”[…]
 
(emphasis added)
 
The EDPB Cookie Banner Task Force report also emphasises that
 
withdrawing consent for cookies should be as easy as giving it […]
 
This is also confirmed in the EDPB guidelines on consent and clarified as follows:
 
“However, where consent is obtained by electronic means, by
 
a single mouse click, swipe or keystroke, the data subject should be able to
 
withdraw consent just as easily in practice.”[…]
 
The EDPB guidelines on deceptive design and dark patterns
explicitly reiterate this same requirement […] .
 
Consequently, the defendant should be given the
 
opportunity to withdraw consent by a single mouse click. Now that a clearly visible
 
option for giving consent is offered, there should also be an equally clearly
 
visible option for withdrawing consent. A link with the name under "Manage Privacy Preferences", in small print, among an extensive list of other links, at the very bottom of the defendant's website pages - where
 
it takes some time to scroll all the way down - clearly does not meet these requirements.
 
A floating, permanently visible (hoover) button to withdraw consent that is permanently visible would meet these
 
requirements.
 
The defendant has improved the ability to withdraw consent and change cookie settings somewhat
 
compared to when the complainant filed the complaint. It is now possible to click on a "Reject All" button once the "Manage Privacy Preferences" button has been found and clicked, whereas previously it was only possible to withdraw consent for each purpose separately.[…] This shows that the defendant can easily offer an equivalent option to withdraw cookies once the website visitor has found the option to adjust the cookie settings, and that the defendant has previously deliberately not done so. It also shows Decision on the merits 113/2024 — 46/70 that the defendant apparently also considers that the previous cookie banner did not meet the applicable legal requirements of Article 7(3) GDPR.
 
However, the complaint must be assessed on the basis of the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection
 
law by deleting the personal data in connection with a complaint or investigation. This also does not alter the fact that the
 
breach has indeed occurred (for a considerable time). Moreover, with the changes
 
made by the defendant, it is still not as easy to withdraw consent as it is to give it, it has
 
just become easier than it was at the time the complaint was filed. Defendant's position
 
148. The defendant's position is as follows (the Dispute Chamber summarises):
 
"6 ground (subordinate): The withdrawal of consent does not constitute a violation of
 
Article 4(11) in conjunction with 7.3 GDPR, nor of Articles 10/2 GBW and 125, §1, 1° WEC"
 
a. Firstly, the defendant states "in the main order" that there is no interest in the proceedings for the
 
complainant, as it appears from the file that the complainant did not withdraw his consent - although
 
he had given it. In addition, the defendant points out that no consent was given by the complainant on
 
10 February 2023, but it was given on
 
(presumably) five other, later dates.
 
b. Secondly, the defendant “subordinately” states that a user can withdraw his consent just as easily as giving it and that the complaint on this point is therefore without
 
object. The defendant points out that a “manage privacy preferences” button is available on every web page of the four
 
websites at issue, and that a user can then withdraw all consents with one click.
 
c. Thirdly, the defendant “subordinately” states that there is no infringement of Article 4.11
 
GDPR, since the definition contained therein does not state anything with regard to the withdrawal
 
of consent already given. This is contained in Article 7.3 GDPR.
 
d. Fourthly, the defendant “subordinately” states that there is no infringement of Article 7.3
 
GDPR. In this respect, the defendant points out that the wording "as simple as" in the standard is an open concept that is not given concrete legal substance, whereby the defendant explains in concrete terms why the websites at issue do indeed comply with the standard. In the previous situation on the website, there was no "no agreement" option. The defendant states in this regard: "A visitor who wanted to withdraw his full consent therefore had to click a number of times more than in the situation in which he wanted to give his full consent. This single point of difference (a number of clicks) cannot constitute a lack of equivalence within the meaning of Article 7.3, last sentence of the GDPR." e. Fifthly, the defendant states “subordinately” that there is no infringement of article 10/2
 
GBW and article 125 § 1, 1° WEC. As regards this point, the defendant states that the
 
e
complaint concerning the 3 alleged infringement concerns the withdrawal of consent already given, and not
 
about the lawful placement of the initially placed cookies – as a result of which the provisions raised by the Dispute Chamber “ex officio”
 
do not apply.
 
f. Sixthly, the defendant replies to the conclusion of the plaintiff on this point.
 
Assessment of the Dispute Chamber
 
149. First, the situation before the withdrawal of consent
 
at the time of the complaint (the ‘old’ situation) must be considered, and before the defendant made a number of
adjustments during the proceedings. These adjustments to the websites at issue
 
led to the withdrawal of consent in the ‘new’ situation after clicking on the
 
link ‘manage privacy preferences’ on the websites at issue - with a single click
 
(“reject all”).
 
150. In the ‘old’ situation, a data subject did indeed have to make a “number of clicks” (as
 
the defendant himself put it) in order to withdraw consent,
 
while the initial consent (“accept and close”) required only one click. The
 
defendant himself expressly acknowledges that a visitor (here qualified as the data subject)
 
had to click “a number of times more” than “the situation in which he wanted to give his full
 
consent.”
 
151. In this ‘old’ situation, withdrawing consent was apparently not as
 
easy as giving it, which constitutes a violation of art. 7.3 GDPR. The fact that
 
‘withdrawing’ consent is a relative concept – in the sense that
 
withdrawing consent must be “as easy” as giving it – does not
 
detract from this. Such qualification as a relative concept in the legal sense may be
 
correct, but in the relative circumstances the “number of clicks” that the
 
defendant himself speaks of are clearly relatively more clicks than the single click of the “accept
 
and close” button in the cookie banner. 152. As regards the ‘new’ situation, following the defendant’s adjustments during the
 
procedure: in the new situation, consent can be withdrawn after clicking on the ‘privacy preferences’ link on each web page of each news website at issue
 
with a single click (“reject all”). The choice is offered on a cookie banner identical to
 
the second layer of the cookie banner for giving consent: this
 
practice does not – based on the documents in the file – give rise to
 
establishing an infringement.
 
153. The website does not require a mandatory “permanently visible” button for
 
properly withdrawing consent. If a data subject can withdraw consent under Article 7.3 GDPR with two clicks from each web page on the websites at issue, this is in line with the spirit of the legal provision. A data subject can reasonably assume that the settings regarding cookies are located at the bottom of a web page. The person can therefore still access the information regarding the withdrawal of consent and do so by means of a single button.
 
154. As the EDPB pointed out in the Cookie Banner Taskforce report, it is sufficient that a link is available on the website and that this is in a “visible and standardised place”. Placing a direct link at the bottom of each web page leading to a banner with a single button for withdrawing consent is in line with this wording. The EDPB also, in the same report,
 
underlined that the legislation only shows that easily accessible solutions for
 
withdrawing consent should be offered, but that “it cannot be
 
imposed” that a “specific withdrawal solution” be implemented and “in particular the
 
design of a hovering solution” cannot therefore be imposed on a controller within the
 
current legal context. 56
 
155. The defendant rightly emphasises that the fact that consent under Art. 7.3 GDPR
 
must be able to be withdrawn “as easily” as it was given,
 
sets a relative situation. In that sense, for the proper functioning of a website – which is
 
in the interest of the visitor concerned, it cannot be expected that the withdrawal of
 
consent is done in exactly the same way if this means that it must be done (in the most
 
literal sense) ‘at all times’ in that way. 156. In that line of reasoning, a “hoover” button (the proposal put forward by the complainant) would not be sufficient either, because such a “hoover” button does not offer exactly the same visual representation as a cookie banner (for granting consent) for withdrawing consent at any time during a visit to the website. This would have a blocking effect for the internet user, which is of course manifestly unreasonable.
 
55EDPB, Report of the work undertaken by the Cookie Banner Taskforce, 17 January 2023, §32.
56EDPB, Report of the work undertaken by the Cookie Banner Taskforce, 17 January 2023, §35. Decision on the substance 113/2024 — 49/70
 
157. As regards the ‘old’ situation, an infringement must therefore be established
 
of art. 7.3 GDPR. Given that there are no indications that this infringement continues within the
 
‘new’ situation after adjustments in this regard by the defendant, the Dispute Chamber
 
decides on this point to reprimand the defendant. No other coercive or
punitive measures are appropriate in this regard.
 
II.3.4. Use of legitimate interest for placing cookies that
require consent and alleged violation of transparency and
information obligations
 
Position of the complainant
 
158. The position of the complainant is as follows:
 
“When the complainant visited the websites, the websites of the defendant
 
[defendant] contained a legitimate interest button in the second layer of the
 
cookie banner that was set to “Agree” by default for carrying out an “Extensive
 
measurement” in order to “Measure advertising and content performance. Insights can
 
be derived about the audience that saw the advertisements and content. Data can be used to build or improve user experience, systems and software.” This “legitimate interest button” for performing
 
such “measurements” was placed next to a button to give consent
 
for the same purpose and was only visible if the website visitor pressed the ‘+’
 
button.
 
The defendant [respondent] thus claimed to have a legitimate interest (Article 6(1)(f) GDPR) for performing “extensive measurements” if the complainant
 
would not give consent (Article 6(1)(a) GDPR). Legitimate interest
 
thus formed the ‘back-up’ basis for the defendant. The defendant thus
 
unlawfully switches from an “opt-in” system based on Article 6(1)(a) GDPR to an
 
“opt-out” system based on Article 6(1)(f) GDPR.
 
Legitimate interest was and is not at all a valid legal basis for
 
placing and reading non-strictly necessary cookies, such as cookies placed
 
to perform “extensive measurements” (cf. art. 5(3)
ePrivacy Directive in conjunction with art. 10/2 GBW). This has been confirmed again in the EDPB
 
Cookiebanner Taskforce Report[..] and in guidelines from national supervisory authorities. Decision on the merits 113/2024 — 50/70
 
It is correct that other grounds from art. 6 GDPR can be used in very limited cases
 
for placing and reading cookies. But this applies
 
only to the extent that it concerns strictly necessary cookies and for the exclusive
 
purpose of sending comm[u]nications via an electronic communications network (art. 5(3) ePrivacy Directive in conjunction with art. 10/2 GBW). The defendant's performance of "extensive measurements" does not fall under this strict exception.
 
The further processing of personal data obtained via cookies, for which consent is required, should also be based on the basis of consent, as also confirmed by the EDPB and the EDPS.[…] This also applies
 
to the further processing of data for the performance of "extensive measurements" by the defendant.
 
It is also misleading that the defendant made it appear that
 
consent is the basis for the processing, but if this consent is not
 
given, simply switches to the basis of legitimate interest, without respecting the
 
complainant's choice to refuse consent.
 
In doing so, the defendant violated the principles of lawfulness, fairness and
 
transparency (Article 5(1)(a) GDPR). This practice is, after all, contrary to Article 6 GDPR
 
and Article 5(3) ePrivacy Directive jo. art. 10/2 GBW and therefore unlawful.
 
The EDPB Guidelines on consent also expressly state that
 
this conduct of the defendant is unfair (art. 5(1)(a) GDPR):
 
“It is important to note here that if a controller
 
chooses to rely on consent for part of the processing, it must be
 
prepared to respect the choices made regarding that consent, and to stop that part of the
 
processing if an individual withdraws consent. To pretend that data are being
 
processed on the basis of consent, when in fact relying on another
 
legal ground, would be materially unfair to the data subjects. [...] In other words, the
 
controller cannot substitute consent for other legal grounds. For example,
 
it is not permitted, where the validity of consent raises problems,
 
to subsequently use the legal basis of “legitimate interest” to
 
justify processing.”[…] (emphasis added) Decision on the merits 113/2024 — 51/70
 
Moreover, no information on the alleged
 
legitimate interest was included in the cookie banner, nor was an option to object
 
included at the first level of the cookie banner.
 
The only possibility to object and even receive the information about such a claimed legitimate interest was hidden in the
 
second layer of the cookie banner. From the text "Set preferences" on the first
 
information level of the cookie banner, this information or the possibility to object did not follow. In
 
fact, even within the second information level, the plus sign (+) at "Extended
 
measurement" had to be clicked through to change the "Legitimate interest" of the defendant to "Disagree".
 
In other words, objecting to and being informed about the alleged
 
legitimate interest of the defendant required the website visitor to click through several times, something that
 
website visitors only do in practice in 2% of cases.
 
This is in conflict with Art. 21(4) GDPR and Art. 12(2) GDPR, since both the fact that the defendant
 
based its processing (subsidiarily) on its alleged legitimate
 
interest and the possibility to object to this alleged legitimate interest of the defendant
 
had not been expressly brought to the attention of the data subject. This also meant that the defendant's conduct
 
was not transparent (Article 5(1)(a) GDPR).
 
Furthermore, it is also incomprehensible that the defendant apparently assumed that if a
 
data subject did not give consent to the relevant "extended measurement"
 
processing, he would not also object to the processing under Article 21
 
GDPR. However, the cookie banner seemed to assume that data subjects must express the same
 
desire not to have their data processed twice: once as a refusal of consent and then as an additional
 
objection to the same processing activity (which constitutes a "double opt-out").
 
In view of the foregoing, the defendant has violated the principles of legality,
 
property and transparency by the defendant (Article 5(1)(a) GDPR).
 
Fortunately, the defendant has already removed the references to a "legitimate interest" in its
 
cookie banners. The inclusion of a "legitimate interest" in the
 
cookie banners therefore appears not to be necessary for the defendant and appears to be easily
 
adjustable, from which it follows that the defendant has previously deliberately chosen
 
to include a reference to legitimate interest in its cookie banners.
 
It also shows that the defendant apparently also believes that the
 
previous cookie banner did not meet the applicable legal requirements and that
 
the defendant therefore never had a legitimate interest in carrying out
 
“extensive measurements”, now that the defendant speaks of a “useless and
 
irrelevant reference to legitimate interest”.
 
However, the complaint must still be assessed on the basis of the facts at
 
the time the complaint was filed. Otherwise, the respondent could always
 
evade any processing responsibility under the data protection legislation by
 
remedying GDPR violations after filing a complaint or during an
 
investigation. This also does not detract from the fact that the violation
 
did indeed occur (for a considerable time).” Defendant's position
 
159. The defendant's defence is as follows (The Dispute Chamber summarises):
 
"7th ground (subordinate): The reference to 'legitimate interest' does not constitute a
 
violation of Article 6.1.f GDPR, nor of Articles 10/2 GBW and 125, par. 1, 1° WEC"
 
a. Firstly, the defendant states "in the main" that there is an absence of a
 
sufficient personal interest on the part of the complainant in connection with the
 
alleged use of the legitimate interest. In addition, the defendant states, among other things,
 
that no cookies were placed in this way in the case of the complainant, since the
 
complainant gave his consent for the placing of cookies.
 
b. Secondly, the defendant states "subordinately" that the complaint is without
 
object because Mediahuis' current cookie screens no longer refer to legitimate
 
interest. The defendant points out that during the same period as the
 
settlement procedure, a number of adjustments regarding the placement of cookies on the basis of
 
legitimate interest were prepared (and ultimately
 
implemented on 22 December 2023).
 
c. Thirdly, the defendant states "more subordinately" that there is no violation of
 
Article 6.1.f. GDPR and that the complaint is unfounded to the extent that it states that
 
legitimate interest can never be used as a legal basis for cookies.
 
d. Fourthly, the defendant states "more subordinately" that there is no violation of
 
Article 10/2 GBW and Article 125 § 1, 1° WEC. The defendant: “[…] if under Article
 
10/2 GBW the exception to the rule (consent) applies, then Decision on the merits 113/2024 — 53/70
 
it goes without saying that in such a case the rule (consent) itself does not
 
apply.”
 
e. Fifthly, the defendant replies to the conclusion of the complainant regarding this
 
part.
 
ste
“8 ground of appeal (subordinate): No violation of Articles 5.1.a, 12.2 and 21.4 GDPR
with regard to the transparency of the cookie banner”
 
a. Firstly, the defendant states “in the main order” that the complaint is without object, since
 
there is no longer a “legitimate interest” since 23 December 2023. In addition, the
 
defendant states that any reference to the legitimate interest was removed on 22 December
2023.
 
b. Secondly, the defendant “subordinately” states that there is no violation of Article
 
5.1.a. GDPR. In this respect, the defendant considers the ‘charge’ under Article
 
5.1.a. GDPR unclear, the defendant states that the design of its cookie banner does indeed comply with the legal standards, and that the
 
legitimate interest can exist simultaneously with the mention of
 
consent.
 
Thirdly, the defendant “subordinately” states that there is no violation of Article
 
c. 12.2 GDPR. In this respect, the defendant states that there can be no violation
 
here, because the duty to facilitate would only exist when exercising the right (as contained in Article 21.4
 
GDPR).
 
d. Fourthly, the defendant “subordinately” states that there has been no violation of Article
 
21.4 GDPR, referring to the information in the privacy policy as well as the information at the time of the first contact
 
with users.
 
e. Fifthly, the defendant replies to the conclusion of the complainant on this
 
point.
 
Assessment by the Dispute Resolution Chamber
 
160. The defendant admits that cookies were placed on the basis of legitimate
 
interest, at least some of which had to be placed on the basis of the
 
consent pursuant to the e-Privacy Directive and its transposition into the WVP. Cookies
 
placed in order to carry out ‘extensive measurements’ regarding website use
 
for purposes including advertising (at least as regards the analysis
 
of the reach and effectiveness of cookies targeted at that purpose), are by definition
 
not strictly necessary. Such cookies therefore require consent under Art. 10/2
 
WVP, but also under art. 6.1.a GDPR for the subsequent processing of personal data. Decision on the merits 113/2024 — 54/70
 
161. As the EDPB has underlined in the Cookie Banner Taskforce report, the
 
use or mention of legitimate interest as a legal basis in the cookie banner can also be confusing for users, who may think that they
 
have to refuse twice in order not to have their personal data processed. 57 In that
 
sense, the legal basis for placing a cookie must therefore be either on the basis of
 
legitimate interest or on the basis of consent.
 
162. In the absence of consent, it is not possible to choose to
 
provide the legitimate interest as a 'back-up' legal basis, as it were. This is
 
not only not very transparent with regard to data subjects whose consent is
 
requested, it is also not permitted within the scope of art. 10/2 WVP (as a transposition of
 
Article 5.3 e-Privacy Directive) and Art. 6 GDPR. Both provisions require the implementation
 
by a controller of a personal data processing based on
 
a single legal basis. Just as the Litigation Chamber has already stated in several decisions 58,
 
the EDPB points this out in its guidelines on consent:
 
Before starting the processing activities, it must be determined
 
which of the six grounds apply in relation to which specific
 
purpose . . .
 
It is important to note here that if a controller
 
chooses to rely on consent for part of the processing, it must be
 
prepared to respect the choices regarding that consent, and to stop that part of the
 
processing if a person withdraws his consent.
 
To pretend that data is processed on the basis of consent,
 
while in reality relying on another legal basis, would be fundamentally
 
59
unfair to the data subjects.
 
163. The Dispute Chamber considers that it does not adopt an (unnecessarily) strict interpretation of what
 
strictly necessary cookies constitute. 60 However, the legislator currently leaves no room
 
for a different interpretation and itself expressly speaks of a “strictly necessary”
 
nature (Article 10/2 WVP). To hold that cookies such as certain analytical cookies – which are
 
not strictly necessary for the proper functioning of the website – can be placed on the basis of
 
legitimate interest would not merely reflect a ‘lenient’ or ‘flexible’
 
attitude, it would be an interpretation that is contrary to the law. This
 
situation applies.
 
57 Cf. EDPB, Report of the work undertaken by the Cookie Banner Taskforce, 17 January 2023, §22. 58
Litigation Chamber, Decision on the substance 133/202 of 2 December 2021, marg. 56-9; Litigation Chamber, Decision on the substance
147/2022 of 17 October 2022, marg. 18; Litigation Chamber, Decision on the substance 105/2023 of 1 August 2023, marg. 98.
59EDPB, Guidelines 5/2020 on consent pursuant to Regulation 2016/679, v 1.1, 4 May 2020, §121-2.
60
Cf. A. GOBERT, “Chapter 5. The case law of the APD on the matter of cookies” in M. Knockaert and J.-M. Van Gyseghem, 5
années dejursprudencedelaChambreContentieusede l’APD, Brussels, Editions Larcier-Intersentia, (139) 142, §8: here the author speaks of a « strict interpretation of article 5 §3 e-Privacy Directive ». Decision on the merits 113/2024 — 55/70
 
a fortiori for cookies used for marketing purposes. The Dispute Chamber applies the
 
applicable legal rules to the facts.
 
164. It was not independently determined - for example by the Inspection Service - which
 
cookies were placed and in what order of magnitude. In any case, the defendant's acknowledgement of the fact regarding the unlawful placement of cookies on the basis of a
 
legitimate interest requires the defendant to reprimand the defendant: they may only place cookies on the basis of a
 
legitimate interest, insofar as the cookie complies with the
 
exceptional scenario under Article 10/2, paragraph 2 of the WVP; since they did not do so in the past,
this constitutes an infringement of the aforementioned provision. The same applies mutatis mutandis to
 
the subsequent processing of personal data that must be based on either Article 6.1.a. or Article 6.1.f of the GDPR - not both provisions at the same time or as a
 
interchangeable 'back-up'. 165. It is therefore not relevant whether or not the complainant in question has obtained lawful consent; the mere fact that the defendant potentially does not ask for consent to place such cookies, and this subsequently results in unlawful processing of personal data, is sufficient to establish the infringement.
 
166. The fact that the decision to place such cookies is partly in the hands of third parties
 
(regardless of whether these would constitute joint controllers, controllers or processors in that
 
processing process) is irrelevant. After all, the defendant is, pursuant to Article 5.2 GDPR,
 
responsible for ensuring that the placing of cookies and the processing of personal data resulting from the placing of cookies via its
 
websites in question are carried out lawfully.
 
167. The elements of the complaint relating to the transparency and
 
information obligations, as well as those elements relating to (facilitating the
 
exercise of) the right to object in connection with the placing of cookies on the
 
basis of legitimate interest, are not further examined by means of this decision.
 
The Dispute Chamber does not have sufficient elements in light of the
 
evidence for the assessment of these alleged infringements.
 
168. The Dispute Chamber finds that the grievances set out in the complaint – as
 
correctly cited by the defendant – are too broad, with the result that the
 
defendant has not been able to properly defend itself against them on the basis of the
 
documents from the administrative file submitted in the complaint or during the
 
procedure (for example with regard to the general reference to an alleged infringement of
 
the “principles of transparency, legality and propriety”). Decision on the merits 113/2024 — 56/70
 
169. The Dispute Chamber finds that the defendant violated Article 10/2 WVP in conjunction with Article 6.1.a/
 
GDPR, since the defendant admits to having placed cookies on the basis of the
 
legitimate interest while these did not fall under the exception provision of Article 10/2 WVP
, before making adjustments to its website in this regard. In doing so, the
 
legitimate interest (also under Article 6.1.f. GDPR for subsequent processing) was used
 
as a ‘backup’ when no consent (under Article 6.1.a GDPR) was granted for
 
placing cookies. 170. The defendant should not have placed these cookies and at least did not investigate whether the cookies could be placed on the basis of legitimate interest –
 
while this falls under its responsibility as controller in light of the
 
lawfulness of its personal data processing. For this reason, the
 
Dispute Chamber will proceed to reprimand the defendant on this point.
 
171. The Dispute Chamber will proceed to partially dismiss the complaint with regard to
 
the grievances concerning the transparency and information obligations (more specifically
 
Articles 12.2 and 5.1.a GDPR are mentioned in this case by the complaining party), as well as (the
 
exercise of) the right to object (Article 21.4 GDPR is mentioned by the
 
complaining party) on the grounds stated above.
 
III. Measures and provisional enforceability


III. Measures and Immediate Enforceability
III.1. Orders
III.1. Orders
171. The Dispute Chamber finds it appropriate to issue two separate orders for each of the four contentious websites of the defendant due to the first two mentioned violations.
172. Order 1: The Dispute Chamber orders the addition of a refusal option on every layer of the cookie banner on each of the four contentious websites when an option to accept all (“agree and close”) is provided on the same layer, insofar as the accept-all option serves to grant consent within the meaning of Article 10/2 PD Act in conjunction with Article 6.1(a) GDPR for the placement of cookies involving personal data processing.
173. Order 2: In placing buttons on the cookie layers in the context of obtaining consent for the placement of cookies on the defendant’s contentious websites, the buttons – and more specifically the colors and contrast of those buttons – must not be designed deceptively. The all-refuse option must be presented in an equivalent manner compared to the all-accept option, as it is currently shown on each of the four contentious websites. This does not preclude the defendant as the data controller from opting to display such buttons in approximately the same visible location, utilizing the same color and size of button and text display; it remains the data controller's responsibility to make the choices necessary to comply with its obligations under Articles 5.2 and 24 GDPR.
174. For each of the two orders, the defendant may take inspiration from the suggestions and examples provided by the GBA in its Cookie Checklist. However, it is up to the data controller to make the necessary technical and organizational choices in this regard. An illustrative image from the Checklist could potentially be relevant for following the orders:


172. The Dispute Chamber considers it appropriate to impose two separate
---
 
Website
orders for each of the four disputed websites of the defendant pursuant to the
If you want to allow the placement of cookies on your device, you can click the “Accept All” button. If you wish to refuse their placement, you can go to the next level by clicking “Settings.”
first two infringements.
All Accept | Settings
 
173. Order 1: the Dispute Chamber orders the addition of a
 
refuse option on each layer of the cookie banner on each of the four
 
disputed websites, where the option to accept all ("agree") is provided on the
 
same layer, insofar as the accept all option serves to
 
grant consent within the meaning of Article 10/2 WVP in conjunction with Article 6.1.a GDPR for
 
placing cookies that involve the processing of personal data. 174. Order 2: when placing buttons on the cookie layers in the context of obtaining
 
consent to place cookies on the defendant's websites at issue,
 
the buttons – and in particular the colours and contrast of those buttons –
 
must not be of a misleading design. The refuse all option must be displayed in an
 
equivalent manner to the accept all option, as it is now displayed on each of
 
the four websites at issue. This does not in principle preclude the defendant
 
as data controller from opting to display such buttons in approximately the
 
same visible place, using the same colour and the same size of button and text
 
display; it is the responsibility of the controller to make this choice in order to fulfil its obligations, in accordance with Articles 5.2 and 24 GDPR..
 
175. For each of the two orders, the defendant can draw inspiration from the suggestions and
 
examples provided by the GBA in its Cookie Checklist. However, it is up to the controller to make the technical and
 
organisational choices in this regard. An illustrative image from the Checklist could be relevant for
 
complying with the orders:
 
61
 
176. Each of the two orders must be complied with for each of the four
 
disputed websites, at the latest on the 45th day after notification of this
 
decision. 62 The defendant shall, within the same period, as part of the execution of the order,
 
submit a clear document to the Dispute Chamber and the complainant; this document shows which
 
61 Screenshot of GBA, Cookie Checklist, available via:
 
https://www.gegevensbeschermingsautoriteit.be/publications/cookie-checklist.pdf, 1; the Cookie Checklist was attached to
the settlement proposal and is therefore included in the present administrative file.
 
62In principle, the first of these 45 days starts on the day after the defendant receives the registered letter with the
decision in question or the deadline for collecting the registered letter expires. Decision on the merits 113/2024 — 58/70
 
wayadjustmentshavebeenmadetoeachofthedisputedwebsitesinordertoexecutethetwoorders.
 
e
177. If the Dispute Chamber determines from the 45th day after the decision that the orders
 
have not been or appear to be incompletely complied with, it will notify
 
the defendant of this. As soon as the defendant receives this notification, the
 
penalty (infra) will be declared forfeited until (a) new notification(s) from the Dispute Chamber
 
until each order for each of the disputed websites has been complied with. In the event of partial
 
compliance with one or two orders for one or more disputed websites, the
 
Dispute Chamber will notify the defendant for which order and for which disputed
 
website(s) it considers the execution of the order or orders to be sufficient.
 
III.2. Reprimands
 
178. The Dispute Chamber reprimands the defendant with regard to the difficulty in the "old"
 
situation on the disputed websites to withdraw consent for the placement and reading of
 
cookies (including for the personal data processing that follows the placement of cookies), which constitutes an infringement of
 
art. 7.3 GDPR.
 
179. The Dispute Chamber reprimands the defendant and states that it may only place cookies on the basis of
 
legitimate interest if and insofar as they fall under the exceptional situations provided for in
 
art. 10/2 in fine WVP, and in that sense may also fall under the
 
legal basis contained in art. 6.1.f. GDPR for the following personal data processing.
 
III.3. Penalty payment: special considerations
 
III.3.1. Mitigating circumstances and impact on the nature of the corrective measure
 
(penalty payment)
 
180. The Dispute Chamber takes into account the following argumentation of the defendant
 
in this context:
 
the
“9th remedy (subordinate): No corrective measures can be taken with
 
respect to Mediahuis”. In this regard, the defendant points out that the only corrective
 
measures – if the Dispute Chamber were to decide on an infringement – could be the formulation
 
of a warning or a reprimand.
 
a. Firstly, the defendant points out that it has already taken various measures
 
to bring its cookie banners more in line with the recommendations of the
 
GBA. Decision on the merits 113/2024 — 59/70
 
b. Secondly, the defendant argues that the applicable legal requirements are too
 
general in light of the practices that the complainant and the Dispute
 
Chamber raise. In addition, the defendant points out that the rules invoked constitute
 
general, open standards, whereby the controller can also make certain
 
choices regarding colours, buttons, text used, etc.
 
c. Thirdly, the defendant argues that the content of the rules on cookies
 
is constantly changing and that there is no consensus on the content.
 
Fourthly, the defendant responds to the conclusion of the complainant on this point.
 
d.
 
181. The complainant has also made a number of “requests and suggestions”
 
regarding the sanctioning or imposition of measures; however, it is up to the
63
authority to make the choice to use certain powers, and these arguments will
 
therefore not be discussed further by the complainant. 182. The Litigation Chamber has carefully considered the extent to which it can use its corrective powers, in accordance with the infringements that the defendant has committed and
 
has continued to commit to date. In particular, the Litigation Chamber has taken into account the
 
case-law of the Court of Justice, which states that there must be intent or negligence in
 
committing an infringement in order to be able to impose an administrative fine. 64
 
183. Although the Litigation Chamber can clearly assess the legal situation
 
today in the light of recent case-law of the Court of Justice and the unanimous position of
 
(the majority of) supervisory authorities on the aspects discussed, the Litigation Chamber considers that the
 
defendant rightly refers to previous decisions of the Litigation Chamber in this regard. In this sense, it is far from sufficiently established that there would be no intention and negligence in the context of the defective presentation of free consent (cf. the legal discussion regarding the option "refuse all" - in the presence of an "accept all" button). The Dispute Chamber therefore does not impose an administrative fine.
 
184. Nevertheless, the Dispute Chamber also takes note of the defendant's objection to adapting its cookie banner so that consent is given in a free and unambiguous manner and can therefore be obtained lawfully in the light of the most
 
correct legal assessment. This requires in particular the addition of a "refuse all" button or other presentation of equivalent effect, when the cookie banner
 
63 Judgment of the ECJ of 7 December 2023, UF and AB v. Land Hessen (Schufa), joined cases C-26/22 and C-64/22,
ECLI:EU:C:2023:958, specifically §68-9.
 
64Judgment of the ECJ of 5 December 2023, Deutsche Wohnen, C-807/21; Judgment of the ECJ of 5 December 2023, Nacionalinis
visuomenés sveikatos centras, C-683/21. Decision on the substance 113/2024 — 60/70
 
an “acceptall” button is displayed in the same layer, and this in a proper manner
 
within the meaning of Article 5.1.a GDPR.
 
185. The Dispute Chamber therefore considers it necessary to take the necessary coercive measures to ensure that the defendant complies with the assessment and subsequent order of the Dispute Chamber, in order to bring the processing into compliance with the applicable legislation. It does this by imposing a penalty payment.
 
186. In the context of this decision, the Dispute Chamber has carefully considered the procedure for imposing a penalty payment. In doing so, it has taken into account the specific circumstances of the case and the need to ensure effective enforcement.
 
The Dispute Chamber has decided to deviate in this case from the usual procedure as described in the policy on penalty payments, with a view to a more direct and efficient approach.
 
187. This deviation is based on the consideration that the nature of the infringement and the required corrective measures require rapid implementation. By including the penalty payment directly in the decision, without prior notice via a separate form, the
 
Litigation Chamber aims to encourage the defendant to take immediate action.
 
188. The Litigation Chamber emphasises that this approach does not restrict the rights of the defendant.
 
The defendant retains the possibility of appealing against the penalty payment imposed within the framework of a possible appeal against this decision.
 
III.3.2. The penalty payment and the powers granted to the supervisory authority by the European and national legislators
 
189. The penalty payment is a special measure in the sense that the amount of money to be paid is not certain and fixed at the time the present
 
decision is taken. After all, the defendant is first given time to organise itself to remedy the
 
situation, or to appeal if it does not agree with the decision of the Litigation
 
Chamber. 190. In this sense, the penalty payment differs from the administrative fine: the first instrument
 
aims to bring the actual situation into line65 with the applicable legislation,
 
the second instrument has a punitive 66 character. The penalty payment therefore differs from the
 
fine both in nature and in purpose.
 
191. In a judgment of 19 February 2020, the Market Court considered the following:
 
65
Cf. BaeckJ., CrielSenWagnerK, Attachment and execution law, Brussels, Larcier, 2019, 5, chapter 2, section 1 “indirect means of enforcement”.
66 This deserves some nuance in the sense that it aims for a “deterrent” effect, according to art. 83.1 GDPR. Decision on the substance 113/2024 — 61/70
 
“Before a penalty is imposed, the infringer must be informed
 
of the nature of the penalty being considered and its size (if a fine is being
 
considered). The infringer must be warned
 
(in order to avoid unnecessary penalties) and given the opportunity
 
to defend himself with regard to the amounts of the fine proposed by the Dispute
 
Chamber, before the penalty is actually imposed and implemented.”
 
192. In light of its “policy on penalty payments”, the Dispute
 
Chamber considered that, in the context of the adversarial proceedings and in light of the above-mentioned consideration of the
 
Market Court, the use of the penalty form would be required when imposing a penalty
 
68
 
193. However, the Litigation Chamber currently considers that the imposition of a penalty payment should not be submitted to the defendant prior to its imposition for the following reasons:
 
a) The obligation for the Litigation Chamber to submit the penalty to the defendant prior to a decision is
 
based on the case-law of the Market Court. In addition to the legal
 
framework, this step was added in the light of the rights of defence. In accordance with this
 
case-law, the Litigation Chamber uses a so-called “penalty form” that is submitted to the
 
defendant prior to the actual decision in the case of an administrative fine.
 
This procedural step is inherently delaying and additionally procedurally burdensome; the
 
Litigation Chamber recognises its value in the light of the sanctioning powers that it can
 
exercise, but at the same time notes that such purely nationally added
 
elements can hinder the uniform application of an EU regulation.
 
Such a delaying and procedurally burdensome step must therefore in any case be interpreted narrowly, in the sense that it may not interfere with the objectives
 
of the legislator with regard to the powers granted to the authority.
 
b) As already mentioned, the nature of the penalty payment is also fundamentally
 
different from that of an administrative fine as a punitive measure
 
in its purest form. The penalty payment aims – as the term in Dutch shows –
 
to ‘force’ a party to do something in order to bring a factual situation into line with the law
 
67
Judgment of the Court of Appeal of Brussels (Chamber 19A, Market Court Section) of 19 February 2020, 2019/AR/1600. 68 Dispute Resolution Chamber, Policy on penalty payments, 23 December 2020, available at:
https://www.gegevensbeschermingsautoriteit.be/publications/beleid-inzake-dwangsom.pdf, 3. Decision on the merits 113/2024 — 62/70
 
to be brought to bear on the decision of the Dispute Resolution Chamber. 69
 
Leading legal doctrine clearly states that a penalty payment is not a criminal sanction, 70
 
71
but an indirect means of enforcement. The aim is to execute the order that the
72
Dispute Resolution Chamber imposes on the party. In this sense, the choice of this
 
coercive measure falls exclusively within the powers of the Dispute Resolution Chamber, and a
 
party does not have to express an opinion on its use prior to the decision. The fact that
 
the penalty payment does not have a fixed amount and is conditional in the sense that it
 
only manifests itself after a party has failed to act does not detract from this. The national
 
legislator considered it appropriate to grant the jurisdiction to the Dispute
 
Chamber for a situation such as the one in the present case, and therefore the will of the legislator
 
must be recognised and respected.
 
194. The decisions of the Dispute Chamber have no precedent value. 73A maiore ad
 
minus, the policy documents of the Dispute Chamber are not binding. The
 
Dispute Chamber recognises that such documents do create confidence in the public,
 
but points out that it wished to communicate transparently and proactively with the public,
 
while at the same time being subject to the legal developments before it.
 
195. The fact that the penalty payment was not raised during the proceedings is irrelevant and
 
is not required by law: the Court of Justice has repeatedly confirmed that the
 
supervisory authority has a margin of discretion in determining which measures are
 
74
appropriate when dealing with a complaint file under the GDPR.
 
III.3.3. Implementation modalities of penalty payments: accessory nature
 
196. It is not necessary for the penalty payment to immediately follow the decision of the
 
Dispute Resolution Chamber, in order to give the defendant time to take the necessary technical and
 
organizational measures, also in light of the aforementioned unclear legal situation.
 
69Wagner K., Penalty Payment, Brussels, Story-Scientia, 2003, § 7: “It [the penalty payment] is never intended as an incentive to comply
to actually be forfeited.”; where the Dispute Resolution Chamber refers to legal doctrine and case law regarding the civil
law penalty payment, it should be noted that this is done for the legal framework. The instrument under the WOG is an
administrative law power and therefore differs from this.
 
70Wagner K., Penalty payment, Brussels, Story-Scientia, 2003, § 20.
71
Ibid., §5.
72 Compare, mutatis mutandis, Wagner K., o.c., §6: “The purpose of the penalty payment is to ensure the direct performance of the obligations . . .”
73
Brussels Court of Appeal (Chamber 19A, Market Court Section): judgment of 1 December 2021 (2021/AR/1044), §7.0.2.; judgment of 7 July 2021 (2021/AR/320), p. 12.
74
Judgment of the Court of Justice of 16 July 2020, Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems
(“Schrems II”), C-311/18, §111. Decision on the substance 113/2024 — 63/70
 
197. The penalty payment serves as an accessory to the orders imposed by the Litigation Chamber. In that sense,
 
the penalty payment is conditional. 75
 
198. A period of 45 days to provide for the implementation of Orders 1 and 2 is
 
sufficient for compliance with these orders.
 
199. On or after the 46th day after notification of the decision (the day of notification is the day on which the party receives the registered mail or the period for
 
collection thereof expires), the Dispute Chamber will notify the defendant by means of a
 
notification that the latter 1) sufficiently complies with an order, 2) partially
 
complies with an order, 3) does not comply with an order. The Dispute Chamber will, if
 
applicable, initiate the penalty payment on or after the 46th day by means of the notification of the
 
non-compliance under the aforementioned second or third situation.
 
200. A penalty payment of EUR 25,000 is appropriate for order 1 per day commenced after the expiry of the
 
period of 45 days, also in light of the consideration that the defendant could
 
make not to comply with the order because of its commercial impact. The
 
penalty applies per disputed website of the defendant, and can thus amount to
 
EUR 100,000 per day for the defendant.
 
201. A penalty of EUR 25,000 is appropriate for order 2 per day commenced after the expiry of the
 
term of 45 days, also in light of the consideration that the defendant could
 
make not to comply with the order because of its commercial impact. The
 
penalty applies per disputed website of the defendant, and can thus amount to
 
EUR 100,000 per day for the defendant.
 
202. The penalty applies per disputed website of the defendant, and can thus amount to
 
EUR 200,000 per day for the defendant. This amount is considered proportionate
 
given the scale of the defendant's activities and the potential impact of the
 
infringements on the rights and freedoms of the persons concerned.
 
203. The Litigation Chamber emphasises that this amount is not intended as a penalty, but as an
 
effective means of ensuring compliance with the orders. The aim is to encourage the defendant
 
to comply promptly and fully with the measures imposed, taking into account
 
75Cf. Baeck J,, Criel S and Wagner K, Beslag- en uitvoeringrecht, Brussels, Larcier, 2019, 5, ch. 2, section 2 "Conditionality".
 
76The Council of State may only impose a penalty payment if the party fails to comply with an earlier judgment; despite the fact that no such legal restriction applies to the Dispute Chamber, it seems reasonable to also provide for a compliance period in this sense so that the defendant can comply.
 
See art. 36 of the coordinated laws of the Council of State, coordinated on 12 January 1973; Royal Decree of 2 April 1991 regulating the legal proceedings before the administrative law division of the Council of State regarding the order and the penalty payment.
 
See also Van Eeckhoutte D., “L’astreinte et l’injonction dans le contentieux administratif en Belgique”, Administration Publique:
revue du droit public et des sciences administratives, 2010, Ed. 33, (426)429. Decision on the merits 113/2024 — 64/70
 
77
with the financial capacity of the company and the potential profits that could
 
result from non-compliance.
 
204. If the defendant can demonstrate that full compliance within the set period
 
is impossible despite all reasonable efforts, the defendant has the option to submit a reasoned request
 
for extension to the Disputes Chamber before the expiry of the period.
 
205. The penalty is forfeited per day, with a maximum amount for the total of
 
forfeited penalty payments of 10,000,000 (in words ten million) euros.
 
III.3.4. Visualisation of the timeline for compliance with orders and forfeiture
 
penalty payments
 
206. For illustrative purposes only, for the proper understanding of the parties and any other
 
reader of the present decision, the timeline for the implementation of the decision
 
is shown here. In the event of any ambiguity between this visual representation and the text of this
 
decision, the text of the decision shall prevail in any case:
 
77 Cf. the annual accounts of the defendant filed with the National Bank of Belgium, available at:
https://consult.cbso.nbb.be/consult-enterprise/0439849666. 66/70
 
III.4. Provisional enforceability
 
207. In the context of provisional enforceability, the Dispute Chamber takes particular note of the defendant's request and argumentation in this regard:
 
the
"10th ground (subordinate): No provisional enforceability". The defendant cites "special reasons" in this regard and refers to the case law of the
 
Market Court, which states that an effective remedy in court is only possible "when the
 
applicant is not pressured to pay a fine and/or to comply with the provisions of the contested decision".
 
208. The defendant therefore – referring to the case law of the Market Court in this regard – raises the
 
legitimate question of suspending provisional enforceability in this case, because this
 
places pressure on the parties in the context of (the outcome of) a possible appeal procedure.
 
209. The Litigation Chamber refuses the request for suspension of provisional enforceability
 
for the following reasons.
 
210. Firstly, provisional enforceability is the standard
 
situation for the national legislator. The European legislator has granted powers to
 
take measures to the authority: it is therefore the authority that decides which (corrective) measure
78
is most appropriate – where necessary – to implement or impose on the defendant.
 
211. The fact that a remedy is possible at a judicial body after a decision
 
has been taken in this regard does not affect the powers of the authority.
 
In light of the separation of powers, the judiciary must assess a posteriori whether the supervisory authority has acted within the legal framework and within its discretionary powers. When the court exercises its own power to suspend enforceability, this is a decision that falls within its discretionary power.
 
212. In light of the credibility of the powers granted to the authority by the European and
 
national legislators, it cannot be the default situation that the enforceability of the decisions and measures taken by an
 
authority is suspended as soon as a party requests this. If this were the default situation, it would undermine the entire intention of the
 
legislator to be able to act decisively and effectively in a digitalised society. This does not
 
fit in with the teleological design of the powers granted to the authority under the GDPR.
 
78 Judgment of the ECJ of 7 December 2023, UF and AB v. Land Hessen (Schufa), joined cases C-26/22 and C-64/22,
ECLI:EU:C:2023:958, specifically §68; This of course concerns the initial judgment on such measures, and does not concern the
issue of full jurisdiction in the event that an injunction is instituted. Decision on the substance 113/2024 — 67/70
 
213. In this sense, it is therefore indeed the intention, both of the European and of the Belgian
 
legislator, that a party in respect of which the Litigation Chamber takes measures
 
complies without undue delay with the provisions of the decision of the
 
authority. Once again, the Disputes Chamber points out that this does not mean that suspension is not possible, but only if there are serious grounds for it
 
(including, in an extreme case, the irreversible financial problems of a company when an administrative fine is imposed).
 
214. Secondly, where provisional enforceability is not suspended and the decision
 
would subsequently still be deemed defective, legal redress is in any case possible,
 
since the judgments of the Market Court constitute the final substantive judgment in the cases
 
involved. In the present case, there is no indication that such legal redress would be difficult or
 
impossible, since no irreversible measures are taken at all with regard to the
 
defendant. This could possibly have been different if a (high) administrative fine had
 
been imposed, a case to which the defendant also refers in light of her request.
 
215. If serious measures are imposed on a defendant, for example
79
in a situation where the legislation is clearly unclear, the suspension of
 
enforceability could be considered - which is why the legislator has provided
 
this optional option.
 
216. In light of the underlying case, the Dispute Resolution Chamber has ruled that
 
there was indeed legal uncertainty regarding the interpretation of certain
 
consent requirements regarding cookies - including uncertainty regarding the
 
interaction between the GDPR and the e-Privacy Directive; however, this has
 
in the meantime been clarified by the Court of Justice. The DPA has taken a position as an institution
 
regarding the correct implementation of consent in light of cookie banners.
 
217. Superfluously: the fact that five similar media companies accepted a settlement that
 
reflected the position of the GBA as set out in the Cookie Checklist is a clear


indication that the legal situation cannot be manifestly unclear. It can be pointed out
Website
If you want to allow the placement of cookies on your device, you can click the “Accept All” button. If you wish to refuse them, you can click the “All Refuse” button.
All Accept | All Refuse | Settings
---


that courts frequently cite the position of the supervisory authorities on cookies and other
175. Each of the two orders must be complied with for each of the four contentious websites, no later than the 45th day after notification of this decision. The defendant must provide a clear document to the Dispute Chamber and the complainant as part of compliance with the order; this document should reflect which adjustments have been made to each of the contentious websites to implement the two orders.


tracking tools and therefore regard it as authoritative, without this in itself
176. Should the Dispute Chamber find that the orders have not been fully or partially complied with from the 46th day after the decision, it will notify the defendant accordingly. Once the defendant receives this notification, the penalty (infra) will be activated for non-compliance relative to the aforementioned second or third circumstance.


meaning anything with regard to enforceability as a standard.
177. A penalty of 25,000 EUR will apply for Order 1 per started day after the 45-day period expires, especially given the consideration that the defendant might weigh the decision not to comply due to its commercial impact. The penalty will apply per contentious website of the defendant, potentially reaching 100,000 EUR per day for the defendant.


79 Taking into account that the Dispute Chamber cannot submit preliminary questions to the
178. A penalty of 25,000 EUR will apply for Order 2 per started day after the 45-day period expires, likewise considering the potential economic impact on the defendant of not complying with the order. The penalty will apply per contentious website of the defendant, potentially reaching 100,000 EUR per day for the defendant.


competent judicial authorities.
179. The penalty applies per contentious website of the defendant, with a potential total of 200,000 EUR per day for the defendant. This amount is deemed proportional considering the scale of the defendant's activities and the potential impact of the violations on the rights and freedoms of the data subjects.
80
See, inter alia, the judgment of the ECJ of 27 October 2022, Proximus v. GBA, C-129/21, ECLI:EU:C:2022:833, answer to the first
preliminary question of the Market Court; see amendment to the law on the powers of the GBA to act in the matter of cookies:
81 Decisions of the Dispute Chamber of 1 December 2023 (159/2023, 160/2023, 161/2023 and 162/2023) and 5 December 2023
(164/2023).
82
For illustration: Amsterdam District Court, summary judgment, 7 June 2024, ECLI:NL:RBAMS:2024:3331, available via:
https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBAMS:2024:3331, §5.7. Decision on the substance 113/2024 — 68/70


IV. Publication of the decision
180. The Dispute Chamber emphasizes that this amount is not intended as a punishment but as an effective means of ensuring compliance with the orders. The goal is to motivate the defendant to act quickly and fully comply with the imposed measures, taking into account the financial capacity of the company and the potential profits that could arise from non-compliance.


218. Given the importance of transparency with regard to the decision-making of the
181. Should the defendant demonstrate that full compliance within the set timeframe is not possible despite all reasonable efforts, the defendant has the option to submit a reasoned request for an extension to the Dispute Chamber before the deadline expires.


Dispute Resolution Chamber, this decision is published on the website of the
182. The penalty will be imposed per day, with a maximum total of penalties amounting to 10,000,000 (ten million) euros.


Data Protection Authority.
III.3.4. Timeline for Compliance with Orders and Imposition of Penalties
183. Merely for the understanding of the parties and any other reader of the present decision, a timeline is presented regarding the execution of the decision. In case of any uncertainty between this visual representation and the text of this decision, the text of the decision shall prevail:


219. Given that the defendant is a media company of a considerable size and
IV. Immediate Enforcement
184. The Dispute Chamber acknowledges, in the context of immediate enforcement, the request and argumentation of the defendant regarding: “10th Argument (subordinate): No immediate enforcement.” The defendant cites “special reasons” in this regard and refers to the case law of the Market Court, which states that an effective legal remedy can only occur “if the requesting party is not pressured to immediately pay a fine and/or comply with the orders of the contested decision.”


equally social scope, and given that the
185. Therefore, the defendant poses the legitimate question of suspending immediate enforcement in this case, as this would place pressure on the parties within the context (of the outcome) of any appeal procedure.


personal data processing activities concern a significant part of the
186. The Dispute Chamber refuses the request for suspension of immediate enforcement for the following reasons.


Belgian and – more broadly – Dutch-speaking population, the Dispute Resolution
187. Firstly, immediate enforcement is the standard scenario for the national legislator. The European legislator has granted authorities the power to take measures: it is therefore the authority that decides which (corrective) measure is most appropriate to implement or impose on the defendant.


considers it appropriate to disclose the identity of the defendant as well as the
188. The possibility of appealing against a decision made does not lessen the authorities’ powers. In light of the separation of powers, the judiciary should assess a posteriori whether the supervisory authority has acted within the legal framework and its discretionary powers. When the judiciary employs its powers to suspend immediate enforcement, it is a decision that falls within its evaluative powers.


names of the websites at issue. This is, moreover, in line with the
189. It cannot be the standard practice – considering the credibility of the powers granted to the authorities by the European and national legislators – that the enforcement of decisions and measures taken by an authority is suspended as soon as a party requests it. If this were the standard scenario, it would undermine the legislator's entire setup to enable decisive and effective action in a digitized society. This does not fit within the teleological design of the powers granted to the authority under the GDPR.


practice of transparency that the Dispute Resolution Chamber has followed in
190. Secondly, where immediate enforcement is not suspended, if the decision is subsequently found to be inadequate, legal redress is in any case possible, given that the rulings of the Market Court serve as the final substantive judgment in the involved cases. In this case, there are no indications that such legal redress would be difficult or impossible, as no irreversible measures are taken against the defendant. This situation might have been different if a (high) administrative fine were imposed, a situation which the defendant references in light of its request.


comparable procedures with comparable actors in the media sectors that
191. Should substantial measures be imposed on a defendant, for example in a situation where the legislation is apparently unclear, the suspension of immediate enforcement might indeed be considered – which is why the legislator has provided this option.


led to settlement decisions, although in those procedures no actual infringements were
192. The Dispute Chamber has, in light of the underlying case, recognized that there was indeed legal uncertainty regarding the interpretation of certain consent requirements concerning cookies—especially due to uncertainty regarding the interplay between the GDPR and the ePrivacy Directive; however, this has been clarified by the Court of Justice in the meantime.


decided upon or enforcement measures were imposed. 220. The identity of the complainant's representative is also important for a proper understanding of the procedure, given the procedural elements formulated by the defendant with regard to the practice of mandating that representative.
193. The GBA has taken a position regarding the correct implementation of consent in light of cookie banners.


It should be noted that the representative has disclosed the same circumstances of this
194. Furthermore: the fact that five similar media companies accepted a settlement that reflected the position indicated in the Cookie Checklist from the GBA is a clear indication that the legal situation is not seemingly unclear. It can be noted that courts routinely cite the positioning of supervisory authorities regarding cookies and other tracking mechanisms and thus consider them authoritative, without that implying anything regarding enforceability as a rule.


procedure – including the identity of the defendant – on its website. Furthermore, it is important to make the fundamental
IV. Publication of the Decision
218. Given the importance of transparency concerning the decision-making of the Dispute Chamber, this decision shall be published on the website of the Data Protection Authority.


differences in the procedural assessment in this case known in a transparent manner compared to other
219. Since the defendant is a media company of considerable size and also societal reach, and given that the personal data processing activities address a significant portion of the Belgian and, more broadly, Dutch-speaking population, the Dispute Chamber deems it appropriate to disclose the identity of the defendant as well as the names of the contentious websites. This is in line with the transparency practice adopted by the Dispute Chamber in similar procedures involving similar actors in the media sector that led to settlement decisions, although in those procedures, no effective violations were decided or enforcement measures taken.


cases – where the Dispute Chamber did decide that there was a defect in the
220. The identity of the representative of the complainant is also of importance for a clear understanding of the procedure, given the procedural elements formulated by the defendant regarding the practice of mandating that representative. It can be noted that the representative has publicly disclosed the circumstances of this procedure, including the identity of the defendant, on their website. Additionally, it is important to transparently indicate the fundamental differences in procedural assessments in this dossier as compared to other dossiers – where the Dispute Chamber did decide on a lack of mandate for the same representative.


delegation of the same representative. Decision on the merits 113/2024 — 70/70
---


Such an appeal may be lodged by means of an inter partes application which must contain the
FOR THESE REASONS, the Dispute Chamber of the Data Protection Authority, after deliberation, decides to:


mentioned in Article 1034ter of the Judicial Code. The 83
Pursuant to Article 100, §1, 9° DPA Act, order the defendant to ensure that the placement of cookies and the processing of personal data on its websites are brought into compliance with Article 6 GDPR in conjunction with Article 10/2 PD Act, by modifying the cookie banner in accordance with this decision, and by submitting the necessary visual evidence to the Dispute Chamber and the complainant no later than the 45th day after notification of this decision (“order 1”). The defendant must ensure, in this context, that misleading button colors are not used so that the propriety of the processing is guaranteed (“order 2”).


inter partes application must be submitted to the registry of the Market Court
Pursuant to Article 100, §1, 12° DPA Act, impose a penalty concerning compliance with Order 1, whereby non-compliance with Order 1 results in a penalty of 25,000 EUR per day per contentious website, starting from the notification (on the 46th day or later after notification of this decision) by the Dispute Chamber regarding the penalty.


84
Pursuant to Article 100, §1, 12° DPA Act, impose a penalty regarding compliance with Order 2, whereby non-compliance with Order 2 results in a penalty of 25,000 EUR per day per contentious website, starting from the notification (on the 46th day or later after notification of this decision) by the Dispute Chamber regarding the penalty.
in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit


information system of Justice (Article 32ter of the Judicial Code).
Pursuant to Article 100, §1, 5° DPA Act, reprimand the defendant concerning the violation committed by the defendant under Article 7.3 GDPR.


(signed). Hielke H IJMANS
Pursuant to Article 100, §1, 5° DPA Act, reprimand the defendant for placing cookies based on legitimate interest when no exception situation justified this.


Chairman of the Disputes Chamber
Pursuant to Article 100, §1, 1° DPA Act, dismiss the complaint regarding those aspects related to transparency and information obligations and the exercise of the right of objection in light of the placement of cookies based on legitimate interest.


83
---
The application shall state, on penalty of nullity:
1° the day, month and year;
2° the surname, first name, place of residence of the applicant and, where applicable, his capacity and his national register or
company number;
3° the surname, first name, place of residence and, where appropriate, the capacity of the person to be summoned;


the subject and brief summary of the grounds of the action;
Pursuant to Article 108, §1 DPA Act, an appeal can be filed against this decision with the Market Court (Brussels Court of Appeal) within thirty days of notification, with the Data Protection Authority as the respondent.


the judge before whom the action is brought;
Such an appeal can be filed via a statement of opposition that must contain the specifications listed in Article 1034ter of the Judicial Code. The statement of opposition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of Justice (Article 32ter of the Judicial Code).


6° the signature of the applicant or his lawyer.
(get). Hielke HIJMANS
Chair of the Dispute Chamber 


84The application and its annex shall be sent, in as many copies as there are parties involved, by registered letter
to the clerk of the court or lodged at the registry.
</pre>
</pre>

Latest revision as of 12:36, 15 September 2024

APD/GBA - 113/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 7(3) GDPR
Article 5(3) Directive 2002/58
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.09.2024
Published:
Fine: n/a
Parties: MediaHuis
noyb
National Case Number/Name: 113/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in NL)
Initial Contributor: wp

The DPA ordered a controller to bring the websites’ cookie banners into compliance with the GDPR by adding the reject button within its first layer and changing the colours used.

English Summary

Facts

A data subject visited four website operated by MediaHuis, namely:

  • Gazet van Antwerpen;
  • De Standaard;
  • Het Nieuwsblad;
  • Het Belang van Limburg.

On each website there was a cookie banner which:

  • Didn’t contain a reject button within its first layer;Buttons colours were misleading;
  • It was not as easy to withdraw consent as it was to give it;
  • Contained a reference to the legal basis of legitimate interest.

The data subject filed four complaints referring to abovementioned cookie banners with the Belgian DPA (ADP/GBA). noyb was appointed by the data subject as their representative under Article 80(1) GDPR. MediaHuis was assigned the role of data controller.

According to the controller, the law, especially Article 7(3) GDPR or Article 4(11) GDPR, didn’t prescribe the controller to implement reject button within the first layer of the cookie banner or to use different colours for the buttons or to implement consent withdrawal option in a particular way. The fact that the cookie banners were not in line with the guidelines of different data protection authorities and the EDPB, as mentioned by the data subject, did not amount to violation of the GDPR. Moreover, the data subject gave their consent for processing activities of the controller and, for that reason, they had no interest to bring a case before the DPA.

Holding

The DPA found the controller violated the Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 7(3) GDPR.

Firstly, the DPA clarified that for the consent to be freely and unambiguously given under Article 6(1)(a) GDPR and Article 5(3) ePrivacy Directive, the reject button had to be presented alongside the accept button. Otherwise, the data subject would have no real alternative to consenting for placing and processing cookies.

Secondly, the buttons’ colours used by the controller were of deceptive nature. They inclined a data subject to give a consent for the cookies processing. Because of that, the controller was in breach of Article 5(1)(a) GDPR.

Since the cookie banner was lacking of the reject button within its first layer, and the colours used were misleading, the DPA order the controller to bring the cookie banner into compliance with the GDPR within 45 days. The order was combined with a penalty of €25,000 per day and per each website concerned, due if the controller fails to implement the ordered changes. The maximum amount of total penalty was set on €10,000,000.

Thirdly, the controller violated Article 7(3) GDPR. To withdraw the consent given, a data subject had to perform more actions - “click more” – whilst to give a consent only one click sufficed. Nevertheless, the controller updated their websites by adding the reject button to the first layer of cookie banner and the option to withdraw the consent, using the manage link at the bottom of each website. The violation was remedied, accordingly the DPA reprimanded the controller.

Fourthly, the legitimate interest called upon by the controller covered placing and processing of the cookies, which were not “strictly necessary”. The controller’s cookies were of different kind, including the analytical cookies. Especially for the latter, the application of Article 6(1)(f) GDPR is per se excluded and the consent needed to be obtained. Furthermore, by adding the legitimate interest to be a “back-up” legal basis for the cookies related processing, the controller mislead the data subject. The controller violated then Article 6(1)(a) GDPR. Nonetheless, the DPA reprimanded the controller that the legal basis for placing and processing of analytical cookies and other cookies that were not “strictly necessary cookies only was a consent under Article 6(1)(a) GDPR.

In answer to the controller’s claims, the DPA emphasised that:

  • the fact that the data subject gave a consent didn’t deprive them from starting the case before the DPA;
  • the guidelines of the EDPB were not legally binding, as pointed by the controller, but they played important role regarding the interpretation of the GDPR.

In addition, the DPA excluded alleged pressure put on the data subject by noyb to initiate the proceedings. The controller argued the relationship between the data subject, being a trainee at noyb, was instructed to lodge the complaints with the DPA. Hence there was no legal interest of the data subject in the case at hand. However, for the DPA statements of that kind were unfounded, bearing in mind the facts of the case. In particular, the outcome of the data subject’s hearing before the DPA that proved the data subject’s interest being involved.

Comment

In the case APD/GBA (Belgium) - 112/2024, where the data subject was represented by noyb, the APD/GBA dismissed the case due to the lack of data subject's own interest.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

1/70 Dispute Chamber Decision on the Merits 113/2024 of September 6, 2024
Dossier number: DOS-2023-03279
Subject: Measures regarding cookie banners on the news websites of Mediahuis (websites De Standaard, Gazet van Antwerpen, Het Belang van Limburg, and Het Nieuwsblad)

The Dispute Chamber of the Data Protection Authority, composed of Mr. Hielke HIJMANS, chair, and Mr. Christophe Boeraeve and Mr. Jelle Stassijns, members;

Considering Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter “GDPR”;
Considering the Act of December 3, 2017, establishing the Data Protection Authority, hereinafter “DPA Act”;
Considering the Act of July 30, 2018, concerning the protection of natural persons in connection with the processing of personal data, hereinafter “PD Act”;
Considering the internal rules of procedure, as approved by the Chamber of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019;
Considering the documents of the dossier;

1 The new Internal Rules of Procedure (“IRP”), after the amendments made by the Act of December 25, 2023, to amend the Act of December 3, 2017, establishing the Data Protection Authority (GBA), came into force on June 1, 2024. In accordance with Article 56 of the Act of December 25, 2023, the new IRP applies only to complaints, mediations, inspections, and proceedings for the Dispute Chamber that were initiated on or after that date: https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde-van-de-gegevensbeschermingsautoriteit.pdf. Cases initiated before June 1, 2024, such as in the present case, are subject to the provisions of the DPA Act as not amended by the Act of December 25, 2023, and the IRP as it existed before that date: https://gegevensbeschermingsautoriteit.be/publications/reglement-van-interne-orde.pdf.

Has made the following decision regarding:
The complainant: The defendant:
X, represented by noyb – European Center for Digital Rights, hereinafter “the complainant” or “complaining party”;
Mediahuis N.V., represented by Mr. Jan CLINCK, Mr. Pierre ANTOINE, and Mr. Gerrit VANDENDRIESSCHE, hereinafter “the defendant.”

Table of Contents
I. Facts and Procedure ....................................................... 4
I.1. The four complaints ..................................................... 4
I.2. The settlement proposal and the settlement procedure in the proceedings
     preceding the decision on the merits .................................... 5
I.3. The proceedings on the merits ........................................... 6
II. Reasons .................................................................. 8
II.1. Preliminary points ..................................................... 8
II.2. The submitted complaint under Art. 80.1 GDPR .......................... 15
II.3. The violations ........................................................ 26
III. Measures and immediate enforceability .................................. 56
III.1. Orders ............................................................... 56
III.2. Warnings ............................................................. 58
III.3. Financial penalties: special considerations .......................... 58
III.4. Immediate enforceability ............................................. 66
IV. Publication of the decision ............................................. 68

I. Facts and Procedure
I.1. The four complaints
1. This dossier is based on four consolidated complaints from one complainant regarding the cookie practices of the defendant on four of its websites:
   a. The first complaint concerns the website of ‘Gazet van Antwerpen’ (www.gva.be)
   b. The second complaint concerns the website of ‘De Standaard’ (www.standaard.be)
   c. The third complaint concerns the website of ‘Het Nieuwsblad’ (www.nieuwsblad.be)
   d. The fourth complaint concerns the website of ‘Het Belang van Limburg’ (www.hbvl.be)

2. The complainant is represented by Noyb – European Center for Digital Rights (“Noyb”), which has its registered office in Austria. In each of the four complaints and for each individual website, a mandate signed and dated by the complainant is appended, authorizing the representative to represent the complainant before the Belgian GBA. The scope of the mandate is expressed as follows: “regarding: the collection of my data by placing cookies on the defendant's website,” followed by the identification of each of the aforementioned websites, and subsequently “and taking all necessary measures to enforce my rights, including initiating judicial or extrajudicial proceedings.”

3. The complaints each allege four alleged “violations,” reflecting the complainant's grievances as follows:
   • “Violation type 1: No ‘refuse’ option at the first level of information on the cookie banner”
   • “Violation type 2: Misleading button colors”
   • “Violation type 3: It is not as easy to withdraw consent as it is to give consent”
   • “Violation type 4: Reference to legitimate interest”

4. The complaints are submitted, dated July 18, 2023, to the First Line Service of the Data Protection Authority via email. The complaints were formally received after midnight, on July 19, 2023.

5. On August 3, 2023, the First Line Service requested the representative of the complainant to provide the following: “Please inform us about the complainant's interest in filing the complaint, as provided for in Article 60 of the Act of December 3, 2018, establishing the Data Protection Authority.”

6. On August 24, 2023, the complaint was declared admissible by the First Line Service on the basis of Articles 58 and 60 DPA Act, and then the complaint was forwarded to the Dispute Chamber pursuant to Article 62, § 1 DPA Act.

7. On September 1, 2023, the complaining party submitted a document to the First Line Service responding to the inquiry raised by the First Line Service on August 3, 2023, regarding (the legal framework concerning) the complainant's interest and the mandate.

8. In the aforementioned document, Noyb refers to communications sent to the First Line Service on August 17 and 25, 2023, to which the First Line Service responded on August 24 and 29, 2023, respectively. This communication was not added to the current dossier by the First Line Service because this exchange took place in the context of another dossier pending before the GBA; the Dispute Chamber has upheld this approach and confirmed it to the defendant.² Of course, no account is taken of the content of this correspondence in the assessment and decision of the current dossier.

I.2. The settlement proposal and the settlement procedure in the proceedings preceding the decision on the merits
9. On September 21, 2023, the Dispute Chamber issued a letter to the parties stating that it would submit a settlement proposal to the parties within a period of thirty days. In the meantime, the parties were given the opportunity to review the dossier, which both parties requested; they obtained access.

10. On October 20, 2023, a settlement proposal was simultaneously sent to both parties, after which the settlement procedure formally commenced in the sense of Article 95 §1, 2° DPA Act.

11. On October 30, 2023, the representative submitted the complainant's response to the settlement proposal to the Dispute Chamber, proposing a number of adjustments.

12. On November 6, 2023, the Dispute Chamber communicated to the parties that it would not make adjustments to the terms of the settlement proposal due to the comments from the complaining party.

13. On November 7, 2023, the defendant, through its counsel, indicated that the response period set forth in the settlement proposal was unachievable. For that reason, the defendant requested an extension of the response period to December 20, 2023. On November 10, 2023, the Dispute Chamber indicated that it could not agree to the proposed extension at that time but granted a seven-day extension.

14. On November 27, 2023, the defendant forwarded a letter through its counsel, stating that it was not averse to a settlement but desired clarification on several points. The defendant also suggested adjustments to the terms of the settlement proposal.

15. On November 28, 2023, the Dispute Chamber sent an acknowledgment of receipt to the defendant, after which, on December 1, 2023, the Dispute Chamber sent another message stating that a response to the defendant's letter of November 27, 2023, could only be provided later.

16. On December 5, 2023, the Dispute Chamber sent a response to the defendant regarding all aspects for which the defendant requested clarifications or adjustments in the letter of November 27, 2023.

17. On December 11, 2023, the defendant, through its counsel, indicated that it could not accept the settlement proposal in its entirety. The defendant immediately stated in the same letter that it had made a number of changes in response to the 2nd and 3rd grievances of the complainant and that further changes regarding the 4th grievance would still be made. Regarding this last grievance, the defendant stated that it “will not fall back on the legitimate interest to place such cookies.”

18. On December 18, 2023, the Dispute Chamber then formally decided to withdraw the settlement proposal, briefly outlining the reasons for the breakdown of the settlement procedure.

I.3. The proceedings on the merits
19. On February 5, 2024, the parties were notified by registered letter of the provisions mentioned in Article 95, § 2, as well as those in Article 98 DPA Act. They were also informed, pursuant to Article 99 DPA Act, of the deadlines for submitting their defenses. In the letter, the Dispute Chamber invited the parties to take a stance on a number of aspects, outlining potential violations attributed to the defendant.

20. On February 12, 2024, the defendant sent a letter to the Dispute Chamber with several comments and requests related to the procedure, as well as a request to send procedural documents by postal mail rather than electronically. The Dispute Chamber responded to this message on February 19, 2024, and also agreed to extend the previously set deadlines for submissions.

21. On March 27, 2024, the Dispute Chamber received the defendant's defense conclusion; this conclusion was simultaneously provided to the representative of the complainant.

22. On April 17, 2024, the Dispute Chamber received the reply conclusion from the complainant. The representative of the complainant replied on a number of points to the defendant's defense conclusion dated March 27, 2024.

23. The (representative of the) complainant also requested to be heard by the Dispute Chamber, as well as to take the necessary corrective measures. Additionally, the complainant requested that the immediate enforceability not be suspended, as requested by the defendant, since this option provided by the legislator should be interpreted narrowly. Finally, the complainant requested that the decision be published on the GBA website.

24. On May 8, 2024, the Dispute Chamber received the reply conclusion from the defendant; this conclusion was simultaneously provided to the representative of the complainant.

25. On June 17, 2024, the parties were informed that the hearing would take place on July 1, 2024.

26. On July 1, 2024, the parties were heard by the Dispute Chamber.

27. On July 8, 2024, the minutes of the hearing (“PV”) were presented to the parties.

28. On July 12, 2024, the Dispute Chamber received several comments from the complaining party regarding the PV, which it decided to include in its deliberation.

29. On July 12, 2024, the defendant first submitted a number of comments regarding the minutes, claiming that these PV do not faithfully represent the hearing. The Dispute Chamber decided to take these comments into consideration in its deliberation. On July 16, 2024, the defendant then submitted new comments regarding the minutes, which the Dispute Chamber also decided to take into consideration in its deliberation.

30. Simultaneously, the defendant requested a copy of the recording of the hearing, a request based on Art. 95 § 2 DPA Act and Art. 15.3 GDPR. On July 18, 2024, it was communicated to the defendant that they could listen to the complete unedited recording of the hearing at the offices of the GBA, that the data protection officer of the GBA had been involved, and that the deadline for submitting comments on the minutes was extended. On July 31, 2024 – the day the deadline for comments on the minutes expired – the defendant sent a letter to the Dispute Chamber as well as to the DPO of the GBA regarding its request to obtain a copy of the recording of the hearing.

II. Reasons
II.1. Preliminary points
31. A first preliminary point concerns the reply conclusion of the complaining party. The defendant states in its synthesis conclusion that the conclusion of the complaining party should be excluded from the debates, on the one hand, because it was not signed (by the legal mandate holder of the Noyb representative) and, on the other hand, because the conclusion was not drafted in accordance with Article 744 Ger. W.

32. The Dispute Chamber argues why the defendant's argument on this point is legally flawed. Essentially, the proceedings for the Dispute Chamber are governed by the procedural provisions of the DPA Act. The Markets Court has repeatedly stated that the Dispute Chamber is an administrative body, not an (administrative) court in the formal sense.³ In this sense, it cannot accurately be stated that the provisions of the Judicial Code apply to the proceedings before the Dispute Chamber without exception and that they would always apply as lex generalis where the lex specialis of the DPA Act does not provide for regulations.

33. Furthermore, the Belgian legislator has explicitly stipulated in the DPA Act that parties may submit defenses.⁴ The legislator has then left it to the GBA to determine how defenses may be submitted – and if necessary to regulate this in the Internal Rules of Procedure.⁵

34. In the letter of February 5, 2024, the parties were informed about how the conclusions should be submitted. In that invitation, there is no mention of the fact that parties would have to submit defenses in a manner cloaked in formal requirements as alleged by the defendant, nor is there any reference to the Judicial Code. The Dispute Chamber cannot restrict a party's defenses⁶ – mutatis mutandis, this must also apply to how a party formulates and submits its conclusion when nothing has been ‘imposed’ on the parties in advance. The complaining party has complied with the deadlines for submission regarding the submission of the document.

35. Taking all of this into account, it is clear to the Dispute Chamber that the contested document (the reply conclusion of the complainant) should not have been excluded from the debates, that it could seamlessly become part of the Dispute Chamber's deliberation, and that the arguments raised by the defendant to exclude the document from the debates are unfounded.

36. A second preliminary issue concerns new documents submitted at the hearing by the representative of the complainant. The defendant opposes the submission of these documents and their addition to the dossier. Given the late submission of the documents, the opposition from the defendant regarding the submission, and the failure to provide any grounded reason for the delay, the documents are wholly excluded from the debates and will not be taken into account in the deliberations before the Dispute Chamber.

37. The Dispute Chamber points out regarding this second preliminary issue that it, as an agency of a supervisory authority, must be able to consider all elements that have come to its attention, in order to ensure a high level of data protection. This does not preclude the procedure from meeting the requirements of adversarial proceedings and equality of the parties. The procedure provided in the subsection “deliberation and decision on the merits” in Articles 98 et seq. DPA Act aims precisely to provide for an adversarial process. In administrative law, particular account must be taken of the duty to hear and the rights of defense.⁷

38. A third preliminary point concerns the legal appearance of the person who appears in person at the hearing on behalf of the representative of the complainant. At the hearing, the defendant indicates that it has questions regarding the mandate of the person acting for Noyb according to the statutes of this organization.

39. Firstly, it should be pointed out that Noyb has identified itself as the representative of the complainant before the Dispute Chamber, submitting the mandate in this regard, via communication through a specific email address. For the presence of the person in question at the hearing, prior to the hearing, the representative notified via the email address that the Noyb staff member would be present as a representative. The Dispute Chamber is not obliged to ex officio or at the request of the parties to investigate how the designation of this staff member occurred in concrete terms. The notification by the organization Noyb via email of the identity of the staff member in question suffices. For that reason alone, it is sufficiently established that the person could validly appear for Noyb.

40. Additionally, it should be noted that the complainant was personally present at this hearing alongside the staff member from Noyb. Based on the appearance of the complainant, it can be established that the complainant also assumes that the person in question could validly act for the representative Noyb.

41. Therefore, the person in question did indeed appear validly for Noyb at the hearing.

42. As a fourth preliminary point: at the hearing, the complaining party, for the first time and without prior notice, but not in limine litis, questions the “independence” of the chair of the Dispute Chamber in dealing with this case. Furthermore, the complaining party requests the chair of the Dispute Chamber to withdraw. The complaining party refers to anonymous “sources” who allegedly heard in private conversations that there was a strategy to dismiss complaints “from Noyb,” and to a public event attended by the chair of the Dispute Chamber. No further concrete elements are provided that would substantiate the lack of “independence” of the serving member.

43. From the words of the complaining party, the Dispute Chamber understands that it is more about impartiality than independence of the Dispute Chamber.⁸ With such ‘recusal requests,’ the requesting parties must be careful and precise.⁹ Expressing dissatisfaction about (the outcome or course of) a procedure is something different than raising recusal requests regarding members of public institutions, whose legitimacy is precisely based on their independence and impartiality.¹⁰

44. Specifically regarding the oral request of the complaining party for the withdrawal of the chair, the chair decides not to accede to this request for the following reasons.
year of experience at the Bar.
10 The legislator enshrines some elements in Article 44 DPA Act regarding this.

45. First of all, it was well known to the complaining party that the chair was (also) handling this file, at least as recently as February 5, 2024, when the parties were invited to submit their defenses in this dossier in a letter signed by the chair. The complaining party had the opportunity to take the necessary steps to raise this issue. The (extremely) late nature of the request for recusal is in itself sufficient to deny this request.

46. Furthermore, reference can be made to the following facts.

47. It is the defendant who has raised a number of arguments and points in this dossier, highlighting the (procedural) interest and mandate of the representative by the complainant, not the Dispute Chamber. Moreover, in the present dossier, only the First Line Service casually inquired about the (procedural) interest of the complainant, evidently without any detrimental effect for the latter when declaring the complaint admissible. In contrast, the Dispute Chamber did not ask the complaining party in its letter inviting the submission of defenses to further clarify their (procedural) interest or the circumstances of the mandate. Therefore, it is factually incorrect to suggest a bias that can be traced back to a person or a strategy of the Dispute Chamber or its chair. This does not preclude the Dispute Chamber from having the competence to pose such questions to the parties.

48. The complaining party was subsequently able to respond to the aforementioned arguments and points raised by the defendant in the reply conclusion and at the hearing. Nonetheless, at the beginning of the hearing, the complaining party indicated that substantive rather than formal points should constitute the core of the debate, and that the complainant should be subjected to “more thorough scrutiny” than a data controller. This statement is factually incorrect on multiple fronts.

49. Firstly, the settlement procedure itself illustrates that the Dispute Chamber – prior to this decision – proceeded with a process aimed at quickly addressing the grievances formulated in the complaint. Moreover, at that moment, it was even the first time the Dispute Chamber used the settlement procedure in the pre-decisional phase as part of its jurisdiction.

50. The Dispute Chamber moreover does not understand to what extent the complainant would have been subject to a “more thorough scrutiny.” The Dispute Chamber did not ask or suggest anything to the complaining party regarding this prior to the arguments presented by the defendant, and the Inspection Service did not intervene in this dossier. The fact that the defendant presents arguments and points in this regard is the right of a defending party in proceedings with potentially significant corrective measures. Such arguments and points cannot and must not be excluded from the debate.

51. Furthermore, in response to the defendant's inquiry as to whether the latter needed to limit itself to its arguments regarding these procedural elements at the hearing, the Dispute Chamber indicated that it was at liberty to structure its pleadings as it saw fit, but that the hearing, in accordance with the letter of February 5, 2024, “would at least address those substantive points.” The extent to which the substantive aspects constituted (also) the core of the debate is difficult to clarify further.

52. The Dispute Chamber clarifies that the representative of the complainant must separate different formal procedures in which they act for different complainants. In this dossier, the Dispute Chamber did not raise the alleged issue regarding the (procedural) interest of the complainant or the alleged issue regarding the mandate when allowing the dossier and inviting the submission of defenses. In the following parts of the present decision, the Dispute Chamber also dismisses the arguments of the defendant in this regard.

53. The Dispute Chamber cannot be asked not to address the arguments of the defendant or that these arguments should not be subject to assessment. On the contrary, it is precisely the task of the Dispute Chamber to address the raised points and arguments that must be assessed on a case-by-case basis.

54. The Dispute Chamber also judges in an impartial manner, without fear or favor for either party. In this respect, defending parties have the right to a fair analysis of the facts and according to legal standards. A complaining party has no right to preferential treatment procedurally, nor does this party possess the privilege of avoiding a legal debate – potentially to its detriment.

11 The defendant raised a question regarding this to the Dispute Chamber on June 19, 2024, with the complaining party being copied.
12 The Dispute Chamber responded to the defendant on June 21, 2024, and the complaining party was copied.
13 It should also be noted in this context that, procedurally, certain submissions from the complaining party could not be included in this dossier as they were made in the context of another dossier where the representative was acting. See in this regard the exchanges between the defendant and the Dispute Chamber in documents 20, 21, 28, and 32 of the administrative dossier.
14 See, for instance, Judgment of the Brussels Court of Appeal (Market Court Section) dated September 16, 2020, 2020/AR/1160, §5.7: “It is not in accordance with the rule of law that the Dispute Chamber of the GBA could ‘choose’ which argument it provides an answer to or not.”
15 Compare Article 6 ECHR, Article 47 EU Charter of Fundamental Rights, and Article 52 GDPR; although the Dispute Chamber is not a court in the traditional sense, this principle also applies to administrative procedures (ECtHR, Öztürk v. Germany, February 21, 1984, ECLI:CE:ECHR:1984:0221JUD000854479); within Belgian law, the impartiality of administrative bodies is also guaranteed as a principle of good governance, see supra and Judgment of the Council of State, June 22, 2017, No. 238,610.
16 Although the Dispute Chamber is not a legal body, reference can be made to Article 6 Ger. W., which states that judges must apply the applicable legal rules in all matters submitted for their judgment; under Article 57 GDPR, it applies mutatis mutandis to the supervisory authority to process complaints and investigate the outcome, without any indication for preferential treatment. When issues are discussed or treated in an investigation, hearing, or decision, it does not imply that these issues are justified or substantiated.

55. In a credible legal dispute, truth-finding occurs in a thoughtful manner based on facts and qualitative arguments. In this context, (legal) questions must be able to be raised without this in itself implying partisanship.

56. The fact that information may be shared within the framework of the loyal and confidentiality-oriented cooperation and loyal information sharing within and between supervisory authorities in the European Economic Area, which would raise critical legal questions regarding a particular issue, is an inherent element of the cooperation procedure in Chapter VII of the GDPR.18

57. The mere fact that a previous case for the Dispute Chamber with allegedly similar circumstances may lead to a potentially detrimental outcome for the same party or its representative does not justify recusing a sitting member in another (i.e. this) case.

58. When a party disagrees with a decision of an authority, it is free, under Article 78 GDPR, to appeal that decision. In Belgian law, this can also be done, according to Article 108, §3 DPA Act, by any third party with an interest before the Market Court. Therefore, if Noyb believes it is a relevant stakeholder, it has potentially the right of access to the courts. The fact that no appeal could be lodged in a previous case because the involved complainant did not wish it, as raised at the hearing, is not a fault attributable to the Dispute Chamber and is not relevant.

59. Finally, as a fifth and final preliminary point, after receiving the minutes in this file, the defendant informed the Dispute Chamber on July 12, 2024, that it found these minutes “not a faithful representation” of the hearing and that this could violate the rights of defense. In this context, the defendant requested a new set of minutes to be drawn up.

60. On July 23, 2024, the Dispute Chamber informed the defendant that the audio recording could be listened to in full and unedited in the premises of the GBA, after having previously extended the deadline for submitting comments on the minutes until July 31, 2024.

61. The Dispute Chamber refuses the requested copy for the following reasons.

62. First and foremost, the preparation of the minutes by the Dispute Chamber and their submission to the parties is not a legal right, but merely an initiative of the GBA to formally record the hearing in the administrative dossier, as well as to formalize elements that were not raised during the conclusions. The Internal Rules of Procedure state that it is merely a representation by means of a synthesis; the minutes state explicitly: “The present minutes aim only to mention specifications and additions raised during the hearing, without repeating the elements laid out in the written conclusions of the parties.” (the Dispute Chamber emphasizes in light of this decision)

63. In this regard, the Dispute Chamber has taken note of everything that was said at the hearing. The defendant elaborately presented its arguments in its conclusions (including table of contents and overview of documents, the synthesis conclusion totals 117 pages). The Dispute Chamber did not reiterate similar elements mentioned during the pleadings in the minutes, only referencing that the pleadings addressed “formal” and “substantive” elements – elements retrievable in and repeatedly identical to the synthesis conclusion. Any questions or substantively new comments raised at the hearing were included in the minutes.

64. Secondly, the Dispute Chamber states that the objective of the minutes is not to provide an exhaustive overview of what was said during the hearing. An exhaustive overview is not only of little relevance regarding the right to be heard as outlined by law, it is also undesirable for the proper functioning of the procedure for the Dispute Chamber and for smooth proceedings for the parties. The debates are not reopened after the hearing is concluded, as clearly stated in the minutes themselves. According to the principle of effectiveness, the GDPR must be capable of being upheld usefully: unnecessary additional elements to the procedure are not only undesirable, they are also unlawful according to that principle.

65. An exhaustive transcript of everything said during a hearing, such as in this case lasting 1.5 hours, would yield several dozen pages of minutes; this would undermine the procedural value of a hearing.

66. Finally, regarding the request, the defendant points out that it would have the right under Article 95 § 2 DPA Act to a copy of the recording as it is part of the dossier. This is incorrect. The minutes are the document that is recorded in the dossier; additionally, parties' comments on those minutes are added to the dossier. The audio recording merely facilitates the drafting of the aforementioned minutes and is not a document of the administrative dossier. The right to be heard, as laid out in Article 98, 2° DPA Act, does not extend to obtaining a copy of the audio recording of the hearing. In any case, after the hearing has concluded, the debates are closed, so access to the copy of the audio recording under Article 95 § 2 DPA Act – a legal provision dealing with the copy of the dossier when enabling the case – is definitely not an issue.

67. For all these reasons, the request of the defendant for the preparation of a new – more exhaustive – set of minutes of the hearing dated July 1, 2024, is rejected.

68. For the transparency of the procedure, it should be noted that several lawyers from the defendant requested a copy of the audio recording of the hearing under Article 15.3 GDPR, via messages sent to the Dispute Chamber on July 18 and July 31, 2024. In the message of July 31, 2024, several lawyers from the defendant addressed both the Dispute Chamber and the data protection officer (“DPO”) directly. Once any lawyer referred to Article 15.3 GDPR on July 18, 2024, the DPO of the GBA was informed of the request. This exercise of a right under Article 15.3 GDPR does not fall under the administrative procedure preceding this decision.

II.2. The lodged complaint under Article 80.1 GDPR
II.2.1. Legal Framework
69. Article 80 GDPR states the following: Representation of data subjects
1. The data subject has the right to mandate an organ, organization, or association without profit motive, which is duly established according to the law of a Member State, whose statutory objectives serve the public interest and which is active in the area of protecting the rights and freedoms of the data subject in relation to the protection of their personal data, to submit a complaint on their behalf, exercise the rights specified in Articles 77, 78, and 79 on their behalf, and exercise the right to compensation under Article 82 on their behalf, if the law of the Member State provides for this.
2. Member States may determine that an organ, organization, or association as referred to in paragraph 1 of this article has the right to submit a complaint independently of the mandate of a data subject in that Member State to the supervisory authority competent under Article 77 and to exercise the rights specified in Articles 78 and 79, if it believes that the rights of a data subject under this regulation have been violated as a result of processing. In this regard, Recital 142 of the preamble is also relevant: When a data subject believes that their rights have been infringed under this regulation, they should have the right to authorize organs, organizations, or associations without profit motive, duly established under the law of a Member State, whose statutory objectives serve the public interest and which are active in the area of protecting personal data, to submit a complaint on their behalf to a supervisory authority, to exercise the right to an effective judicial remedy on behalf of data subjects, or to exercise the right to receive compensation on behalf of data subjects, if this is provided for in the law of the Member State. Member States may determine that these organs, organizations, or associations have the right to submit complaints in that Member State, irrespective of any authorization by a data subject, and to have the right to an effective judicial remedy if they have reasons to believe that the rights of a data subject have been violated due to personal data processing that infringes this regulation. For these organs, organizations, or associations, it may be determined that they do not have the right to claim compensation on behalf of a data subject without the authorization of the data subject.

II.2.2. Context of the complaint
70. The manner in which the complainant, in consultation with Noyb as a representative, can be visualized is as follows. [Image]
71. First it is undisputed that Noyb is engaged in projects related to lodging complaints regarding cookies and cookie banners. Noyb has publicly communicated about projects in this regard that bundle a number of similar complaints, and the status of the projects is publicly maintained on Noyb's website.²²
72. Second, there was undeniably a internship relationship between the complainant and their representative in the present dossier at the time of the findings that led to the documents attached to the complaint. The complainant was also an intern when Noyb was mandated to submit the complaint.
73. Third, there is NO demonstrable link between the lodging of the complaint in this dossier by the complainant (including the mandate of Noyb by the complainant) and other cookie projects initiated by Noyb as an organization. However, Noyb did issue a press release on the day the complaints were lodged, stating that “fifteen” complaints were filed against Belgian media websites. The complainant did not submit each of those fifteen complaints.²² Reference is made among others to documents 4, 5, and 6 in the defendant’s synthesis conclusion, including a reference to the webpage titled “Noyb wants to put an end to ‘cookie banner terror’ and files more than 500 GDPR complaints” (example document 4).

74. This does indicate a certain form of coordination, but it is nowhere established that any coordination took place before the complainant's grievances arose, nor before the mandate of Noyb by the complainant. In that sense, it cannot be established that any pressure from Noyb on the complainant could have occurred.
75. It should, however, be noted that this fact is not undisputed, as the defendant indicates that the interest of the complainant as a data subject has not been demonstrated, and that the findings or grievances cannot be completely disconnected from the organization Noyb. The defendant refers, among other things, at the hearing to the fact that the finding was made with work materials during working hours, and that there is talk of a project at Noyb (and not a complaint of the complainant as an individual).

76. Fourth, the complainant believes that a breach of the GDPR has occurred and that he has been harmed in his rights.

77. Fifth, a complaint was filed on behalf of the complainant by Noyb as their representative. The complaint was formulated and submitted to the Belgian supervisory authority in consultation with the complainant, and was lodged with the First Line Service of the GBA without any alleged formal deficiencies.

II.2.3. No direct evidence of ‘fictitious’ mandate and present (procedural) interest on the part of the complainant
Position of the complaining party
78. In her reply conclusion, the complaining party addresses the “admissibility” of the complaint. The Dispute Chamber summarizes the position. In a first part regarding this, the complaining party argues concerning the “admissibility under Article 77(1) in conjunction with Article 80(1) GDPR.”
   a. Firstly, the complaining party states in the section “burden of proof” that the complaints and attachments demonstrate a personal connection between the complainant and the data processing, inter alia, because the complainant visited the websites, from which the necessary indications arise for the violations described in the complaint. In this regard, the complaining party further states that the GDPR does not impose requirements on the content, form, or scope of the complaint and neither on the evidence that should be provided by the complainant. Furthermore, the complaining party states that it is the data controller who bears the burden of proof that the GDPR is being complied with, not the complainant.
   b. Secondly, the complaining party argues in the section “the relevant processing violates the GDPR” that the complaints...
Describing where GDPR violations occur

The complaining party states that the GDPR or the DPA Act does not require that the involved complainant first exercise their rights against the data controller. Furthermore, the complaining party points out that the defendant did not accept the cookie banners following the settlement proposal, and that there are still unlawful cookie banners in place.

c. Thirdly, the complaining party asserts in the section “sufficient personal interest” that the complainant has visited the websites and that personal data was processed during this time. The complainant has then chosen to be represented by Noyb, in accordance with Art. 80(1) GDPR. The representation can always be terminated, and Art. 80(1) GDPR does not impose a limitation on granting such a mandate during or after a “direct subordinate relationship” between the complainant and the representative. Furthermore, the complaining party states that the Court of Justice of the EU has accepted that a person who is (or has been) employed by Noyb may be represented by the latter, and that the argument of invalid representation by Noyb has repeatedly been dismissed in ongoing cases involving Noyb. Additionally, Noyb points out that the decisions of the Dispute Chamber do not have precedential effects.

d. Fourthly, the complaining party states in the section “Incorporation under Belgian law (Art. […] 220§2,1° GBW)” that the GBA has previously endorsed that this Belgian provision is stricter than Art. 80(1) GDPR and that it excludes it in the sense that non-compliance has ‘no impact’. The complaining party further states that the GBA must exclude the operation of the national provision to ensure the full effectiveness of EU law and thus allow Noyb as a representative under Art. 80(1) GDPR; Noyb is validly established under the law of a Member State, in this case, Austria.

79. In a second part regarding this matter, the complaining party argues about the “admissibility under Art. 80(2) GDPR”:
   a. The complaining party contends that there is a valid representation ex Art. 80(1) GDPR so that a question of admissibility under Art. 80(2) GDPR is not relevant. In this context, the complaining party notes that Noyb may initiate legal action in accordance with Art. 17 Ger. W. and that there is no reasonable justification for not allowing Noyb to independently file a complaint with the GBA. The complaining party further points out that the legislative history of Art. 17 Ger. W. does not state that this provision is not applicable for procedures before the (Dispute Chamber of the) GBA. On the other hand, according to the complaining party, the legislative history of Art. 58 DPA Act indicates that “everyone” can submit complaints, including legal entities and associations. Moreover, the complaining party argues that allowing Noyb to access a court as an independent party while not allowing it before the GBA would constitute a violation of the equality principle under Art. 10 of the Belgian Constitution. The complaining party concludes: “The fact that Noyb would have sufficient interest in filing complaints such as these follows from Noyb's statutes.”

Position of the Defendant
80. The position of the defendant is clarified in two of its arguments as follows (the Dispute Chamber summarizes):
   2nd argument (as a primary order): Absence of sufficient personal interest on the part of the complainant:
   a. In this argument, the defendant first asserts, summarized, that there is “no credible evidence or claim of processing of personal data of the complainant” presented in the complaint. According to the defendant, it is uncertain whether the complainant himself visited the relevant websites. The defendant states that based on “further investigation,” for example, it finds that a number of “false or at least flawed claims” can be read in the complaint – and refers for each of the four complaints to the fact that references to news pages (web pages) included in the evidence pertained to dates after the date on which the complainant claimed to have visited the websites. Additionally, the defendant points out other inconsistencies in the submitted documents.
   b. Secondly, this argument states, summarized, that the “relevant processing” does not violate the GDPR. The defendant argues that the complainant, as a data subject, has given consent and that he consulted the various layers of information, as evidenced by the documents. Moreover, the defendant cites that the complainant did not exercise his rights against the defendant. This means, according to the defendant, that the Dispute Chamber cannot order the deletion of data in the sense of Article 17 GDPR or order that this deletion or rectification be communicated to third parties in the sense of Article 19 GDPR.
   c. Thirdly, the defendant asserts, summarized, that the “data subject” (complainant) has no sufficient personal interest and that the representative acts under a fictitious mandate. The defendant refers to press releases from Noyb regarding its actions against “cookie banner terror” as well as a specific press release concerning the settlements of the Dispute Chamber. The defendant cites the following passage from this latest press release from Noyb: “Noyb files 15 complaints against the aforementioned media sites to force them to adjust their cookie banners.” Furthermore, the defendant points out that the complainant was an intern at Noyb at the time of the visits to the contentious websites, and that the visits to the websites were not spontaneous (given the limited time spent – less than 1 minute per website), that the geographical data concerning the website visits trace back to Austria, that the complainant himself indicates he is acting against a general practice, and that he lodged complaints against other media companies on the same day. Additionally, the defendant points out that the letter to the First Line Service by Noyb on September 1, 2023, does not demonstrate that the complainant indeed holds the required personal interest, and that the Dispute Chamber in a previous decision in a similar case (Decision 22/2024 of January 24, 2024) already ruled that Noyb's mandate is fictitious.
   d. Fourthly, the defendant claims that Noyb is abusing rights because it uses the complaints procedure to “realize its own publicly announced program through a fictitious mandate of a subordinate intern.” Furthermore, the defendant states: “In this way, Noyb sought to circumvent the non-transposition of Article 80.2 into Belgian law.” The defendant cites several other elements and concludes: “Noyb thus used the complaints procedure with the GBA for a purpose other than that for which the procedure is intended. This is an abuse of rights.”
   e. Finally, the defendant responds to several points from the conclusion of the complainant. In this regard, the defendant notes that the complaining party does not respond to “multiple – earlier factual – arguments” from the defendant and that these facts are therefore not disputed.

3rd argument (subordinate): NOYB cannot independently file a complaint
   a. In this argument, the defendant first asserts, ‘as a primary argument’, that the complainant's mandate is limited to Article 80.1 GDPR. The defendant states that the Dispute Chamber cannot assess the elements of the complaint under Article 80.2 GDPR; in that case, the Dispute Chamber would be ruling “ultra petita.”
   b. Secondly, in a subordinate manner, the defendant asserts that Article 80.2 GDPR does not apply in Belgium. The defendant refers to the Belgian legislator's choice not to activate this provision through national law.
   c. Thirdly, and also in a subordinate manner, the defendant states that Noyb itself cannot file a complaint as it does not possess sufficient personal interest.
   d. Fourthly, the defendant provides a rebuttal to what was stated in the conclusion of the complaining party, namely that sufficient interest for Noyb follows from the statutes of that organization. The defendant states that the statutes of Noyb only reveal the general, public nature of the interest.

Assessment by the Dispute Chamber
81. The representative of the complainant is generally actively working to expose certain practices in the field of data protection law. These general organizational goals alone do not suffice to speak of a fictitious mandate under Article 80.1 GDPR. The defendant raises a number of (sub)arguments in its defense to argue that there are various issues regarding the mandate. However, the Dispute Chamber finds no direct indications or evidence in any of these arguments to claim that the mandate is fundamentally defective, let alone that it was established in a ‘fictitious’ manner in this dossier. The Dispute Chamber argues as follows.

82. Firstly, it is indeed the case that Noyb has previously engaged in several projects where it sought to address certain practices through complaints. The mere fact that fictitious mandates would have been formulated in that context does not suffice to assert that Noyb cannot represent data subjects concerning the same matter. Moreover, there is no formal indication that Noyb itself initiated the approach to encourage the complainants to file complaints with a specific concrete content.

83. Secondly, the complainant emphasizes at the hearing that he independently visited the websites and had issues with the practices of the data controller, specifically after gaining knowledge of the settlement decision from the Dispute Chamber regarding the websites. Moreover, the complainant is Dutch-speaking, so it is not inconceivable that the complainant also incidentally or routinely visits the contentious websites and has an interest in ensuring that the processing of personal data is carried out properly when this happens. Therefore, when the complainant states that he visited the website independently – albeit on a work laptop – and feels aggrieved, without any indication of prior instruction or pressure from the representative, the legitimate, direct, and personal interest is established. There is no indication of abuse of rights.

84. It should be emphasized, as the complaining party rightly notes, that in the context of the right to complain, a data subject only needs to “believe” that their rights have been infringed. Furthermore, A fortiori, Recital 143 – regarding the mandate by a data subject – explicitly states that a data subject has the right to mandate an organization as soon as that person “believes” that their rights have been violated. That the representative subsequently makes their expertise available in the context of the representation mandate, to gather additional evidence, can indeed be considered a good practice.

85. In summary, the mandate has been validly granted under Article 80.1 GDPR.

86. Thirdly, it is indeed prudent to enter into a mandate under Article 80.1 GDPR when a working relationship (an employment relationship, an internship relationship, or others) is involved. Problems (such as conflicts of interest) may indeed arise concerning the internship relationship; however, the Dispute Chamber reads or finds no argument that indicates that the internship relationship in this instance stands in problematic relation to the mandate to file the complaint. It is legally and sensu stricto not excluded that the representative can also serve as an internship supervisor.

87. It is up to the representative to assess, within the framework of the applicable legal provisions, whether the representation relationship is appropriate. The Dispute Chamber will only intervene when there are clear indications that the legal requirements for a valid representation have not been met, or when the integrity of the procedure is at stake. This is the case, for example, when a mandate is established in a fictitious manner, or when the grievances are demonstrably ‘steered’ by the representative.

88. It is also worth noting that there is a difference between, on the one hand, being asked – however informal it may be – by an employer or ‘intern supervisor’ to give consent for something, versus, on the other hand, independently approaching the internship supervisor or employer to grant a mandate for representation. In this instance, there is no factual indication that the first situation applies, so there can be no legal defect in the mandate. Moreover, the complainant has also indicated in so many words at the hearing that he himself (albeit in consultation with another person who was also a trainee at the same time) independently identified a problem with the contentious websites. There is no evidence to suggest that this statement from the complainant is not truthful: the complainant raised this issue in person at the hearing.

89. The fact that trainees are provided with a forum to lodge complaints regarding alleged unlawful processing of their own personal data or related infringements is not problematic per se, as long as this occurs within the legal provisions23 and without prior instructions regarding, for example, the identity of the data controller and the specific infringements being alleged. Providing such a forum may also include offering work materials and a physical workspace to individuals. Strategic coordination between the complainant and their representative regarding how a complaint is lodged, which infringements are focused on, and how the content is presented can indeed only occur after such grievances have arisen.

90. It is of course not excluded that the complainant's objective to be represented in addressing the alleged infringed rights he wishes to see upheld aligns with Noyb's organizational objectives to ensure compliance with the rules on lawful data processing regarding cookies in the public interest.

91. In summary, there is no indication that the mandate is fictitious. The complainant has a direct and personal interest and has granted the mandate independently, not at the instruction of the representative.

92. Fourthly, the defendant rightly observes that several ambiguities, errors, or deficiencies arise from the evidence (in interaction with the content of the complaint itself). However, these aspects seem to indicate more of a careless presentation of evidence by the complaining party and/or the representative, specifically regarding the dating of such documents, rather than fundamental problems surrounding the representative's mandate. The complainant also claims to have visited the web pages himself, which is challenged by the defendant. In any case, the inaccuracies or errors are not of such a nature that they should lead to the dismissal of the dossier in the present case.

93. At the hearing, the complaining party acknowledges that not all documents in the complaint and the administrative dossier have been accurately labeled or described. However, the complainant states that he took the initial screenshots and thus raised the initial grievances that form the basis of the complaint. Regarding the HAR files (which contain a representation/recording of network traffic at a given time, showing the placing and reading of various cookies on the contentious websites) attached to the complaint, it is further raised that they were not generated by the complainant (but by staff of the representative). Here, the complaining party indicates that the HAR files do not serve to demonstrate the processing of personal data of the complainant as a data subject but rather to frame the general practices of the defendant.

94. All of this provides no direct evidence for a problem regarding the (fictitiousness of) the mandate. The complaining party is open about the approach, and everything indicates that additional evidence was gathered after the grievances arose for the complainant. Moreover, the defendant does not dispute that the screenshots and practices displayed on those screenshots were indeed real screenshots taken from the contentious websites.

95. The same applies to the HAR files that were attached from the contentious websites. In this instance, the defendant considers the dating or the acting person behind the document to be unclear, but the Dispute Chamber contemplates in this regard that there is no indication that the documents would have been manipulated in any way. Moreover, particularly the HAR files play no role in the further assessment by the Dispute Chamber, notably because these files are not relevant for the violations subsequently identified.

96. Regarding the screenshots, it is established that it is the complainant who has taken note of the cookie banners and their various layers; at least part of the screenshots attached to the complaint was initially generated by the complainant.

97. It can be considered good practice that when Noyb represents a data subject, it ensures that the necessary evidence is gathered as the representative; there is no need for the complainant to initiate when they mandate Noyb to raise a predetermined case (with grievances traceable to the complainant's own initiative), so long as the evidence supports the complaint. In this sense, it is certainly not the case that the Dispute Chamber deems documents provided by the representative inadmissible.

98. In summary, the incorrectly labeled, qualified, or otherwise deficient documents are not of such a nature that they indicate a problem concerning the interest of the complainant or the representation mandate, nor do they lead to the need to dismiss the dossier. The decision rests solely on the evidence whose authenticity is established or on documents or elements presented by the defendant themselves.

99. Fifthly, it is by no means the case that a complaint should be dismissed in any instance because a complainant (in this case still as a data subject) has not first approached the data controller, or that the Dispute Chamber would be unable to take measures when a data subject has not first approached the data controller. Depending on the circumstances, it is not even necessary for a person’s personal data to be processed for a complaint to be addressed by a supervisory authority – despite some legal discussions about this previously.24 However, it is true that the Dispute Chamber and the GBA as a whole – in light of their limited resources – strive for the most efficient processing of complaints, where the non-exercise of rights can certainly play a role in the assessment of whether or not to dismiss a complaint. Such an assessment is not in question here and now by the Dispute Chamber.

100. In conclusion: for all these reasons, all arguments put forward by the defendant concerning aspects of the representation mandate and the mandate of the representative by the complainant in this dossier are unsubstantiated. The Dispute Chamber rules that the representation is legally valid under Article 80.1 GDPR, and that the complainant has a personal, direct, and established interest in the processing of personal data underlying the present complaint procedure. No further discussion is provided on the parties' arguments concerning the role of Article 80.2 GDPR in this dossier, since this provision does not play a role in this case.

II.3. The violations
II.3.1. A comprehensive “refuse all” option at the first layer of cookie banners
Position of the complaining party
101. The position of the complainant regarding this point is as follows: “None of the […] cookie banners on the websites of the defendant [respondent] contains an “All refuse” button at the first level but only a button with “Agree and close” and a button with “More information.” The option to refuse all cookies simply and at once is intentionally hidden by the defendant [respondent]. Since no “All refuse” option is included at the first level of information on the cookie banner and the acceptance of all cookies is thus many times easier than refusing them, there is a “default effect” for and encouragement to accept all cookies (cf. Recital 32 GDPR). Based on this, the consent obtained by the defendant for placing cookies cannot be considered ‘unequivocal’ (Art. 4(11) GDPR), resulting in the consent obtained from the complainant being invalid (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive in conjunction with Art. 10/2 GBW). Consequently, the defendant [respondent] cannot demonstrate that the complainant has given consent for the processing of his personal data (Art. 7(1) in conjunction with Art. 5(2) GDPR).
the EDPB Cookie Banner Taskforce Report emphasizes again that the absence of a button labeled “Refuse All” at the same level as the “Accept All” button is considered a violation by a significant majority of data protection authorities. […] As previously raised in the complaint, this prevailing legal opinion also follows from guidelines of national supervisory authorities from France, Germany, Denmark, and Finland. Additionally, the guidelines from the Netherlands and Austria can be added to this list. The GBA explicitly states: “A ‘Manage Settings’ button is thus not sufficient alongside an ‘Accept All’ button. […] The mere provision of an option to refuse all cookies that evidently requires more steps, time, and effort than accepting all cookies also constitutes a violation of the principle of due process laid out in Art. 5(1)(a) GDPR, according to the EDPB guidelines on deceptive design and dark patterns.” Establishing that the absence of an “All refuse” option at the first informational layer of the defendant's cookie banners constitutes a violation, however, not only involves applying the guidelines of supervisory authorities, but is also a direct and concrete application of the legislation (in accordance with prevailing legal opinion). From a one-time approved action plan or individual (old) decisions of the Dispute Chamber in specific cases, where an “All refuse” button was not the subject, its value cannot be attributed as the prevailing legal opinion. […] As previously mentioned in this conclusion, the Markets Court confirmed that the decisions of the GBA's Dispute Chamber do not have precedent power.

Position of the Defendant
102. The position of the defendant in its synthesis conclusion is as follows (the Dispute Chamber summarizes):

4th argument (subordinate): The absence of a ‘refuse’ option in the first informational layer of the cookie banner does not render consent invalid
• Firstly, the defendant states that the alleged violation is “without purpose because the complainant gave his consent.” The defendant argues that as soon as a data controller obtains the consent of the data subject, there is a legal basis to process the data lawfully; the defendant points out that the complainant gave his consent.
• Secondly, the defendant states that the obligation to place the ‘refuse’ option in the first informational layer is not evident in any legislation. The defendant states that valid consent can be obtained “even when there is no ‘refuse’ option at the first informational level of the cookie banner.”
• Thirdly, the defendant indicates that the consent requirements under Article 7 GDPR have indeed been respected. The defendant states that Article 7 GDPR does not imply a requirement to have a ‘refuse’ option in the first informational layer of the cookie banner. The defendant highlights that Article 7.3 GDPR addresses the withdrawal of consent: “The GDPR does not set out similar requirements for refusing consent at a time when no consent has yet been given.” Furthermore, in this context, the defendant points out that Article 4.11 GDPR also does not require having a ‘refuse’ option at the first layer of the cookie banner: the expression of will can, according to the defendant, take place in a free, specific, informed, and unequivocal manner. In any case, the expression of will occurs actively.
• Fourthly, the defendant asserts that the cookie banner aligns with the “decision-making practice of the Dispute Chamber.” The defendant specifically refers to two decisions – Decision 12/2019 of December 17, 2019, and Decision 19/2021 of February 12, 2021 – where, in particular in the latter decision, the Dispute Chamber explicitly stated, as cited by the defendant: “The new cookie banner no longer relies on implicit consent (‘by continuing to use this website’) but gives the choice between ‘accept recommended cookies’ and ‘adjust cookie preferences.’”
• Fifthly, the defendant indicates that the cookie banner is in accordance with the guidelines of the EDPB regarding consent. The defendant states that it finds nothing indicating the requirement of a ‘refuse’ option at the first informational level of the cookie banner.
• Sixthly, the defendant notes that the cookie banner complies with the action plan of IAB Europe, which was approved by the Dispute Chamber.25 The defendant states: “Mediahuis understands that the action plan of the Internet Advertising Bureau (“IAB”), validated by the Dispute Chamber on January 11, 2023, also does not contain the requirement for a ‘refuse’ option in the first informational layer of a cookie banner. This action plan does not stipulate what buttons must appear at the first informational layer of a cookie banner.”
• Seventhly, the defendant argues that no violation occurs solely because the practice is not in accordance with “policy documents of authorities.” The defendant emphasizes that these are merely policy documents; they do not have binding force as they are not law. Additionally, the defendant states that it understands from the EDPB Cookie Banner Taskforce report that a number of authorities believe that the absence of an ‘all refuse’ option on the same level as an ‘all accept’ option does not constitute a violation of Article 5(3) ePrivacy Directive, which indicates to the defendant that there is no consensus on this among European supervisory authorities. Furthermore, the defendant stresses that the GBA is “not consistent” in the information provided to the public, pointing out the difference in cookie web pages on the “citizen” section of the GBA website versus the “professional” page on the GBA website. The defendant also mentions that the information on the “professional” website is unclear and links to non-professional web pages on the GBA website. The defendant had these inconsistencies noted by a bailiff on November 27, 2023, and submitted the findings as evidence.
• Finally, the defendant also replies to the conclusion of the complainant.

Assessment by the Dispute Chamber
103. Article 10/2 PD Act states: In accordance with Article 125, § 1, 1°, of the Act of June 13, 2005, concerning electronic communication and without prejudice to the application of the Regulation and this Act, the storage of information or the acquisition of access to information that is already stored in the end device of a subscriber or user is only permitted on the condition that: 1° the subscriber or user receives clear and precise information about the purposes of the processing and their rights under the Regulation and this Act; 2° the subscriber or end user has given their consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the end device of a subscriber or end user, with the sole purpose of carrying out the transmission of a communication via an electronic communication network or providing a service explicitly requested by the subscriber or end user when this is strictly necessary for that purpose. (The Dispute Chamber underlines and emphasizes)

104. The European Data Protection Board (EDPB)26, just like the European Court of Justice (ECJ)27, has stated that the requirements concerning the notion of “consent” in the ePrivacy Directive must meet the requirements of consent under the GDPR.28 This is particularly true for those cookies that involve data processing: as the “Cookie Banner Taskforce” report of January 17, 2023 states, such processing implies that at the time of granting consent, this consent must meet the requirements of the GDPR.29

105. Article 4.11 GDPR defines consent as follows: any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which they signify agreement to the processing of personal data relating to them, by means of a statement or by a clear affirmative action;

106. Article 6(1) GDPR states: Processing shall be lawful only if and to the extent that at least one of the following applies:
27 EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1, May 4, 2020, §6-7.
37 EDPB, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1, May 4, 2020, §39: “For consent to be freely given, access to services and functionalities must not be conditional on the consent of a user to store information or obtain access to information already stored in an end-user's device (the so-called cookie walls).”

38 See also the examples cited in the GBA’s “cookie checklist”, available at: https://www.gegegevensbeschermingsautoriteit.be/publications/cookie-checklist.pdf, vn. 3: “A ‘Manage settings’ button is not sufficient alongside an ‘accept all’ button, also see the prior press release regarding that from the Data Protection Authority: https://www.gegevensbeschermingsautoriteit.be/burger/nieuws/2023/02/10/cookiebanners-de-edpb-publiceert-voorbeelden-van-niet-conforme-praktijken.”

107. From the combined reading of the aforementioned legal provisions, and following the clarification from the Court of Justice regarding the interplay between the ePrivacy Directive and the GDPR, it follows unequivocally that the “refuse all” option must be provided by the defendant at the first layer when the defendant places an “accept all” button on that same layer.30 Otherwise, consent cannot be obtained in a “free” and “unambiguous” manner.31

108. Consent is not “free” when the data subject who does not wish to grant their consent (in the sense of Article 10/2, first paragraph, 2° PD Act) is required to take additional actions to refuse consent. As Recital 42 of the GDPR states: “Consent should not be considered freely given if the data subject has no genuine or free choice . . .”32 A choice implies at least an equally valid option to perform an act of refusal (not consenting) in the same manner as the act for which the choice is presented (consenting).33 Additionally, it should be noted that the involved visitor cannot close the cookie banner without making a choice, which constitutes a problematic form of so-called cookie wall.34

109. The fact that consent is not granted freely is sufficient to conclude that consent is not validly offered as a choice and cannot be obtained.

110. On the other hand, the “refuse all” option is indeed represented in the next layer in the same way as the “consent to all” option in that layer, but in any case in less clear colors than the “agree and close” option in the first layer, and with a number of other buttons displayed below in a similarly equal manner.37 As an example (mutatis mutandis applicable to the four contentious websites) on the website of De Standaard, from a screenshot in the synthesis conclusion of the defendant from the second layer:

38 A clear contrast with the ‘agree and close’ button in the first layer of the cookie banner: ---- Welcome to De Standaard! Mediahuis and third parties use cookies and similar techniques (“cookies”) for storing and/or accessing information on a device, functional and analytical purposes, advertisement and content measurement, audience insights, and product development, social media functionalities, personalized advertising, and personalized content. Personal data may be processed, including information about your device, your browser, and your use of the website. By clicking “Agree,” you agree to this. If you do not wish to allow all types of cookies, click on “Manage Preferences.” You can adjust your preferences at any time via the link “Manage Privacy Preferences” at the bottom of every page. Do you wish to learn more about how we use your data? Read our privacy policy and cookie policy. Our partners and we process data as follows: Personalized ads and content, ad and content measurement, audience insights and product development, Information stored and/or accessed on a device. Refuse all. Agree to all + Store and/or access information on a device. Disagree / Agree + Ad and content measurement, audience insights, and product development. Disagree / Agree + Personalized content. Disagree / Agree + Personalized ads. Disagree / Agree + Social Media. Disagree / Agree + Advanced measurement. Disagree / Agree + Using limited data to select content. Disagree / Agree + View partners Set all your preferences to save and proceed. ----

111. It is essential to balance the right to data protection with other fundamental rights40 – such as freedom of enterprise41 – but when the legislator imposes a requirement for consent for certain processes (under the ePrivacy Directive as transposed in the PD Act), that consent must, of course, meet the specific requirements set by the same legislator (under both the ePrivacy Directive and the GDPR).

112. Therefore, when it is established that, under applicable law, consent must be obtained for the placement of non-essential cookies – a point on which there is no dispute in this dossier – this inherently implies at least a direct choice, aside from the potential granularity for consenting to the placement of specific types or categories of cookies. As the complaining party notes, in the present cases on the four contentious websites, there is no legal reason why the refusal of cookies should not occur in the same simple manner.42 A different ruling would disregard the requirement of “free” and “unambiguous” consent necessary to obtain valid consent.

113. The defendant's argument that the complainant lacks an interest simply because he granted his consent is not tenable. Just because consent is given does not mean that the consent meets all the criteria for valid consent and thus constitutes valid consent under Article 4.11 in conjunction with Article 7.1 GDPR.

114. The defendant’s argument that the norm is unclear and that there is no reference in the legislation to the fact that an “all refuse” option must be present at the first informational level in the contentious cases is not the least bit tenable. This also applies to the argument that the situation adheres to the guidelines of the EDPB regarding consent, solely because those guidelines do not specify (with the incorrect implication that the guidelines do not require) the refuse option at the first ‘layer’ of the cookie banner.

115. The Dispute Chamber further clarifies its powers regarding this issue.

116. Article 8(3) of the Charter of Fundamental Rights of the European Union states that independent authorities must oversee compliance with the right to the protection of personal data. This provision underlines the importance of independent control and forms the basis for the establishment of supervisory authorities. Under Article 57.1 GDPR, supervisory authorities are authorized to enforce the GDPR.43 Under Article 4 DPA Act, the GBA is competent for this enforcement.44 Under Article 32 DPA Act, the Dispute Chamber is the administrative dispute body of the GBA; it decides on a case-by-case basis.

117. Since the entry into force of the Act of December 21, 2021, implementing the European Code for electronic communications and modifying various provisions concerning electronic communications on January 10, 2022 (“WEC”), the GBA is now competent under Belgian law for overseeing the provisions regarding the placement and use of cookies (i.e., “the storage of information or obtaining access to information that is already stored in the end device of a subscriber or a user”). This law made several amendments to the WEC. Specifically, Article 256 of the Act of December 21, 2021, repeals Article 129 WEC and transfers this provision to the Act of July 30, 2018, concerning the protection of natural persons regarding the processing of personal data (PD Act).45 Given that the GBA has residual authority to oversee the provisions of the PD Act, this confirms the material competence of the GBA regarding the placement and use of cookies.

118. The European legislator explicitly chose, in light of the increasingly digital society, to assign the enforcement of the GDPR to an authority that connects with similar authorities in...
valid consent under Article 6.1(a) GDPR.

Position of the Complainant
The complainant emphasizes once again that the EDPB Cookie Banner Taskforce Report also confirms that the absence of a button labeled “Refuse All” at the same level as the “Accept All” button is deemed a violation by a large majority of data protection authorities. […] As previously mentioned in the complaint, the fact that this is the prevailing legal opinion is also supported by guidelines from national supervisory authorities in France, Germany, Denmark, and Finland. The guidelines from the Netherlands and Austria can also be added to this. The GBA explicitly prescribes that: “A ‘Manage Settings’ button is therefore not sufficient alongside an ‘Accept All’ button. […] The mere provision of an option to refuse all cookies that evidently requires more steps, time, and effort than accepting all cookies constitutes a violation of the principle of due process in Art. 5(1)(a) GDPR, according to the EDPB guidelines on deceptive design and dark patterns.” Establishing that the absence of an “All refuse” option at the first information layer of the defendant’s cookie banners constitutes a violation does not solely rely on the application of supervisory guidelines, but rather constitutes a direct and concrete application of the legislation (in accordance with the prevailing legal opinion). The valuing of a one-time approved action plan or individual (previous) decisions of the Dispute Chamber in specific cases, where the absence of misleading button colors was not the subject, cannot be attributed the value of an established legal opinion. […] It has also been confirmed by the Markets Court that the decisions of the Dispute Chamber of the GBA do not have precedent effect.

Position of the Defendant
102. The defendant’s position in its synthesis conclusion is as follows (the Dispute Chamber summarizes):

4th Argument (subordinate): The absence of a ‘refuse’ option in the first informational layer of the cookie banner does not invalidate consent
• Firstly, the defendant states that the alleged violation is “without purpose since the complainant gave his consent.” In this context, the defendant asserts that as soon as a data controller has obtained the consent of the data subject, there exists a legal basis for lawful processing of the data; the defendant points out that the complainant granted his consent.
• Secondly, the defendant states in a subordinate manner that there is no obligation to place the ‘refuse’ option at the first information layer in any legislation. The defendant claims that valid consent can be obtained “even when there is no ‘refuse’ option at the first layer of the cookie banner.”
• Thirdly, the defendant asserts that the consent requirements under Article 7 GDPR have indeed been respected. The defendant argues that Article 7 GDPR does not show a requirement for a ‘refuse’ option in the first informational layer of the cookie banner. The defendant points out that Article 7.3 GDPR pertains to the withdrawal of consent: “The GDPR does not impose similar requirements for refusing consent at a time when consent has not yet been granted.” Furthermore, the defendant emphasizes that Article 4.11 GDPR does not impose a requirement for having a ‘refuse’ option at the first layer of the cookie banner: according to the defendant, the expression of will can take place freely, specifically, informed, and unequivocally. In any case, the expression of will occurs in an active manner.
• Fourthly, the defendant states that the cookie banner aligns with the “decision-making practice of the Dispute Chamber.” The defendant refers specifically to two decisions – Decision 12/2019 of December 17, 2019, and Decision 19/2021 of February 12, 2021 – where, particularly in the latter decision, the Dispute Chamber explicitly stated, as cited by the defendant: “The new cookie banner no longer relies on implied consent (‘by continuing to use this website’) but gives the choice between ‘accept recommended cookies’ and ‘adjust cookie preferences.’”
• Fifthly, the defendant claims that the cookie banner is in accordance with the EDPB guidelines on consent. The defendant argues that they do not see any requirement for a ‘refuse’ option at the first informational level of the cookie banner.
• Sixthly, the defendant asserts that the cookie banner is in accordance with the action plan of IAB Europe, which was approved by the Dispute Chamber.25 The defendant states: “Mediahuis understands that the action plan of the Internet Advertising Bureau (“IAB”), validated by the Dispute Chamber on January 11, 2023, does not entail the requirement for a ‘refuse’ option in the first informational layer of a cookie banner. This action plan does not contain any stipulation regarding what buttons must be included at the first information layer of a cookie banner.”
• Seventhly, the defendant argues that merely because the practice is not in accordance with “policy documents of authorities” does not mean there is a violation. The defendant points out that these are merely policy documents; they do not have binding force as they are not law. Additionally, the defendant states that based on the EDPB Cookie Banner Taskforce report, some authorities believe that the absence of an ‘All refuse’ option at the same level as an ‘All accept’ option does not constitute a violation of Article 5(3) of the ePrivacy Directive, indicating to the defendant that there is no consensus on this matter among European supervisory authorities. Moreover, the defendant argues that the GBA is “inconsistent” in the information it provides to the public, highlighting the differences in cookie-related pages on the “citizen” section of the GBA website versus the “professional” page. The defendant notes that the information on the “professional” website is unclear, linking to non-professional pages on the GBA website. The defendant had these inconsistencies recorded by a bailiff on November 27, 2023, and submits these findings as evidence.
• Finally, the defendant responds to several points raised in the complainant’s conclusion.

Assessment by the Dispute Chamber
103. Article 10/2 PD Act stipulates: In implementation of Article 125, § 1, 1°, of the Act of June 13, 2005, concerning electronic communications and without prejudice to the application of the Regulation and this Act, the storage of information or the obtaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed under the condition that: 1° the concerned subscriber or user, in accordance with the provisions laid down in the Regulation and this Act, receives clear and precise information about the purposes of the processing and his rights based on the Regulation and this Act; 2° the subscriber or end-user has given consent after being informed in accordance with the provision under 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the terminal equipment of a subscriber or end-user when the sole purpose is to carry out the transmission of a communication via an electronic communications network or to provide a service explicitly requested by the subscriber or end-user when this is strictly necessary for that purpose. (The Dispute Chamber underlines and emphasizes)

104. The European Data Protection Board (EDPB)26, just as the European Court of Justice (ECJ)27, has stated that the requirements applied to the notion of “consent” in the ePrivacy Directive must comply with the requirements for consent under the GDPR. This is particularly the case for those cookies that involve data processing: as the EDPB Cookie Banner Taskforce report of January 17, 2023 states, such processing suggests that at the moment of granting consent, the consent must meet the conditions of the GDPR.

105. Article 4.11 GDPR defines consent as follows: any freely given, specific, informed, and unambiguous expression of the data subject's wishes, by which they indicate agreement to the processing of personal data relating to them;

106. Article 6(1) GDPR specifies: Processing shall be lawful only if and to the extent that at least one of the following applies:

107. From the combined reading of the aforementioned legal provisions, and following the clarification from the Court of Justice regarding the interplay between the ePrivacy Directive and the GDPR, it follows unequivocally that the “refuse all” option must be provided by the defendant at the first layer when the defendant places an “accept all” button on that same layer. Otherwise, consent cannot be obtained in a “free” and “unambiguous” manner.

108. Consent is not “free” when the data subject who does not wish to grant their consent is required to take additional actions to refuse consent. As Recital 42 of the GDPR states: “Consent should not be deemed freely given if the data subject has no genuine or free choice.” A choice implies that there is at least an equal option to opt for a different action (not consenting) in the same manner as the action for which the choice is offered (consenting).

109. The fact that consent cannot be freely granted is sufficient on its own to determine that it cannot be validly offered as a choice and cannot be obtained.

110. On the other hand, the “refuse all” option is indeed represented in the next layer in the same way as the “accept all” option in that layer, but in any case, with less clarity compared to the “agree and close” option in the first layer, and is accompanied by a number of other buttons displayed beneath in a similar, equally significant manner.

111. This striking color usage in the first layer of the contentious cookie banners, where the button representing the “accept all” option is highlighted in a more pronounced color, reflects a choice aimed at leading the data subject to grant consent for cookies to be placed.

112. The EDPB Cookie Banner Taskforce report indicates that regarding color use, no general standard can be imposed on data controllers, but the assessment should be made on a case-by-case basis.

113. In the present cases, the defendant uses various standout colors that likely induce a deceptive sense of comfort for the data subject:
   a. On the De Standaard website, the “agree and close” option is presented prominently in a dark red color as the most data-collecting option, while alternatives require clicking on a light gray banner against a white background.
   b. On the Het Belang van Limburg website, the “agree and close” option is shown prominently in dark black, while alternatives require clicking on a light gray banner on a white background.
   c. On the Het Nieuwsblad website, the “agree and close” option is shown prominently in dark blue, while alternatives require clicking on a light gray banner against a white background.
   d. On the Gazet van Antwerpen website, the “agree and close” option is shown prominently in bright red, while alternatives require clicking on a light gray banner against a white background.

114. Interfaces designed with deceptive comfort as in this case undeniably steer a data subject to choose the most data-collecting options, notably because the person is unaware of how many more steps they must undertake before they can choose not to allow cookies (i.e., not to consent). The data subject knows that they choose the “path of least resistance” with this comfortable option in the first layer of the cookie banner – without this necessarily reflecting their actual informed preference for granting consent.

115. The defendant's argument that the complaint on this point is “without purpose” because different color usage is no longer employed in the second informational layer (after an adjustment during the procedure) is evidently not conducive. The assessment at hand pertains to the color usage in the first layer of the cookie banner; the Dispute Chamber’s evaluation in the dossier (including the letter dated February 5, 2024, with alleged violations stated) is in no way limited to the second layer of the cookie banner.

116. The argument that the involved complainant did grant consent is also not favorable, as the granting or withholding of consent does not preclude the assessment of the propriety of the processing. Additionally, the fact that consent has been granted is not ipso facto sufficient to state that consent has been validly granted.

117. The argument that there is “no prohibition” against using different colors is correct in a formal sense. However, the Dispute Chamber has already laid out above that this does not prevent the choice of specific colors from violating the duty of propriety in light of activities involving the processing of personal data, and that the unambiguous nature of consent cannot be ensured.

118. The argument that the Dispute Chamber has approved an action plan from an industry organization that would directly relate to the present contentious situations is likewise not a favorable argument. As previously mentioned, the decisions of the Dispute Chamber have no precedent value. Moreover, the entity referred to by the defendant is completely foreign to the current procedure.

119. Furthermore, it is important to note that under Articles 5.2 and 24 GDPR, it is the data controller who is responsible for ensuring compliance with the application of the GDPR and for taking appropriate technical and organizational measures accordingly. The defendant does not contest its responsibility for the substantive evaluation of its processing activities; therefore, even though this argument is not substantively conducive, it is also abundantly clear that it misses its target in a formal sense.

120. The Dispute Chamber does not dispute – as the defendant argues – that the guidelines of the supervisory authority and the European Data Protection Committee do not have the force of law. However, this does not mean that they do not have authoritative value (or should not), at least because Article 57.1(f) GDPR tasks the GBA with informing data controllers of their obligations under the regulation, just as Article 70.1(u) mandates the EDPB to facilitate cooperation among supervisory authorities and formulate guidelines, best practices, and recommendations as needed to ensure consistent application of the GDPR (Art. 70.1(d) GDPR).

121. For all these reasons, it is evident that the misleading colors used on the first layer of the cookie banner constitute a violation of the duty of propriety in the sense of Article 5.1(a) GDPR. Since consent is not unambiguous, it cannot be claimed that valid consent is obtained.
7.3 AVG als ongegrond, aangezien de klager geen bewijs heeft geleverd dat er op het moment van de klacht een gerechtvaardigd belang zou zijn geclaimd of toegepast.

Position of the Complainant
147. The position of the complainant is as follows: “On none of the defendant's websites does it require the same simplicity to withdraw consent as it does to accept cookies. Accepting all cookies occurs with a simple click (or two clicks if the ‘More information’ button is pressed), while withdrawing consent is not possible with a single click. Instead, website visitors must go to a specific section of the website to withdraw cookies. At the very bottom of the page, there is a link labeled ‘Manage Privacy Preferences’ buried among an extensive list of various other links. If clicked, the website visitor can then opt to ‘Refuse All’, ‘Accept All’, or click ‘Not Agree’ or ‘Agree’ for each purpose. Under Article 7(3), first sentence, GDPR, a data subject has the right to withdraw their consent at any time. The withdrawal of consent must be as easy as granting it according to Article 7(3), third sentence, GDPR. Since this requirement is not met, the defendant also violates Article 12(1) GDPR, Article 17(1)(b) GDPR, Article 5(3) ePrivacy Directive, and Article 10/2 PD Act. Moreover, the simplicity of withdrawing consent is indeed a requirement for the consent granted to be classified as valid under Article 7(1) in conjunction with Article 4(11) GDPR (and thus also for compliance with Articles 10/2 PD Act and 125 §1, 1° WEC). The EDPB has confirmed this in its guidelines on consent: ‘The ability to easily withdraw consent is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw does not meet the GDPR requirements, then the consent mechanism of the data controller is not compliant with the GDPR.’ […] (emphasis added) In the EDPB Cookie Banner Task Force report, it is also emphasized that the withdrawal of consent for cookies must be as easy as granting it […] Furthermore, the EDPB guidelines on consent clarify: ‘When consent is obtained through electronic means, by a single mouse click, swipe, or keystroke, the data subject should be able to withdraw this consent just as easily in practice.’ […] In the EDPB guidelines on deceptive design and dark patterns, this same requirement is explicitly reiterated […] Therefore, the defendant must provide the complainant the opportunity to withdraw his consent with a single mouse click. When a clearly visible option for granting consent is offered, there must also be an equally clearly visible option for withdrawing consent. A link labeled ‘Manage Privacy Preferences’ in small text, among an extensive list of other links, at the very bottom of the defendant's website pages – requiring extensive scrolling – clearly does not meet these requirements. A floating, permanently visible ‘hoover’ button to withdraw consent that remains visible would meet these requirements. The defendant has somewhat improved the possibility to withdraw consent and change cookie settings since the complaint was filed. It is now possible – once the ‘Manage Privacy Preferences’ button is located and clicked – to press an ‘All Refuse’ button, whereas previously it was only possible to withdraw consent for each purpose individually. […] This shows that the defendant can easily provide an equivalent option to withdraw cookies as soon as the website visitor finds the opportunity to adjust cookie settings, and that the defendant previously consciously chose not to do so. It also shows that the defendant evidently believes the previous cookie banner did not comply with the applicable legal requirements of Article 7(3) GDPR. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection legislation by removing personal data in connection with a complaint or investigation. This does not negate the fact that the violation indeed occurred (for quite some time). Furthermore, with the changes made by the defendant, it is still not as simple to withdraw consent as it is to grant it; it has only become easier than it was at the time the complaint was filed.”

Position of the Defendant
148. The position of the defendant is as follows (the Dispute Chamber summarizes):

6th Argument (subordinate): The withdrawal of consent does not violate Article 4(11) in conjunction with Article 7.3 GDPR, nor Articles 10/2 PD Act and 125 §1, 1° WEC
   a. Firstly, the defendant states “primarily” that there is an absence of sufficient personal interest on the part of the complainant concerning the alleged use of legitimate interest. The defendant claims that no cookies have been placed in this manner regarding the complainant, since the complainant granted consent for placing cookies.
   b. Secondly, the defendant asserts “subordinately” that the complaint is without purpose because the current cookie screens of Mediahuis no longer reference legitimate interest. The defendant notes that during the same period as the settlement procedure, a number of adjustments regarding the placement of cookies based on legitimate interest were prepared (and ultimately implemented on December 22, 2023).
   c. Thirdly, the defendant claims “more subordinately” that there is no breach of Article 6.1(f) GDPR, and that the complaint is unfounded to the extent that it contends that legitimate interest can never be a legal basis for cookies.
   d. Fourthly, the defendant states “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant notes: “[…] if the exception to the rule (consent) under Article 10/2 PD Act applies, then it is self-evident that in such a case the rule (consent) itself does not apply.”
   e. Fifthly, the defendant replies to the conclusion of the complainant regarding this matter.

8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR concerning transparency of the cookie banner
   a. Firstly, the defendant states “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant notes that all references to legitimate interest were removed on December 22, 2023.
   b. Secondly, the defendant asserts “subordinately” that there is no violation of Article 5.1(a) GDPR. The defendant considers the allegation based on Article 7.3 GDPR to be unfounded, as the complainant granted consent, and states that there is “no prohibition” on using different colors to obtain consent in cookie banners.

Assessment by the Dispute Chamber
149. Firstly, the focus must be on the situation regarding the withdrawal of consent at the time of the complaint (the ‘old’ situation), before the defendant made several adjustments during the procedure. These adjustments to the contentious websites led to the situation that after clicking on the ‘Manage Privacy Preferences’ link on the contentious websites, consent could be withdrawn with a single click (“All Refuse”).

150. In the ‘old’ situation, a data subject indeed had to undertake “a number of clicks” (according to the defendant's wording) to withdraw consent, while the initial consent (“agree and close”) required only one click. The defendant expressly acknowledges that a visitor (here classified as a data subject) had to click “many more times” “compared to the situation in which he wanted to grant his full consent.”

151. Therefore, in this ‘old’ situation, withdrawing consent was clearly not as simple as granting it, which constitutes a violation of Article 7.3 GDPR. The fact that the withdrawal of consent is a relative concept – meaning that it must be as “easy” to withdraw as it is to grant – does not diminish its significance. Such an understanding as a relative concept in legal terms may well be accurate, but in relative circumstances, the “number of clicks” the defendant refers to is clearly relative to more clicks than the single click for the “agree and close” button on the cookie banner.

152. Regarding the ‘new’ situation, following the defendant's adjustments during the procedure: in the new situation, withdrawing consent after clicking on the ‘Privacy Preferences’ link on each webpage of every contentious news website can indeed be done with a single click (“All Refuse”). The options provided in the cookie banner are identical to those offered at the second layer of the cookie banner for granting consent: this practice does not give rise – based on the available documents in the dossier – to establishing a breach.

153. The website does not require a mandatory “permanently visible” button for properly withdrawing consent. When a data subject can withdraw consent with two clicks from any webpage on the contentious websites under Article 7.3 GDPR, it aligns with the spirit of the legal provision. A data subject can reasonably expect the cookie settings to be found at the bottom of a webpage. The individual can subsequently take note of the information regarding the withdrawal of consent and do so with a single button.

154. As the EDPB pointed out in the report from the Cookie Banner Taskforce, it is sufficient that a link on the website is available and placed in a “visible and standardized location.”55 Placing a direct link at the bottom of every webpage leading to a banner with a single button to withdraw consent meets this requirement. The EDPB has also emphasized in the same report that legislation only requires easily accessible solutions to be provided for withdrawing consent, but that a “specific withdrawal solution” is not mandated, and particularly the establishment of a hovering solution cannot be imposed on a data controller within the current legal context.56

155. The defendant rightly stresses that the requirement under Article 7.3 GDPR that consent must be “as easy” to withdraw as it is to grant presents a relative situation. In this sense, for the proper functioning of a website – which is also in the interest of the data subject – it is not expected that the withdrawal of consent occurs in precisely the same manner when this entails that they (in the most literal sense) must do so ‘at all times’ in that way.

156. In this reasoning, a “hoover” button (the proposal put forth by the complainant) would not suffice, as such a “hoover” button does not provide exactly the same visual representation as a cookie banner (for granting consent) for withdrawing consent at any time during the website visit. Such a requirement would impose a blocking effect on the internet user, which is manifestly unreasonable.

57. Regarding the ‘old’ situation, a breach must indeed be established regarding Article 7.3 GDPR. Given that there is no evidence that this breach continues in the ‘new’ situation following the adjustments made by the defendant, the Dispute Chamber decides on this point to issue a reprimand to the defendant. No other coercive or punitive measures are deemed appropriate in this regard.

II.3.4. Use of legitimate interest for placing cookies that require consent and alleged breach of transparency and information obligations
Position of the Complainant
158. The position of the complainant is as follows: “When the complainant visited the websites, the websites of the defendant [respondent] contained a button for legitimate interest in the second layer of the cookie banner that was defaulted to ‘Agree’ for conducting an ‘Advanced Measurement’ to ‘measure advertisement and content performance. Insights can be derived about the audience that has viewed the advertisements and content. Data can be used to build or improve user experience, systems, and software.” This “legitimate interest button” for conducting such “measurements” was placed alongside a button to grant consent for the same purpose and was only visible if the website visitor pressed the ‘+’ button. Therefore, the defendant [respondent] presents that it has a legitimate interest (Art. 6(1)(f) GDPR) for conducting “advanced measurements” if the complainant does not grant consent (Art. 6(1)(a) GDPR). Legitimate interest thus serves as a ‘backup’ basis for the defendant. In this way, the defendant unlawfully shifts from an "opt-in" system based on Article 6(1)(a) GDPR to an "opt-out" system based on Article 6(1)(f) GDPR. Legitimate interest was and is not a valid legal basis for the placement and reading of non-strictly necessary cookies, such as the cookies placed for conducting “advanced measurements” (cf. Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). This has been reiterated in the EDPB Cookie Banner Taskforce Report and in guidelines from national supervisory authorities.

159. It is correct that other bases under Article 6 GDPR can be used in very limited cases for the placement and reading of cookies. However, this only applies to strictly necessary cookies and solely for the purpose of sending communication via an electronic communications network (Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). Conducting “advanced measurements” by the defendant does not fall under this strict exception. Also, the further processing of personal data obtained via cookies for which consent is required must fundamentally be based on consent, as also confirmed by the EDPB and the EDPS. […] This also applies to further processing of data for conducting “advanced measurements” by the defendant. Moreover, it is misleading for the defendant to present as if consent is the basis for processing while, if this consent is not granted, the basis is switched to legitimate interest without respecting the complainant's choice to refuse consent. This violates the principles of legality, propriety, and transparency (Article 5(1)(a) GDPR). This conduct is contrary to Article 6 GDPR and Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act, and therefore unlawful. The EDPB guidelines on consent explicitly state that this conduct by the defendant is unfair (Article 5(1)(a) GDPR): “It is important to note that if a data controller chooses to base part of the processing on consent, it must be willing to respect the choices regarding that consent and to stop that part of the processing if a person withdraws their consent. To present as if data is processed based on consent while, in reality, another legal basis is relied upon would be fundamentally unfair to data subjects. [...] In other words, a data controller cannot substitute consent for other legal grounds. For example, it is not permitted to resort to the legal ground of ‘legitimate interest’ after the validity of consent becomes problematic.” […] (emphasis added)

160. Furthermore, there was no information about the alleged legitimate interest in the cookie banner, nor was there an option to object at the first level of the cookie banner. The only opportunity to object and even to receive information about such claimed legitimate interest was hidden in the second layer of the cookie banner. The text “Manage Preferences” at the first informational level of the cookie banner did not lead to this information or the opportunity to object. More specifically, within the second informational layer, one needed to click on the plus sign (+) next to “Advanced Measurement” to convert the defendant's “Legitimate Interest” into “Not Agree.” Thus, objecting to and being informed about the defendant's alleged legitimate interest required the website visitor to click multiple times, which people do only 2% of the time in practice. This is in violation of Article 21(4) GDPR and Article 12(2) GDPR, as both the fact that the defendant based its processing on the alleged legitimate interest and the possibility to object to this alleged legitimate interest were not explicitly brought to the attention of the data subject. This conduct also did not align with the principle of transparency (Article 5(1)(a) GDPR). Moreover, it is incomprehensible for the defendant to assume that if a data subject does not grant consent for the related “advanced measurement” processing, they would also not raise an objection against the processing under Article 21 GDPR. However, the cookie banner seemed to assume that data subjects must express the same desire not to have their data processed twice: once as a refusal of consent and then as an additional objection against the same processing activity (which constitutes a "double opt-out"). Considering the above, the defendant violated the principles of legality, propriety, and transparency as laid out in Article 5(1)(a) GDPR. The defendant has thankfully already removed references to “legitimate interest” from its cookie banners. The inclusion of a “legitimate interest” in the cookie banners has thus proven not necessary for the defendant and can easily be adjusted, indicating that the defendant previously consciously chose to include a reference to legitimate interest. This also shows that the defendant evidently believes that the previous cookie banner did not meet the applicable legal requirements. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibilities under data protection legislation by remedying GDPR violations post-complaint or during an investigation. This does not negate the fact that the violation definitely occurred (for a considerable time).

Position of the Defendant
159. The defendant's defense is as follows (the Dispute Chamber summarizes):

7th Argument (subordinate): The reference to ‘legitimate interest’ does not constitute a violation of Article 6.1(f) GDPR, nor Articles 10/2 PD Act and 125, §1, 1° WEC
   a. Firstly, the defendant states “primarily” that there is an absence of sufficient personal interest concerning the alleged use of legitimate interest. The defendant asserts, among other points, that no cookies were placed in this manner with respect to the complainant, since the complainant gave consent for placing cookies.
   b. Secondly, the defendant argues “subordinately” that the complaint is without purpose because there is no longer any reference to legitimate interest since December 23, 2023. The defendant states that references to legitimate interest were removed on December 22, 2023.
   c. Thirdly, the defendant argues “more subordinately” that there is no violation of Article 6.1(f) GDPR and that the complaint is unfounded to the extent it claims that legitimate interest can never serve as a legal basis for cookies.
   d. Fourthly, the defendant contends “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant indicates: “[…] if under Article 10/2 PD Act the exception to the rule (consent) applies, then it is self-evident that, in such a case, the rule (consent) itself is not applicable.”
   e. Fifthly, the defendant replies to the conclusion of the complainant regarding this aspect.

8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR concerning the transparency of the cookie banner
   a. Firstly, the defendant states “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant reiterates that all references to legitimate interest were removed on December 22, 2023.
   b. Secondly, the defendant claims “subordinately” that there is no violation of Article 5.1(a) GDPR in this regard. The defendant considers the allegation based on Article 21.3 GDPR to be unfounded, asserting that the complainant granted consent, and indicates that there is “no prohibition” on the use of different colors to obtain consent in cookie banners.

Assessment by the Dispute Chamber
134. As the EDPB clarifies in its guidelines concerning misleading design patterns within social media platform interfaces, in the case of a potentially misleading design, the principle of propriety contained in Article 5.1(a) GDPR can be applied to assess whether a violation of legislation has occurred.

135. On all four contentious websites, the first ‘layer’ of the cookie banner is displayed nearly identically to that on the De Standaard newspaper's website – albeit with different colors, depending on the specific contentious news website:

Welcome to De Standaard! Mediahuis and third parties use cookies and similar techniques (“cookies”) to store and/or access information on a device, functional and analytical purposes, advertisement and content measurement, audience insights, product development, social media functionalities, personalized ads, and personalized content. Personal data may be processed, including information about your device, your browser, and your use of the website. By clicking “Agree,” you consent to this. If you do not wish to allow all types of cookies, click on “Manage Preferences.” You can adjust your preferences at any time via the link “Manage Privacy Preferences” at the bottom of each page. Do you wish to learn more about how we use your data? Read our privacy policy and cookie policy. Our partners and we process data as follows: Personalized ads and content, advertisement and content measurement, audience insights, and product development. Information stored and/or accessed on a device. Refuse All. Agree to All +

136. The use of certain more prominent colors on the four contentious websites, which primarily aims to encourage the data subject to grant consent for cookies, leads the Dispute Chamber to assert that the duty of propriety under Article 5.1(a) GDPR has been violated, thereby jeopardizing the valid acquisition of consent, constituting a breach of Article 6.1(a) GDPR. Consent cannot be unambiguously obtained when a data subject is “guided” to take a certain action.

137. It is evident that the striking color usage in the first layer of the contentious cookie banners, wherein the button that represents the accept-all option (“agree and close”) is highlighted in more pronounced color contrast, reflects a certain choice that leads to more intrusive processing of personal data due to the placing of cookies.

138. The EDPB Cookie Banner Taskforce report states that regarding color use, no general standard can be imposed on data controllers, but the assessment should be conducted on a case-by-case basis.

139. In these cases, the defendant uses various prominent colors that likely induce a deceptive sense of comfort for the data subject:
   a. On the De Standaard website, the “agree and close” option is presented in dark red as the most data-collecting option, while alternatives must be clicked through a light gray banner on a white background.
   b. On the Het Belang van Limburg website, the “agree and close” option is presented in dark black as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
   c. On the Het Nieuwsblad website, the “agree and close” option is presented in dark blue as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.
   d. On the Gazet van Antwerpen website, the “agree and close” option is presented in bright red as the most data-collecting option, while alternatives must be clicked through a light gray banner against a white background.

140. Interfaces designed in this way create an undeniable tendency for a data subject to choose the most data-collecting options, particularly since individuals may not even know how many steps they must undertake before they can opt out of cookie placements (i.e., not grant consent). The data subject is aware that this comfortable option at the first layer of the cookie banner allows them to take the “path of least resistance” – without this necessarily reflecting their genuine informed preference for granting consent.

141. The defendant's argument that the complaint on this point is “without purpose” because different color usage is no longer present in the second informational layer (after an adjustment during the process) is clearly not helpful. The assessment here is about the color usage in the first layer of the cookie banner; the Dispute Chamber’s evaluation in the dossier (including the letter dated February 5, 2024, outlining the alleged violations) is in no way limited to the second layer of the cookie banner.

142. The argument that the involved complainant granted consent is also not helpful, as the granting or withholding of consent does not preclude the assessment of the propriety of the processing. Additionally, the fact that consent was given is not, by itself, sufficient to assert that consent has been validly granted.

143. The argument that there is “no prohibition” against using different colors is accurate in a formal sense. However, the Dispute Chamber has already elaborated above that this does not prevent the selection of certain colors from violating the duty of propriety in terms of personal data processing activities, and that the unambiguous nature of consent cannot be guaranteed.

144. The argument that the Dispute Chamber approved an action plan from an industry organization that would directly relate to the present contentious situations is also not a useful argument. As noted earlier, the decisions of the Dispute Chamber have no precedential value. Additionally, this refers to an entity that is entirely unrelated to the current procedure.

145. Furthermore, the Dispute Chamber emphasizes that according to Article 5.2 and Article 24 GDPR, it is the data controller who is responsible for ensuring compliance with the application of the GDPR and for implementing appropriate technical and organizational measures accordingly. The defendant does not dispute its responsibility for the substantive assessment of its processing activities; therefore, even though this argument is not substantively conducive, it is also abundantly evident that it misses its intended target in a formal sense.

146. The Dispute Chamber does not dispute – as the defendant contends – that the guidelines of the supervisory authority and the European Data Protection Board do not carry the force of law. However, this does not mean they should lack authoritative value, at least because Article 57.1(f) GDPR assigns the GBA the task of informing data controllers about their obligations under the regulation, just as Article 70.1(u) establishes the EDPB's role to enable cooperation among supervisory authorities and formulate guidelines, best practices, and recommendation to ensure consistent application of the GDPR (Art. 70.1(d) GDPR).

147. For all these reasons, it is evident that misleading colors are employed on the first layer of the cookie banner, which constitutes a violation of the duty of propriety as per Article 5.1(a) GDPR. Consequently, since consent is not unambiguous, it cannot be said to be validly obtained.
penalty must work towards compliance and should not merely serve punitive or deterrent purposes. Thus, the Dispute Chamber believes that a fresh and efficient approach to enforcing compliance with data protection laws, especially in the context of rapidly evolving technology, does not necessarily require prior notification to the defendant before imposing a penalty.

121. The authority must, therefore, ensure compliance with not only legal but also technological developments. The legislator intended for the interpretation of a factual situation to be evaluated by an authority in this context.

122. The fact that certain legal or technological developments impact a specific decision-making practice is a logical result of this approach – and is also taken into account in the context of sanctioning in this case (infra, section III.1.1.). An open norm does not prevent the imposition of measures, nor does it preclude the imposition of an administrative fine, as increasing technological developments (at a fast pace) compel proactive, sufficient, and proportional enforcement in new circumstances.

123. Furthermore, the defendant's argument that Article 7 GDPR does not explicitly require a ‘refuse’ option also refers back to the previous arguments presented in the context of the open norm. The Dispute Chamber assesses the legality of consent according to the definitions and conditions assigned to consent by the legislator: this pertains to consent under Article 10/2 PD Act and Article 6.1(a) GDPR, as defined in Article 4.11 GDPR.

124. Regarding the defendant's argument that the cookie banner is in compliance with previous decision-making practice of the Dispute Chamber, it should be noted that the decisions of the Dispute Chamber do not have precedential value. Although this argument may be relevant regarding potential measures (particularly the imposition of sanctions), the legal assessment that corresponds to the most accurate legal viewpoint – based on the most recent case law and the viewpoint of the EDPB – cannot be bypassed solely based on this argument.

125. The argument that the Dispute Chamber approved an action plan from a sector organization that would relate directly to the present contentious situations is likewise not a relevant argument. As noted before, the decisions of the Dispute Chamber do not carry precedential weight. Moreover, this refers to an actor that is entirely unrelated to the current procedure.

126. Additionally, it is noteworthy that under Articles 5.2 and 24 GDPR, it is the responsibility of the data controller to ensure compliance with the application of the GDPR and to take appropriate technical and organizational measures accordingly. The defendant does not contest in any way its processing responsibility for the substantive evaluation of its processing activities, therefore, even if this argument lacks substance, it is clear that it fails in a formal sense.

127. The Dispute Chamber does not contest – as the defendant argues – that the guidelines from the supervisory authority and the European Data Protection Board do not have the force of law. However, this does not imply they should lack authoritative value, especially because Article 57.1(f) GDPR assigns the GBA the task of informing data controllers about their obligations, and Article 70.1(u) enables the EDPB to foster cooperation among supervisory authorities and, if necessary, formulate guidelines, best practices, and recommendations to ensure consistent application of the GDPR (Article 70.1(d) GDPR).

128. For all these reasons, it is clear that misleading colors are used on the first layer of the cookie banner, which constitutes a violation of the principle of propriety under Article 5.1(a) GDPR. Since consent cannot be unambiguously obtained, it cannot be claimed that valid consent has been provided.

II.3.2. Use of misleading button colors
Position of the Complainant
132. The argument of the complainant is as follows: “The button ‘Agree and Close’ at the first level of the cookie banners on the defendant's websites is always prominently colored (red, blue, or black with white text) against a white background. Meanwhile, the ‘More Information’ button has a color that almost blends into the background color of the cookie banners (light gray with dark gray text against a white background). By explicitly ‘highlighting’ the ‘Agree and Close’ button compared to the option to refuse cookies, website visitors, such as the complainant, are explicitly encouraged to click on ‘Agree and Close’. Research has also shown that when the consent button has a (much) more prominent color than the button to refuse consent, consent is granted 1.7 times more often than when both buttons are the same color. As a result, consent obtained by the defendant for placing cookies cannot be considered ‘unequivocal’ (Art. 4(11) GDPR), rendering the consent from the complainant invalid (Art. 6(1)(a) GDPR in conjunction with Art. 5(3) ePrivacy Directive in conjunction with Art. 10/2 PD Act), meaning the defendant cannot demonstrate that the complainant has consented to the processing of his personal data (Art. 7(1) in conjunction with Art. 5(2) GDPR). As already emphasized in the complaint, the EDPB Cookie Banner Taskforce report also states that the contrast and colors used in the cookie banner must not be “obviously misleading,” as this leads to “unintended” and therefore invalid consent. [...] According to guidelines from various supervisory authorities, including the Greek, Austrian, and Czech authorities, it is explicitly stated that data controllers may not use misleading button colors that encourage website visitors to click on “Agree and Close”.

Assessment by the Dispute Chamber
135. The use of certain more striking colors on the four contentious websites, which has as its primary reason to encourage the data subject to give consent to the placement of cookies, leads the Dispute Chamber to assert explicitly that the duty of propriety under Article 5.1(a) GDPR has been violated and also jeopardizes the valid acquisition of consent, constituting a breach of Article 6.1(a) GDPR.

136. It is clear that the prominent color usage in the first layer of the contentious cookie banners, where the button depicting the accept-all option (“Agree and Close”) receives the most prominent color in a more distinct contrast, reflects a choice aimed at encouraging the data subject to grant consent to place cookies.

137. The EDPB Cookie Banner Taskforce report states that regarding color usage, no general standard can be imposed on data controllers; rather, the assessment must be made on a case-by-case basis.

138. In these cases, the defendant employs various striking colors that likely induce a deceptive sense of comfort for the data subject:
   a. On the De Standaard website, the “agree and close” option is prominently displayed in dark red as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
   b. On the Het Belang van Limburg website, the “agree and close” option is prominently displayed in dark black as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
   c. On the Het Nieuwsblad website, the “agree and close” option is prominently displayed in dark blue as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background;
   d. On the Gazet van Antwerpen website, the “agree and close” option is prominently displayed in bright red as the most data-collecting option, while the alternatives need to be accessed by clicking a light gray banner on a white background.

139. Interfaces designed in this manner undoubtedly lead a data subject to select the most data-collecting options, especially since the individual may not be aware of how many additional steps they must undertake before they can choose not to allow cookies (i.e., not consenting). The data subject is aware that with the comfortable initial option in the cookie banner, they are taking the “path of least resistance” – without it necessarily reflecting their authentic informed preference for granting consent.

140. The argument from the defendant that the complaint regarding this point is “without purpose” because the color usage has changed in the second informational layer (after an adjustment during the procedure) is clearly not assisting. The evaluation in question pertains to the color usage in the first layer of the cookie banner; the Dispute Chamber’s assessment in the dossier (including the letter dated February 5, 2024, outlining the alleged violations) is not limited to the second layer of the cookie banner.

141. The argument that the involved complainant did grant consent is also not relevant, as the granting or refusal of consent does not obstruct the assessment of the propriety of processing. Additionally, the mere fact that consent has been granted is not, by itself, sufficient to assert that consent has been validly granted.

142. The defendant should indeed not employ misleading colors, an aspect that constitutes a violation of the duty of propriety as expressed in Article 5.1(a) GDPR. The presence of such deceptive designs makes it unfeasible to acquire valid consent, which is a legal requirement.

---

This concludes the translation of your legal text. If you have more text or require further assistance, please let me know!
a valid consent in the sense of Article 6.1(a) GDPR.

II.3.3. Withdrawal of Consent in Accordance with Article 7.3 GDPR
Position of the Complainant
147. The position of the complainant is as follows: “On none of the defendant's [respondent's] websites is it as easy to withdraw consent as it is to accept cookies. Accepting all cookies occurs with one simple click (or two clicks if the ‘More Information’ button is pressed), while withdrawing consent is not possible with one click. Instead, website visitors must navigate to a specific section of the website to withdraw cookies. At the very bottom of the page, hidden among an extensive list of various other links, is a link labeled ‘Manage Privacy Preferences’. When clicked, the website visitor can choose ‘Refuse All’, ‘Accept All’, or click ‘Not Agree’ or ‘Agree’ for each purpose. Under Article 7(3), first sentence, GDPR, the data subject has the right to withdraw their consent at any time. The withdrawal of consent must be as easy as granting it according to Article 7(3), third sentence, GDPR. Since the requirements of Article 7 GDPR are not met, the defendant also violates Article 12(1) GDPR, Article 17(1)(b) GDPR, Article 5(3) ePrivacy Directive, and Article 10/2 PD Act. Additionally, the ease of withdrawing consent is indeed a requirement for the consent to be classified as valid under Article 7(1) in conjunction with Article 4(11) GDPR (and thus also regarding whether the requirements of Article 10/2 PD Act and Article 125§1, 1° WEC are met). The EDPB has confirmed this in the guidelines on consent: ‘The ability to easily withdraw consent is described in the GDPR as a necessary aspect of valid consent. If the right to withdraw does not meet the requirements of the GDPR, then the data controller's consent mechanism does not comply with the GDPR.’ […] (emphasis added) The EDPB Cookie Banner Task Force report also emphasizes that the withdrawal of consent for cookies must be as easy as granting it […] Also, in the EDPB guidelines on consent, it is expressly clarified: ‘When consent is obtained via electronic means, through a single mouse click, swipe, or keystroke, the data subject must be able to withdraw that consent just as easily in practice.’ […] In the EDPB guidelines on deceptive design and dark patterns, the same requirement is reiterated […] Consequently, the defendant must provide the complainant the ability to withdraw consent with a single mouse click. Now that a clearly visible option for granting consent is offered, there must also be an equally clearly visible option for withdrawing consent. A link labeled ‘Manage Privacy Preferences’ in small text, buried among an extensive list of other links at the very bottom of the defendant's website pages—which requires extensive scrolling—does not meet these requirements. A hovering, permanently visible (hoover) button to withdraw consent that remains visible would meet these requirements. The defendant has somewhat improved the possibility to withdraw consent and change cookie settings since the complaint was filed. It is now possible—once the ‘Manage Privacy Preferences’ button is found and clicked—to press an ‘All Refuse’ button, whereas previously it was only possible to withdraw consent for each purpose individually. […] This indicates that the defendant can easily provide an equivalent option to withdraw cookies as soon as the website visitor finds the opportunity to adjust cookie settings, and that the defendant previously consciously chose not to do so. It also shows that the defendant evidently believes the previous cookie banner did not comply with applicable legal requirements of Article 7(3) GDPR. However, the complaint must still be assessed based on the facts at the time the complaint was filed. Otherwise, the respondent could evade any processing responsibility under data protection legislation by removing personal data in connection with a complaint or investigation. This does not negate the fact that the violation indeed occurred (for a considerable time). Moreover, with the changes the defendant has made, it is still not as simple to withdraw consent as it is to grant it; it has only become easier than it was at the time the complaint was filed.”

Position of the Defendant
148. The defendant's position is as follows (the Dispute Chamber summarizes):

6th Argument (subordinate): The withdrawal of consent does not constitute a violation of Article 4(11) in conjunction with Article 7.3 GDPR, nor Articles 10/2 PD Act and 125, §1, 1° WEC
   a. Firstly, the defendant asserts “primarily” that there is a lack of sufficient personal interest on the complainant’s part concerning the alleged use of legitimate interest. The defendant argues that no cookies have been placed in this manner concerning the complainant, as the complainant granted his consent for the placement of cookies.
   b. Secondly, the defendant maintains “subordinately” that the complaint is without purpose because the current cookie screens of Mediahuis no longer refer to legitimate interest. The defendant notes that during the same period as the settlement procedure, several adjustments related to the placement of cookies based on legitimate interest were prepared (and ultimately carried out on December 22, 2023).
   c. Thirdly, the defendant argues “more subordinately” that there is no violation of Article 6.1(f) GDPR, and that the complaint is unfounded to the extent it contends that legitimate interest can never serve as a legal basis for cookies.
   d. Fourthly, the defendant states “more subordinately” that there is no violation of Article 10/2 PD Act and Article 125 §1, 1° WEC. The defendant argues: “[…] if under Article 10/2 PD Act the exception to the rule (consent) applies, then it is self-evident that in such a case, the rule (consent) itself does not apply.”
   e. Fifthly, the defendant replies to the conclusion of the complainant regarding this aspect.

8th Argument (subordinate): No violation of Articles 5.1(a), 12.2, and 21.4 GDPR regarding the transparency of the cookie banner
   a. Firstly, the defendant asserts “primarily” that the complaint is without purpose, as there is “no legitimate interest” since December 23, 2023. The defendant reiterates that all references to legitimate interest were removed on December 22, 2023.
   b. Secondly, the defendant claims “subordinately” that there is no violation of Article 5.1(a) GDPR in this regard. The defendant considers the allegation based on Article 21.4 GDPR to be unfounded, asserting that the complainant granted consent, and indicates that there is “no prohibition” on the use of different colors to obtain consent in cookie banners.

Assessment by the Dispute Chamber
149. The focus must first be on the situation before withdrawing consent at the time of the complaint (the ‘old’ situation) and before the defendant made several adjustments during the procedure. These adjustments to the contentious websites led to a scenario where the withdrawal of consent after clicking on the ‘Privacy Preferences’ link on the contentious websites can now be carried out with one click (“All Refuse”).

150. In the ‘old’ situation, a data subject indeed had to undertake “a number of clicks” (as stated by the defendant) to withdraw consent, while the initial consent (“agree and close”) required only one click. The defendant explicitly acknowledges that a visitor (here classified as a data subject) had to click “many more times” “compared to the situation in which he wanted to grant his full consent.”

151. Therefore, in this ‘old’ situation, withdrawing consent was evidently not as simple as granting it, which constitutes a violation of Article 7.3 GDPR. The fact that the ‘withdrawal’ of consent is a relative concept—such that it must be “as easy” to withdraw as it is to grant—does not detract from this. Such a classification as a relative concept in legal terms may be accurate, but in relative circumstances, the “number of clicks” the defendant speaks of is clearly referred to as more clicks than the single click of the “agree and close” button on the cookie banner.

152. Regarding the ‘new’ situation, after the defendant's adjustments during the procedure: in this new scenario, withdrawing consent after clicking on the ‘Manage Privacy Preferences’ link on every webpage of the contentious news websites can indeed now be done with a single click (“All Refuse”). The options presented in the cookie banner correspond to those offered at the secondary layer of the cookie banner when granting consent: this practice does not provide a basis—based on the documents presented in the dossier—for establishing a violation.

153. The website does not necessitate a mandatory “permanently visible” button for appropriately withdrawing consent. When a data subject can withdraw consent with two clicks from any webpage on the contentious websites according to Article 7.3 GDPR, it aligns with the intent of the legal provision. A data subject can reasonably expect cookie settings to be found at the bottom of a webpage. Consequently, the individual can then take note of the information regarding the withdrawal of consent and do so with one button.

154. As the EDPB has indicated in the Cookie Banner Taskforce report, it is sufficient that there is a link available on the website placed in a “visible and standardized location.” The placement of a direct link at the bottom of every webpage leading to a banner where consent can be withdrawn with one button complies with this wording. The EDPB has also emphasized in the same report that legislation merely requires easily accessible solutions for the withdrawal of consent to be offered, but does not indicate that a “specific withdrawal solution” must be implemented, nor can the establishment of a hovering solution be imposed on a data controller within the current legal context.

155. The defendant correctly emphasizes that the requirement under Article 7.3 GDPR that consent must be “as easy” to withdraw as it is to grant presents a relative situation. In this respect, for the proper functioning of a website—which is also in the interest of the data subject—it is not reasonable to expect the withdrawal of consent to occur in exactly the same manner when this implies that they (in the most literal sense) must always do so in that way.

156. In this reasoning, a “hoover” button (the proposal presented by the complainant) would not suffice either since such a “hoover” button does not present the exact same visual representation as a cookie banner (for granting consent) for withdrawing consent throughout the entirety of the website visit. This would impose a blocking effect on the internet user, which is evidently unreasonable.

157. Regarding the ‘old’ situation, a breach must indeed be established concerning Article 7.3 GDPR. Given that there is no indication that this breach continues in the ‘new’ situation following the adjustments made by the defendant, the Dispute Chamber decides at this point to issue a reprimand to the defendant. No other coercive or penal measures are deemed appropriate in this regard.

II.3.4. Use of Legitimate Interest for Placing Cookies That Require Consent and Alleged Violation of Transparency and Information Obligations
Position of the Complainant
158. The position of the complainant states: “When the complainant visited the websites, the defendant's [respondent's] websites in the second layer of the cookie banner contained a legitimate interest button that was defaulted to ‘Agree’ for conducting an ‘Advanced Measurement’ to ‘measure advertisement and content performance. Data can be used to derive insights regarding the audience that viewed the advertisements and content. This data can be used to build or improve user experience, systems, and software.’ This ‘legitimate interest button’ for conducting such ‘measurements’ was placed alongside a button to grant consent for the same purpose and was only visible if the website visitor pressed the ‘+’ button. Thus, the defendant [respondent] implied that it has a legitimate interest (Article 6(1)(f) GDPR) for carrying out ‘advanced measurements’ if the complainant does not provide consent (Article 6(1)(a) GDPR). Legitimate interest serves as a ‘backup’ basis for the defendant. Consequently, the defendant unlawfully shifts from an “opt-in” system based on Article 6(1)(a) GDPR to an “opt-out” system based on Article 6(1)(f) GDPR. Legitimate interest cannot serve as a valid legal basis for placing and reading non-strictly necessary cookies, such as the cookies placed for conducting “advanced measurements” (cf. Article 5(3) ePrivacy Directive in conjunction with Article 10/2 PD Act). This has been reiterated in the EDPB Cookie Banner Taskforce Report and in guidelines from national supervisory authorities.

Assessment by the Dispute Chamber
159. The defendant admits that cookies were placed based on legitimate interest, of which at least some should have been placed based on consent in accordance with the ePrivacy Directive and its transposition into the PD Act. Cookies placed to carry out ‘advanced measurements’ regarding website usage for advertising purposes (at least concerning the analysis of the reach and efficacy of targeted cookies) are by definition not strictly necessary. Such cookies thus require, in any case, consent under Article 10/2 PD Act and also under Article 6.1(a) GDPR for the subsequent processing of personal data.

160. As the EDPB has emphasized in the report from the Cookie Banner Taskforce, the use or mention of legitimate interest as a legal basis in the cookie banner may also confuse users, who might believe they have to refuse twice to ensure their personal data is not processed. In this sense, the legal basis for placing a cookie should either be based on legitimate interest or on consent.

161. One cannot choose to present legitimate interest as a 'backup' legal ground in the absence of granted consent. This is not only little transparent regarding the data subjects whose consent is being requested, but it is also not permitted within the framework of Article 10/2 PD Act (as transposed from Article 5.3 ePrivacy Directive) and Article 6 GDPR. Both provisions require that the data controller implements a personal data processing activity based on a single legal ground. As the Dispute Chamber has already stated in multiple decisions, the EDPB emphasizes this in its guidelines on consent: Before beginning processing activities, it must be determined which of the six grounds apply for which specific purpose. It is important to note that if a data controller opts to base part of the processing on consent, it must be willing to respect the choices regarding that consent and stop that part of the processing if a person withdraws their consent. Presenting it as if data is processed based on consent while actually relying on another legal basis would be fundamentally unfair to the data subjects.

162. The Dispute Chamber believes it is not maintaining an overly stringent interpretation of what constitutes strictly necessary cookies. However, the legislator currently leaves no room for another interpretation and explicitly refers to a “strictly necessary” character (Article 10/2 PD Act). Ruling that cookies, such as certain analytical cookies – which are not strictly necessary for the proper functioning of the website – could be placed based on legitimate interest would not merely reflect a lenient attitude, but rather an interpretation that is contra legem. This situation is even more pronounced for cookies used for marketing purposes. The Dispute Chamber applies the applicable legal rules to the facts.

163. No independent verification—e.g., by the Inspection Service—has been conducted to ascertain which cookies were placed and to what extent. In any case, the defendant’s acknowledgment of the unlawful placement of cookies based on legitimate interest necessitates the reprimanding of the defendant: they may only place cookies based on legitimate interest as long as the cookies fall under the exception scenario under Article 10/2, paragraph two PD Act; since this was not the case in the past, it constitutes a violation of the aforementioned provision. The same goes mutatis mutandis for the subsequent personal data processing activities, which must be based either on Article 6.1(a) or Article 6.1(f) GDPR—not both provisions simultaneously or as interchangeable ‘backup’.

164. It is also irrelevant whether or not valid consent from the complainant in question was obtained; the mere fact that the defendant potentially does not request consent for the placement of such cookies, resulting in unlawful processing of personal data, suffices to establish the violation.

165. The fact that the decision to place such cookies lies partly in the hands of third parties (whether they are joint data controllers, data controllers, or processors in that processing process) is irrelevant. The defendant is responsible under Article 5.2 GDPR for ensuring that the placement of cookies and the processing of personal data resulting from the placement of cookies through its contentious websites occurs lawfully.

166. The elements of the complaint related to the transparency and information obligations, as well as those elements concerning (the facilitation of exercising) the right to object based on the placement of cookies founded on legitimate interest, are not further examined by this decision. The Dispute Chamber has not been presented with sufficient elements concerning the assessment of these alleged breaches.

167. The Dispute Chamber rules that the grievances asserted in the complaint—as rightly highlighted by the defendant—are overly broad, resulting in the defendant being unable to adequately defend itself based on the documents presented in the complaint or during the proceedings (for example, regarding the general reference to an alleged breach of “the principles of transparency, legality, and propriety”).

168. The Dispute Chamber establishes that the defendant violated Article 10/2 PD Act in conjunction with Article 6.1(a) GDPR by conceding that cookies were placed based on legitimate interest while they did not fall within the exception provision under Article 10/2 PD Act before making adjustments to their website in this regard. Furthermore, the legitimate interest (also under Article 6.1(f) GDPR for subsequent processing) was used as a ‘backup’ when no consent (under Article 6.1(a) GDPR) was granted for the placement of cookies.

169. The defendant should not have (allowed) the placement of these cookies and has at least failed to investigate whether the cookies could be placed based on legitimate interest – while this falls under its responsibility as a data controller in terms of the lawfulness of its processing activities. For this reason, the Dispute Chamber will proceed to reprimand the defendant regarding this point.

170. The Dispute Chamber partially dismisses the complaint with respect to the grievances concerning the transparency and information obligations (specifically Articles 12.2 and 5.1(a) GDPR that are mentioned by the complaining party), as well as (the exercise of) the right to object (Article 21.4 GDPR is mentioned by the complaining party) due to the reasons mentioned above.

III. Measures and Immediate Enforceability
III.1. Orders
171. The Dispute Chamber finds it appropriate to issue two separate orders for each of the four contentious websites of the defendant due to the first two mentioned violations.
172. Order 1: The Dispute Chamber orders the addition of a refusal option on every layer of the cookie banner on each of the four contentious websites when an option to accept all (“agree and close”) is provided on the same layer, insofar as the accept-all option serves to grant consent within the meaning of Article 10/2 PD Act in conjunction with Article 6.1(a) GDPR for the placement of cookies involving personal data processing.
173. Order 2: In placing buttons on the cookie layers in the context of obtaining consent for the placement of cookies on the defendant’s contentious websites, the buttons – and more specifically the colors and contrast of those buttons – must not be designed deceptively. The all-refuse option must be presented in an equivalent manner compared to the all-accept option, as it is currently shown on each of the four contentious websites. This does not preclude the defendant as the data controller from opting to display such buttons in approximately the same visible location, utilizing the same color and size of button and text display; it remains the data controller's responsibility to make the choices necessary to comply with its obligations under Articles 5.2 and 24 GDPR.
174. For each of the two orders, the defendant may take inspiration from the suggestions and examples provided by the GBA in its Cookie Checklist. However, it is up to the data controller to make the necessary technical and organizational choices in this regard. An illustrative image from the Checklist could potentially be relevant for following the orders:

---
Website
If you want to allow the placement of cookies on your device, you can click the “Accept All” button. If you wish to refuse their placement, you can go to the next level by clicking “Settings.”
All Accept | Settings

Website
If you want to allow the placement of cookies on your device, you can click the “Accept All” button. If you wish to refuse them, you can click the “All Refuse” button.
All Accept | All Refuse | Settings
---

175. Each of the two orders must be complied with for each of the four contentious websites, no later than the 45th day after notification of this decision. The defendant must provide a clear document to the Dispute Chamber and the complainant as part of compliance with the order; this document should reflect which adjustments have been made to each of the contentious websites to implement the two orders.

176. Should the Dispute Chamber find that the orders have not been fully or partially complied with from the 46th day after the decision, it will notify the defendant accordingly. Once the defendant receives this notification, the penalty (infra) will be activated for non-compliance relative to the aforementioned second or third circumstance.

177. A penalty of 25,000 EUR will apply for Order 1 per started day after the 45-day period expires, especially given the consideration that the defendant might weigh the decision not to comply due to its commercial impact. The penalty will apply per contentious website of the defendant, potentially reaching 100,000 EUR per day for the defendant.

178. A penalty of 25,000 EUR will apply for Order 2 per started day after the 45-day period expires, likewise considering the potential economic impact on the defendant of not complying with the order. The penalty will apply per contentious website of the defendant, potentially reaching 100,000 EUR per day for the defendant.

179. The penalty applies per contentious website of the defendant, with a potential total of 200,000 EUR per day for the defendant. This amount is deemed proportional considering the scale of the defendant's activities and the potential impact of the violations on the rights and freedoms of the data subjects.

180. The Dispute Chamber emphasizes that this amount is not intended as a punishment but as an effective means of ensuring compliance with the orders. The goal is to motivate the defendant to act quickly and fully comply with the imposed measures, taking into account the financial capacity of the company and the potential profits that could arise from non-compliance.

181. Should the defendant demonstrate that full compliance within the set timeframe is not possible despite all reasonable efforts, the defendant has the option to submit a reasoned request for an extension to the Dispute Chamber before the deadline expires.

182. The penalty will be imposed per day, with a maximum total of penalties amounting to 10,000,000 (ten million) euros.

III.3.4. Timeline for Compliance with Orders and Imposition of Penalties
183. Merely for the understanding of the parties and any other reader of the present decision, a timeline is presented regarding the execution of the decision. In case of any uncertainty between this visual representation and the text of this decision, the text of the decision shall prevail:

IV. Immediate Enforcement
184. The Dispute Chamber acknowledges, in the context of immediate enforcement, the request and argumentation of the defendant regarding: “10th Argument (subordinate): No immediate enforcement.” The defendant cites “special reasons” in this regard and refers to the case law of the Market Court, which states that an effective legal remedy can only occur “if the requesting party is not pressured to immediately pay a fine and/or comply with the orders of the contested decision.”

185. Therefore, the defendant poses the legitimate question of suspending immediate enforcement in this case, as this would place pressure on the parties within the context (of the outcome) of any appeal procedure.

186. The Dispute Chamber refuses the request for suspension of immediate enforcement for the following reasons.

187. Firstly, immediate enforcement is the standard scenario for the national legislator. The European legislator has granted authorities the power to take measures: it is therefore the authority that decides which (corrective) measure is most appropriate to implement or impose on the defendant.

188. The possibility of appealing against a decision made does not lessen the authorities’ powers. In light of the separation of powers, the judiciary should assess a posteriori whether the supervisory authority has acted within the legal framework and its discretionary powers. When the judiciary employs its powers to suspend immediate enforcement, it is a decision that falls within its evaluative powers.

189. It cannot be the standard practice – considering the credibility of the powers granted to the authorities by the European and national legislators – that the enforcement of decisions and measures taken by an authority is suspended as soon as a party requests it. If this were the standard scenario, it would undermine the legislator's entire setup to enable decisive and effective action in a digitized society. This does not fit within the teleological design of the powers granted to the authority under the GDPR.

190. Secondly, where immediate enforcement is not suspended, if the decision is subsequently found to be inadequate, legal redress is in any case possible, given that the rulings of the Market Court serve as the final substantive judgment in the involved cases. In this case, there are no indications that such legal redress would be difficult or impossible, as no irreversible measures are taken against the defendant. This situation might have been different if a (high) administrative fine were imposed, a situation which the defendant references in light of its request.

191. Should substantial measures be imposed on a defendant, for example in a situation where the legislation is apparently unclear, the suspension of immediate enforcement might indeed be considered – which is why the legislator has provided this option.

192. The Dispute Chamber has, in light of the underlying case, recognized that there was indeed legal uncertainty regarding the interpretation of certain consent requirements concerning cookies—especially due to uncertainty regarding the interplay between the GDPR and the ePrivacy Directive; however, this has been clarified by the Court of Justice in the meantime.

193. The GBA has taken a position regarding the correct implementation of consent in light of cookie banners.

194. Furthermore: the fact that five similar media companies accepted a settlement that reflected the position indicated in the Cookie Checklist from the GBA is a clear indication that the legal situation is not seemingly unclear. It can be noted that courts routinely cite the positioning of supervisory authorities regarding cookies and other tracking mechanisms and thus consider them authoritative, without that implying anything regarding enforceability as a rule.

IV. Publication of the Decision
218. Given the importance of transparency concerning the decision-making of the Dispute Chamber, this decision shall be published on the website of the Data Protection Authority.

219. Since the defendant is a media company of considerable size and also societal reach, and given that the personal data processing activities address a significant portion of the Belgian and, more broadly, Dutch-speaking population, the Dispute Chamber deems it appropriate to disclose the identity of the defendant as well as the names of the contentious websites. This is in line with the transparency practice adopted by the Dispute Chamber in similar procedures involving similar actors in the media sector that led to settlement decisions, although in those procedures, no effective violations were decided or enforcement measures taken.

220. The identity of the representative of the complainant is also of importance for a clear understanding of the procedure, given the procedural elements formulated by the defendant regarding the practice of mandating that representative. It can be noted that the representative has publicly disclosed the circumstances of this procedure, including the identity of the defendant, on their website. Additionally, it is important to transparently indicate the fundamental differences in procedural assessments in this dossier as compared to other dossiers – where the Dispute Chamber did decide on a lack of mandate for the same representative.

---

FOR THESE REASONS, the Dispute Chamber of the Data Protection Authority, after deliberation, decides to:

Pursuant to Article 100, §1, 9° DPA Act, order the defendant to ensure that the placement of cookies and the processing of personal data on its websites are brought into compliance with Article 6 GDPR in conjunction with Article 10/2 PD Act, by modifying the cookie banner in accordance with this decision, and by submitting the necessary visual evidence to the Dispute Chamber and the complainant no later than the 45th day after notification of this decision (“order 1”). The defendant must ensure, in this context, that misleading button colors are not used so that the propriety of the processing is guaranteed (“order 2”).

Pursuant to Article 100, §1, 12° DPA Act, impose a penalty concerning compliance with Order 1, whereby non-compliance with Order 1 results in a penalty of 25,000 EUR per day per contentious website, starting from the notification (on the 46th day or later after notification of this decision) by the Dispute Chamber regarding the penalty.

Pursuant to Article 100, §1, 12° DPA Act, impose a penalty regarding compliance with Order 2, whereby non-compliance with Order 2 results in a penalty of 25,000 EUR per day per contentious website, starting from the notification (on the 46th day or later after notification of this decision) by the Dispute Chamber regarding the penalty.

Pursuant to Article 100, §1, 5° DPA Act, reprimand the defendant concerning the violation committed by the defendant under Article 7.3 GDPR.

Pursuant to Article 100, §1, 5° DPA Act, reprimand the defendant for placing cookies based on legitimate interest when no exception situation justified this.

Pursuant to Article 100, §1, 1° DPA Act, dismiss the complaint regarding those aspects related to transparency and information obligations and the exercise of the right of objection in light of the placement of cookies based on legitimate interest.

---

Pursuant to Article 108, §1 DPA Act, an appeal can be filed against this decision with the Market Court (Brussels Court of Appeal) within thirty days of notification, with the Data Protection Authority as the respondent.

Such an appeal can be filed via a statement of opposition that must contain the specifications listed in Article 1034ter of the Judicial Code. The statement of opposition must be submitted to the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of Justice (Article 32ter of the Judicial Code).

(get). Hielke HIJMANS
Chair of the Dispute Chamber